Re: Email Phishing and Zloader: Such a Disappointment

2021-07-12 Thread Matus UHLAR - fantomas
--On Sunday, July 11, 2021 4:55 PM -0400 "Kevin A. McGrail" 
 wrote:



We use the olevbmacro detection added to SA.  I would guess that's
blocking the payload.


On 11.07.21 13:35, Kenneth Porter wrote:
I see the plugin in the distribution but it doesn't appear to be 
loaded by default and the rules in the plugin's man page don't appear 
in the downloaded rules. So I guess I need to create a custom cf file.


I simply uncommented it in /etc/spamassassin/v343.pre:

# OLEVBMacro - Detects both OLE macros and VB code inside Office documents
loadplugin Mail::SpamAssassin::Plugin::OLEVBMacro

the KAM.cf takes care of the rest.
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Save the whales. Collect the whole set.


Re: Email Phishing and Zloader: Such a Disappointment

2021-07-12 Thread Matus UHLAR - fantomas

On 7/11/2021 5:11 PM, John Hardin wrote:
"The other parts contain an application/vnd.ms-officetheme and 
an application/x-mso file. Which (in addition to the text/xml 
files) are used by Microsoft Word to load the embedded Word 
document."


Would the presence of all three of those MIME types be a 
scorable indicator?



On Sun, 11 Jul 2021, Kevin A. McGrail wrote:
If you can get me a spample, I'm sure I can tell you but in 
general we block macros so that's all that's needed.  Likely the 
OLEVBMacro plugin and KAM ruleset is blocking all of these already 
if you have the plugin enabled.



On 12/07/2021 07:40, Dave Funk wrote:
Aren't there already rules and heuristics in ClamAV for detecting 
VBmacros in office docs?


I've got two copies of ClamAV running, one used as a blocking direct 
milter with default rules and another one feeding into the SA 
"clamav.pm" plugin with extra rules and heuristics/algorithms 
enabled.


On 12.07.21 08:51, Dominic Raferd wrote:
I quarantine emails that are caught by ClamAV with 'ScanOLE2 true' and 
'AlertOLE2Macros true'; these are then checked by command-line tool 
mraptor (part of olevba) to see if the macros are truly malicious.


I will try the OLEVBMacro plugin alongside, thanks for the heads up.


Note that the standard SA rules don't contain any rule using the OLEVBMacro
functions, but KAM.cf does.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
REALITY.SYS corrupted. Press any key to reboot Universe.


Re: Email Phishing and Zloader: Such a Disappointment

2021-07-12 Thread Pedro David Marco
> On Monday, July 12, 2021, 04:01:03 AM GMT+2, Kevin A. McGrail
> wrote:
> If you can get me a spample, I'm sure I can tell you but in general we
> block macros so that's all that's needed.  Likely the OLEVBMacro plugin
> and KAM ruleset is blocking all of these already if you have the plugin
> enabled.


The initial email has no macro... they use an old MS feature where a document
marks itself as "incomplete" and tells the MS Office app where to download the
missing part, which contains the payload.
To my knowledge (very limited) only zipped versions of MS files can use that
feature. Within them, there are 2 data structures to check if you want to find
prizes...
-Pedro.


Re: Email Phishing and Zloader: Such a Disappointment

2021-07-12 Thread Dominic Raferd

On 12/07/2021 07:40, Dave Funk wrote:

On Sun, 11 Jul 2021, Kevin A. McGrail wrote:


On 7/11/2021 5:11 PM, John Hardin wrote:
"The other parts contain an application/vnd.ms-officetheme and an 
application/x-mso file. Which (in addition to the text/xml files) 
are used by Microsoft Word to load the embedded Word document."


Would the presence of all three of those MIME types be a scorable 
indicator?


If you can get me a spample, I'm sure I can tell you but in general 
we block macros so that's all that's needed.  Likely the OLEVBMacro 
plugin and KAM ruleset is blocking all of these already if you have 
the plugin enabled.


Aren't there already rules and heuristics in ClamAV for detecting 
VBmacros in office docs?


I've got two copies of ClamAV running, one used as a blocking direct 
milter with default rules and another one feeding into the SA 
"clamav.pm" plugin with extra rules and heuristics/algorithms enabled.


I quarantine emails that are caught by ClamAV with 'ScanOLE2 true' and 
'AlertOLE2Macros true'; these are then checked by command-line tool 
mraptor (part of olevba) to see if the macros are truly malicious.


I will try the OLEVBMacro plugin alongside, thanks for the heads up.




Re: Email Phishing and Zloader: Such a Disappointment

2021-07-12 Thread Dave Funk

On Sun, 11 Jul 2021, Kevin A. McGrail wrote:


On 7/11/2021 5:11 PM, John Hardin wrote:
"The other parts contain an application/vnd.ms-officetheme and an 
application/x-mso file. Which (in addition to the text/xml files) are used 
by Microsoft Word to load the embedded Word document."


Would the presence of all three of those MIME types be a scorable 
indicator?


If you can get me a spample, I'm sure I can tell you but in general we block 
macros so that's all that's needed.  Likely the OLEVBMacro plugin and KAM 
ruleset is blocking all of these already if you have the plugin enabled.


Regards,

KAM


Aren't there already rules and heuristics in ClamAV for detecting VBmacros in 
office docs?


I've got two copies of ClamAV running, one used as a blocking direct milter with 
default rules and another one feeding into the SA "clamav.pm" plugin with extra 
rules and heuristics/algorithms enabled.




--
Dave Funk   University of Iowa
 College of Engineering
319/335-5751   FAX: 319/384-0549   1256 Seamans Center, 103 S Capitol St.
Sys_admin/Postmaster/cell_admin Iowa City, IA 52242-1527
#include 
Better is not better, 'standard' is better. B{

Re: Email Phishing and Zloader: Such a Disappointment

2021-07-11 Thread Kevin A. McGrail

On 7/11/2021 5:11 PM, John Hardin wrote:
"The other parts contain an application/vnd.ms-officetheme and an 
application/x-mso file. Which (in addition to the text/xml files) are 
used by Microsoft Word to load the embedded Word document."


Would the presence of all three of those MIME types be a scorable 
indicator?


If you can get me a spample, I'm sure I can tell you but in general we 
block macros so that's all that's needed.  Likely the OLEVBMacro plugin 
and KAM ruleset is blocking all of these already if you have the plugin 
enabled.


Regards,

KAM

--
Kevin A. McGrail
kmcgr...@apache.org

Member, Apache Software Foundation
Chair Emeritus Apache SpamAssassin Project
https://www.linkedin.com/in/kmcgrail - 703.798.0171



Re: Email Phishing and Zloader: Such a Disappointment

2021-07-11 Thread Kevin A. McGrail
It's in the KAM ruleset if that helps.  Search "ifplugin 
Mail::SpamAssassin::Plugin::OLEVBMacro" and you'll see the set of rules 
we use.  Add the plugin to an appropriate pre file to activate it.


On 7/11/2021 4:35 PM, Kenneth Porter wrote:
I see the plugin in the distribution but it doesn't appear to be 
loaded by default and the rules in the plugin's man page don't appear 
in the downloaded rules. So I guess I need to create a custom cf file.


--
Kevin A. McGrail
kmcgr...@apache.org

Member, Apache Software Foundation
Chair Emeritus Apache SpamAssassin Project
https://www.linkedin.com/in/kmcgrail - 703.798.0171



Re: Email Phishing and Zloader: Such a Disappointment

2021-07-11 Thread John Hardin

On Sun, 11 Jul 2021, Kenneth Porter wrote:

--On Sunday, July 11, 2021 1:20 PM -0400 Jared Hall  
wrote:



The Word document (without macros) loads an external encrypted Excel file


It has macros. It tricks the user into enabling and running them by telling 
him to enable the document for editing and enabling "content" (ie. macros). 
Hiding macros from the user in this way (calling them "content") is a 
terrible piece of UI.



Both articles conclude with the statement "We suggest it is safe to
enable them (macros) only when the document received is from a trusted
source".  I really don't understand that comment since the entire unique
nature of the exploit is to disable the macro warnings entirely. 


A forged From line means the average Joe will assume the source is trusted.

Another nice analysis, I think with better details, showing how this evades 
the usual scanners:




The Word document is assembled from MIME fragments so there's no extension to 
block.



"The other parts contain an application/vnd.ms-officetheme and an 
application/x-mso file. Which (in addition to the text/xml files) are used 
by Microsoft Word to load the embedded Word document."


Would the presence of all three of those MIME types be a scorable 
indicator?



--
 John Hardin KA7OHZ    http://www.impsec.org/~jhardin/
 jhar...@impsec.org pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  What the hell is an "Aluminum Falcon"??  -- Emperor Palpatine
---
 9 days until the 52nd anniversary of Apollo 11 landing on the Moon
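One way to turn the three-MIME-type question above into a check, as an added example that is not code from the thread or from SpamAssassin: it walks a message, re-parses any attachment that is itself MIME (the MHTML-assembled .doc the linked Hornetsecurity analysis describes), and fires only when text/xml, application/vnd.ms-officetheme and application/x-mso are all present. The sample mail and attachment are constructed; a production check would be written as a SpamAssassin rule rather than standalone Python.

```python
"""Flag a mail whose attachment is an MHTML-assembled Word document.
Added example (not from the thread or SpamAssassin); assumes, as the linked analysis
describes, a multipart/related .doc with text/xml, officetheme and x-mso parts."""
import email
from email import policy
from email.message import EmailMessage

# The three types John Hardin asked about; the indicator fires only when all appear.
MHTML_WORD_PARTS = {"text/xml", "application/vnd.ms-officetheme", "application/x-mso"}

def content_types(msg) -> set:
    """Content types of every leaf part, descending into attachments that are themselves MIME."""
    found = set()
    for part in msg.walk():
        if part.is_multipart():
            continue
        found.add(part.get_content_type())
        payload = part.get_payload(decode=True) or b""
        # An MHTML document attached as .doc starts with its own MIME headers, so parse it too.
        if payload.lstrip().startswith((b"MIME-Version:", b"Content-Type:")):
            found |= content_types(email.message_from_bytes(payload, policy=policy.default))
    return found

def scan_types(raw: bytes) -> set:
    """Content types found anywhere in a raw RFC 5322 message, attachments included."""
    return content_types(email.message_from_bytes(raw, policy=policy.default))

def mhtml_word_indicator(raw: bytes) -> bool:
    """True when the message, or an attachment inside it, carries all three part types."""
    return MHTML_WORD_PARTS <= scan_types(raw)

def build_sample(include_mso: bool = True) -> bytes:
    """Constructed sample mail whose .doc attachment is really MHTML (no real campaign data)."""
    doc = EmailMessage()
    doc["MIME-Version"] = "1.0"
    doc.add_related(b"<?xml version='1.0'?><w:document/>", maintype="text", subtype="xml")
    doc.add_related(b"<a:theme/>", maintype="application", subtype="vnd.ms-officetheme")
    if include_mso:
        doc.add_related(b"mso-placeholder", maintype="application", subtype="x-mso")
    mail = EmailMessage()
    mail["Subject"] = "Invoice"
    mail.set_content("Please see the attached invoice.")
    mail.add_attachment(doc.as_bytes(), maintype="application", subtype="msword", filename="invoice.doc")
    return mail.as_bytes()

if __name__ == "__main__":
    print("indicator:", mhtml_word_indicator(build_sample()), sorted(scan_types(build_sample())))
```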

Re: Email Phishing and Zloader: Such a Disappointment

2021-07-11 Thread Kenneth Porter
--On Sunday, July 11, 2021 4:55 PM -0400 "Kevin A. McGrail" 
 wrote:



We use the olevbmacro detection added to SA.  I would guess that's
blocking the payload.


I see the plugin in the distribution but it doesn't appear to be loaded by 
default and the rules in the plugin's man page don't appear in the 
downloaded rules. So I guess I need to create a custom cf file.






Re: Email Phishing and Zloader: Such a Disappointment

2021-07-11 Thread Kevin A. McGrail
We use the olevbmacro detection added to SA.  I would guess that's blocking
the payload.

On Sun, Jul 11, 2021, 15:00 Kenneth Porter  wrote:

> --On Sunday, July 11, 2021 1:20 PM -0400 Jared Hall 
> wrote:
>
> > The Word document (without macros) loads an external encrypted Excel file
>
> It has macros. It tricks the user into enabling and running them by
> telling
> him to enable the document for editing and enabling "content" (ie.
> macros).
> Hiding macros from the user in this way (calling them "content") is a
> terrible piece of UI.
>
> > Both articles conclude with the statement "We suggest it is safe to
> > enable them (macros) only when the document received is from a trusted
> > source".  I really don't understand that comment since the entire unique
> > nature of the exploit is to disable the macro warnings entirely.
>
> A forged From line means the average Joe will assume the source is trusted.
>
> Another nice analysis, I think with better details, showing how this
> evades
> the usual scanners:
>
> <https://www.hornetsecurity.com/en/threat-research/zloader-email-campaign-using-mhtml-to-download-and-decrypt-xls/>
>
> The Word document is assembled from MIME fragments so there's no extension
> to block.
>
>


Re: Email Phishing and Zloader: Such a Disappointment

2021-07-11 Thread Kenneth Porter
--On Sunday, July 11, 2021 1:20 PM -0400 Jared Hall  
wrote:



The Word document (without macros) loads an external encrypted Excel file


It has macros. It tricks the user into enabling and running them by telling 
him to enable the document for editing and enabling "content" (ie. macros). 
Hiding macros from the user in this way (calling them "content") is a 
terrible piece of UI.



Both articles conclude with the statement "We suggest it is safe to
enable them (macros) only when the document received is from a trusted
source".  I really don't understand that comment since the entire unique
nature of the exploit is to disable the macro warnings entirely. 


A forged From line means the average Joe will assume the source is trusted.

Another nice analysis, I think with better details, showing how this evades 
the usual scanners:




The Word document is assembled from MIME fragments so there's no extension 
to block.




Email Phishing and Zloader: Such a Disappointment

2021-07-11 Thread Jared Hall
Reference: My reply to KAM's post: "Looking for a sample of the 
Microsoft zero day print nightmare"



To continue my rant about the disconnect with the Security community, 
this ThreatPost article pops up on my Google feed "Microsoft Office 
Users Warned on New Malware-Protection Bypass".  I think not. A typical 
Microsoft Office user is "Joe Average", and good ol' Joe can't tell a 
ThreatPost from a Fencepost.  But five paragraphs down, this caught my 
eye: "The initial attack vector is inbox-based phishing messages with 
Word document attachments that contain no malicious code."  Now we're 
talking.  Golly, maybe I can help!  So, I read on...


Just a whole lot of uselessness for a Mail Admin:  Unknown file 
attachment name, Unknown From Name/Email Address, Unknown IP address, 
Unknown message Subject, Unknown message strings, etc.  You can read the 
post here: 
https://threatpost.com/microsoft-office-malware-protection-bypass/167652/


ThreatPost is the media arm of McAfee (mostly), and within the article 
is a link to an article by a couple of McAfee researchers, found here: 
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/zloader-with-a-new-infection-technique/


The article goes to great lengths to explain that the observed 
infections are mostly in the US and Canada.  The Word document (without 
macros) loads an external encrypted Excel file and through the power of 
DDE, writes VBA macros into the Excel file, and then disables Macro 
Warnings in the computer's registry.  The coup de grâce is the download 
and execution of ZLoader.  Then it's game over for "Joe Average".


Of course, there's a lot of excitement over the technical wizardry 
therein; Word document analysis, VBA Code analysis, Excel Cell 
Structures, and the like.  But again, it is totally useless for Mail 
Admins, who ultimately are in the best position to mitigate the 
widespread distribution of this infection.  Great researchers they may 
be, but useful communicators they are NOT.


Both articles conclude with the statement "We suggest it is safe to 
enable them (macros) only when the document received is from a trusted 
source".  I really don't understand that comment since the entire unique 
nature of the exploit is to disable the macro warnings entirely.  It 
sure sounds like Emotet 2.0 in the making.  So Anti-Virus/Malware 
companies will hype up their products, Phishing companies create new 
courses, and Firewall companies start blocking "11.php and 22.php's" and 
all kinds of "heavenlygems".  Everybody wants to sell a cure, but 
mitigation be damned.


Maybe some 400-pound anti-spam nut in New Jersey would've stopped the 
whole thing.  We'll never know.  We anti-spam folks are forced to sit on 
the bench, waiting for another billion dollars in damages.



$0.02,

-- Jared Hall