Archive for January, 2017

Second email I've received today (some headers omitted):

Return-Path: <ludv.jani-2015@vrg.se>
Received: from unknown (HELO mail.bsme-mos.ru) (95.163.65.54)
by ariel.informaction.com with SMTP; 27 Jan 2017 11:25:22 -0000
Received: from unknown (HELO o) (zayavka@bsme-mos.ru@94.23.58.202)
by mail.bsme-mos.ru with SMTP; 27 Jan 2017 14:25:17 +0300
Subject: question
Date: Fri, 27 Jan 2017 12:25:26 +0100
X-MSMail-Priority: Normal
X-Mailer: Microsoft Windows Live Mail 16.4.3528.331
X-MimeOLE: Produced By Microsoft MimeOLE V16.4.3528.331

This is a multi-part message in MIME format.

------=_NextPart_000_25F3_01D27898.7064C4E0
Content-Type: multipart/alternative;
boundary="----=_NextPart_001_25F4_01D27898.7064C4E0"

------=_NextPart_001_25F4_01D27898.7064C4E0
Content-Type: text/plain;
charset="windows-1251"
Content-Transfer-Encoding: quoted-printable

Hey. I found your software is online. Can you write the code for my proje=
ct? Terms of reference attached below.
The price shall discuss, if you can make. Answer please.

------=_NextPart_001_25F4_01D27898.7064C4E0
Content-Type: text/html;
charset="windows-1251"
Content-Transfer-Encoding: quoted-printable

(HTML omitted)

------=_NextPart_001_25F4_01D27898.7064C4E0--

------=_NextPart_000_25F3_01D27898.7064C4E0
Content-Type: application/octet-stream;
name="PROJECT.gz"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
filename="PROJECT.gz"
...

The "PROJECT.gz" file, despite its extension, was actually a RAR archive containing a "PROJECT.doc" MS Word document, presumably with some malicious macro payload (I didn't bother to check).

The earlier one had a "2701.zip" attachment, with a "2701.doc" inside, likely the same as the other one (unfortunately I had not kept it for reference).

Both messages appearing to be hand-crafted, and the reference to today's date in the attachment file name IMHO hint at a focused campaign explicitly targeting targets perceived as "high return investments", such as developers (possibly working on popular / open source projects).

I doubt many of us would fall for this stuff, but I felt a heads up was in order nonetheless ;)

Update

As soon as I published this post I checked my inbox and there was another one...

Update 2

It looked like a VBA marcro malware, indeed. Thanks Ludovic for reminding me of Virustotal.

Bad Behavior has blocked 3282 access attempts in the last 7 days.