Targeted email attack against (open source?) developers
Posted by: Giorgio in Mozilla, Security
Second email I've received today (some headers omitted):
Received: from unknown (HELO mail.bsme-mos.ru) (95.163.65.54)
by ariel.informaction.com with SMTP; 27 Jan 2017 11:25:22 -0000
Received: from unknown (HELO o) (zayavka@bsme-mos.ru@94.23.58.202)
by mail.bsme-mos.ru with SMTP; 27 Jan 2017 14:25:17 +0300
Subject: question
Date: Fri, 27 Jan 2017 12:25:26 +0100
X-MSMail-Priority: Normal
X-Mailer: Microsoft Windows Live Mail 16.4.3528.331
X-MimeOLE: Produced By Microsoft MimeOLE V16.4.3528.331
This is a multi-part message in MIME format.
------=_NextPart_000_25F3_01D27898.7064C4E0
Content-Type: multipart/alternative;
boundary="----=_NextPart_001_25F4_01D27898.7064C4E0"
------=_NextPart_001_25F4_01D27898.7064C4E0
Content-Type: text/plain;
charset="windows-1251"
Content-Transfer-Encoding: quoted-printable
Hey. I found your software is online. Can you write the code for my proje=
ct? Terms of reference attached below.
The price shall discuss, if you can make. Answer please.
------=_NextPart_001_25F4_01D27898.7064C4E0
Content-Type: text/html;
charset="windows-1251"
Content-Transfer-Encoding: quoted-printable
(HTML omitted)
------=_NextPart_001_25F4_01D27898.7064C4E0--
------=_NextPart_000_25F3_01D27898.7064C4E0
Content-Type: application/octet-stream;
name="PROJECT.gz"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
filename="PROJECT.gz"
...
The "PROJECT.gz" file, despite its extension, was actually a RAR archive containing a "PROJECT.doc" MS Word document, presumably with some malicious macro payload (I didn't bother to check).
The earlier one had a "2701.zip" attachment, with a "2701.doc" inside, likely the same as the other one (unfortunately I had not kept it for reference).
Both messages appear to be hand-crafted, and the reference to today's date in the attachment file name hints, IMHO, at a focused campaign explicitly targeting people perceived as "high return investments", such as developers (possibly working on popular / open source projects).
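The giveaway in the message above is the mismatch between the declared attachment name ("PROJECT.gz") and what the bytes actually are (a RAR archive). That is cheap to check automatically before anyone opens the file. The script below is an added example, not code from this post: it parses a raw RFC 5322 message with Python's standard `email` module, decodes every attachment, and compares the file extension against well-known leading magic bytes (gzip, ZIP/OOXML, RAR, OLE2 `.doc`). The sample message it builds is constructed here to mirror the structure of the quoted mail; the sender and recipient addresses are placeholders and the "RAR" payload is just a signature plus padding, not malware.

```python
import email
from email import policy
from email.message import EmailMessage

# Well-known leading magic bytes for the formats that appear in this post.
# A file whose extension says one thing and whose bytes say another is worth a second look.
MAGIC = {
    "gz":   [b"\x1f\x8b"],
    "zip":  [b"PK\x03\x04", b"PK\x05\x06"],
    "rar":  [b"Rar!\x1a\x07\x00", b"Rar!\x1a\x07\x01\x00"],
    "doc":  [b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"],   # OLE2 compound file (legacy .doc/.xls)
    "docx": [b"PK\x03\x04"],                           # OOXML is a ZIP container
}


def sniff(data: bytes):
    """Return the format names whose magic bytes match the start of `data`."""
    return [name for name, sigs in MAGIC.items() if any(data.startswith(s) for s in sigs)]


def check_attachments(raw: bytes):
    """Parse a raw message and report, per attachment, the declared extension,
    the formats detected from the leading bytes, and whether they disagree."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        filename = part.get_filename()
        if not filename:                      # inline text/html bodies have no filename
            continue
        payload = part.get_payload(decode=True) or b""   # undo base64 / quoted-printable
        ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
        detected = sniff(payload)
        findings.append({
            "filename": filename,
            "declared_ext": ext,
            "detected": detected,
            # Only flag when we positively recognised the bytes as something else;
            # an unknown blob is reported but not called a mismatch.
            "mismatch": bool(detected) and ext not in detected,
        })
    return findings


def build_sample() -> bytes:
    """Constructed sample modelled on the message quoted in the post (assumption:
    placeholder addresses, harmless stand-in bytes for the attachments)."""
    msg = EmailMessage()
    msg["From"] = "zayavka@example.invalid"
    msg["To"] = "developer@example.invalid"
    msg["Subject"] = "question"
    msg.set_content("Hey. I found your software is online. Can you write the code for my project?")
    # "PROJECT.gz" that is really a RAR archive: RAR4 signature plus padding.
    fake_rar = b"Rar!\x1a\x07\x00" + b"\x00" * 32
    msg.add_attachment(fake_rar, maintype="application", subtype="octet-stream",
                       filename="PROJECT.gz")
    # A benign control: a ZIP whose name and bytes agree.
    fake_zip = b"PK\x03\x04" + b"\x00" * 26
    msg.add_attachment(fake_zip, maintype="application", subtype="zip", filename="notes.zip")
    return bytes(msg)


if __name__ == "__main__":
    for f in check_attachments(build_sample()):
        flag = "MISMATCH" if f["mismatch"] else "ok"
        print(f"{f['filename']:12s} ext={f['declared_ext']:5s} bytes={f['detected']} -> {flag}")
```

To run it on a real message, read the `.eml` file as bytes and pass it to `check_attachments`; a non-empty `detected` list that does not contain the declared extension is the signal the post describes, and the mail client's icon would never have shown it.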
I doubt many of us would fall for this stuff, but I felt a heads up was in order nonetheless ;)
Update
As soon as I published this post I checked my inbox and there was another one...
Update 2
It looked like VBA macro malware, indeed. Thanks Ludovic for reminding me of Virustotal.
January 27th, 2017 at 3:39 pm
You could use virustotal to check the file :)
January 27th, 2017 at 3:49 pm
@Ludovic: done, thanks.
January 27th, 2017 at 4:02 pm
It's Github-based - the emails I've been getting of this type have been coming to the email address I only use on Github. So I suspect it's more automated than you first thought.
March 21st, 2017 at 10:01 am
Finally, sometimes it's all about getting creative with your marketing and pr. How many smartphone users know that their smart devices can also help in keeping them healthy and fit? There are many more things which needs to be taken care of. Photos and other types of files can be sent as well!
April 1st, 2017 at 2:15 pm
What exactly needs to be done to combat Email Scams?