Emotet malspam campaign exploits reliance on magic for file type detection

A screenshot of a VirusTotal results page showing a detection rate of 10/58 for an Emotet dropper document

Emotet is a Trojan designed to steal banking information. It is frequently spread by sending phishing emails to governments, banks, healthcare organizations, and schools. The phishing emails will often claim to be an invoice, with a malicious Microsoft Word document attached. The email may often appear to be from a trusted supplier. Once the attachment or link is opened, the target is prompted to click “Enable content”, which would allow the dropper to install Emotet.

Screenshot of an Emotet dropper document open in Microsoft Word 2016.
The document claims that the user must click “Enable content” to view it, but doing so would actually install malware

I recently encountered two Emotet dropper samples (0b9ccb04553ba5f1ce784630ef9b2c478ed13a96e89c65dcd9c94205c235ea12 and eff6619aee017ee5d04c539ff12c63a199a1e489660f7156b95e562667393d3c) that would not run correctly in my malware sandbox. I soon found the cause of the problem: the file type had been detected as a generic XML file, rather than what it really is: a Microsoft Word document.


How to inspect the certificate of a mail server over a CLI

If you ever need to inspect the certificate of a remote SMTP server, you can use the openssl CLI tool.

If you need to check STARTTLS:

openssl s_client -connect mail.example.com:25 -starttls smtp

Or, for a standard secure SMTP port:

openssl s_client -connect mail.example.com:465

To save the certificate to a file, just redirect the output:

openssl s_client -connect mail.example.com:25 -starttls smtp > mail.example.com.crt

You can also check SMTP TLS using MX Toolbox or Check TLS.
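One caveat worth knowing before relying on that redirect: `openssl s_client` prints handshake chatter (connection status, chain summary, session details) around the PEM certificate block, and it keeps the connection open until stdin is closed, so the saved file is a full transcript rather than a clean certificate. The script below, an added example that is not part of the original post, pulls the first `-----BEGIN CERTIFICATE-----` block out of such a transcript and then uses `openssl x509` to show the subject and validity dates. It assumes the openssl CLI is installed; the transcript it works on is constructed from a throwaway self-signed certificate so it runs offline.

```shell
#!/bin/sh
# Added example (not from the original post): extract the certificate from a
# saved `openssl s_client` transcript and inspect it with `openssl x509`.
# Assumes the openssl CLI is available. All data below is constructed.

set -eu

# extract_cert TRANSCRIPT OUTFILE
# Copy only the first PEM certificate block out of an s_client transcript;
# the chatter s_client prints before and after the block is dropped.
extract_cert() {
    sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' "$1" \
        | sed '/-----END CERTIFICATE-----/q' > "$2"
    # fail loudly if the transcript held no certificate at all
    grep -q 'BEGIN CERTIFICATE' "$2"
}

# cert_subject CERTFILE: print the subject of a PEM certificate.
cert_subject() {
    openssl x509 -in "$1" -noout -subject
}

# cert_dates CERTFILE: print notBefore/notAfter so expiry is easy to check.
cert_dates() {
    openssl x509 -in "$1" -noout -dates
}

# --- constructed demo data ----------------------------------------------
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Throwaway self-signed certificate standing in for the mail server's cert
# (constructed for this example; not a real server certificate).
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$WORK/key.pem" -out "$WORK/server.pem" \
    -subj "/CN=mail.example.com" >/dev/null 2>&1

# Fake s_client transcript: header lines, the certificate, then session
# details, mimicking what `openssl s_client ... > mail.example.com.crt` saves.
{
    echo "CONNECTED(00000003)"
    echo "depth=0 CN = mail.example.com"
    echo "---"
    echo "Certificate chain"
    echo " 0 s:CN = mail.example.com"
    echo "   i:CN = mail.example.com"
    cat "$WORK/server.pem"
    echo "---"
    echo "Server certificate"
    echo "subject=CN = mail.example.com"
    echo "---"
    echo "SSL handshake has read 1234 bytes and written 456 bytes"
} > "$WORK/mail.example.com.crt"

# Turn the transcript into a clean certificate file and inspect it.
extract_cert "$WORK/mail.example.com.crt" "$WORK/clean.crt"
cert_subject "$WORK/clean.crt"
cert_dates "$WORK/clean.crt"
```

Against a real server, replace the constructed transcript with the file produced by the redirect from the post (for example `mail.example.com.crt`); `clean.crt` is then a plain PEM file that `openssl x509`, `openssl verify` or a trust store will accept. Passing `-showcerts` to `s_client` makes it print the whole chain, in which case the first block is still the server's leaf certificate.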

How to compile and install FFmpeg on Debian/Ubuntu

Here’s how to build and install FFmpeg from source with all the bells and whistles (i.e. codec support). We’ll install it as a custom Debian package using checkinstall. That way, any other package that depends on the ffmpeg package will recognize that it is already installed, and won’t try to fetch it from the Debian or Ubuntu software repositories.


WannaCry ransomware analysis: Samples date back to at least early February 2017

VirusTotal results showing the earliest observed sample of Wannacry ransomware

The WannaCry ransomware worm has spread panic and destruction as it infects hundreds of thousands of systems around the world; a rate not seen since the Blaster and Sasser worms of 2003. WannaCry — also known as WannaCrypt, WannaCryptor, WanaCrypt0r, WCry, or WCrypt — leverages vulnerabilities that Microsoft patched in the March MS17-010 Security Bulletin, after taking the unprecedented step of canceling the February Patch Tuesday.

While collecting samples of WannaCry, I found a sample that predates the worm version. The sample was compiled on February 9th, and uploaded to VirusTotal on February 10th. While compile timestamps can be faked, the closeness to the upload date suggests that the compilation timestamp is legitimate.


Google Pixel phones can be unlocked with a recording of a trusted voice by default

user manually enables "Ok Google" Trusted Voice

The headline feature of the new Google Pixel phones is deep integration between the operating system and the Google Assistant AI. By default, the Google Assistant can be activated even when the phone is locked and the display is off, if the device hears the trusted voice say the hot word, “Ok Google”. This also has the effect of unlocking the device, meaning that anyone with a recording of the trusted voice saying “Ok Google” — or even someone with a similar voice — can easily unlock the device.


Android 7.1 adds native Android Visual Voicemail support for Verizon

After upgrading my Nexus 6P on Verizon to the Android 7.1.1 beta, I discovered that Visual Voicemail in the native Android dialer works! You just need to make sure that basic (free) or premium visual voicemail is active on your line. Voicemail-to-text works too, if you add Premium Visual Voicemail to your line. Unfortunately, there is no sign of Wi-Fi calling support (yet?). HD voice has always worked on the Nexus 6P.


PSA: The latest Google Chrome release trips EMET’s EAF+ mitigation

A screenshot of the EAF+ error generated by the latest Google Chrome release when used with the default EMET config

When Google Chrome updated to 53.0.2785.101 on my Windows systems, I encountered an onslaught of alerts from EMET, which was killing chrome.exe processes for EAF+ violations as fast as Chrome kept trying to spawn them (each tab in Chrome is a separate process). Luckily, this problem is easily fixable.
