Alerts Bring More Than Bad News


Thought Leadership

Fred Touchette

Murder Was the Case That They Gave Me

In a malware campaign we've seen hit our filters today, attackers have simulated what appears to be an automated email alert from the City of London. The fake alert is meant to raise community awareness about a supposed homicide suspect on the loose in London, and it was made to look as if it had been sent out by the London City Police themselves. All of the information in the email body is made to look important, but it is deliberately vague. This is designed to raise curiosity and to direct readers to the real target, the attachment. That is supposedly where the real details of the case are: the suspect's name, what they look like, where they were last seen, and so on. Instead, as is the norm, the attachment actually contains malware.

The attachment is a zip file named Homicide-case#(random numeric string).zip. The random string in the file name is also meant to match the "Bulletin Case#" in the body of the email. Inside the archive is a .scr file with an icon made to resemble a .pdf. Once executed, this malware goes right to work hijacking a svchost.exe system process to gain its foothold. It then reaches out to the internet to check the public IP of its new victim machine and to confirm that it has working internet access. Once it confirms this, it begins to reach out directly to 197.149.90.166, an IP located in Lagos, Nigeria, where it waits for further payloads and instructions from its command and control server.
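
As an added defender-side example (not from the original post or from AppRiver), here is a Python attachment-triage check built on the two traits described above: the Homicide-case#<digits>.zip naming and an executable .scr hidden inside the archive. The sample zip and its contents are constructed inline and are not the real malware; the extension list and verdict labels are assumptions for illustration.

```python
import io
import re
import zipfile

# Lure file name pattern from this campaign: Homicide-case#<random digits>.zip
CAMPAIGN_NAME_RE = re.compile(r"^Homicide-case#\d+\.zip$", re.IGNORECASE)
# Extensions Windows will run as programs (.scr, a screensaver, is the one used here);
# the list is an assumption, extend it to match your own gateway policy
EXECUTABLE_EXTS = {".scr", ".exe", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}


def inspect_attachment(filename: str, data: bytes) -> dict:
    """Return a verdict and the indicators found for one email attachment.

    'block'  : an executable (by extension or PE 'MZ' header) is inside the archive
    'review' : only the file name matches the lure, or the zip is malformed
    'allow'  : nothing suspicious found
    """
    findings = []
    executable_inside = False
    if CAMPAIGN_NAME_RE.match(filename):
        findings.append("name matches Homicide-case#<digits>.zip lure")
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                lower = info.filename.lower()
                ext = "." + lower.rsplit(".", 1)[-1] if "." in lower else ""
                if ext in EXECUTABLE_EXTS:
                    findings.append(f"executable member: {info.filename}")
                    executable_inside = True
                # A member named like a document but starting with 'MZ' is still a PE program
                with zf.open(info) as fh:
                    if fh.read(2) == b"MZ":
                        findings.append(f"PE header in member: {info.filename}")
                        executable_inside = True
    except zipfile.BadZipFile:
        findings.append("attachment is not a valid zip archive")
    if executable_inside:
        verdict = "block"
    elif findings:
        verdict = "review"
    else:
        verdict = "allow"
    return {"verdict": verdict, "findings": findings}


def build_sample(member: str, payload: bytes) -> bytes:
    """Constructed test archive holding one member (harmless stub, not real malware)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, payload)
    return buf.getvalue()
```

Running `inspect_attachment("Homicide-case#48213.zip", build_sample("Homicide-case#48213.pdf.scr", b"MZ" + b"\x00" * 62))` yields a `block` verdict with all three indicators, while a zip holding a plain PDF under a neutral name is allowed.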

Currently only 3 out of 57 anti-virus companies are recognizing this sample on VirusTotal, which means this attack is likely working for its authors. AppRiver, however, has preemptively nabbed all of these before they had a chance to make it to inboxes. Be aware that not everything you read on the internet, or in your email, is true (I know, shocking, sorry to have to be the one to break it to you). Attackers use very convincing themes at times to socially engineer their potential victims. Know that you can run across one of these campaigns at any moment, be ready to recognize these techniques, and avoid putting yourself at further risk by deleting any unsolicited email that raises a red flag, such as this one.