TT Remittance payment for PO# 089, 090 & 091


Hi,

This morning we had an employee open a phishing email and subsequently open one of the two attachments that came with it. When they opened it nothing appeared to happen, so far as they could tell, but they got in touch with us here in the IT department as it seemed odd to them. As soon as we saw the email we could see that it had flags all over it. Anyway, we have run scans and been in touch with our email spam filter guys, and they came back to us saying that it was phishing for credentials and possibly more.

The laptop is now disconnected from any network and all logins have been changed that the end user would have used.

What can we do now in this situation, as we ran it through virustotal.com and it showed as not being caught by anything and also as only appearing today?

Any help you can bring to us here would be very much appreciated.


  • Staff

***This is an automated reply***

Hi,

Thanks for posting in the Malwarebytes 3 Help forum.

If you are having technical issues with our Windows product, please do the following: 

If you haven't done so already, please run these two tools and then attach the logs in your next reply:

NOTE: The tools and the information obtained are safe and not harmful to your privacy or your computer; please allow the programs to run if blocked by your system.

  • Farbar Recovery Scan Tool (FRST)
    1. Download FRST and save it to your desktop
      Note: You need to run the version compatible with your system. You can check here if you're not sure if your computer is 32-bit or 64-bit
    2. Double-click to run FRST and when the tool opens click "Yes" to the disclaimer
    3. Press the "Scan" button
    4. This will produce two files in the same location (directory) as FRST: FRST.txt and Addition.txt
      • Leave the log files in the current location, they will be automatically collected by mb-check once you complete the next set of instructions
  • MB-Check
    1. Download MB-Check and save to your desktop
    2. Double-click to run MB-Check and within a few seconds the command window will open; press "Enter" to accept the EULA, then click "OK"
    3. This will produce one log file on your desktop: mb-check-results.zip
      • This file will include the FRST logs generated from the previous set of instructions
      • Attach this file to your forum post by clicking on the "Drag files here to attach, or choose files..." or simply drag the file to the attachment area

One of our experts will be able to assist you shortly.

If you are having licensing issues, please do the following: 

For any of these issues:

  • Renewals
  • Refunds (including double billing)
  • Cancellations
  • Update Billing Info
  • Multiple Transactions
  • Consumer Purchases
  • Transaction Receipt

Please contact our support team at https://support.malwarebytes.com/community/consumer/pages/contact-us to get help.

If you need help looking up your license details, please head here: https://support.malwarebytes.com/docs/DOC-1264

Thanks in advance for your patience.

-The Malwarebytes Forum Team


Okay, so both files are the same .rtf file (the .zip contains an exact copy of the standalone .rtf file attachment). It opens Internet Explorer and leads the user to SendSpace.com, to download a file called File.rtf. THIS is the malicious file, which leverages CVE-2017-11882 to remotely download and execute a file on the system.

Did the user download and execute the File.rtf file, or did it only open the .rtf attached in the email?

Edit:

VT of Fire.rtf: https://www.virustotal.com/#/file/67671c9f9931e3a6e086e1989d9e737dbe605f5a6cca5129f471160297e94248/detection
Hybrid-Analysis (analysis in progress): https://www.hybrid-analysis.com/sample/67671c9f9931e3a6e086e1989d9e737dbe605f5a6cca5129f471160297e94248?environmentId=100
Hybrid-Analysis of the swift RTF attachment (look at the screenshots): https://www.hybrid-analysis.com/sample/5f0a1f4d1e94b60bc5ead013bbfccda1e7232365a68208e93fd683f3cb07d041?environmentId=100

Edited by Aura
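As an added example (not code from the thread, from Aura, or from Malwarebytes), here is a small Python triage script that pulls out of an RTF attachment the indicators Aura describes, before the file is handed to a sandbox: embedded hyperlink URLs, OLE object classes, and whether an Equation Editor object (the component targeted by CVE-2017-11882) is present. Both RTF samples and the sendspace.example URL are constructed for the demonstration.

```python
import re

# Constructed sample (not the thread's real attachment): an RTF carrying a
# hyperlink field that points at an external download, plus an embedded OLE
# object whose class is the Equation Editor, the CVE-2017-11882 target.
SAMPLE_RTF = r"""{\rtf1\ansi\deff0
{\field{\*\fldinst {HYPERLINK "http://sendspace.example/file/File.rtf"}}
{\fldrslt {Open remittance}}}
{\object\objemb\objw100\objh100{\*\objclass Equation.3}
{\*\objdata 01050000020000000b000000}}
\par }"""

# Constructed benign sample for comparison.
BENIGN_RTF = r"{\rtf1\ansi\deff0 Payment received, thank you.\par }"

URL_RE = re.compile(r'https?://[^\s"{}\\]+', re.IGNORECASE)
OBJCLASS_RE = re.compile(r'\\\*\\objclass\s+([A-Za-z0-9._]+)')
OBJDATA_RE = re.compile(r'\\\*\\objdata')


def triage_rtf(text):
    """Return the indicators a responder wants from an RTF before sandboxing:
    whether it is RTF at all, embedded URLs, OLE object classes, whether raw
    object data is present, and a coarse risk label derived from those."""
    if not text.lstrip().startswith(r"{\rtf"):
        return {"is_rtf": False, "urls": [], "ole_classes": [],
                "has_objdata": False, "equation_object": False, "risk": "not-rtf"}
    urls = sorted(set(URL_RE.findall(text)))
    classes = OBJCLASS_RE.findall(text)
    has_objdata = OBJDATA_RE.search(text) is not None
    # Equation.* object classes are the Equation Editor, i.e. the CVE-2017-11882 target.
    equation = any(c.lower().startswith("equation") for c in classes)
    if equation or (has_objdata and urls):
        risk = "high"
    elif has_objdata or urls:
        risk = "review"
    else:
        risk = "low"
    return {"is_rtf": True, "urls": urls, "ole_classes": classes,
            "has_objdata": has_objdata, "equation_object": equation, "risk": risk}


if __name__ == "__main__":
    for name, sample in (("suspicious", SAMPLE_RTF), ("benign", BENIGN_RTF)):
        print(name, triage_rtf(sample))
```

A "high" result is a reason to block the sender and pull the message from other mailboxes while the file is sandboxed, not a verdict on its own; the real attachment should still go through a sandbox such as the ones linked above.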

She opened the attachment and all that opened was a document and not a website. I have double checked her laptop, in case she remembered incorrectly, and I can't find anything that was downloaded today.

Does this mean we dodged one? It freaked us out when we saw it, but no scans seemed to catch it.


If she just opened the swift RTF, then yes, you dodged the main payload, which was the Fire.rtf file that needed to be downloaded and executed from the Sendspace.com website. This is what I get when I open the swift .rtf file inside a VM with Word Viewer 2003 installed. If the CSS was loaded, it would display a SendSpace download page.

[Two screenshots: the swift .rtf opened in Word Viewer 2003 inside a VM]


Thanks Aura, this is good to hear. Also, I love that Hybrid Analysis site's breakdown of what is in the virus; it is incredibly detailed and I will spend quite a bit of time having a good read through it.

Once again, thanks for all your swift responses and help. When I uploaded the attachment initially to VirusTotal.com it came up as if we were the first to come across this particular piece of malware, and naturally we in the IT department got very concerned. We had isolated the machine and immediately ran scans and updated user login details, on another machine, as we were not sure what we were dealing with. In future I will be certain to get on here first, as the response was very timely and thorough. Cheers!!
