Re: [LUG] Malware being distributed using list emails

Hi,

I've noticed over the last year or so that - and it may be client specific - Thunderbird has 'Reply: List' and 'Reply', so if you accidentally click the wrong one it could go to the user instead of the list. I've also inadvertently /received/ legitimate mails direct from list subscribers, who use different mail clients, by mistake, so it may also be a configuration change by Mailman?

Kind regards,

Julian

On 15/03/2022 19:25, Simon Waters wrote:
Hi,

We've mentioned it before, but a reminder that this list's emails are being
targeted in the distribution of malware.

I've just received an email which looked like a reply to a DCGLUG email but
direct to my email address rather than to the group's email address, and
lacking the List-ID header (so not filtered correctly for me).

Since the archive doesn't have full email addresses, it is likely a member's
PC is, or was previously, compromised. That is pretty much inevitable on a big
public list.

It has a link to an encrypted ZIP file on Microsoft One Drive, on careful
decryption it contained a Microsoft Excel 2007 file with a malware downloader
in a macro. Possibly an Emotet downloader, so likely after any financial
credentials or cryptocurrency they can get their hands on.

Sent from a "greenmillenia.com" email address, likely compromised.

An encrypted attachment or download, with a trivial/weak password in the email
doesn't provide any meaningful security but does make an excellent method of
bypassing corporate anti-malware defences in email servers. If you see this
type of behaviour in your organisation it is time to teach them how to
transfer files securely.

In context this email was pretty obviously of malicious intent. Last time a
number of members received similar emails.

This particular malware is very unlikely to infect GNU/Linux boxes, even if
people did open the attachment, but some of you still use Windows for email.

Also if any of you see malware from "greenmillenia.com" to non-list addresses
at your organisation, this might nail down whose PC got compromised, but I
suspect it may have happened long ago.

  Simon

--
“The great tragedy of Science — the slaying of a beautiful hypothesis by an ugly 
fact.”

― Thomas Henry Huxley


--
The Mailing List for the Devon & Cornwall LUG
https://mailman.dcglug.org.uk/listinfo/list
FAQ: https://www.dcglug.org.uk/faq/
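The two observations in Simon's message (a list-style reply that arrives without a List-ID header, and an encrypted ZIP whose password is in the mail body) can be turned into a small triage check. The Python below is an added example, not code from the thread or from the DCGLUG list software. It constructs its own sample message: the sender, subject, file names and password are invented, the ZIP is hand-built with only the ZipCrypto flag bit set (the contents are not actually encrypted), and the lure is attached rather than linked from OneDrive as in the real case. The useful property it relies on is that ZipCrypto leaves entry names in clear, so a gateway that cannot scan the archive can still see that it holds a macro-capable Office file.

```python
"""Triage a message for the lure described in the thread.

Checks: (1) Subject looks like a list reply but there is no List-Id header,
so the mail did not come through Mailman; (2) a ZIP attachment whose entries
carry the encryption flag cannot be scanned, yet its entry names are visible,
so a macro-capable Office file inside can be flagged; (3) a password in the
body shows the "encryption" was only there to get past the gateway.
All data below is constructed for this example.
"""
import email
import io
import re
import struct
import zipfile
import zlib
from email import policy
from email.message import EmailMessage

ENCRYPTED_FLAG = 0x0001          # general-purpose bit 0 in ZIP headers
MACRO_EXTS = (".xlsm", ".xlsb", ".xls", ".docm", ".doc", ".pptm", ".ppt")
PASSWORD_RE = re.compile(r"\bpassword\s*(?:is|:)\s*([^\s.,;]+)", re.I)


def build_zip(entries, encrypted=False):
    """Return a minimal STORED ZIP for [(name, bytes), ...]. With encrypted=True
    only the flag bit is set (no real ZipCrypto), which is all the detector reads."""
    flags = ENCRYPTED_FLAG if encrypted else 0
    local, central, offset = b"", b"", 0
    for name, data in entries:
        nm = name.encode("ascii")
        crc = zlib.crc32(data) & 0xFFFFFFFF
        # local header: sig, version, flags, method, time, date, crc, csize, usize, nlen, xlen
        hdr = struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flags, 0, 0, 0,
                          crc, len(data), len(data), len(nm), 0)
        # central header adds version-made-by, comment len, disk, attrs and local offset
        central += struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, flags, 0, 0, 0,
                               crc, len(data), len(data), len(nm), 0, 0, 0, 0, 0, offset) + nm
        local += hdr + nm + data
        offset = len(local)
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, len(entries), len(entries),
                       len(central), len(local), 0)
    return local + central + eocd


def build_sample_message(via_list=False, encrypted=True):
    """Constructed lure: a reply to a list subject carrying an Excel macro
    workbook inside a (flagged) encrypted ZIP. Addresses and names are invented."""
    msg = EmailMessage()
    msg["From"] = "someone@example.com"
    msg["To"] = "member@example.org"
    msg["Subject"] = "Re: [LUG] Malware being distributed using list emails"
    if via_list:
        msg["List-Id"] = "<list.example.org>"   # assumed shape of what Mailman adds
    msg.set_content("Hi, the figures are in the attached sheet. The password is Invoice2022.")
    blob = build_zip([("Invoice_0315.xlsm", b"not a real workbook")], encrypted=encrypted)
    msg.add_attachment(blob, maintype="application", subtype="zip", filename="Invoice_0315.zip")
    return msg.as_bytes()


def triage(raw, list_tag="[LUG]"):
    """Return a list of findings for one raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    subject = (msg["Subject"] or "").lower()
    if subject.startswith("re:") and list_tag.lower() in subject and msg["List-Id"] is None:
        findings.append("list-style reply with no List-Id header: sent direct, not via Mailman")
    body = msg.get_body(preferencelist=("plain",))
    for pw in PASSWORD_RE.findall(body.get_content() if body else ""):
        findings.append(f"password {pw!r} shared in the body: the encryption protects nothing")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if not name.lower().endswith(".zip"):
            continue
        try:
            zf = zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True)))
        except zipfile.BadZipFile:
            findings.append(f"{name}: not a valid ZIP")
            continue
        with zf:
            for info in zf.infolist():   # central directory only, no decryption needed
                if info.flag_bits & ENCRYPTED_FLAG:
                    findings.append(f"{name}: entry {info.filename!r} is encrypted, gateway AV cannot scan it")
                if info.filename.lower().endswith(MACRO_EXTS):
                    findings.append(f"{name}: entry {info.filename!r} is a macro-capable Office file")
    return findings


if __name__ == "__main__":
    for line in triage(build_sample_message()):
        print("!", line)
```

Run as a script it prints the four findings for the constructed lure; a genuine list message (List-Id present, plain ZIP) only trips the macro-file check, which is the one worth a human look.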