Ziceman, posted September 5, 2020:

We have a situation where the quarantine and detection logs of a Win10 workstation are showing hundreds of detected, infected emails as follows:

VBA/TrojanDownloader.Agent.BNH
JS/Danger.ScriptAttachment
VBA/TrojanDownloader.Agent.BKT
VBA/TrojanDownloader.Agent.BRC
VBA/TrojanDownloader.Agent.BRC
VBA/TrojanDownloader.Agent.BMH
VBA/TrojanDownloader.Agent.BMA
VBA/TrojanDownloader.Agent.BMA
JS/Danger.ScriptAttachment
JS/Danger.ScriptAttachment
JS/Danger.ScriptAttachment

Many of the emails are internal or inter-office, and would normally seem to be safe and legitimate. This is not happening on all workstations. Both the workstation and the Exchange mail server show no active threats and status normal. I have run full scans on both. Not sure what to make of this. Please advise. Thank you!
Marcos, Administrators, posted September 5, 2020:

It's very unlikely that all the above detections were false positives. What makes you think they are FPs? You could restore one file from quarantine and have it scanned at VirusTotal to find out how other AVs detect it.
Ziceman (thread author), posted September 5, 2020:

I am not sure they are FPs and agree they could be real. But if they are indeed real, what is going on? How could nearly every single legitimate internal email received be triggering all the variants of VBA/TrojanDownloader.Agent.XXX? Is the Exchange server compromised? Same question for the local workstation. If they are infected, why are ESET full scans not showing anything? If the mail server is the problem, then why wouldn't this be showing on more workstations? I am looking for any kind of insight and suggestions on how to proceed.
Marcos, Administrators, posted September 5, 2020:

How do you know it's internal? Did you check the IP addresses in headers?
Ziceman (thread author), posted September 5, 2020:

I have not done that yet, but based on the times, dates, senders, and subject lines, it appears to be entirely normal and legitimate messages. I have never seen spam, malicious or phishing campaigns work in such a way as to simulate a full complement of everyday internal communication by fully replicating actual or real traffic. Is this even possible / likely?
Marcos, Administrators, posted September 5, 2020:

What matters are the IP addresses of mail servers in headers. Malicious emails are typically spoofed and the IP addresses are the only reliable information about the origin.
Ziceman (thread author), posted September 5, 2020:

OK. I will remote into the box, restore some of the messages and check the raw headers to confirm. Yes, I realize they could be spoofed, but this would typically include baited subject lines like "your package was delivered", "funds transfer request", etc., etc. Hard to imagine the perpetrators would take the time to recreate a full complement of mundane internal correspondence.
JamesR, ESET Staff, posted September 5, 2020:

53 minutes ago, Ziceman said:
"I have not done that yet, but based on the times, dates, senders, and subject lines, it appears to be entirely normal and legitimate messages. I have never seen spam, malicious or phishing campaigns work in such a way as to simulate a full complement of everyday internal communication by fully replicating actual or real traffic. Is this even possible / likely?"

Just so you are aware, Emotet uses an email phishing technique where it uses legitimate stolen emails and then spoofs the sender to make it look like a continued email communication. It sounds like these trojan downloaders are appearing via that tactic. Do not exclude them or you risk getting a very dangerous worm like Emotet on your network.

"One of Emotet's most devious methods of self-propagation centers around its use of socially engineered spam emails. Emotet's reuse of stolen email content is extremely effective. Once they have swiped a victim's email, Emotet constructs new attack messages in reply to some of that victim's unread email messages, quoting the bodies of real messages in the threads." - https://blog.talosintelligence.com/2019/09/emotet-is-back-after-summer-break.html

While the above is from 2019, Emotet has recently resurfaced. And there is always the chance some other attacker is imitating their tactics. Definitely focus on examining the email headers to verify the source IP addresses of the emails. It's likely you are simply the target of a phishing attack.
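Both Marcos and JamesR point at the same check: ignore the From line and the subject, and look at which mail server IP handed the message to your own perimeter. The script below is an added example of that check, not ESET's tooling or anything posted in this thread. It walks the Received headers from the top (the lines written by your own servers) down to the first address outside your networks; everything below that point was written by an outside party and may be forged, so it is not trusted. The internal ranges (RFC 1918), the domain example.internal and the three sample messages are all constructed for the example.

```python
"""Find the mail server that handed a message to our perimeter.

Added example for this thread, not ESET's code. INTERNAL_NETS,
INTERNAL_DOMAIN and the sample messages below are assumptions.
"""
import email
import email.utils
import ipaddress
import re

# Assumed: the organisation's own address space and mail domain.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
INTERNAL_DOMAIN = "example.internal"

# Matches the bracketed connecting address in "from host (host [203.0.113.5])".
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def received_ips(raw):
    """Connecting IPs from the Received headers, top (last hop) to bottom (first hop)."""
    msg = email.message_from_string(raw)
    ips = []
    for hdr in msg.get_all("Received", []):
        m = IP_RE.search(hdr)
        if m:
            ips.append(m.group(1))
    return ips


def handoff_ip(raw):
    """First non-internal IP walking down from the top, or None if every hop was ours.

    Each server prepends its own Received line, so the top lines were written by
    our own servers and can be trusted. The first external address is the host
    that delivered the message to our perimeter. Lines below it were added by
    outsiders and may be forged, so they are deliberately ignored.
    """
    for ip in received_ips(raw):
        if not is_internal(ip):
            return ip
    return None


def sender_domain(raw):
    msg = email.message_from_string(raw)
    _, addr = email.utils.parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def assess(raw):
    """'internal' (never left our network), 'external', or 'spoofed-internal'
    (claims an internal From address but arrived from an outside server)."""
    ext = handoff_ip(raw)
    if ext is None:
        return "internal"
    if sender_domain(raw) == INTERNAL_DOMAIN:
        return "spoofed-internal"
    return "external"


# Constructed sample 1: looks like a reply from a colleague, but our MX received
# it from 203.0.113.45; the bottom Received line is a forgery pointing at a PC.
SPOOFED_MSG = """\
Received: from mx.example.internal (mx.example.internal [10.0.0.25])
    by mail.example.internal (Postfix) with ESMTP id 1A2B3C
Received: from mail.example.internal (unknown [203.0.113.45])
    by mx.example.internal (Postfix) with ESMTP id 4D5E6F
Received: from alice-pc (alice-pc [10.0.1.12])
    by mail.example.internal (Postfix) with ESMTP id 7G8H9I
From: "Alice" <alice@example.internal>
To: bob@example.internal
Subject: RE: Q3 budget figures

(attachment omitted)
"""

# Constructed sample 2: a genuine internal message, one hop from a workstation.
LEGIT_MSG = """\
Received: from alice-pc (alice-pc [10.0.1.12])
    by mail.example.internal (Postfix) with ESMTP id 9Z8Y7X
From: Alice <alice@example.internal>
To: bob@example.internal
Subject: Lunch

Noon?
"""

# Constructed sample 3: ordinary external mail from a vendor.
EXTERNAL_MSG = """\
Received: from mx.example.internal (mx.example.internal [10.0.0.25])
    by mail.example.internal (Postfix) with ESMTP id 2B3C4D
Received: from mail.vendor.example (mail.vendor.example [198.51.100.7])
    by mx.example.internal (Postfix) with ESMTP id 5E6F7G
From: sales@vendor.example
To: bob@example.internal
Subject: Invoice 1042

Attached.
"""

if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED_MSG), ("legit", LEGIT_MSG), ("external", EXTERNAL_MSG)):
        print(f"{name}: handoff={handoff_ip(raw)} verdict={assess(raw)}")
```

Run over a few of the quarantined messages restored as raw .eml files, this separates "really came from inside" from "wears an internal From address but entered through the MX from an outside server", which is the pattern JamesR describes. The one assumption that matters is the top-down walk: it is only sound if the topmost Received lines were written by servers you control, so adjust INTERNAL_NETS to your real address space before trusting a verdict.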