
tons of emails showing infected, no active threats


Ziceman


We have a situation where the quarantine and detection logs of a Win10 workstation are showing hundreds of detected, infected emails as follows:

VBA/TrojanDownloader.Agent.BNH
JS/Danger.ScriptAttachment
VBA/TrojanDownloader.Agent.BKT
VBA/TrojanDownloader.Agent.BRC
VBA/TrojanDownloader.Agent.BRC
VBA/TrojanDownloader.Agent.BMH
VBA/TrojanDownloader.Agent.BMA
VBA/TrojanDownloader.Agent.BMA
JS/Danger.ScriptAttachment
JS/Danger.ScriptAttachment
JS/Danger.ScriptAttachment

Many of the emails are internal or inter-office, and would normally seem to be safe and legitimate. This is not happening on all workstations. 

Both the workstation and the Exchange mail server show no active threats and status normal. I have run full scans on both. 

Not sure what to make of this? Please advise. 

Thank you!


  • Administrators

It's very unlikely that all the above detections were false positives. What makes you think they are FPs? You could restore one file from quarantine and have it scanned at VirusTotal to find out how other AVs detect it.


I am not sure they are FPs and agree they could be real. 

But if they are indeed real, what is going on? How could nearly every single legitimate internal email received be triggering all the variants of VBA/TrojanDownloader.Agent.XXX? Is the Exchange server compromised? Same question for the local workstation? If they are infected, why do ESET full scans not show anything? If the mail server is the problem, then why wouldn't this be showing on more workstations?

I am looking for any kind of insight and suggestions on how to proceed.


I have not done that yet, but based on the times, dates, senders, and subject lines, it appears to be entirely normal and legitimate messages. I have never seen spam, malicious or phishing campaigns work in such a way as to simulate the full complement of everyday internal communication by fully replicating actual or real traffic. Is this even possible / likely?


  • Administrators

What matters are the IP addresses of mail servers in headers. Malicious emails are typically spoofed and the IP addresses are the only reliable information about the origin.


OK. I will remote into the box, restore some of the messages and check the raw headers to confirm. 

Yes, I realize they could be spoofed, but this would typically include baited subject lines like "your package was delivered", "funds transfer request", etc. Hard to imagine the perpetrators would take the time to recreate a full complement of mundane internal correspondence.  


  • ESET Staff
53 minutes ago, Ziceman said:

I have not done that yet, but based on the times, dates, senders, and subject lines, it appears to be entirely normal and legitimate messages. I have never seen spam, malicious or phishing campaigns work in such a way as to simulate the full complement of everyday internal communication by fully replicating actual or real traffic. Is this even possible / likely?

Just so you are aware, Emotet uses an email phishing technique where it uses legitimate stolen emails and then spoofs the sender to make it look like a continued email communication.  It sounds like these trojan downloaders are appearing via that tactic.  Do not exclude them or you risk getting a very dangerous worm like Emotet on your network.  

"One of Emotet's most devious methods of self-propagation centers around its use of socially engineered spam emails. Emotet's reuse of stolen email content is extremely effective. Once they have swiped a victim's email, Emotet constructs new attack messages in reply to some of that victim's unread email messages, quoting the bodies of real messages in the threads."

     - https://blog.talosintelligence.com/2019/09/emotet-is-back-after-summer-break.html

While the above is from 2019, Emotet has recently resurfaced.  And there is always the chance some other attacker is imitating their tactics.

Definitely focus on examining the email headers to verify the source IP addresses of the emails. It's likely you are simply the target of a phishing attack.

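As an added illustration of the header check recommended above (example code, not from ESET or any poster in this thread): it reads the Received header written by the organisation's own boundary MX, takes the connecting IP from it, and flags a message whose From domain is internal while its origin address is not. The mail domain, the internal address ranges, the MX host name and the sample message are all assumptions constructed for the example.

```python
import email
import ipaddress
import re
from email import policy
from email.utils import parseaddr

# Constructed sample (not from the thread): From claims an internal sender, but the
# connection our own MX accepted came from an external address.
SAMPLE = b"""Received: from mx1.example.internal (10.0.0.25) by exch1.example.internal
 with Microsoft SMTP Server; Mon, 1 Mar 2021 09:12:03 +0000
Received: from unknown (HELO example.internal) (203.0.113.77)
 by mx1.example.internal with SMTP; Mon, 1 Mar 2021 09:12:01 +0000
From: "Alice" <alice@example.internal>
To: bob@example.internal
Subject: RE: weekly report

see attached
"""

# Assumed for this example: the mail domain, internal address space and the name of
# the boundary MX whose Received header can be trusted.
INTERNAL_DOMAIN = "example.internal"
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
TRUSTED_MX = "mx1.example.internal"
IP_RE = re.compile(r"\[?(\d{1,3}(?:\.\d{1,3}){3})\]?")

def origin_ip(raw, trusted_mx=TRUSTED_MX):
    """Connecting IP recorded by our own MX, or None. Received headers are prepended,
    so walk bottom-up; lines below the trusted MX's may be forged by the sender."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    for hdr in reversed(msg.get_all("Received", [])):
        text = " ".join(str(hdr).split())  # unfold the header
        if re.search(rf"\bby {re.escape(trusted_mx)}\b", text):
            m = IP_RE.search(text.split(" by ", 1)[0])  # IP from the 'from' clause
            return m.group(1) if m else None
    return None

def is_internal_ip(ip):
    return any(ipaddress.ip_address(ip) in net for net in INTERNAL_NETS)

def check_spoofed_internal(raw):
    """Flag a message whose From domain is internal but whose origin IP is not."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    sender = parseaddr(str(msg["From"]))[1]
    ip = origin_ip(raw)
    spoofed = sender.lower().endswith("@" + INTERNAL_DOMAIN) and ip is not None and not is_internal_ip(ip)
    return {"sender": sender, "origin_ip": ip, "spoofed_internal": spoofed}
```

Run it over messages restored from quarantine and compare the reported origin IPs with the addresses of your own Exchange and MX hosts; a "continued conversation" that arrived from outside is the tactic described in the post above.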
