Posted by Martijn Grooten on Feb 11, 2019
This year, Virus Bulletin's VBSpam test lab turns ten years old. Just as malicious and unwanted emails have evolved over the years, so has the lab. We continue to publish quarterly reports on the performance of email security products, but we also provide weekly feedback to the test participants. Some of these have opted not to be included in the public reports, but still use the feedback to improve their products and to understand how their performance compares with that of competitor products.
This set-up also gives us a unique insight into the kinds of emails that are more likely to bypass email filters. On our blog, we regularly report on the malware and phishing emails for which this is the case.
During the past week there were two phishing emails (in our definition phishing emails include those with a malicious link) that bypassed most of the email security products in our lab: one that masqueraded as a message (in English) from a Bulgarian bank, and another that masqueraded as a message from Microsoft Office 365. Banks have, for obvious reasons, long been a target of phishing campaigns, while email account credentials are valuable both for the content of the mailbox and for the ability to send emails from them.
The bank email linked to a site hosted on Firebase, a Google-owned app development platform, while the Microsoft email linked to a URL on a compromised website. The use of legitimate services or compromised domains for links helps the emails bypass domain-based blocklists, which is a first step towards bypassing email filters.
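To make the blocklist point concrete, the following is an added example (not code from Virus Bulletin or from any product in the lab): it parses a constructed sample message modelled on the two campaigns, extracts the links, and shows what a domain-only blocklist decides about each one versus a URL-level triage. The blocklist, the list of shared hosting platforms, the sender's first-party domain and the brand tokens are all assumptions for illustration, and the eTLD+1 helper is a deliberately simplified stand-in for a Public Suffix List lookup.

```python
"""Why a domain-based blocklist misses links on legitimate platforms or compromised
sites, and what a URL-level check adds.  Added example; the sample message and all
lists below are constructed for illustration, not taken from the VBSpam feed."""
import re
from email import policy
from email.parser import BytesParser
from urllib.parse import urlparse

# Constructed sample message modelled on the two phishing campaigns described above.
SAMPLE_EMAIL = b"""From: Security <alerts@bank.example>
To: victim@company.example
Subject: Action required
MIME-Version: 1.0
Content-Type: text/html; charset=utf-8

<html><body>
<p><a href="https://secure-login-4471.firebaseapp.com/verify.html">Confirm your account</a></p>
<p><a href="https://www.some-shop.example/wp-content/uploads/office365/index.php">Review your Office 365 quota</a></p>
<p><a href="https://www.bank.example/help">Help centre</a></p>
</body></html>
"""

# Assumed feed of known-bad registrable domains (the only thing a domain blocklist sees).
DOMAIN_BLOCKLIST = {"evil-bank-login.example"}
# Assumed list of platforms where anyone can publish under a sub-domain.  Blocking the
# registrable domain would block the whole platform, so reputation must be tracked
# per host or per URL instead.
SHARED_PLATFORMS = {"firebaseapp.com", "web.app", "github.io"}
# Assumed first-party domains of the purported sender; links there are not suspicious.
SENDER_DOMAINS = {"bank.example"}
# Assumed brand tokens; a brand name in a URL on an unrelated site is a phishing signal.
BRAND_TOKENS = ("office365", "microsoft", "onedrive", "sharepoint")

URL_RE = re.compile(r'https?://[^\s"\'<>]+')


def registrable_domain(host):
    """Simplified eTLD+1: the last two labels.  A real filter uses the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def extract_urls(raw):
    """Return every http(s) URL found in the preferred (HTML, else plain) body part."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    body = msg.get_body(preferencelist=("html", "plain"))
    return URL_RE.findall(body.get_content()) if body else []


def domain_blocklist_verdict(url):
    """What a pure domain-based blocklist decides: only the registrable domain counts."""
    host = urlparse(url).hostname or ""
    return "block" if registrable_domain(host) in DOMAIN_BLOCKLIST else "allow"


def url_level_verdict(url):
    """URL-level triage: looks at the full host and path, not just the registrable domain."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    rdom = registrable_domain(host)
    if rdom in DOMAIN_BLOCKLIST:
        return "block"
    if rdom in SENDER_DOMAINS:
        return "allow"
    if rdom in SHARED_PLATFORMS and host != rdom:
        return "inspect"  # attacker-controlled sub-domain on a legitimate platform
    if any(tok in host or tok in parsed.path.lower() for tok in BRAND_TOKENS):
        return "inspect"  # brand name on an unrelated, possibly compromised, site
    return "allow"


def triage(raw):
    """Map each link in the message to (domain-blocklist verdict, URL-level verdict)."""
    return {url: (domain_blocklist_verdict(url), url_level_verdict(url)) for url in extract_urls(raw)}


if __name__ == "__main__":
    for url, (dom, full) in triage(SAMPLE_EMAIL).items():
        print(f"{dom:5s} / {full:7s}  {url}")
```

Run stand-alone, the script shows the domain blocklist allowing all three links, while the URL-level pass sends the Firebase sub-domain and the brand-named path on the unrelated site for further inspection and leaves the sender's own help page alone. The "inspect" verdict is where a real filter would fetch and analyse the page, check the host against a per-host reputation feed, or sandbox the link; the example stops at triage.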
A better way to achieve high delivery rates, though, is to send the emails in small, very targeted batches. This explains why delivery rates for both phishing and malware tend to be many times higher than those of ordinary spam, which is still sent in very large numbers with only a tiny fraction of the messages making it to inboxes.
Given the lower delivery rate of larger campaigns, we were somewhat surprised this week to see two fairly large malware campaigns with quite high delivery rates.
Emails in German claiming to contain a bill from Deutsche Telekom (a large telecommunications provider) were spreading Emotet, a malware family that is commonly spread via spam campaigns. Emotet is known to have been used as a stepping stone in some pretty damaging malware campaigns, including recent Ryuk infections. Emotet infections can thus be rather costly.
A second large and quite poorly blocked malware campaign was based on an email sent in Italian which claimed to contain an invoice. The attachment was a RAR archive which included a single .vbs file, an instance of the Bushaloader downloader. Though we did not analyse the malware in this case, there was a similar campaign in November that served the Danabot banking trojan.
If you would like your product to be tested in our lab, to receive weekly updates on its performance and, optionally, be included in our quarterly public reports, or if you have a question about our research, don't hesitate to contact us at firstname.lastname@example.org.
Emotet (.doc attachments; SHA256)
Bushaloader (.rar attachments; SHA256)