Some malware apparently believes in covering its bases
Today our system for logging email attachment type information caught something interesting. Here's the important log messages:
<MSGID> attachment application/rtf; MIME file ext: .rtf <MSGID> attachment application/zip; MIME file ext: .zip; zip exts: .pdf .rtf .xlsx rejected <MSGID> from firstname.lastname@example.org to <redacted>: identified virus: CXmail/Rtf-E, Exp/20180802-B
Exp/20180802-B is apparently an OLE2 based exploit using CVE-2017-11882, which appears to often be RTF-based (cf). This opens up the interesting and amusing possibility that both attachments are RTF based attacks (with the .pdf and .xlsx included in the .zip as either cover or supporting elements), and perhaps that they're the same RTF file. At the very least, this malware seems to believe in covering its bases; maybe you'll open a direct RTF attachment, or maybe you'll unzip the ZIP archive and use something in that.
We actually got several copies of this to various different local addresses, all apparently coming directly from this IP address (ie with no additional Received: headers) and all with the same 'Subject: Payment Advice'. The IP address in question isn't currently in the CBL or in Spamhaus ZEN, although it is in b.barracudacentral.org.
In a further interesting development, looking at our logs in more detail showed that there's actually a second run from the same IP an hour or so earlier, with a HELO of '163.com', a MAIL FROM of 'email@example.com', and a Subject of 'Purchase Inquiry RG LLC'. This run was detected as the same two types of malware, but it has a different mix of attachment types:
attachment application/pdf; MIME file ext: .pdf attachment application/octet-stream; MIME file ext: .xlsx; zip exts: .bin .png .rels .vml .xml none
This may mean that the first attachment is basically a cover letter and it's the second attachment where all the malware lurks.
Sidebar: More spammers covering their bases
In the past nine days or so, we've also seen:
attachment application/msword; MIME file ext: .doc; zip exts: .rels .xml none attachment application/vnd.ms-excel; MIME file ext: .xls; zip exts: .rels .xml none rejected [...] identified virus: CXmail/OleDl-AD, CXmail/OleDl-AQ
(with the Subject of 'Re: August PO #20180911000'.)
The idea of putting together two different OLE-based attacks in two different documents amuses me. It's kind of brute force, and also optimistic (since you're hoping that neither is recognized and thus blocks your email).
attachment application/msword; MIME file ext: .doc attachment application/pdf; MIME file ext: .pdf rejected [...] identified virus: CXmail/RTF-F, Troj/20170199-P
And then there's what is probably a case of 'let's throw two phish attempts into one email':
attachment text/html; MIME file ext: .html attachment text/html; MIME file ext: .html rejected [...] identified virus: Troj/Phish-CZV, Troj/Phish-DAG
As I discovered once we started logging attachment types, our commercial anti-spam system identifying something as having phish 'malware' probably means it's in the attachments. This one had a Subject of 'Details Attached'. I bet they were.
Some Firefox addons I'm experimenting with (as of Firefox 62 or so)
One of the interesting things that's happened as a consequence of my switch to Firefox Quantum (ie 57+) is that I've become much more willing to experiment with addons. My pre-Quantum Firefox setup seemed prone to memory leaks due to addons, which made me fairly nervous about adding more; resigned to leaks or not, I didn't really enjoy the experience. My Firefox Quantum setup seems to be clearly better on all aspects of this (both initial memory usage and growth over time), and this has made me more willing to try addons.
Technically I'm getting most of my exposure to these addons through the latest Firefox master tree ('mozilla-central'), which I compile from source every week or so. But I don't think they do anything different in Firefox 61 or 62, and I have set up some of them there.
(Medium really is a plague and there is going to be a lot of carnage whenever it winds up shutting down, which I expect it to do within five or ten years at most. A lot of writing is going to disappear from the Internet and that bums me out.)
Certainly Something was pointed out to me on Twitter by @AleXgTorres. It's a quite thorough HTTPS connection information and certificate viewer. I don't use it very often but I care enough about TLS certificate stuff to keep it around in case (I have a history of having some such addon lying around), and it's not particularly obtrusive when I'm not using it. I could pick nits with the interface, but it's not that important in something that I only look at infrequently and CS's presentation of the certificate is traditional.
Finally I've recently added Link Cleaner (via the Mozilla blog entry) because I have to admit that I'm more than a bit tired of all of those utm_ fragments and other things. I sort of wish that it worked like my Google URL fixer addon and fixed the links in place, so that copying a link into some other program also gave me the de-utm'd version, but that's a minor thing. If I cared enough, well, LC's code is GPL3 and I could easily drop it into a version of my addon.
(The LC addon page is clear about how it works and there are probably benefits to cleaning the URL when it's actually used. Ultimately I don't care enough to go out of my way to deal with this; I barely care enough to use the addon when Mozilla basically shoved it under my nose.)
I've considered using 'Stylish' again (these days I'd use Stylus, since the actual 'Stylish' browser extension went bad), but I just don't seem to have much of a desire for re-styling websites these days. Most of what I want to do today is make annoying bits of websites go away entirely, and that's part of what I use uBlock Origin for. Possibly I could use some clever style override to deal with the header and footer plague, but my current answer is often to close the window instead.