It's always convenient when malware is clear about its nature (7z edition)

September 25, 2019

A certain amount of malware these days likes 7z files, or at least things that claim to be 7z files with their file extension. We've been getting a run of malware that claims its file extension is .pdf.7z and that Sophos PureMessage detects as 'CXmail/MalPE-AS', which I suspect means that there's actually a Windows executable in there. We've also got others that are being reported by our attachment logger as simply .7z files (and also, apparently, as MalPE-AS).

All of this caused me to take a look at our logs, where I found some attachments with the listed extension of .exe.7z (which were also detected as MalPE-AS). This is actually quite convenient for us, because we already reject email with .exe attachments. If you're going to helpfully label your attachment as a .exe in some way, well, we'll extend our rejection to cover it too, which we now do.

(We've also decided to reject .pdf.7z attachments. As far as we can tell we don't get any real ones. We're not sure we get any real .7z attachments in general, but rejecting those is currently a little bit more chancy. For various reasons, we will probably be augmenting our attachment logger to try to peer into 7z archives, as it currently does for ZIP and RAR archives.)
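As an added example (not the post's own attachment logger, nor anything from the site it runs on), here is a small Python check that implements the policy described above: reject any attachment whose name carries .exe anywhere in its extension chain, reject the .pdf.7z chain, verify that something labelled .7z or .zip actually starts with that format's signature, and list member extensions for ZIP files the way the post's logger does. The filenames and file bytes are constructed for the demonstration; the 7z signature is the one from the 7z format specification. Member listing for 7z archives is deliberately not attempted, because the 7z header is itself compressed and reading it needs a third-party library (py7zr is one), which the example avoids so that it runs with the standard library only.

```python
import io
import zipfile

# Format signatures. The 7z one is from the 7z specification; PK\x03\x04 is a
# local file header in ZIP.
SEVENZ_MAGIC = b"7z\xbc\xaf\x27\x1c"
ZIP_MAGIC = b"PK\x03\x04"

# Policy knobs, mirroring the post: .exe anywhere in the extension chain is
# rejected, as is the specific .pdf.7z double extension.
REJECT_EXTENSIONS = {".exe"}
REJECT_CHAINS = {(".pdf", ".7z")}


def extension_chain(filename):
    """Lower-cased trailing extensions of a name: 'a.pdf.7z' -> ['.pdf', '.7z']."""
    parts = filename.split(".")
    return ["." + p.lower() for p in parts[1:]]


def declared_type_matches(filename, data):
    """Does a file claiming to be .7z or .zip start with that format's signature?"""
    chain = extension_chain(filename)
    if not chain:
        return True
    if chain[-1] == ".7z":
        return data.startswith(SEVENZ_MAGIC)
    if chain[-1] == ".zip":
        return data.startswith(ZIP_MAGIC)
    return True  # no opinion about other declared types


def zip_member_extensions(data):
    """Extensions of the members inside a ZIP, 'none' for members without one."""
    exts = set()
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            chain = extension_chain(name.rsplit("/", 1)[-1])
            exts.add(chain[-1] if chain else "none")
    return sorted(exts)


def classify_attachment(filename, data):
    """Return (verdict, reason); verdict is 'reject', 'accept' or 'log'."""
    chain = extension_chain(filename)
    if any(ext in REJECT_EXTENSIONS for ext in chain):
        return ("reject", "executable extension in name: " + "".join(chain))
    if tuple(chain[-2:]) in REJECT_CHAINS:
        return ("reject", "rejected double extension: " + "".join(chain[-2:]))
    if not declared_type_matches(filename, data):
        return ("reject", "content does not match declared archive type")
    if chain and chain[-1] == ".zip":
        try:
            inner = zip_member_extensions(data)
        except zipfile.BadZipFile:
            return ("reject", "unreadable zip archive")
        if any(ext in REJECT_EXTENSIONS for ext in inner):
            return ("reject", "zip contains executable member")
        return ("accept", "zip members: " + " ".join(inner))
    if chain and chain[-1] == ".7z":
        # Signature checked out, but we cannot see inside without a 7z library.
        return ("log", "7z archive; members not inspected")
    return ("accept", "no rule matched")


def build_sample_zip(member_name):
    """Constructed test input: an in-memory ZIP with one dummy member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, b"MZ" + b"\0" * 30)  # not a real PE, just bytes
    return buf.getvalue()


if __name__ == "__main__":
    samples = [
        ("setup.exe.7z", SEVENZ_MAGIC + b"\0" * 8),
        ("invoice.pdf.7z", SEVENZ_MAGIC + b"\0" * 8),
        ("notes.7z", b"this is not a 7z archive"),
        ("notes.7z", SEVENZ_MAGIC + b"\0" * 8),
        ("docs.zip", build_sample_zip("invoice.exe")),
        ("docs.zip", build_sample_zip("readme.txt")),
    ]
    for name, blob in samples:
        print(name, "->", classify_attachment(name, blob))
```

The extension check runs before the content check on purpose: a name like setup.exe.7z is rejected regardless of what the bytes are, which is exactly the "you labelled it, we'll believe you" reasoning in the post. The content check then catches the opposite case, a file labelled .7z that does not carry the 7z signature at all.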

As a side note, the reason I said that the .7z attachments were 'apparently' detected as MalPE-AS is that all of the email messages with them actually had two attachments:

application/octet-stream; MIME file ext: .7z
application/msword; MIME file ext: .doc; zip exts: .bin .emf .rels .xml[9] none

PureMessage only gives us a report for the entire message, and it reported that these emails have both CXmail/DocDrp-C and CXmail/MalPE-AS. I suspect that DocDrp is the .doc and MalPE is the .7z, but I don't know for sure.

(This would be another example of malware covering its bases.)

Last modified: Wed Sep 25 16:26:44 2019