JAFF Ransomware via PDF attachment with Doc

We continuously receive phishing emails coming from a variety of sources, often containing attachments with malicious payloads. In this case the attachment was a bit more interesting because it embedded a .docm file inside a .pdf file.

The email that arrived to our servers had “Order” as subject, and no visible content, only a p(paragraph) HTML entity with an empty symbol, but fun was on the attachment.

Attack stages

The attachment was a proper PDF file that contained a .docm file embedded. Once you opened the pdf file de docm would unpack and execute its macros leading to the download of a file that, once repacked by the macro on execution, would be executed in the system.
[Read more…]

What is a TDS (Traffic Director System)?

The idea to write this post came from investigating multiple cases of infections in computers because of the ubiquitous Exploit Kits (EK). A visit to a website that apparently should not carry any risk ended with the user calling the security service because he could not open his files and said that an image appeared on the screen asking him for money to recover his data. And in other cases not even that, because he had become infected with a RAT or a banking Trojan and was not aware of it.

There are simple redirection methods that are implemented directly on the web server. They are options that allow to manage the visits to this website and adapt its behavior to the preferences or characteristics of the visitors.

[Read more…]