Current wave of phishing attack: Valyria downloader reloads spyware

Current wave of phishing attack: Valyria downloader reloads spyware

Since the end of last year we notice a wave of phishing mails containing the downloader Valyria. Valyria is an office document with a VBA macro which is reloads several kinds of spyware.


Initially, phishing attacks animate the victim to activate the macro function of Microsoft Office. For this, the invaders use the methods represented in the following screenshots.



As soon as the macro is excecuted, it reloads a visual basic, delphi or c# spyware, which then begins to collect information within the system, sending it to their command-and-control-server.


While the Valyria downloader is relatively easy to identify, the precise identification of reloaded malware proofs to be significantly harder. That is because the tools the cyber criminals have used are highly configurable. Signatures detected various versions of Spyware Agent Tesla, LokiBot and Kryptik, as well as Androm Backdoors. The behavioural analysis of the reloaded malware shows that they all have one thing in common: they diligently collect information such as passwords, browser data, credentials and connectivity data of FTP and email clients, instant messengers, general keyboard activities as well as screenshots in their victim’s systems.


The behavioural analysis of the ATP sandbox reliably recognizes Valyria and the behaviour of reloaded spyware since the beginning of the campaign.  Due to the amount of emails of that kind, we developed additional filter rules in order to protect our costumers from all different variants of this malware.


Here is an excerpt from the ATP report from one of the spyware samples:


Security breach in Microsoft Office – Hornetsecurity filters harmful documents

Security breach in Microsoft Office – Hornetsecurity filters harmful documents

A short while ago, security experts discovered the security breach CVE-2017-11882 in the Microsoft Office suite. Microsoft reacted quickly and closed the breach with a security update. Due to the publication of the exploit, however, attackers are now aware of the breach and target systems that haven’t been patched yet.


All Office versions besides Office 365 are affected by the security breach. The exploit is located in the Equation editor of Microsoft, which is a former version of the formula editor. It uses a buffer overflow which allows the attacker to execute his hazardous code on the user’s system. Through this, it is possible to download malware from the Internet and to install them.


Breach existed for 17 years


The Equation editor was compiled in 2000 and since then never reconditioned. Due to this, it is not fulfilling current security standards and allows a buffer overflow to happen which leads to the exploit. Even though the causing formula editor was replaced in Office 2007, it is still part of the package in order to ensure backward compatibility with older document versions, where the 17-year-old piece of software is needed to display and edit mathematical formula.


The only interaction necessary for the exploit to be executed is for a user to open the infected document. After that, the hazardous code will be executed automatically. Only the protected view, the so-called sandbox of the Office programs, is prohibiting its execution.


Hornetsecurity detects exploit in documents


Since the security breach was published, attackers are increasingly trying to distribute infected Office documents using the exploit. However, Hornetsecurity adapted its filters so it can detect infected documents before they appear in the mailbox. Nevertheless, we advise you to perform the security update as soon as possible.


Attack of the encryption trojan Bad Rabbit

Attack of the encryption trojan Bad Rabbit

Some time has passed since the last huge wave of ransomware attacks has been detected. Now, a new type has appeared and it is causing considerable damage. Especially in Eastern Europe and Russia the trojan was successful and infected several companies. But Germany has seen those attacks, too.

The malware Bad Rabbit, named after a specific site in the darknet, where the victims are supposed to pay the ransom. It encrypts local data and demands 0,05 Bitcoins to provide the decryption key. Considering the recent change rates this amounts to 293 USD or 255 Euro.

Down the Rabbit-Hole

The crypto-trojan spreads mainly through compromised news sites. By using so called watering hole attacks, the cyber criminals can target certain user groups and companies. If a user visits an infected website, an automated drive-by-download is initiated and a forged Adobe Flash update is downloaded. As soon as this file is executed, Bad Rabbit enters the system and all data are encrypted after a forced reboot of the computer.



Bad Rabbit Trojaner

Payment page in the TOR network


Click on the image to enlarge



Like WannaCry and Petya before, Bad Rabbit can spread within a network. However, instead of using the EternalBlue exploit in the Version 1.0 of the SMB protocol, the malware infects other computers through the Windows Management Instrumentation (WMI). To prevent a local distribution of Bad Rabbit, it is advisable to deactivate WMI if it is not in use.

Hornetsecurity recognizes the malware and protects with URL rewriting

The URL rewriting feature of Hornetsecurity Advanced Threat Protection recognizes Bad Rabbit on compromised websites and blocks it. Using Hornetsecurity ATP, you can continue clicking on news links in your emails without fearing to catch the malware.


Our recommendations

Nevertheless, we recommend you to create backups on a regular basis and to not download unknown files or even execute them. Especially Adobe Flash updates should only be downloaded from the software producer itself. In case of an infection, do not pay the ransom, because it is unclear whether you will receive the keys necessary to recover your files.

Administrate email signatures via Active Directory

Administrate email signatures via Active Directory

Keep individual data automatically up-to-date with Advanced Email Signature and Disclaimer from Hornetsecurity


Hannover, Germany, August 2, 2017 – Signature, boilerplate, disclaimer – the end of a text in emails has different names. But no matter what you call these text-snippets: they consist of static components like general company data and dynamic components, such as the contact details of the sender. Advanced Email Signature and Disclaimer from Hornetsecurity now offers a simple and centralized administration of both static and dynamic content across the whole company. For this, the solution directly accesses data from a company’s Active Directory in order to use the most up-to-date personal data at all times. This greatly facilitates the work of IT administrators while also ensuring a consistent appearance in the email signature for enterprises.


Advanced Email Signature and Disclaimer

The web interface allows fast, uncomplicated creation of signatures and disclaimers (click to enlarge).

Corporations generally have to provide mandatory information within their business letters – this also applies to emails. In order to ensure this, it is recommended to automatically attach them to every sent message. With Advanced Email Signature and Disclaimer, IT administrators of a company can easily create text modules via a web-based interface and adapt them quickly at any time. The product directly accesses the data of the Active Directory so it can automatically integrate individual contact information into the text data. This is done by inserting AD attributes into the signature templates and through a synchronization via LDAP. Advanced Email Signature and Disclaimer subsequently attaches the text automatically to any email that you send.


This eliminates the need for administrators to manually maintain individual signatures. Changes to extension numbers, job positions, or email addresses in the Active Directory immediately are automatically implemented in the email boilerplate. Apart from individual signatures, it is also possible to create group-based signatures in order to insert, for example, general department information.


At the same time, the solution offers companies an elegant opportunity to achieve a uniform corporate design in the ​​signature and disclaimer area. Advanced Email Signature and Disclaimer is also used for marketing and sales purposes: announcements for new products or updates, an upcoming road show or a notice about the company newsletter can be easily attached to emails. HTML-based formats, images or banners can also be used.


“Advanced Email Signature and Disclaimer is another valuable addition to our email security services,” said Oliver Dehning, CEO of Hornetsecurity. “IT administrators will need significantly less effort to maintain obligatory and mandatory email attachments, which allows them to focus more on their core tasks.”

WannaCry: No harm for Hornetsecurity customers

WannaCry: No harm for Hornetsecurity customers

Hornetsecurity ATP deflects global ransomware attack from the first malicious email


WannaCry has caused severe damage in more than 150 countries: The woldwide attacks, in which for example the British National Health Service, the car manufacturer Renault and some systems of Germany’s railway company Deutsche Bahn have fallen victim, took advantage of several weaknesses at once. However, Hornetsecurity Advanced Threat Protection was able to detect and prevent the dangerous ransomware attack from the first email onward.


This window appeared on thousands of computer screens last weekend

This window appeared on thousands of computer screens last weekend

WannaCry is a ransom software that is distributed via email. Activated on a local device, the malware starts encrypting the stored data. After that, the user is being asked to pay a certain ransom in order to receive the decryption key, a procedure which security experts advise not to do. WannaCry uses an exploit, that initially has been developed by the NSA and made public by a hacker group called “Shadow Brokers”.


The success of WannaCry comes from the fact that it uses a weakness in Microsoft’s „Server Message Block (SMB) Protocol“. Through this, it spreads quickly and infects other systems, which lead to the high worldwide distribution rate. WannaCry is exploiting the old Windows XP operating system, as this is still in use but Microsoft stopped providing security updates for. With the emergence of WannaCry, the company quickly changed that and distributed a patch.


Hornetsecurity Advanced Threat Protection (ATP) detected the zero-day ransomware from its first appearance by using a dynamic pattern analysis in its sandbox and put the malware into quarantine. Additional analyses revealed that WannaCry installs a DOUBLEPULSAR Backdoor variant which then plants malicious code onto the local device. After that, the program encrypts various files and adds the file ending .wncry to them, for example finance.xlsx into finance.xlsx.wncry. This renders the files useless. At the same time the infected hosts become part of a botnet, which is being commanded by a TOR network.


Hornetsecurity recommends the following procedures to protect yourself from an infection. Companies and private users still using Windows XP should immediately use the patch provided by Microsoft and update their system. Even more effective is the installation of a more recent operating system with active security updates (at least MS17-010). Also, companies should adapt their firewalls so that incoming SMB traffic on port 445 as well as outgoing TOR traffic will be blocked. Additionally, the security specialists from Hornetsecurity recommend to thoroughly check emails containing invoices or other attachments (office, script or executable files) and to scan them using a virus check. With the URL rewriting and URL scanning engines Hornetsecurity ATP offers a service for in-depth URL analysis in emails – for an all-around protection from new dangers.


A year of full of records for Hornetsecurity

A year of full of records for Hornetsecurity

All quarters show record results for new orders – number of employees grows explosively


Hornetsecurity closes out 2016 with another strong balance sheet: After already having achieved a record number of new orders in the fourth quarter of 2015, the IT security specialists reported an even stronger performance in 2016. They once again managed to outdo their results in all four quarters of the year – with the last quarter clearly surpassing the preceding ones. Overall, Hornetsecurity grew by 44% in 2016. The upcoming year also promises unchecked growth.


The successful development also had an impact on the staffing structure: A total of 19 new employees, including seven trainees, were recruited in 2016. Several additional vacancies are being advertised for 2017, meaning that the office newly occupied only two years ago is already reaching full capacity again.


“The past year has shown that cloud computing is an absolute growth market and that this technology is now much more widely accepted,” says Oliver Dehning, managing director of Hornetsecurity. “This is nevertheless only one of the reasons for the record numbers: New customers come to us primarily thanks to the high quality and the simplicity of our products.”


Hornetsecurity Advanced Threat Protection, which was only launched back in September, has already yielded significant contributions. With the new service, Hornetsecurity is responding to the changing risk situation in the field of email security: Whereas the flood of spam was the predominant problem only a few years ago, today aggressive, yet well-disguised viruses such as Locky or Petya are paralyzing entire companies by encrypting critical data within minutes. Hornetsecurity ATP even fights off CEO fraud and blended attacks.


The company’s will have another reason to celebrate in the upcoming year: Hornetsecurity will be celebrating its tenth anniversary.