EFAIL: A vulnerability in the PGP and S/MIME encryption methods?

EFAIL: A vulnerability in the PGP and S/MIME encryption methods?

UPDATE from May 16, 2018:

In order to proactively protect our corporate customers, who are still encrypting and decrypting their emails via an in-house solution and have not yet booked the Hornetsecurity Encryption Service, from EFAIL, we have also developed a special filter level for attacks according to the EFAIL pattern. The only prerequisite for this is that their email communication runs via the Hornetsecurity servers, which is generally the case with our email security products.


The filter level is already activated by default for all our customers who have booked at least the Hornetsecurity spam filter service and. It protects not only against EFAIL, but also against future attacks with similar patterns.




A known vulnerability is transferred to the PGP and S/MIME protocols and takes email manipulation to a new level. No problem for Hornetsecurity.

On Monday, May 14, 2018, a team of security researchers from the University of Applied Sciences Münster, the Ruhr University Bochum and the University of Leuven (Belgium) published a paper that questions the security of the PGP and S/MIME encryption standards and thus attracts worldwide attention.

However, the vulnerabilities discovered (CVE-2017-17688 and CVE-2017-17689) do not affect the protocols themselves, but use an already known vulnerability to decrypt encrypted emails by the mail client and send them to the attacker.

A prerequisite for the execution of the attacks is that the attacker already possesses emails in encrypted form. To do this, the emails need to be intercepted during transport. The attacker must have previously executed a man-in-the-middle attack (MitM) or compromised a mail server to gain access to the emails passing through him or the server. Only if these requirements are met, the attacker can execute one of the EFAIL attacks described in the paper.

The authors of the paper present two similar attacking methods to decrypt emails with existing PGP or S/MIME encryption.

The first method is quite simple, but limited to certain email clients (Apple Mail, iOS Mail, Mozilla Thunderbird) and any third-party plug-ins installed there:

To do this, the attacker creates an email with three body parts. The first part formats the email as HTML and inserts an image tag with a target website. The quotation marks and the image tag are not closed. This is followed in the second body part by the PGP- or S/MIME-encrypted text. The third part consists of HTML formatting again and closes the image tag from part one.

EFAIL vulnerabilty pgp smime encryption methods

(Source: EFAIL attacks, 14/05/04 )

If the attacker sends this email to the sender of the encrypted message, it is possible that the message is decrypted and transmitted to the stored website. To do this, the email client must be configured so that it automatically downloads external images without asking the user.

The second way to read PGP or S/MIME encrypted emails is a well-known method of how to extract plain text in blocks of encrypted messages.

The attacking scenarios are called CBC attack (S/MIME) and CFB attack (PGP). They determine a known text portion in an encrypted message and overwrites subsequent blocks with their own content. The EFAIL attack inserts an image tag with a target website into the encrypted text, as described in the first part. If the message is then delivered to the actual recipient of the encrypted message, it is possible that the message is decrypted and transmitted to the attacker.

Hornetsecurity News

Stay in touch

Sign up to get the latest News about Cloud Security.

The emails encrypted by Hornetsecurity are protected by design against attacks of this kind, since Hornetsecurity does not even allow the different content types (multipart/mixed) required for the attack.

The encryption methods themselves – S/MIME and PGP – were not broken; rather, vulnerabilities were found in email clients for HTML emails that bypass these encryption techniques. In addition, we object to the recommendation of various security researchers to generally deactivate content encryption: PGP and S/MIME are still not per se more insecure than a pure transport-encrypted transmission or no encryption at all, even after this publication. Since the attack requires a MitM attack, i.e. a breaking of the possible transport encryption, a general levering out of content encryption would be fatal: Possible attackers could even read the email traffic directly like a postcard!

Hornetsecurity Encryption Service, which is immune to EFAIL, does not require any client plug-ins: Encryption and decryption are fully automated by Hornetsecurity in the cloud – no installation, maintenance or user interaction is required – simply secure!

Further information:

Hornetsecurity updates Advanced Email Signature and Disclaimer with new features

Hornetsecurity updates Advanced Email Signature and Disclaimer with new features

Pittsburgh, May 08, 2018 – Hornetsecurity, a German-based cloud security solutions company that recently opened its first United States base of operations in Pittsburgh, has updated its Advanced Email Signature and Disclaimer service with new features that provide significant upgrades and additional user-friendly applications.

Advanced Email Signature and Disclaimer Editor

Advanced Email Signature and Disclaimer Editor

Advanced Email Signature and Disclaimer - Hide empty fields in the editor

Advanced Email Signature and Disclaimer – Hide empty fields in the editor

Advanced Email Signature and Disclaimer Disclaimer offers an elegant solution for creating uniform company-wide content by ensuring all email signatures are attached in the same format, regardless of whether the message was sent from a PC, tablet or mobile phone.

Advanced Email Signature and Disclaimer Editor

Advanced Email Signature and Disclaimer Editor

In the original version, some fields in certain signatures would remain empty. Thanks to this upgrade, users can create additional sub-signatures within existing signatures, including slogans, logos or banners that promote upcoming trade shows or new products a company wants to highlight within a specific timeframe. Companies can activate and centrally manage the sub-signatures on a group basis, as well as use them for targeted marketing campaigns.

Advanced Email Signature and Disclaimer Mobile View

Advanced Email Signature and Disclaimer Mobile View

Advanced Email Signature and Disclaimer Mobile View (empty fields)

Advanced Email Signature and Disclaimer Mobile View (empty fields)

Advanced E-Mail Signature and Disclaimer Editor Untersignaturen

Advanced E-Mail Signature and Disclaimer Editor Untersignaturen

In addition, users can now include signatures and disclaimers not only within HTML emails, but also in plain text emails, significantly increasing the consistency and professional appearance of corporate email traffic.

Advanced E-Mail Signature and Disclaimer

Advanced E-Mail Signature and Disclaimer bei E-Mails mit Plain Text

“The signature at the end of a professional email is like a digital business card and serves as an important branding tool for every company,” Hornetsecurity CEO Oliver Dehning said. “With these newly added features, IT administrators and corporate marketing teams will have fresh opportunities to shape, sharpen and strengthen their company’s image.”

Further information to Hornetsecurity Advanced Email Signature and Disclaimer :

“For your safety” – Beware of fake ING-DiBa emails

“For your safety” – Beware of fake ING-DiBa emails

Cybercriminals are currently trying to obtain sensitive data from ING-DiBa customers with dubious fake emails. The fake email claims that a problem has occurred during a routine security check of the online banking system. It advises that customers should immediately log on to an external website to avoid troubles with their bank.

However, in reality, this is a phishing attack that tries to collect personal information. In the following blog article, you will learn in detail how to protect yourself from fake emails or phishing attacks.

The fake email from our example

Fake E-Mail

A German ING-DIBA fake email (click for zoom)

The adjacent picture shows the detailed structure of the fake email – allegedly sent by ING-DiBa – in an iPhone mailbox. In fact, the email is part of a mass phishing attack and the message was sent fraudulently to a variety of email recipients.

For example, the subject line states “For Your Safety (Reference Number: xyz)”, and the presumable arbitrary order of the combination was set to “kx5qrvnzx3h” in this case. Before we blackened the personal information for reasons of data protection, we noticed that both the recipient’s address and the sender’s address had the same information. This was already a first indication of a fake email.

This scam is not uncommon amongst perpetrators when it comes to gathering information about their randomly selected victims via phishing. Those affected are especially inclined to follow the attached link if the phishing or fake email is opened on a mobile device, as it is in this case. This is particularly true if they are actual customers of the bank mentioned in the email.

In everyday life, too, recipients of phishing emails are also quick to follow the link when receiving such an email. The attacker offers the targeted person appropriate options in case a recipient does not have an account with ING-DiBa. In our example, the recipient has the opportunity to follow a flashy red button and allegedly communicate that he is not a customer of ING-DiBa. The destination of the link, however, is a phishing website, which is intended to tap user data in a big way from the mostly unsuspecting victims. The fake security notification of ING-DiBa is not an isolated case.

6 tips to detect phishing or fake emails

With the following tips, you will be able to detect phishing or fake emails to protect yourself from being affected by such attacks.

Feature No. 1: The salutation

It is striking that either a standard phrase is used to address the target person, or the salutation is completely missing. Very rarely recipients of phishing emails are addressed with their whole name. This is due to the fact that fake emails are not isolated cases, but often automated emails which are sent out millions of times. Individual addresses are rather the exception. In our example there was no address at all.

Once the victim has entered his details into the according form fields and pressed the confirmation button, the cybercriminal is in possession of the login details. Now he can make orders in online shops under false names or get access to sensitive account or company data. The phishing attack has been successful.

Hornetsecurity News

Stay in touch

Sign up to get the latest News about Cloud Security.

Feature No. 2: Content of the email

A phishing mail is contextually designed to hide the true intentions towards the recipient at least until he first clicks on one of the attached links. These following baits are very popular with cyber crooks:

  • Fake emails in the form of alleged PayPal security notifications
  • Phishing emails which seem to come from banks or other institutions
  • Fake email notifications that seem to come from Amazon or Ebay
  • Fake security issues in social media accounts that need to be resolved promptly

This shows that cybercriminals are very creative when it comes to fooling their victims.

Feature No. 3: The call to action

Once the attacker has created and sent out his fake email, he urges the recipient to act. In this specific case, the targeted person is initially led to an external page by clicking on a link. This page usually resembles closely the login area of a bank, an online retailer or any other company that offers certain Internet services.

Feature No. 4: The time shortage

An effective means often used by attackers is the limitation of time. This is an attempt to put the victim under stress and distract it. In our example, this is stated as follows: “Please log into your account as soon as possible to avoid any delay in your banking activities.”

Fear-spreading phrases in the subject line, such as “Your account has been suspended” or “An amount has been debited from your account” are also quite popular and common. These sentences cause some recipients to panic, so they follow the attached link without much thought.

Feature No. 5: Questionable buttons and links

In order to successfully carry out the process of phishing, a related link in text or button form is part of the standard repertoire of any phishing or fake email. This is also the case in our example.

Therefore, when it comes to questionable security queries that have a link, we recommend that you do not access these links from your email program. Instead, you should always directly log in to your user accounts via a browser or via the official website of the provider. This applies to online services of any kind.

Feature No. 6: This is how reputable companies and institutes work

As far as the detection of phishing emails or fake emails is concerned, it should always be remembered that reputable companies or institutes would never ask you to disclose personal information via email.

For this reason, various banks regularly point to the problem of fake emails or the so-called phishing mails. One bank states for example:

“Volksbank Raiffeisenbank or BVR will never ask bank customers for personal information such as PIN or account number via email. Neither will we insert a link to online banking in emails or ask bank customers to make test or remittance transfers. These practices are always indicators of attempted fraud.” (Source: Volksbank Raiffeisenbank)

Therefore, you can delete such an email immediately. This is ultimately the simplest way to counter a phishing attack.

Additional service information

Viruses, worms, trojans – aren’t they all the same?

Viruses, worms, trojans – aren’t they all the same?

Malware, cyber-attacks and how to protect yourself and your company – are top of mind for both employees and IT managers. To help understand and tackle the issues of malware and cyber-attacks, we would like to provide a series of basic information on this topic in a loose succession. In this first post we give a definition and classification of malware, this is by no means complete, but covers some of the most important types of malware.

Viruses have been around for millions of years. but have only been known to humanity for a blink of an eye since there was no scientific evidence of viruses until the end of the 19th century. Viruses are responsible for a variety of diseases and in nature there is an eternal struggle between the evolution of viruses and the defense against them.

It is almost the same situation in the field of Information Technology. There are numerous types of malicious software and  IT security companies are constantly developing new defense methods to prevent intrusions and negative impacts on IT systems and sensitive data. When conceptually naming these malicious codes, the term “virus” is usually used.

This is perfectly understandable from the historical point of view, as originally only viruses and worms emerged as a threat. However, this terminology is insufficient because of the great variety of threats. Therefore, we would like to shed some light on the subject and give an overview of which terminologies are actually correct and which malicious codes are the most common.


The term “virus” is often used incorrectly because it is usually symbolic of the more general term “malware”. However, this is not correct since malware includes all malicious software.

The word “virus” refers only to the specific distribution path of a particular type of malware. This malware infects a defined file type and injects its part of the malicious code into it. The infected file then carries the virus on by recognizing other files of the same type and infecting them again.

However, viruses do not spread actively from computer to computer. This rather happens through external storage media, emails or within networks.


Just like the “virus”, the term “worm” stands for a certain type of distribution. Unlike the computer virus, the malicious code spreads actively and independently by exploiting existing security gaps. A current example is a worm that spreads via open Android debugging ports, especially in the area of Internet of Things (IoT), or Internet-enabled devices.

In contrast to a ransomware, or software that is clearly aiming at encrypting computer data and demanding a ransom, a computer worm does not have a clearly defined goal. For example, it can compromise and make changes to the system itself, ensure a very high utilization of the Internet infrastructure or trigger DDoS attacks.

Hornetsecurity News

Stay in touch

Sign up to get the latest News about Cloud Security.

Trojans / Trojan horses

Much of the malware that is used today can be described as “trojan horses.” The term is quite generic stating that the malware disguises itself as benign. This means that the user only sees the positive side of the application without recognizing that it has a negative impact and intention. Therefore, the user cannot influence the effects of the application.

The name “trojan horse” goes back to the legendary strategy of Greek mythology, in which the Greek invaders tricked the inhabitants of Troy with the help of a wooden horse. For this reason, the common terminology “trojan” is incorrect, since the Trojans were the inhabitants of the city and the ones that were attacked in this historic example. The horse, in fact, was the attacker.

In addition to these most commonly used malware terminologies, there is still a large number of malware that can be broken down into the following categories.

RAT: Remote Access Trojans

This type of malware allows attackers to take over computers and remotely control them. They allow attackers to execute commands on the victims’ systems and distribute the RAT to other computers with the goal of building a botnet.


A backdoor malware has a similar objective as a RAT but uses a different approach. The attackers use so-called “backdoors” which are mostly deliberately placed in programs or operating systems. However, they may also be installed in secret.

A special characteristic of backdoors is the fact that they can be used to bypass the existing defense mechanisms. For example, they are very attractive for cybercriminals to create botnets.

Botnets and Zombies

Botnets are large accumulations of infected computers that the attacker builds up over time. Each affected computer is called a zombie. The attacker can send commands to all computers at the same time to trigger activities such as DDoS attacks or to mine bitcoins with the help of individual zombie computers.

It is especially treacherous that owners of the affected computers do not notice that they are part of a botnet until they are already carrying out the externally controlled activities.


This is malware that collects information from the victim’s computer. These can be Credential Stealers which extract the login data from user accounts such as email mailboxes, Amazon or Google accounts., On the other hand Keyloggers record everything that users speak or write and often take screenshots. Bitcoin Stealers search for Bitoin Wallets and rob the cryptocurrency.

Downloader / Dropper

Downloaders or droppers are small programs that serve only one purpose – to reload more malware from the Internet. At first victims are not able to recognize which contents are being downloaded because only an URL is visible. The great advantage for an attacker with this method is being able to constantly provide new malware for download and distribute up-to-date and difficult-to-detect malware.


Rootkits are the most dangerous type of malware, even though is not even necessarily malware. Rather, a rootkit hides malicious code from discovery. In this form of attack, the attacker penetrates deeply into the computer system, gains root privileges and thus gains general access rights. The cybercriminals then change the system so that the user no longer recognizes when processes and activities are started. It’s very hard to locate attacks based on rootkit obfuscation.

Naturally, there are other categories and definitions of malware that are not listed here. It should be noted that the malware which is circulating nowadays is mostly a mixture of several types. For example, there are trojan horses that also include a backdoor.

Often, the different attack types can be put together dynamically according to a modular principle. Therefore, the malware found today can no longer be clearly assigned to one of the categories mentioned above.

In our next post, you will learn about the main players in terms of malware and cyber-attacks.

Further information:

Dangerous Amazon phishing emails cause trouble

Dangerous Amazon phishing emails cause trouble

Reputable and hardly suspicious – that’s how phishing emails, which have been circulating for several months and which allegedly come from Amazon, reach the mailboxes of many users. The reason for this is that those emails do not appear to be a cunning fraud but quite the opposite. They are so good in copying the design of a real Amazon email that they are hardly indistinguishable for end users. In addition, the cybercriminals use a personalized form of address in these phishing emails, which adds weight to the credibility of the email.

Example of such an Amazon phishing email

Example of such an Amazon phishing email (Click to enlarge image).

A phishing email personalized in this way is referred to as a “spear phishing attack”. These targeted attacks aim specifically at a single person or group of people. The behavior and personal data of target persons are spotted in advance in order to personalize the spear-phishing email the best possible way. Those fraud emails can only be identified through the sender address with which they were sent. These can, for example, be as follows:

More detailed information about possible sender addresses, the structure of phishing emails and content can be found here.

Hornetsecurity News

Stay in touch

Sign up to get the latest News about Cloud Security.

What do the attackers want to achieve?


Referring in the email to the Federal Data Protection Act, the victims are requested to verify their data. By clicking on a link, they are redirected to a fake website that is almost indistinguishable from the real Amazon site. On closer inspection, only the URL used does not match that of Amazon.

On the fake sites, the people concerned should then disclose data of themselves. Otherwise the hackers threaten to block access to the account, as shown in the example above. This is, of course, a hollow statement. Anyone who responds to this request, however, transmits his data directly to the fraudsters. The cybercriminals use the obtained data to make purchases at the expense of the person concerned or to misuse them for other criminal activities.


Does Hornetsecurity Advanced Threat Protection detect fake emails?


Hornetsecurity Advanced Threat Protection is able to detect the new Amazon phishing emails as well as other targeted attacks. Safety mechanisms including Fraud Attempt Analysis, Identity Spooning Recognition and Intention Recognition can filter out threats of this kind. A loss of sensitive data can thus be prevented and Amazon phishing emails do not even get into the mailboxes of a company or employees.

Additional service information

Disguised .NET Spyware Camolog is Stealing Access Data

Disguised .NET Spyware Camolog is Stealing Access Data

When it comes to new types of malware, there is always the question of what their objectives are. At the moment we are monitoring a new .NET spyware that has not yet been reported. It distinguishes itself by using persistent anti-analysis techniques implemented by utilizing the Confuser packer. Apart from that, the spyware does not put a lot of effort into disguising itself during runtime, thus revealing its intentions. This malware collects login details from many different programs and uses a keylogger to gather information.


This .NET spyware that we named Camolog is spreading due to an ongoing phishing campaign and it uses a keylogger to collect login details from mail clients, browsers, FTP and instant messenger clients. After these campaigns collect information, the access data gathered is usually sold by cybercriminals or used for later attacks.


In the individual emails of a large wave of spam emails, the subject headings (see screenshot) and attachments are slightly different. Most of the time, the attachments that deliver the malware are between 400KB and 1.3MB in size. In the following screenshot, you can see one of these phishing e-mails with the contact information crossed out, because in many cases, these are the information stolen from real people.


Example of a phishing mail that delivers malware.

Example of a phishing mail that delivers malware


The phishing email fools the recipients into believing that they are going to receive a price quote or an offer of some kind and this motivates them to open the attachment. However, it contains a RAR archive named “Sample Product 9076_pdf.rar”. The archive hides the executable .NET file “SampleProduct9076_pdf.exe” which serves as a dropper for the spyware and is secured by a version of the publicly available cover-up tool Confuser.


When opening the malware in the .NET decompiler dotPeek, the usage of Confuser becomes apparent. The project name “dimineata” is noticeable and can be used to identify the malware and is displayed in the screenshot below.


The .NET Decompiler dotPeek lets you analyze the Confuser.

The .NET Decompiler dotPeek lets you analyze the Confuser.


On the other hand, the application of both anti-decompiler and anti-debugger techniques makes it harder to analyze the malware. The analysis tool IDA Pro will crash when loading the binary file, specific .NET decompilers do not function properly and debuggers used in dynamic analyses fail, which means that manual analyses will rarely provide information. It’s likely that this is also one of the reasons why there is an absence of this spyware being publicly reported so far.


Bypassing security measures


The only way to obtain an overview of this malware’s behavior is to run it in a safe and controlled environment. In doing so, you can observe that the malware runs as a process named “chrome.exe” with the description “Accu-Chek 360˚ diabetes management software”. This process starts another sub-process with the same name. After a few moments, the original binary file generates a copy of itself as AppData\Local\Temp\iaq\iaq.exe, starts its sub-process and subsequently deletes itself.


At the time the sub-process is loaded, its binary data must be fully extracted and decrypted in the memory. The transfer takes place in the form of a byte array to the AppDomain.Load() function. This function is not affected by the anti-analysis methods of the cover-up tool because it belongs to the .NET framework. Unlike the malware functions, it can be easily analyzed. Thus, with a debugger such as dnSpy it is possible to set a breakpoint on this function and dump the binary file of the malware that is loaded by the dropper. But, let’s have a closer look into the malware itself.


Analysis of spyware.

Analysis of spyware.


The binary file of the dropped spyware is only masked by randomly renaming the functions and variables, not by additional anti-analysis methods. Therefore, it is possible to generate readable source code with a .NET decompiler again and thus reveal the behavior of the malware.


Hornetsecurity News

Stay in touch

Sign up to get the latest News about Cloud Security.

What information is collected?


The spyware collects numerous information: Next to the FTP Client SmartFTP’s connection data, which are saved in the favorites, but also passwords from the client WS_FTP, recently used connections from FileZilla, connections of saved sessions from WinSCP and the connection data from FTPWare.


Additionally, the account data saved in the Instant Messenger Pidgin and the passwords from the video chat tool Paltalk are read out. Camolog also diligently collects account data from the Outlook and Thunderbird mail clients as well as the login details from the YandexBrowser, ChromePlus and Chromium browsers. The spyware can also record all kind of data and password input with a keylogger.


The Spyware nests itself within the system by creating registry keys for Windows Autorun (see list of indicators). The malware is pretty good at identifying itself in the system through these registry keys and the running process “chrome.exe”.


Cloud protection by Hornetsecurity products


Through the use of our cleverly designed spam filter mechanisms, Hornetsecurity has been detecting the emails of this campaign since they first appeared and we have been filtering them out in the cloud. As a result, there is no way for the spyware to get close to our customers’ business infrastructure.


With Hornetsecurity Advanced Threat Protection, our customers benefit from being protected against any variation of this malware. Through the use of behavioral analysis, the level of protection Hornetsecurity ATP provides exceeds that of a conventional spam filter.


Here is an extract from the ATP behavioral analysis:


The detailed evaluation of the sandbox analysis.

The detailed evaluation of the sandbox analysis.


List of indicators for the detection of malware


Phishing emails


Subject lines used in the campaign:

  • Quotation request
  • Quote-Bid Identifier: ITB-0011-0-2018/AM
  • Quote-Bid Identifier: ITB-0014/0015-0-2018/AM
  • Kindly Quote-Bid Identifier: ITB-0016-0-2015/AM
  • Quotation required


Attachment of the phishing email – Win32 RAR Archive


  • File name: Sample Product 9076_pdf.rar
  • SHA256: 5f5e7a57d9500fcece0b7c88c8925bb13243222182e5badddaa2419bda963ca6
  • Attachments of other emails of this campaign:
    • 30eaa3e9b9390f603d2a349c0a4cf064225eff3ede60a24aab8e69cf67cf83a5  Product sample 0015_pdf.rar
    • 6acf72c636aa9ff2fae225d75eea063c2ee61026151a6c405175dd06e8a5c01f  product sample 0019_pdf.rar
    • a54f7ff3ecf8acccc23fe2c52fd5e58099852f3448dcec67c6deff5fa925a4d5  Sample product 0011_pdf.rar
    • c165676976f9e91738c5b6a3442bf67832a7556e23e49f1a77c115af47b290ee  Sample Product 0014_pdf.rar
    • 97cea5ce28bbebff16251cbde247362915e8f41a89f979ae266c797aff6ef5e6  Sample Product 0016_pdf.rar
    • 5f5e7a57d9500fcece0b7c88c8925bb13243222182e5badddaa2419bda963ca6  Sample Product 9076_pdf.rar
  • File type: RAR archive data, v4, os: Win32
  • Size: 331K
  • Content of the archive, SHA256: 2feb8a19f44c29a83a0561ca7e38492e1a843add08eda2027a8a7c5041af6de6


Dropper from out of the archive


  • File name: SampleProduct9076_pdf.exe
  • SHA256: 2feb8a19f44c29a83a0561ca7e38492e1a843add08eda2027a8a7c5041af6de6
  • Other dropper of the campaign:
    • 38782911f7deca093b0e6018fd6c51122a8211c9c446f89de18e6ada85afa0d1  Product sample 0015_pdf.exe
    • 542b6a778489710994aadfaca3b57e0a9c03d2e3b6d5617e3220f364cbde9a45  product sample 0019_pdf.exe
    • 04381c6ecdf618ce122084a56ca5416c6774cba4b34909e95f7a532523c3e877  Sample product 0011_pdf.exe
    • 42992976461c59a4a52e4bf202d4bfcd738408d729ff9cbc55786016cb4075c3  Sample Product 0014_pdf.exe
    • 2a159afdc686df016ee370aeed134f9c4fe44320a32ec2eb25d76270206b5b5a  Sample Product 0016_pdf.exe
    • 2feb8a19f44c29a83a0561ca7e38492e1a843add08eda2027a8a7c5041af6de6  Sample Product 9076_pdf.exe
  • File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
  • Size: 429K
  • Process name: chrome.exe
  • Description: Accu-Chek 360˚ diabetes management software
  • Drops the file SHA256: 67c7840eefb640e70473ebc4bb7dec89f8168d679226be0696708e3427956114
  • Significant string:  dimineata.exe
  • Stores a copy of itself under C:\Benutzer\analyst\Appdata\Local\Temp\iaq.exe ab


Reloaded spyware:


  • File name: impartial.exe
  • SHA256: 67c7840eefb640e70473ebc4bb7dec89f8168d679226be0696708e3427956114
  • File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
  • Size: 58K
  • Process name: chrome.exe


Registry Keys, of which information have been gathered


  • HKEY_CURRENT_USER\Software\Microsoft\Windows Messaging Subsystem\Profiles*
  • HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook*
  • HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook*
  • HKEY_CURRENT_USER\Software\Paltalk
  • HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions


Files, of which information have been gathered


  • C:\Users\Administrator\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
  • C:\Users\Administrator\AppData\Roaming\Ipswitch\WS_FTP\Sites\ws_ftp.ini
  • C:\Users\Administrator\AppData\Roaming\FileZilla\recentservers.xml
  • C:\Users\Administrator\AppData\Roaming\Thunderbird\profiles.ini
  • C:\Users\Administrator\AppData\Roaming.purple\accounts.xml
  • C:\Users\Administrator\AppData\Local\Chromium\User Data\Default\Login Data
  • C:\Users\Administrator\AppData\Local\MapleStudio\ChromePlus\User Data\Default\Login Data
  • C:\Users\Administrator\AppData\Local\Yandex\YandexBrowser\User Data\Default\Login Data


Registry Keys, that have been created to generate persistence


  • Autorun entry for the dropper: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\iaq
    • reg_value   C:\Users\ADMINI~1\AppData\Local\Temp\iaq\iaq.exe
  • Autorun entry of the spyware: Spyware: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Application
    • reg_value   C:\Users\Administrator\Desktop\chrome.exe -boot