Good day to you!

Khoroshiy den' dlya tebya!

The other day, I got this cryptic email. It read:

– – – – – – – – – – – – – – – –
From: Wayne Millbrand <waynem@icon.co.za>
Date: 03/27/2017 2:23 PM (GMT-05:00)
To: ***
Subject: ***

Good day to you!

I have a rather delicate issue, which touches directly to you. Don’t be surprised how do I learned about you! The fact is that I have got already a second letter from the person, I do not know which asserts that you are fraud involved. He insists, that you forced him transfer funds on your PayPal account under fictional reason. However,with this information he pointed out your private data up to address:

First Last Name
Street Address
Town
State (with capitalization error)
Zip Code

Now he is collecting information and planing to contact the police. I advise you to view the information that he sent to me. I have attached Fine.doc with a copy of all of his messages.

Document was password-protected – 4299
Please explain to me what’s happening.  I hope that all of this is a silly misunderstanding.

Best regards,

Wayne Millbrand
– – – – – – – – – – – – – – – –

Based on the fake email address and the tell-tale Anguished English, I concluded that this was just another phish. I usually delete these emails promptly, but this one had an interesting component: it came with a password-protected MS Word document. This is somewhat unusual, because these campaigns typically expect you to simply open the attachment and trigger the payload immediately.

So it appears that the attack strategy was to:

  1. Send a threatening email
  2. Add some publicly available information about the recipient to make it look genuine
  3. Encrypt the document in order to hide the payload from an anti-virus scanner
  4. Provide the password in the email to allow the user to open and decrypt the file
  5. Activate the payload in the MS Word document and infect the user’s machine

Based on the version of the MS Word attachment, I set up a Windows 7 virtual environment in a sandbox. I also installed Microsoft Office 2016 in order to debug the payload macro, the Sysinternals utilities Process Monitor (ProcMon), DiskMon and DebugView, and Wireshark to sniff the TCP traffic.

I launched the document and entered the provided password. Inside the decrypted file, I found the following API declarations, variable names, and code:

Shell32.dll   ShellExecuteA
Kernel32      GetTempPathA
Kernel32      GetTempFileNameA
URLMon        URLDownloadToFileA

Dim wyqud As String
Dim zdwie As Long
Dim rufhd As Long
Dim bldos As Integer
Dim mufid () As Byte
Dim kmvbf As Long
Dim dfety As Long
Dim bvjwi As Long
Dim wbdys As Long
Dim dvywi (256) As Byte
Dim wdals As Long
Dim dwiqh As Long

API Declarations and Variables
Images: the document-open routine and the macro's functions
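The declarations listed above (a URL downloader, two temp-file helpers and a shell launcher, declared next to a row of five-letter variable names) form a pattern that can be triaged statically, before the macro is ever run. The following Python is an added example written for this post, not code from the post or from the malware: the VBA it scans is constructed from the declarations quoted above with a placeholder routine body, and the name heuristic and verdict rule are my own, not any tool's.

```python
import re

# Constructed sample, modelled on the API declarations and variable names
# quoted above from the decrypted document.  The routine body is only a
# comment: the declarations and the auto-run entry point are enough for triage.
SAMPLE_VBA = '''
Private Declare Function ShellExecuteA Lib "Shell32.dll" (ByVal hwnd As Long, ByVal lpOperation As String, ByVal lpFile As String, ByVal lpParameters As String, ByVal lpDirectory As String, ByVal nShowCmd As Long) As Long
Private Declare Function GetTempPathA Lib "Kernel32" (ByVal nBufferLength As Long, ByVal lpBuffer As String) As Long
Private Declare Function GetTempFileNameA Lib "Kernel32" (ByVal lpszPath As String, ByVal lpPrefixString As String, ByVal wUnique As Long, ByVal lpTempFileName As String) As Long
Private Declare Function URLDownloadToFileA Lib "URLMon" (ByVal pCaller As Long, ByVal szURL As String, ByVal szFileName As String, ByVal dwReserved As Long, ByVal lpfnCB As Long) As Long

Dim wyqud As String
Dim zdwie As Long
Dim mufid() As Byte
Dim dvywi(256) As Byte

Private Sub Document_Open()
    ' placeholder: the real routine downloads and launches the payload
End Sub
'''

DECLARE_RE = re.compile(
    r'Declare\s+(?:PtrSafe\s+)?(?:Function|Sub)\s+(\w+)\s+Lib\s+"([^"]+)"',
    re.IGNORECASE)
AUTOEXEC_RE = re.compile(
    r'\bSub\s+(Document_Open|AutoOpen|Auto_Open|Workbook_Open)\b', re.IGNORECASE)
DIM_RE = re.compile(r'^\s*Dim\s+(\w+)', re.IGNORECASE | re.MULTILINE)

# API families that, declared together, make up a download-and-execute dropper.
DOWNLOAD = {"urldownloadtofilea", "urldownloadtofilew"}
TEMPFILE = {"gettemppatha", "gettemppathw", "gettempfilenamea", "gettempfilenamew"}
EXECUTE = {"shellexecutea", "shellexecutew", "winexec", "createprocessa", "createprocessw"}


def declared_apis(vba):
    """Map each Win32 function declared in the VBA source to its library (lower-cased)."""
    return {name.lower(): lib.lower() for name, lib in DECLARE_RE.findall(vba)}


def autoexec_entry_points(vba):
    """Procedures that Office runs automatically when the document is opened."""
    return sorted({m.lower() for m in AUTOEXEC_RE.findall(vba)})


def random_looking_names(vba):
    """Crude heuristic for generated identifiers: Dim'd names that are exactly
    five lower-case letters, like the ones in the decrypted document.
    Returns (matching names, total Dim'd names)."""
    names = DIM_RE.findall(vba)
    return [n for n in names if re.fullmatch(r"[a-z]{5}", n)], len(names)


def triage(vba):
    """Findings and a verdict for one macro module."""
    apis = set(declared_apis(vba))
    findings = []
    if apis & DOWNLOAD and apis & EXECUTE:
        findings.append("download-and-execute API pair declared")
    if apis & TEMPFILE and apis & EXECUTE:
        findings.append("temp-file staging before execution")
    entries = autoexec_entry_points(vba)
    if entries:
        findings.append("auto-run entry point: " + ", ".join(entries))
    blobs, total = random_looking_names(vba)
    if total and len(blobs) / total >= 0.5:
        findings.append(f"{len(blobs)}/{total} variables have random-looking names")
    verdict = "likely dropper" if apis & DOWNLOAD and apis & EXECUTE else "no dropper pattern"
    return {"apis": declared_apis(vba), "findings": findings, "verdict": verdict}


if __name__ == "__main__":
    result = triage(SAMPLE_VBA)
    print(result["verdict"])
    for line in result["findings"]:
        print(" -", line)
```

Declared APIs are a weak signal on their own (plenty of legitimate add-ins call ShellExecuteA), which is why the verdict keys on the download-plus-execute pair together with an auto-run entry point; the name heuristic is only supporting evidence.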

The attack mechanism seems to be a variation on an old theme: as soon as the user opens the file, the routine downloads a file from one of these two sources (the second serving as a backup):

h t t p://adenzia.ch/_vti_cnf/bug.gif
h t t p://kingofstreets.de/class/meq.gif

The macro is quite sophisticated: it can even prompt the user to disable their firewall if the download fails. Both GIFs, “bug.gif” and “meq.gif”, despite having a proper header block and some image content bytes, actually carry the encoded malware.

The macro uses a subroutine to extract the executable binary from the downloaded GIF. It stores the binary in a temp file, appends an “exe” extension to it, and then executes it through the Shell32 function ShellExecuteA in order to install additional malware. In this case, it was ransomware that encrypted the Documents folder.
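A GIF that carries an executable can be spotted before the macro ever runs: the file starts with a GIF signature but also contains a DOS header whose e_lfanew field points at a valid PE signature. The following Python scanner is an added example, not code from the post; the GIF and the executable stand-in it scans are constructed inline (the stand-in has only the two header fields the check needs and cannot run), and a bare "MZ" in pixel data is deliberately not reported.

```python
import struct

GIF_MAGICS = (b"GIF87a", b"GIF89a")


def is_gif(data):
    return data[:6] in GIF_MAGICS


def find_embedded_pe(data):
    """Offset of an embedded PE image inside data, or -1 if there is none.

    A bare search for 'MZ' false-positives on ordinary pixel data, so every
    candidate is validated: the DOS header's e_lfanew field (at +0x3C) must
    point, within the buffer, at a 'PE\\0\\0' signature."""
    pos = data.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(data):
            (e_lfanew,) = struct.unpack_from("<I", data, pos + 0x3C)
            pe = pos + e_lfanew
            if e_lfanew >= 0x40 and pe + 4 <= len(data) and data[pe:pe + 4] == b"PE\x00\x00":
                return pos
        pos = data.find(b"MZ", pos + 1)
    return -1


def classify(data):
    """'gif', 'pe', 'gif-pe-polyglot' or 'unknown'."""
    pe_at = find_embedded_pe(data)
    if is_gif(data):
        return "gif-pe-polyglot" if pe_at != -1 else "gif"
    if pe_at == 0:
        return "pe"
    return "unknown"


def build_fake_pe(size=0x100):
    """Constructed stand-in for an executable: only the 'MZ' magic, e_lfanew = 0x80
    and the 'PE\\0\\0' signature are filled in; nothing here can run."""
    buf = bytearray(size)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x80)
    buf[0x80:0x84] = b"PE\x00\x00"
    return bytes(buf)


def build_sample_gif(tail=b""):
    """Constructed 1x1 GIF89a (header, screen descriptor, one image block, trailer)
    with 'tail' appended after the trailer, where a GIF decoder never looks."""
    header = b"GIF89a" + struct.pack("<HH", 1, 1) + b"\x00\x00\x00"
    image = b"," + struct.pack("<HHHH", 0, 0, 1, 1) + b"\x00" + b"\x02\x02\x44\x01\x00" + b";"
    return header + image + tail


if __name__ == "__main__":
    for label, blob in (("clean gif", build_sample_gif()),
                        ("gif with executable", build_sample_gif(build_fake_pe())),
                        ("gif with stray MZ", build_sample_gif(b"MZ" + bytes(100)))):
        print(f"{label}: {classify(blob)} (pe offset {find_embedded_pe(blob)})")
```

The same check applies to any downloaded "image" a macro or script fetches: a file whose declared type and actual content disagree is worth quarantining regardless of whether a signature engine recognises the payload.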

Image 1: The ransomware after installation

Interestingly, the first compromised URL used for the malware distribution belonged to the website of a company called Adenzia, a Swiss accounting and corporate services firm that ironically advertises itself as providing “Privacy and secure data storage” and:

  •   Accounting services
  •   Secure financial services
  •   Data entry from paper to digital
  •   Scanning paper data to digital
  •   Archiving data anonymously

Image 2: The Adenzia.ch website used for malware distribution

Image 3: The Kingofstreets.de website used for malware distribution

Another noteworthy strategy is that both the repurposed Swiss Adenzia.ch financial site and the second German kingofstreets.de gaming site required a login. From the attacker's point of view this adds a layer of protection: internet security scanners that try to track down the payload by following the link to the malware are stopped at the login prompt.

Image 4: Malware distribution site login prompt

From the variable naming convention and the language of the email itself, it seems that the writer is a non-native English speaker from the former Soviet Union (FSU). The metadata from the Word document further supports this and suggests a strong link to a Russian origin. First, the author’s name was preserved as виньда (Vinda), and the company name came up as SPecialiST RePack.

Image 5: SPecialiST RePack metadata

SPecialiST RePack is a Russian digital publisher that repackages software. According to the Emsisoft malware database, they are a source of a large number of infected files and products.

Image 6: Samples of SPecialiST RePack infected content

As for the unfortunate Adenzia.ch site, it seems to have been breached within the past few months, as the Wayback Machine still shows it operating normally on October 4, 2016.

Image 7: The office address of Adenzia in Lugano, Switzerland

I’ve contacted Giovanni De Martin Cavan, the registered owner of Adenzia (who seems to have a strange history of forming companies and abandoning their websites), via email and gave him a heads-up that he needs to have a look at his website and corporate network. As of this date, I haven’t heard back from him. This could be an indication that either the site was a front for malware distribution from the get-go, or else it is no longer in business and has been abandoned.

 

© Copyright 2017 Yaacov Apelbaum, All Rights Reserved.

Coincidence or Not?


You may have seen this motivational masterpiece. It’s a favorite among performance consultants.

It goes as follows:

IF

A = 1, B = 2, C = 3, D = 4, E = 5, F = 6, G = 7, H = 8, I = 9, J = 10, K = 11, L = 12, M = 13,
N = 14, O = 15, P = 16, Q = 17, R = 18, S = 19, T = 20, U = 21, V = 22, W = 23, X = 24, Y = 25, Z = 26

THEN:

K + N + O + W + L + E + D + G + E
11 + 14 + 15 + 23 + 12 + 5 + 4 + 7 + 5 = 96%

AND:

H + A + R + D + W + O + R + K
8 + 1 + 18 + 4 + 23 + 15 + 18 + 11 = 98%

Both are important, but fall just short of 100%

BUT…

A + T + T + I + T + U + D + E
1 + 20 + 20 + 9 + 20 + 21 + 4 + 5 = 100%

So the moral of the story is that if you have the right attitude, you will achieve 100% of your potential. 

It sure looks great on paper. To test the mystical value of this proposition, I wrote a short script that first generates words between 2 and 12 characters long whose letters add up to 100, and then checks which of these are found in a dictionary.

As might be expected, the script generated hundreds of valid words (see the short sample at the end of the post just for the letter A). It turns out that many of them are not very motivational.

A + N + E + U + R + I + S + M
1 + 14 + 5 + 21 + 18 + 9 + 19 + 13 = 100%

B + O + Y + C + O + T + T
2 + 15 + 25 + 3 + 15 + 20 + 20 = 100%
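The script the post describes, as an added example written for this page (it is not the author's script): it applies the A = 1 to Z = 26 key, reproduces the 96% / 98% / 100% breakdowns, and filters a word list for words of 2 to 12 letters whose values sum to exactly 100. The word list is constructed inline from the post's own examples plus a few control words; any real dictionary file, one word per line, could be read in its place.

```python
import string

# The puzzle's key: A = 1 ... Z = 26.
LETTER_VALUE = {c: i for i, c in enumerate(string.ascii_uppercase, start=1)}


def letter_values(word):
    """Per-letter values; anything that is not A-Z (hyphens, spaces) is ignored."""
    return [LETTER_VALUE[c] for c in word.upper() if c in LETTER_VALUE]


def word_value(word):
    return sum(letter_values(word))


def breakdown(word):
    """The '1 + 20 + ... = 100' line the motivational graphic shows."""
    values = letter_values(word)
    return " + ".join(map(str, values)) + f" = {sum(values)}"


def hundred_percent_words(words, min_len=2, max_len=12):
    """Words of 2-12 letters whose letter values sum to exactly 100, de-duplicated and sorted."""
    return sorted({w.lower() for w in words
                   if min_len <= len(w) <= max_len and word_value(w) == 100})


# Constructed word list: the post's own examples plus a few controls that do not hit 100.
SAMPLE_DICTIONARY = [
    "knowledge", "hardwork", "attitude", "aneurism", "boycott",
    "abrogative", "acromegaly", "affectation", "alienation", "anchoritic",
    "anglophobia", "anorchism", "aryanism", "asbestos",
    "coincidence", "genius", "puzzle", "malware",
]

if __name__ == "__main__":
    for w in ("knowledge", "hardwork", "attitude"):
        print(f"{w}: {breakdown(w)}")
    print(hundred_percent_words(SAMPLE_DICTIONARY))
```

Filtering the dictionary is the cheaper direction: the number of 2-to-12-letter sequences summing to 100 is huge, while even a large word list has only a few hundred thousand entries, so checking each word once beats generating candidates and looking them up.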

The problem with all of these leadership gimmicks is that they fail to understand the fundamentals of human performance, chiefly that nothing in nature functions at 100% efficiency. In reality, information worker productivity in the 50% range is outstanding. As you can see from the list below, this is a conservative breakdown of the average daily activity of a typical information worker:

#    Activity                                                             Time (min)
1    Checking social media                                                 44
2    Reading news websites and checking out Amazon                         65
3    Visiting and discussing non-work-related activity with colleagues     40
4    Making hot drinks                                                     17
5    Smoking or doing some mobile device maintenance                       23
6    Texting and instant messaging                                         14
7    Snacking                                                               8
8    Preparing food in the office                                           7
9    Calling partners and friends                                          18
10   Looking for a new job and doing LinkedIn “maintenance”                26
     Total                                                                262

So about 4.3 hours of every 8-hour day are non-productive. Any doubts? Feel free to consult Frederick Brooks’ The Mythical Man-Month.

Word           Letter values                                     Sum
Abrogative     1 + 2 + 18 + 15 + 7 + 1 + 20 + 9 + 22 + 5         100
Acromegaly     1 + 3 + 18 + 15 + 13 + 5 + 7 + 1 + 12 + 25        100
Affectation    1 + 6 + 6 + 5 + 3 + 20 + 1 + 20 + 9 + 15 + 14     100
Alienation     1 + 12 + 9 + 14 + 5 + 1 + 20 + 9 + 15 + 14        100
Anchoritic     1 + 14 + 3 + 8 + 15 + 18 + 9 + 20 + 9 + 3         100
Anglophobia    1 + 14 + 7 + 12 + 15 + 16 + 8 + 15 + 2 + 9 + 1    100
Anorchism      1 + 14 + 15 + 18 + 3 + 8 + 9 + 19 + 13            100
Aryanism       1 + 18 + 25 + 1 + 14 + 9 + 19 + 13                100
Asbestos       1 + 19 + 2 + 5 + 19 + 20 + 15 + 19                100


Only a Math Genius can Solve this Puzzle–Not Really!

Image: Sumerian mathematics tablet

One of the most popular math equation puzzles on social media is interesting because it does not have a single correct answer, and it illustrates how two plausible solution methods diverge.

Here is an example. The first two sets below give the same answer whether we use the “sum of the digits in the product” method or the “product of the sums of the digits” method:

Set 1: 11×11=4
Set 2: 22×22=16
Set 3: 33×33=?

For the first set:
Method 1: 11×11 = 121, and summing the digits of the product gives 1+2+1 = 4
Method 2: (1+1) × (1+1) = 4

And for the second set:
Method 1: 22×22 = 484, and summing the digits of the product gives 4+8+4 = 16
Method 2: (2+2) × (2+2) = 16

But when it comes to the next set, 33×33=?, the two methods diverge and yield different results (see below for method 1 and method 2).

Method 1 (sum of the digits in the product): 33×33 = 18
33×33 = 1089, and 1+0+8+9 = 18

Method 2 (product of the sums of the digits): 33×33 = 36
(3+3) × (3+3) = 6 × 6 = 36

Here is a graphic solution for method 2:

Image: graphic solution for method 2 (“If X and Y then Z”)

Here are the solutions for the first 40 sets under each method.

n       n × n      Method 1   Method 2
11      121        4          4
22      484        16         16
33      1089       18         36
44      1936       19         64
55      3025       10         100
66      4356       18         144
77      5929       25         196
88      7744       22         256
99      9801       18         324
110     12100      4          400
121     14641      16         484
132     17424      18         576
143     20449      19         676
154     23716      19         784
165     27225      18         900
176     30976      25         1024
187     34969      31         1156
198     39204      18         1296
209     43681      22         1444
220     48400      16         1600
231     53361      18         1764
242     58564      28         1936
253     64009      19         2116
264     69696      36         2304
275     75625      25         2500
286     81796      31         2704
297     88209      27         2916
308     94864      31         3136
319     101761     16         3364
330     108900     18         3600
341     116281     19         3844
352     123904     19         4096
363     131769     27         4356
374     139876     34         4624
385     148225     22         4900
396     156816     27         5184
407     165649     31         5476
418     174724     25         5776
429     184041     18         6084
440     193600     19         6400

Images: growth patterns of the method 1 and method 2 series

It is interesting to note the growth pattern of each series. In method 1 the values stay clustered within a narrow range of a few values (see the pattern for 30K solutions), while in method 2 the growth is polynomial.
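Both methods as functions, plus a generator for the 40-row table above, as an added example written for this page (not the author's spreadsheet). One point worth checking with code: for the two-digit sets the product of the digit sums equals (2k)² where n = 11k, and the table above continues that (2k)² progression into the three-digit sets, whereas a literal product of digit sums gives smaller values there (for 110 × 110 it is 2 × 2 = 4); the table function therefore carries both columns. The bounded method 1 column is exactly the clustering the paragraph above describes: a digit sum of a six-digit square can never exceed 54.

```python
def digit_sum(n):
    return sum(int(d) for d in str(abs(n)))


def method1(x, y):
    """Sum of the digits of the product."""
    return digit_sum(x * y)


def method2(x, y):
    """Product of the digit sums of the two factors."""
    return digit_sum(x) * digit_sum(y)


def first_divergence(limit=1000):
    """Smallest n = 11k for which the two methods disagree on n × n."""
    for k in range(1, limit + 1):
        n = 11 * k
        if method1(n, n) != method2(n, n):
            return n
    return None


def solution_table(rows=40):
    """One tuple per set: (n, n², method 1, method 2, (2k)²) for n = 11k, k = 1..rows.
    The last column reproduces the page's method 2 values beyond n = 99."""
    return [(11 * k, (11 * k) ** 2, method1(11 * k, 11 * k),
             method2(11 * k, 11 * k), (2 * k) ** 2)
            for k in range(1, rows + 1)]


if __name__ == "__main__":
    print(f"first divergence at n = {first_divergence()}")
    print("n      n*n       m1   m2   (2k)^2")
    for n, sq, m1, m2, f in solution_table():
        print(f"{n:<6} {sq:<9} {m1:<4} {m2:<4} {f}")
```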
