Mailing List Archive

[clamav-users] Be wary of emails with attachments targeting clamav-users list members
All,

Some users have reported receiving emails that appear to be a reply to a clamav-users mailing list thread but are in fact a phishing attempt with attached malware.

Most recently, Marc reported receiving an email that appeared to be a reply to an older clamav-users mailing list thread but was in fact a direct email targeting him. It had this fairly generic phishing text:

"Would you please look through the last agreement? I have attached some extra details about it."

The attached file was some small HTML file containing malicious obfuscated javascript.

This isn't the first time we've heard of this type of phishing using our mailing list archives. Please be careful when you see any sort of attachment, even if it appears to be from this community.

If you receive this sort of phishing email, please report the attached HTML file to https://www.clamav.net/reports/malware

Regards,
Micah



Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.
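
An added triage example, not part of the original post or ClamAV's own code: it flags the two traits described above, a message that carries the list's subject tag but did not come through the list server, and an HTML attachment that contains script. The `List-Id` value is an assumption based on Mailman's usual convention, and the sample messages are constructed.

```python
import email
from email import policy
from email.message import EmailMessage

LIST_TAG = "[clamav-users]"                # subject tag seen in this thread
LIST_ID = "clamav-users.lists.clamav.net"  # assumed List-Id (Mailman convention)

def triage(raw: bytes) -> list:
    """Return the reasons a raw message resembles the lure described above."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []
    subject = str(msg.get("Subject", ""))
    list_id = str(msg.get("List-Id", ""))
    # A genuine list reply is relayed by the list server, which adds List-Id.
    if LIST_TAG in subject and LIST_ID not in list_id:
        reasons.append("list subject tag without the list's List-Id header")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        is_html = part.get_content_type() == "text/html"
        if is_html or name.endswith((".htm", ".html")):
            body = part.get_payload(decode=True) or b""
            if b"<script" in body.lower():
                reasons.append("HTML attachment with script: " + (name or "unnamed"))
    return reasons

def sample(via_list: bool, attach_html: bool) -> bytes:
    """Build a constructed test message; no real sample content is used."""
    m = EmailMessage()
    m["From"] = "someone@example.com"
    m["To"] = "user@example.org"
    m["Subject"] = "Re: [clamav-users] an older thread"
    if via_list:
        m["List-Id"] = "ClamAV users <clamav-users.lists.clamav.net>"
    m.set_content("Would you please look through the last agreement?")
    if attach_html:
        m.add_attachment(b"<html><script>/* placeholder */</script></html>",
                         maintype="text", subtype="html", filename="details.html")
    return m.as_bytes()

if __name__ == "__main__":
    for reason in triage(sample(via_list=False, attach_html=True)):
        print("FLAG:", reason)
```

Both checks are triage signals rather than verdicts: a legitimate direct reply also lacks `List-Id`, so flagged mail still needs review before it is reported or discarded.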
Re: [clamav-users] Be wary of emails with attachments targeting clamav-users list members
I have just started getting these claiming to be relevant to ClamAV, but I have *also* been receiving this sort of thing claiming to be from the Firefox ESR list for months now.

I am posting (one of) the HTMLs "about" ClamAV to https://www.clamav.net/reports/malware. Should I also post (one of) the Firefox phishes? (In fact, I have several of each, but it quickly gets tedious.)



On Wed, 22 Mar 2023 16:48:32 +0000
"Micah Snyder \(micasnyd\) via clamav-users" <clamav-users@lists.clamav.net> wrote:

> All,
>
> Some users have reported receiving emails that appear to be a reply to a clamav-users mailing list thread but are in fact a phishing attempt with attached malware.
>
> Most recently, Marc reported receiving an email that appeared to be a reply to an older clamav-users mailing list thread but was in fact a direct email targeting him. It had this fairly generic phishing text:
>
> "Would you please look through the last agreement? I have attached some extra details about it."
>
> The attached file was some small HTML file containing malicious obfuscated javascript.
>
> This isn't the first time we've heard of this type of phishing using our mailing list archives. Please be careful when you see any sort of attachment, even if it appears to be from this community.
>
> If you receive this sort of phishing email, please report the attached HTML file to https://www.clamav.net/reports/malware
>
> Regards,
> Micah
>
>
>
> Micah Snyder
> ClamAV Development
> Talos
> Cisco Systems, Inc.
_______________________________________________

Manage your clamav-users mailing list subscription / unsubscribe:
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/Cisco-Talos/clamav-documentation

https://docs.clamav.net/#mailing-lists-and-chat
Re: [clamav-users] Be wary of emails with attachments targeting clamav-users list members
Hi Paul,

Yes, submit all files. Maybe ClamAV needs different phishing sigs for each file or something ...
For my submitted file, ClamAV currently does not warn ...

kind greetings
Marc


From: Clamav User Mailinglist <mailto:clamav-users@lists.clamav.net>
To: Newcomer01 <mailto:newcomer01@posteo.de>
CC: Paul Kosinski <mailto:clamav-users@iment.com>
Sent: Wednesday, March 22, 2023 at 18:35 (06:35 PM) +0100
Subject: Re: [clamav-users] Be wary of emails with attachments targeting clamav-users list members
> I have just started getting these claiming to be relevant to ClamAV, but I have *also* been receiving this sort of thing claiming to be from the Firefox ESR list for months now.
>
> I am posting (one of) the HTMLs "about" ClamAV to https://www.clamav.net/reports/malware. Should I also post (one of) the Firefox phishes? (In fact, I have several of each, but it quickly gets tedious.)
Re: [clamav-users] Be wary of emails with attachments targeting clamav-users list members
>
> The attached file was some small HTML file containing malicious obfuscated
> javascript.

Just to note that at my workplace 1 user received a similar email, using
older email threads to make it look convincing
and with a single HTML attachment.

0/55 av's so far 6 hours after submitting..

In case this helps...

https://www.virustotal.com/gui/file/8cb4b28d9c452dfa77e8a061791158bb851681550c889e579a0acc4cb0ff2c86

Cheers,

Steve
Twitter: @sanesecurity
https://fosstodon.org/@sanesecurity
Sanesecurity.com
Re: [clamav-users] Be wary of emails with attachments targeting clamav-users list members
Just a note that in my experience, e-mail phishing detection is routinely disabled, perhaps because of excessive false positives, but also because signature maintenance appears to be a low priority.

Sent from my iPad

-Al-

On Mar 22, 2023, at 10:44, newcomer01 via clamav-users <clamav-users@lists.clamav.net> wrote:
> Hi Paul,
>
> Yes, submit all files. Maybe ClamAV needs different phishing sigs for each file or something ...
> For my submitted file, ClamAV currently does not warn ...
>
> kind greetings
> Marc