Attention! Attackers are distributing a Trojan via e-mail

The Computer Emergency Response Team KZ-CERT warns that attackers are sending e-mails containing links to malicious software.

Since September 2015, Internet users have been receiving e-mail messages purportedly sent by a company that is undergoing a tax audit. The messages carry the subject "Documents":

«Hello!
Our company is undergoing a tax audit. We are missing one contract and invoice with you.
A very big request: please sign, scan and send it to us today. The archive is attached

Link to download the files: (malicious links were given here) The files will be stored until 24.10.2015».

Following the link downloads a malicious file that carries a Microsoft Word icon to mislead the user about its true content.

The attackers use the .scr (screen saver) extension because users often do not regard it as dangerous, even though Windows runs .scr files as ordinary executables. In addition, automated controls (for example, download filtering on a proxy server) do not always cover this extension, unlike .exe and .com.

Many anti-virus products detect the object under the name Cryakl, one of the currently active encrypting Trojans (ransomware).

This malware is particularly dangerous because, at present, data encrypted by the Trojan cannot be decrypted in many cases.

File extensions that the malware encrypts:

113, 1cd, 3gp, 7z, accdb, arj, asm, bak, cdr, cer, cpt, csv, db3, dbf, doc, docx, dt, dwg, fbf, fbk, fbw, fbx, fdb, gbk, gho, gzip, jpeg, jpg, key, keystore, ldf, m2v, m3d, max, mdb, nbd, nrw, nx1, odb, odc, odp, ods, odt, old, orf, p12, pdf, pef, ppsx, ppt, pptm, pptx, pst, ptx, pwm, pz3, qic, r3d, rar, raw, rtf, rwl, rx2, sbs, sn1, sna, spf, sr2, srf, srw, tbl, tib, tis, txt, wab, wps, x3f, xls, xlsb, xlsk, xlsm, xlsx, zip.

The sample thus encrypts office documents (Microsoft Office and OpenOffice), archives, images, database files, cryptographic keys and keystores, 1C:Enterprise data files, and more.
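The two file-level symptoms described above, an executable hiding behind a document icon and a document whose content no longer matches its extension, can both be triaged from the file name and the first bytes of the file. The Python script below is an added example written for this page, not a tool from KZ-CERT or any anti-virus vendor. The signature table and the sample files built in demo() are assumptions for illustration; a variant that renames encrypted files to a new extension would not be matched by the extension table, so treat the result as a triage hint rather than proof.

```python
"""Triage helper for two symptoms of the Cryakl incident described above:
(1) an executable (.scr, .exe, ...) dressed up as a document, and
(2) a file whose extension is on the Cryakl target list but whose content
no longer matches that format, which is what an encrypted file looks like.

Added example, not part of the KZ-CERT advisory.  Detection uses the file
extension plus the leading "magic" bytes only; an attacker can defeat it.
"""
import os
import shutil
import sys
import tempfile

# Extensions Windows executes directly, whatever icon the file displays.
EXECUTABLE_EXTENSIONS = {"scr", "exe", "com", "pif", "cpl", "bat", "cmd"}

# Expected leading bytes for the part of the advisory's list where the
# format has a stable signature.  docx/xlsx/pptx/odt/ods/odp are ZIP files.
MAGIC = {
    "doc": b"\xd0\xcf\x11\xe0", "xls": b"\xd0\xcf\x11\xe0", "ppt": b"\xd0\xcf\x11\xe0",
    "docx": b"PK\x03\x04", "xlsx": b"PK\x03\x04", "pptx": b"PK\x03\x04",
    "odt": b"PK\x03\x04", "ods": b"PK\x03\x04", "odp": b"PK\x03\x04",
    "zip": b"PK\x03\x04", "pdf": b"%PDF", "rtf": b"{\\rtf",
    "jpg": b"\xff\xd8\xff", "jpeg": b"\xff\xd8\xff",
    "rar": b"Rar!\x1a\x07", "7z": b"7z\xbc\xaf\x27\x1c",
    "pst": b"!BDN", "gzip": b"\x1f\x8b", "gz": b"\x1f\x8b",
}
PE_MAGIC = b"MZ"  # first two bytes of every Windows executable (.exe, .scr, .dll)


def classify(filename: str, head: bytes) -> str:
    """Classify a file from its name and its first bytes.

    'disguised_executable': executable extension and/or PE content (the icon
                            is irrelevant, Windows runs .scr like .exe)
    'likely_encrypted':     extension on the target list, content does not
                            match the format (typical after encryption)
    'intact':               extension known and content matches
    'unknown':              extension not in the table, cannot judge
    """
    name = filename.lower()
    ext = name.rsplit(".", 1)[-1] if "." in name else ""
    if ext in EXECUTABLE_EXTENSIONS or head.startswith(PE_MAGIC):
        return "disguised_executable"
    if ext not in MAGIC:
        return "unknown"
    if head.startswith(MAGIC[ext]):
        return "intact"
    return "likely_encrypted"


def scan_directory(root: str) -> dict:
    """Walk `root` and collect suspicious paths.  Only the first 16 bytes of
    each file are read, so this is cheap enough for a large file share."""
    report = {"disguised_executable": [], "likely_encrypted": []}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(16)
            except OSError:
                continue  # unreadable file: skip, do not abort the scan
            verdict = classify(fn, head)
            if verdict in report:
                report[verdict].append(path)
    return report


def demo() -> dict:
    """Build a throw-away directory of constructed sample files (not real
    malware, just headers) and scan it; returns the report."""
    root = tempfile.mkdtemp(prefix="cryakl_triage_")
    samples = {
        "Documents.scr": b"MZ\x90\x00\x03\x00",          # PE stub behind a .scr
        "contract.pdf": b"%PDF-1.4\n%\xe2\xe3\xcf\xd3",   # healthy PDF header
        "invoice.xlsx": b"\x8f\x2a\x11\x4c\xbe\x07\x9d",  # junk where 'PK' belongs
        "readme.txt": b"plain text",                       # no reliable signature
    }
    try:
        for name, head in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(head)
        return scan_directory(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    result = scan_directory(sys.argv[1]) if len(sys.argv) > 1 else demo()
    for verdict, paths in result.items():
        for p in paths:
            print(f"{verdict}: {p}")
```

Run it as `python triage.py <path>` against a share after an incident to list executables masquerading as documents and documents that appear to have been encrypted; without an argument it scans the constructed samples from demo().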

Be careful and do not click links in e-mails from unknown sources.

If you have run the file by mistake, terminate the mail.exe process as quickly as possible via Task Manager (press Ctrl + Alt + Del, or Ctrl + Shift + Esc to open it directly). The sooner the process is stopped, the fewer files will be encrypted.

After that, without restarting the computer (the malware starts again automatically after a reboot), install an anti-virus scanning utility that does not require a reboot to install (for example, Kaspersky Virus Removal Tool or Dr.Web CureIt!) and scan the computer.

If you are unable to perform these technical operations yourself, then after terminating the mail.exe process, and without shutting down or restarting the computer, hand the problem to technical specialists.
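The same steps as a script, for an administrator who would rather not hunt through Task Manager: this is an added example, not part of the advisory. It assumes the process is literally named mail.exe as stated above, and it additionally lists autorun entries in the Run registry keys that mention that name, which is one plausible place (an assumption, not something the advisory confirms) for the malware to register the restart mentioned above. The tasklist output in SAMPLE_TASKLIST is constructed; the Windows-only actions are skipped on other systems so the parsing can be exercised anywhere, and killing the process does not remove the malware, it only buys time for the scan.

```python
"""Command-line version of the 'kill mail.exe, do not reboot' step above.
Added example, not from the KZ-CERT advisory.  Assumptions: the process
name is exactly mail.exe; the HKCU/HKLM ...\\CurrentVersion\\Run keys are one
place worth checking for the restart persistence the advisory mentions.
"""
import csv
import io
import subprocess
import sys

# Constructed sample of `tasklist /FO CSV /NH` output (not a real capture).
SAMPLE_TASKLIST = (
    '"explorer.exe","1234","Console","1","45,000 K"\r\n'
    '"mail.exe","4321","Console","1","12,000 K"\r\n'
    '"mail.exe","4400","Console","1","12,100 K"\r\n'
)


def pids_for_image(tasklist_csv: str, image: str = "mail.exe") -> list:
    """Return every PID running `image`.  Task Manager shows instances one
    at a time; a second copy left running keeps encrypting."""
    pids = []
    for row in csv.reader(io.StringIO(tasklist_csv)):
        if len(row) >= 2 and row[0].lower() == image.lower():
            pids.append(int(row[1]))
    return pids


def taskkill_command(pids) -> list:
    """One taskkill invocation: force (/F) and include child processes (/T)."""
    cmd = ["taskkill", "/F", "/T"]
    for pid in pids:
        cmd += ["/PID", str(pid)]
    return cmd


def run_key_entries_mentioning(needle: str = "mail.exe") -> list:
    """Windows only: (hive, value name, command) for Run-key entries whose
    command line mentions `needle`.  Returns [] elsewhere."""
    if sys.platform != "win32":
        return []
    import winreg  # standard library on Windows only
    hits = []
    hives = ((winreg.HKEY_CURRENT_USER, "HKCU"), (winreg.HKEY_LOCAL_MACHINE, "HKLM"))
    for hive, hname in hives:
        try:
            key = winreg.OpenKey(hive, r"Software\Microsoft\Windows\CurrentVersion\Run")
        except OSError:
            continue
        with key:
            i = 0
            while True:
                try:
                    name, value, _ = winreg.EnumValue(key, i)
                except OSError:
                    break  # no more values
                if needle.lower() in str(value).lower():
                    hits.append((hname, name, value))
                i += 1
    return hits


def main() -> int:
    if sys.platform != "win32":
        print("Run this on the affected Windows machine; sample parse only:",
              pids_for_image(SAMPLE_TASKLIST))
        return 1
    out = subprocess.run(["tasklist", "/FO", "CSV", "/NH"],
                         capture_output=True, text=True, check=True).stdout
    pids = pids_for_image(out)
    if pids:
        subprocess.run(taskkill_command(pids), check=False)
        print("terminated PIDs:", pids)
    for hive, name, value in run_key_entries_mentioning():
        print(f"autorun entry {hive}\\...\\Run\\{name} = {value} (review before any reboot)")
    print("Do NOT reboot; run Kaspersky Virus Removal Tool or Dr.Web CureIt! now.")
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Run it from an elevated prompt so taskkill can reach a process started by another user session; the HKLM Run key also needs administrator rights to read in some configurations.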

General advice on protecting data against encrypting Trojans:

Always use anti-virus software with an up-to-date signature database.

More than 300 thousand new malicious objects currently appear worldwide every day, so if your databases are a week out of date, your anti-virus software cannot detect more than two million malicious objects (other than those it can identify by their behaviour).

Keep a current backup of your data, in particular documents, critical databases and information systems (for example, 1C:Enterprise).

These copies should be stored separately from the working system: on a removable drive that is disconnected once the backup is done, or on another machine to which the host has no write access (so that the malware cannot encrypt data on network shares or on a connected removable drive).

Choose the backup frequency according to how often the data changes and how valuable it is (for example, 1C:Enterprise files should be backed up at least once a day).

Do not open files received by e-mail (or downloaded from the Internet) from untrusted sources, at least not on a computer that has access to live operational data.

Even if you trust the sender, an unusual message (an unexpected subject that was not discussed earlier, or a style untypical of the sender) should put you on guard: your colleague's account may have been compromised and the malicious object sent in their name.

Messages demanding urgent action (hurry, approve, check) are especially dangerous when they come from unknown senders or in an inappropriate context, for example nobody told you by telephone or any means other than e-mail that urgent action was needed, and then an e-mail with such a demand arrives.

If you work with very important data and cannot ignore such messages (for example, you process incoming mail), handle them on a separate computer that is not connected to the production network.

Recommendations for the technical staff maintaining the computers:

Configure the company proxy server to block access to the website http://localstrip.com
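For a Squid proxy, the block rule, together with a rule that also refuses .scr downloads (see the note on that extension above), looks like the fragment below. This is an added example, not configuration published by KZ-CERT; the ACL names are arbitrary, and both deny lines must appear before the http_access allow rules for the local network, otherwise Squid never evaluates them.

```squid
# Refuse the distribution site named in the advisory (leading dot also
# covers any subdomain).  Place these lines above "http_access allow localnet".
acl cryakl_site dstdomain .localstrip.com
http_access deny cryakl_site

# Refuse screen-saver executables by URL path.  .scr is a plain Windows
# executable, yet many download filters only look for .exe and .com.
acl scr_download urlpath_regex -i \.scr$
http_access deny scr_download
```

An HTTPS connection through the proxy exposes only the host name in the CONNECT request, so the path-based .scr rule applies to plain HTTP downloads; the dstdomain rule still matches the host for HTTPS.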

On important computers, enable security technologies based on the default-deny principle; this is implemented in many anti-virus products.

Each anti-virus vendor may call this technology by a different name; if you cannot find information on configuring it in the user or administrator documentation, contact the vendor's technical support.

This technology does impose strict (but configurable) restrictions. However, it provides a high level of protection for computers that process important information.

You can also configure the application control feature (the name varies by product) so that the anti-virus product blocks attempts by untrusted software to modify the file types that matter to you (selected by extension).

If you encounter suspicious e-mails or suspicious web pages, please report them by telephone on 1400 or by e-mail to info@kz-cert.kz.