Malware sent in .ace format

This one made me look twice. I’m intercepting a lot of malware spreading attempts with text that starts out thus:

Dear Sir or madam
 I'm milad and our company called UTIACHEM CO. located in Tehran-Iran.
 Following a telephone conversation with my colleague.
 I was going to send me your request.
 We have an inquiry from your products as attached file,please check.
 Please answer each request.
 Please certificate and an analysis and data sheet product send it to us.


They’re notable because they contain a pair of files of similar length (454K) which have names ending in .jpg.ace. It took me a while to figure this out; they’re compressed using a program called WinAce, a proprietary (paid for) German program from the late 1990’s. The only people likely to have a copy of this will likely be running Windows 98 – or so I thought. The company is still going, much to my surprise, and there are Linux and Mac versions too – although not UNIX, BSD, Android, Apple OS or anything else you’d need if you wanted to compete as a cross-platform archive format. There is, however, a DLL for unpacking that may be used in other people’s products, so perhaps decoders are more prevalent than might first appear.

I wonder how many they’ll have to spam out before they find someone (a) with an ACE decoder; and (b) dumb enough to use it?

Incidentally, most of these spams trace back to Mandril (aka Mailchimp), and are probably uploaded there by someone abusing an IOMart account (from Nottingham). In other words, zero abuse enforcement, based on previous attempts to contact them.

Leave a Reply

Your email address will not be published. Required fields are marked *