Malware spam: "Employee Documents - Internal Use" / "You have a new voice" / "BACS Transfer : Remittance for JSAG244GBP" / "New Fax"

Whoever is running this spam run is evolving it day after day, with different types of spam to increase clickthrough rates and now some tricky tools to prevent analysis of the malware.

Employee Documents - Internal Use

From:     victimdomain
Date:     26 September 2014 09:41
Subject:     Employee Documents - Internal Use

DOCUMENT NOTIFICATION, Powered by NetDocuments

DOCUMENT NAME: Employee Documents

DOCUMENT LINK: http://iqmaintenance.com.au/Documents/document26092014-20.pdf

Documents are encrypted in transit and store in a secure repository

---------------------------------------------------------------------------------
This message may contain information that is privileged and confidential. If you received this transmission in error, please notify the sender by reply email and delete the message and any attachments.

You have a new voice

From:     Voice Mail [Voice.Mail@victimdomain]
Date:     26 September 2014 09:30
Subject:     You have a new voice

You are receiving this message because we were unable to deliver it, voice message did not go through because the voicemail was unavailable at that moment.

* The reference number for this message is _qvs4004011004_001

The transmission length was 26
Receiving machine ID : ES7D-ZNA1D-QF3E

To download and listen your voice mail please follow the link below: http://www.sjorg.com/Documents/voice26092014-18

The link to this secure message will expire in 24 hours. If you would like to save a copy of the email or attachment, please save from the opened encrypted email. If an attachment is included, you will be given the option to download a copy of the attachment to your computer.

RBS: BACS Transfer : Remittance for JSAG244GBP

From:     Douglas Byers [creditdepart@rbs.co.uk]
Date:     26 September 2014 10:12
Subject:     BACS Transfer : Remittance for JSAG244GBP

We have arranged a BACS transfer to your bank for the following amount : 4596.00
Please find details at our secure link below:

http://plugdeals.com/Documents/payment26092014-15

New Fax

From:     FAX Message [fax@victimdomain]
Date:     26 September 2014 10:26
Subject:     New Fax

You have received a new fax .
Date/Time: Fri, 26 Sep 2014 16:26:36 +0700.
Your Fax message can be downloaded here : http://montfort.dk/Documents/faxmessage26092014-16

The links in the emails I have seen go to the following locations (there are probably many, many more):

http://plugdeals.com/Documents/payment26092014-15
http://iqmaintenance.com.au/Documents/document26092014-20.pdf
http://www.sjorg.com/Documents/voice26092014-18
http://montfort.dk/Documents/faxmessage26092014-16

The attack has evolved recently.. usually these malicious links forwarded on to another site which had the malicious payload. Because all the links tended to end up at the same site, it was quite easy to block that site and foil the attack. But recently the payload is spread around many different sites making it harder to block.

A new one today is that the landing page is somewhat obfuscated to make it harder to analyse, and this time the download is a plain old .scr file rather than a .zip. I've noticed that many anti-virus products are getting quite good at detecting the malicious ZIP files with a generic detection, but not the binary within. By removing the ZIP wrapper, the bad guys have given one less hook for AV engines to find.

The landing page script looks like this [pastebin] which is a bit harder to deal with, but nonetheless an malicious binary document7698124-86421_pdf.scr is downloaded from the remote site which has a VirusTotal detection rate of 2/55. The Anubis report shows the malware attempting to phone home to padav.com which is probably worth blocking.