From: eFax [email@example.com]The telephone number seems to very but is always in the 0208616xxxx format.
Date: 17 October 2014 11:36
Subject: eFax message from "02086160204" - 1 page(s), Caller-ID: 208-616-0204
Fax Message [Caller-ID: 208-616-0204]
You have received a 1 page fax at 2014-10-17 09:34:48 GMT.
* The reference number for this fax is lon2_did11-4056638710-9363579926-02.
Please visit https://www.efax.co.uk/myaccount/message/lon2_did11-4056638710-9363579926-02 to view this message in full.
Thank you for using the eFax service!
Home Contact Login
Powered by j2
© 2013 j2 Global, Inc. All rights reserved.
eFax® is a registered trademark of j2 Global, Inc.
This account is subject to the terms listed in the eFax® Customer Agreement.
The link in the email goes to some random hacked WordPress site or other with a URL with a format similar to the following:
Then (if your user agent and referrer are correct) it goes to a fake eFax page at http://184.108.40.206:8080/ord/ef.html which does look pretty convincing. (Incidentally if the UA or referrer are not right you seem to get dumped on a pills site of naturaldietpills4u.com).
The download link goes to http://220.127.116.11:8080/ord/FAX_20141008_1412786088_26.zip which is a ZIP file containing a malicious executable FAX_20141008_1412786088_26.exe which has a VirusTotal detection rate of 4/54.
The Malwr report is interesting because it contains many references to bacstel-ip which is the name of an online payment system used by UK businesses. The malware also contains the string
runas /profile /env /user:mydomain\admin "mmc %windir%\system32\dsa.mscIf you are a sysadmin then you might recognise this as being the "Active Directory Users and Computers" admin tool. So, are the bad guys probing for sysadmins?
The malware connects to the following URLs:
I recommend blocking 18.104.22.168 (Digital Ocean, US), 22.214.171.124 (IO-Hosts Ltd, Russia) and 126.96.36.199 (Arachnitec, US)