Sponsored by..

Friday 9 January 2015

Malware spam: "Employee Documents - Internal Use" / "Fax [no-replay@fax-voice.com]"

This fake fax run is a variation of this one from yesterday.
From:    Fax [no-replay@fax-voice.com]
Date:    9 January 2015 at 14:52
Subject:    Employee Documents - Internal Use

DOCUMENT NOTIFICATION, Powered by NetDocuments

DOCUMENT NAME: Fax Documents

DOCUMENT LINK: http://rehberhatay.com/files/get_msg.html
As before, there are several links leading to different download locations, the ones I have personally seen are:

http://isschennai.com/files/get_msg.html
http://java.bizhat.com/files/get_msg.html
http://tradedeal.in/files/get_msg.html
http://cecileandsimonswedding.com/files/get_msg.html
http://kimtrotman.com/files/get_msg.html
http://forum-adb.org/files/get_msg.html
http://munimejia.gob.pe/files/get_msg.html
http://rehberhatay.com/files/get_msg.html
http://marinethrusters.com/files/get_msg.html
http://homeworkhelpindia.com/files/get_msg.html

These landing pages lead to a pair of jjencoded javascripts hosted on different files. I explained a little about those last time, so I won't go into much more detail about how to handle those.

What is interesting though is that the download location that you coax out of the script is time-limited. If you wait too long, you get a nonsense script instead. And possibly even more interesting is that every time you download the target ZIP file "message.zip ;.zip ;.zip ;" it seems to be different.

Visiting the sites I listed above get ten different download locations:

http://hudsoncityholdings.com/js/jquery-1.6.39.js?get_message=4068432082
http://murillodesign.com.au/js/jquery-1.6.39.js?get_message=1390167085
http://murillodesign.com.au/js/jquery-1.6.39.js?get_message=337687660
http://hudsoncityholdings.com/js/jquery-1.6.39.js?get_message=3612499004
http://advancedhealthconnections.com/js/jquery-1.6.39.js?get_message=4238661099
http://murillodesign.com.au/js/jquery-1.6.39.js?get_message=2377682563
http://murillodesign.com.au/js/jquery-1.6.39.js?get_message=2792412553
http://murillodesign.com.au/js/jquery-1.6.39.js?get_message=1104895466
http://advancedhealthconnections.com/js/jquery-1.6.39.js?get_message=3161145159
http://advancedhealthconnections.com/js/jquery-1.6.39.js?get_message=138855569

That led to 10 different ZIP files containing different EXE files, each one with similar VT results [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] and in turn Malwr reports that they are almost identically functionally [1] [2] [3] [4] [5] [6] [7] [8] [9] [10].

Although those reports indicate some difference in the port numbers, we can see the following URLs being accessed:

http://202.153.35.133:55365/0901us1/HOME/0/51-SP3/0/
http://202.153.35.133:55365/0901us1/HOME/1/0/0/
http://crecrec.com/mandoc/nuts12.pdf
http://202.153.35.133:55350/0901us1/HOME/41/7/4/
http://samrhamburg.com/img/ml1.tar

202.153.35.133  (Excell Media Pvt Lt, India) is probably the key thing to block.

Despite the differences in the downloader, they all seem to drop a randomly-named file with identical characterstics in each case. This has a VirusTotal detection rate of 1/55 and you can see the Malwr report for that file here.

For researchers only, a copy of the file involved can be found here, password=infected

1 comment:

Lowson said...

More:

http://deedurhamdesign.com/files/get_msg.html
http://dehomefurniture.com/files/get_msg.html
http://forum-adb.org/files/get_msg.html
http://helico.com/files/get_msg.html
http://homeworkhelpindia.com/files/get_msg.html
http://java.bizhat.com/files/get_msg.html
http://kimtrotman.com/files/get_msg.html
http://marinethrusters.com/files/get_msg.html
http://obx-phone.com/files/get_msg.html
http://ordnancerta.com/files/get_msg.html
http://ptvalue.com/files/get_msg.html
http://rehberhatay.com/files/get_msg.html
http://tradedeal.in/files/get_msg.html
http://www.deedurhamdesign.com/files/get_msg.html
http://www.dehomefurniture.com/files/get_msg.html
http://www.forum-adb.org/files/get_msg.html
http://www.helico.com/files/get_msg.html
http://www.homeworkhelpindia.com/files/get_msg.html
http://www.kimtrotman.com/files/get_msg.html
http://www.marinethrusters.com/files/get_msg.html
http://www.obx-phone.com/files/get_msg.html
http://www.ordnancerta.com/files/get_msg.html
http://www.ptvalue.com/files/get_msg.html
http://www.rehberhatay.com/files/get_msg.html
http://www.tradedeal.in/files/get_msg.html