It begins with a simple fake fax message..
From: MyFax [email@example.com]There are *lots* of these download locations, the ones I have personally seen are:
Date: 8 January 2015 at 17:11
Subject: Fax #6117833
Sent date: Thu, 8 Jan 2015 17:11:53 +0000
Each one of these pages contains a script that looks like this:
<!DOCTYPE html>So far, so good. But the scripts seem insane, like this one.
Now, this script passes some browser variables to the next step (described here, I won't reinvent the wheel), and if you have all your ducks in a row you might get a "Read message" link.
The download link looks something like this - http://stylista.com.cy/js/jquery-1.7.50.js?get_message=2151693229 - which in this case downloads the curiously named file "message.zip ;.zip ;.zip ;" which contains a file fax_letter_pdf.exe which is of course malicious.
Now, it's worth pointing out that there is strong evidence that the EXE-in-ZIP file downloaded here has several different version. In this case it has a VirusTotal detection rate of 3/56. I have seen at least two other MD5s though, I think each download site might have a different variant.
The Malwr report for this binary takes us a little deeper down the rabbit hole. We can see that it communicates with the following URLs:
It also drops a file EXE1.EXE which has a detection rate of 4/56. That analysis indicates that the payload is the Dyreza banking trojan.
All this seems like a lot of effort to drop a ZIP file with a funny name, but it does go some way to obfuscating the payload.