Sponsored by..

Monday 24 August 2015

Malware spam: "Message from scanner" / "scanner.coventrycitycentre@brianholt.co.uk"

I don't have the body text for this particular message, but I can tell you this is not from Brian Holt (a property agent in Coventry, UK) but is instead a simple forgery with a malicious attachment.

Subject     Message from scanner
From     scanner.coventrycitycentre@brianholt.co.uk
X-Mailer     KONICA MINOLTA bizhub C360
Date     Wed, 12 Aug 2015 08:19:28 +0000
Message-Id     [55CB0190.015.00206B68D2CD.scanner.coventrycitycentre@brianholt.co.uk]
MIME-Version     1.0
Content-Type     multipart/mixed; boundary="KONICA_MINOLTA_Internet_Fax_Boundary"
Content-Transfer-Encoding     7bit

To show the level of detail the bad guys go to, they have even included extra mail headers (usually hidden) to attempt to identify the sender as a Konica MFD. It's a strange thing to do, considering that anyone skilled enough to examine the mail headers should also notice the malicious executable Sscanner15081208190.exe embedded into the attachment Sscanner15081208190.zip . This executable has a detection rate of just 5/54.

The Hybrid Analysis report shows the malware POSTing to:

smboy.su/mu/tasks.php

.SU (Soviet Union) domains are almost always bad news. If you can block them on your web filter then I recommend that you do so. This particular site is hosted on 95.172.146.73 (RTComm-Sibir, Russia). The  network range of 95.172.146.0/23 does seem to contain some legitimate Russian-language sites, but you might want to block the whole range to be on the safe side.

The payload is unknown, but typically malware like this will drop either the Dyre banking trojan or some sort of ransomware.

No comments: