Sponsored by..

Wednesday 26 August 2015

Malware spam: "Scanned image from MX-2600N" / "noreply@victimdomain.com"

NOTE:  As of December 2015 there is an updated version of this spam run.

This spam is not from a scanner, but it is instead a simple forgery with a malicious attachment:

From:    noreply@victimdomain.com
Reply-To:    noreply@victimdomain.com
To:    victim@victimdomain.com
Date:    19 May 2014 at 18:11
Subject:    Scanned image from MX-2600N

Reply to: noreply@victimdomain.com [noreply@victimdomain.com]
Device Name: Not Set
Device Model: MX-2600N
Location: Not Set

File Format: DOC MMR(G4)
Resolution: 200dpi x 200dpi

Attached file is scanned image in DOC format.
Use Microsoft(R)Word(R) of Microsoft Systems Incorporated
to view the document.
The email appears to come from the victim's own domain, but it does not. The "From" address on email is extremely easy to forge. So far I have seen three different malicious attachments, each one in the format noreply@victimdomain.com_20150826_181106.doc with detection rates of around 7/56 [1] [2] [3] containing one of three malicious macros [1] [2] [3] which attempt to download a malicious component from one of the following locations:

http://fotolagi.com/45ygege/097uj.exe
http://asterixpr.republika.pl/45ygege/097uj.exe
http://detocoffee.ojiji.net/45ygege/097uj.exe


This malicious binary currently has a VirusTotal detection rate of just 2/54. Automated analysis [1] [2] shows network traffic to 91.239.232.9 (Hostpro Ltd, Ukraine) which has been used in serveral attacks recently. The payload is almost definitely the Dridex banking trojan.

1 comment:

Unknown said...

Thanks - great information. The latest email I got was very good and sent to an old co-worker email account. Very clever!