Tuesday, 1 March 2016

Malware spam: "Emailing: MX62EDO 01.03.2016"

This fake document scan has a malicious attachment. It appears to come from within the victim's own domain.
From:    documents@victimdomain.tld
Date:    1 March 2016 at 13:43
Subject:    Emailing: MX62EDO 01.03.2016

Your message is ready to be sent with the following file or link
attachments:

MX62EDO  01.03.2016 SERVICE SHEET

Note: To protect against computer viruses, e-mail programs may prevent
sending or receiving certain types of file attachments.  Check your e-mail
security settings to determine how attachments are handled.
---
This email has been checked for viruses by Avast antivirus software.
https://www.avast.com/antivirus

I have seen two samples so far, with an attachment that has a similar name to MX62EDO20160301538482.zip which contains a malicious randomly-named script (e.g. PK5293425659.js). Detection rates on the scripts are fairly low [1] [2]. According to these Malwr reports [3] [4] the payload is the Locky ransomware. These two samples download malicious binaries from:

tianshilive.ru/vqmod/xml/87yhb54cdfy.exe
ubermensch.altervista.org/system/logs/87yhb54cdfy.exe
In turn, these attempt to phone home to:

31.184.197.119/main.php
5.34.183.195/main.php
These are the same C&C servers as seen here.
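As an added example (not part of the original post), the following Python script shows how a defender could triage a mailbox or mail-gateway sample for this campaign using only the indicators given above: a From: address in the recipient's own domain, the "Emailing: MX62EDO 01.03.2016" subject, a ZIP attachment named MX62EDO followed by digits, and a .js script inside the ZIP. It also matches proxy-style log lines against the download URLs and C&C hosts listed in the post. The sample message and log lines are constructed here for demonstration; the ZIP member is an inert placeholder, not the real script.

```python
"""Triage checks for the "Emailing: MX62EDO 01.03.2016" malspam run.

Added example, not code from the original post. The message built by
build_sample() is a constructed lookalike; the ZIP contains a harmless
placeholder file rather than the malicious script.
"""
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from email.utils import parseaddr

# Indicators copied from the post.
PAYLOAD_URLS = {
    "tianshilive.ru/vqmod/xml/87yhb54cdfy.exe",
    "ubermensch.altervista.org/system/logs/87yhb54cdfy.exe",
}
C2_HOSTS = {"31.184.197.119", "5.34.183.195"}
SUBJECT_RE = re.compile(r"^Emailing:\s+MX62EDO\s+01\.03\.2016$")
ATTACH_RE = re.compile(r"^MX62EDO\d+\.zip$", re.IGNORECASE)


def build_sample(recipient="someone@victimdomain.tld", sender=None):
    """Return a constructed lookalike of the campaign mail as raw RFC 822 bytes.

    By default the From: address is forged within the recipient's own domain,
    exactly as in the samples described in the post.
    """
    domain = recipient.split("@", 1)[1]
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        # Placeholder standing in for the randomly named malicious script.
        zf.writestr("PK5293425659.js", "// inert placeholder, not the real payload\n")
    msg = EmailMessage()
    msg["From"] = sender or f"documents@{domain}"
    msg["To"] = recipient
    msg["Subject"] = "Emailing: MX62EDO 01.03.2016"
    msg.set_content(
        "Your message is ready to be sent with the following file or link\n"
        "attachments:\n\nMX62EDO  01.03.2016 SERVICE SHEET\n"
    )
    msg.add_attachment(inner.getvalue(), maintype="application", subtype="zip",
                       filename="MX62EDO20160301538482.zip")
    return msg.as_bytes()


def zip_member_names(data):
    """List member names of a ZIP held in memory; empty list if not a ZIP."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.namelist()
    except zipfile.BadZipFile:
        return []


def triage(raw):
    """Return the names of the campaign indicators that fire on a raw message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    from_dom = parseaddr(str(msg.get("From", "")))[1].rsplit("@", 1)[-1].lower()
    to_dom = parseaddr(str(msg.get("To", "")))[1].rsplit("@", 1)[-1].lower()
    # Forged sender inside the victim's own domain, as seen in this run.
    if from_dom and from_dom == to_dom:
        findings.append("from_matches_recipient_domain")
    if SUBJECT_RE.match(str(msg.get("Subject", ""))):
        findings.append("campaign_subject")
    for part in msg.iter_attachments():
        if ATTACH_RE.match(part.get_filename() or ""):
            findings.append("campaign_attachment_name")
        payload = part.get_payload(decode=True) or b""
        # ZIP wrapping a .js script is the delivery vehicle described above.
        if any(n.lower().endswith(".js") for n in zip_member_names(payload)):
            findings.append("zip_contains_js")
    return findings


def ioc_hits(log_lines):
    """Match proxy/firewall style log lines against the post's URLs and C&C hosts."""
    hits = []
    for line in log_lines:
        for url in PAYLOAD_URLS:
            if url in line:
                hits.append(("payload_url", url))
        for host in C2_HOSTS:
            # Anchor so 5.34.183.195 does not also match 15.34.183.195x.
            if re.search(r"(?<![\d.])" + re.escape(host) + r"(?![\d.])", line):
                hits.append(("c2_host", host))
    return hits


if __name__ == "__main__":
    print(triage(build_sample()))
    print(ioc_hits([
        "2016-03-01 13:50:02 GET http://tianshilive.ru/vqmod/xml/87yhb54cdfy.exe 200",
        "2016-03-01 13:50:40 POST http://31.184.197.119/main.php 200",
        "2016-03-01 13:51:00 GET http://example.invalid/ 200",
    ]))
```

The domain check on its own is only a weak signal (legitimate internal mail also matches), which is why the findings are reported together rather than as a single verdict; in practice the same check would be paired with the gateway's SPF/DKIM results.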

9 comments:

D Holloway said...

Received this phishing email "Emailing: MX62EDO 01.03.2016" as a document zip from my internet provider telus.com. Glad I found this alert before I opened it. Thanks a million!!!!!!!!!!!!!

Archa said...

If we receive an email from our own domain, does it mean there's a sending script somewhere in our website files? Should I be running malware checks or contact my website provider?

Jean said...

Thanks for this useful information !

D Sterling said...

If I have already opened the attachment, how do I go about removing the malware code?

Conrad Longmore said...

@Archa - no, this is just a simple forgery. Your server is not sending the email, it really is almost stupidly easy to forge who an email is "From"

@D Sterling - this impacts Windows PCs only. You would have to open the attachment and then run the .js file inside. If infected then your files will be encrypted and you'll see a ransom notice. If you don't see that, then there is a chance you are not infected. Most anti-virus products will catch up with the threat in 24 to 48 hours, so running one later may clean your machine up.

kozaki said...

Hi,
I received such a message and attachment today evening:

> x-mailer: Microsoft Office Outlook 11
> date: Tue, 01 Mar 2016 22:36:07 +0430
> sujet: Emailing: MX62EDO 01.03.2016
> une pièce jointe: MX62EDO201603014484.zip (2,1 Ko)
> ...
> MX62EDO 01.03.2016 SERVICE SHEET

Wonder how the sender got the email: from email lists or rather from bots scanning the Web, what do you think is the probable initial origin? Note: Mine is displayed on some websites for legal motives.

Thanks very much for publishing your inquiry report here!

Cyrille L "kozaki"

spotmom said...

Got one today, too. In Alaska and from my own address. Luckily I don't open attachments that don't make sense and it said it was from me, but I don't have Avast installed, another red flag.

Cliff Prince said...

This comment has been removed by the author.

Cliff Prince said...

Got one myself today (March 2) in my in-box. ... sender is "documents@[mydomain].com", but there's no such email address at that domain (and I should know, since I own and run it!). Topic is "Emailing: MX62EDO 01.03.2016." Attachment is "MX62EDO201603015669.zip". Didn't un-zip it (duh). Text says "scanned by Avast" but I don't use Avast. Scans by MBAM Anti-Malware Bytes and Windows Defender do NOT find this item to be problematic. Hope they update their definitions soon.