
Friday 18 October 2013

Avaya "Voice Mail Message" spam with a malicious payload

This fake voice mail message appears to originate from within the victim's own domain (although that is just a forgery):

Date:      Fri, 18 Oct 2013 09:19:42 -0600 [11:19:42 EDT]
From:      Voice Mail Message [1c095eb9-fa18-74e5-b@victimdomain.com]
Subject:      Voice Mail Message ( 45 seconds )

This voice message was created by Avaya Modular Messaging. To listen to this voice
message,just open it.

Attached is a file VoiceATT0685424.zip which in turn contains a malicious executable VoiceMessageTT.exe with an icon to make it look like an audio file. This trick can work if Windows is hiding file extensions, a stupid default setting that has no doubt led to millions of Windows users being infected over the years.

Of course, the .exe file is malware with a pretty low detection rate of just 3/48 at VirusTotal. Automated analysis [1] [2] [3] shows a connection to a domain called adamdevarney.com on 209.236.71.58 (Westhost, US) which has been seen twice before. This means that there are potentially hundreds of compromised domains on the same server, so blocking traffic to the IP address will be the most effective way of giving yourself some protection.
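With detection this low, a mail gateway cannot rely on signatures alone, but it can refuse any ZIP attachment that carries a Windows executable, whatever the icon or name suggests. The following is an added example, not part of the original post: the function names, the extension list and the sender address are assumptions, and the sample message is constructed (the "executable" is 64 harmless bytes that merely start with `MZ`).

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Extensions Windows runs on double-click (short, non-exhaustive list).
EXEC_EXTS = (".exe", ".scr", ".com", ".pif", ".cpl")

def risky_members(zip_bytes):
    """Return (member, reason) for archive members that look executable."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            with zf.open(info) as fh:  # raises RuntimeError if encrypted
                magic = fh.read(2)
            if magic == b"MZ":  # DOS/PE header, whatever the name claims
                hits.append((info.filename, "MZ header"))
            elif info.filename.lower().endswith(EXEC_EXTS):
                hits.append((info.filename, "executable extension"))
    return hits

def scan_message(raw):
    """Check every .zip attachment of a raw RFC 5322 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        fname = part.get_filename() or ""
        if not fname.lower().endswith(".zip"):
            continue
        try:
            found = risky_members(part.get_content())
            findings += [(fname, member, why) for member, why in found]
        except (zipfile.BadZipFile, RuntimeError):
            findings.append((fname, "", "unreadable or encrypted archive"))
    return findings

def build_sample():
    """Constructed message modelled on the spam above; payload is inert."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("VoiceMessageTT.exe", b"MZ" + b"\x00" * 62)
    msg = EmailMessage()
    msg["From"] = "Voice Mail Message <sender@victimdomain.com>"  # constructed
    msg["Subject"] = "Voice Mail Message ( 45 seconds )"
    msg.set_content("To listen to this voice message, just open it.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="VoiceATT0685424.zip")
    return msg.as_bytes()

if __name__ == "__main__":
    print(scan_message(build_sample()))
```

Checking the first two bytes as well as the extension means a renamed executable is still caught, and archives that cannot be opened are reported rather than silently passed.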
