Thursday, 17 October 2013

"Scan from a Xerox WorkCentre" spam / A136_Incoming_Money_Transfer_Form.exe

The malware spammers are suffering from a chronic lack of imagination with this familiar fake printer spam:

Date:      Thu, 17 Oct 2013 13:01:52 -0600 [15:01:52 EDT]
From:      Incoming Fax [Incoming.Fax3@victimdomain.com]
Subject:      Scan from a Xerox WorkCentre

Please download the document.  It was scanned and sent to you using a Xerox multifunction device.

File Type: pdf
Download: Scanned from a Xerox multi~9.pdf

multifunction device Location: machine location not set
Device Name: Xerox1552


For more information on Xerox products and solutions, please visit http://www.xerox.com
Attached is a ZIP file, Scanned from a Xerox multi~6.zip, which in turn contains the executable A136_Incoming_Money_Transfer_Form.exe; that file has a VirusTotal detection rate of 6/48.

Automated analysis [1] [2] [3] shows a connection to cushinc.com on 209.236.71.58 (Westhost, US). This is the same server as seen yesterday, so my best guess is that the server has been compromised and that potentially all 600+ domains hosted on it are too. Blocking that IP address may be prudent.
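As an added detection example (not part of the original post), the Python below checks an inbound message for the two tells this spam run shows: the body claims a PDF while the attachment is a ZIP, and the ZIP carries an executable. The sample message is constructed here to mirror the spam; the .exe member is inert placeholder bytes, not the real malware.

```python
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage

# Extensions treated as directly executable on a Windows desktop
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs"}

def _ext(name):
    """Lower-cased extension including the dot, or '' if there is none."""
    return name[name.rfind("."):].lower() if "." in name else ""

def inspect_message(msg):
    """Return a list of (rule, detail) findings for one parsed EmailMessage."""
    findings = []
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    # The lure states a file type in the body; compare it with what is actually attached
    m = re.search(r"^File Type:\s*(\w+)", text, re.MULTILINE | re.IGNORECASE)
    claimed = "." + m.group(1).lower() if m else None
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = _ext(name)
        if claimed and ext != claimed:
            findings.append(("claimed_type_mismatch", f"body says {claimed}, attachment is {name}"))
        if ext in EXECUTABLE_EXTS:
            findings.append(("executable_attachment", name))
        if ext == ".zip":
            # Look inside the archive without extracting anything to disk
            try:
                with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))) as zf:
                    for member in zf.namelist():
                        if _ext(member) in EXECUTABLE_EXTS:
                            findings.append(("executable_in_archive", f"{name} -> {member}"))
            except zipfile.BadZipFile:
                findings.append(("corrupt_archive", name))
    return findings

def build_sample():
    """Constructed message mirroring the spam; the .exe member is placeholder bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("A136_Incoming_Money_Transfer_Form.exe", b"placeholder, not an executable")
    msg = EmailMessage(policy=policy.default)
    msg["From"] = "Incoming Fax <Incoming.Fax3@victimdomain.com>"
    msg["Subject"] = "Scan from a Xerox WorkCentre"
    msg.set_content("Please download the document.\n\nFile Type: pdf\nDownload: Scanned from a Xerox multi~9.pdf\n")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="Scanned from a Xerox multi~6.zip")
    return msg
```

Running `inspect_message(build_sample())` yields a type-mismatch finding and an executable-in-archive finding; either alone is a reasonable quarantine trigger for a mail gateway.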