Sponsored by..

Wednesday 23 October 2013

"Voice Message from Unknown" spam / VoiceMessage.exe

These bogus voice message spams have a malicious attachment:

Date:      Wed, 23 Oct 2013 19:17:42 +0530 [09:47:42 EDT]
From:      Administrator [voice8@victimdomain]
Subject:      Voice Message from Unknown (553-843-8846)

- - -Original Message- - -

From: 553-843-8846
Sent: Wed, 23 Oct 2013 19:17:42 +0530
To: [recipient list at victimdomain]
Subject: Important: to all Employee



Date:      Wed, 23 Oct 2013 08:36:24 -0500 [09:36:24 EDT]
From:      Administrator [voice3@victimdomain]
Subject:      Voice Message from Unknown (586-898-9333)

- - -Original Message- - -

From: 586-898-9333
Sent: Wed, 23 Oct 2013 08:36:24 -0500
To: [recipient list at victimdomain]
Subject:  Employees Only 



Date:      Wed, 23 Oct 2013 16:40:22 +0300 [09:40:22 EDT]
From:      Administrator [voice2@victimdomain]
Subject:      Voice Message from Unknown (998-948-7548)

- - -Original Message- - -

From: 998-948-7548
Sent: Wed, 23 Oct 2013 16:40:22 +0300
To: [recipient list at victimdomain]
Subject:  Employees Only

In each case there is an attachment VoiceMessage.zip which in turn contains an executable VoiceMessage.exe with an icon to make it look like an audio file.

Obviously this is malicious, and the detection rate at VirusTotal is a pretty poor 5/46. Automated analysis [1] [2] shows an attempted connection to glyphs-design.com on 212.199.115.173 (012 Smile Communications Ltd, Israel). Blocking that domain is probably prudent, however there are several hundred legitimate domains on the same server, so bear that in mind if you choose to block it.

Added:
The mail goes as far to include fake mail headers to suggest that the spam comes from inside the victim's network (when it does not). For example..
from unknown (192.168.1.88) by filter8.******** with QMQP; 23 Oct 2013 13:47:40 -0000
from unknown (HELO aexp.com) (203.193.165.78) by mxin1.******** with SMTP; 23 Oct 2013 13:48:41 -0000
from voice903.******** (10.0.0.168) by ******** (10.0.0.109) with Microsoft SMTP Server (TLS) id FUOMD6AZ; Wed, 23 Oct 2013 19:17:42 +0530
from voice5005.******** (10.179.13.59) by smtp.******** (10.0.0.34) with Microsoft SMTP Server id YEP40NNY; Wed, 23 Oct 2013 19:17:42 +0530

7 comments:

Wurgl said...

I got a very similar mail. The interesting thing in this spam is the fact, thst the mailer-chain seems to be faked. Two lines at the end are added and those lines try to buffle me that the line is some in-house mail.

Similar to:
Received: from voice033.<mydomain>.de (10.0.0.51) by <mydomain>.de (10.0.0.180) with Microsoft SMTP Server (TLS) id <someid>; Wed, 23 Oct 2013 14:<xx>:<xx> +0100
Received: from voice6953.<mydomain>.de (10.37.56.88) by smtp.<mydomain>.de (10.0.0.108) with Microsoft SMTP Server id <someid>; Wed, 23 Oct 2013 14:<xx>:<xx> +0100

Do you see these two lines too?

Conrad Longmore said...

Wow, yes. I didn't notice that but the faked headers are there..

from unknown (192.168.1.88) by filter8.******** with QMQP; 23 Oct 2013 13:47:40 -0000
from unknown (HELO aexp.com) (203.193.165.78) by mxin1.******** with SMTP; 23 Oct 2013 13:48:41 -0000
from voice903.******** (10.0.0.168) by ******** (10.0.0.109) with Microsoft SMTP Server (TLS) id FUOMD6AZ; Wed, 23 Oct 2013 19:17:42 +0530
from voice5005.******** (10.179.13.59) by smtp.******** (10.0.0.34) with Microsoft SMTP Server id YEP40NNY; Wed, 23 Oct 2013 19:17:42 +0530

Unknown said...

The attachment contains a new variant of the CryptoLocker Trojan. Very Bad.

Julio said...

I ran the executable in a test machine and a new process called xeutad.exe showed up.
I looked for CryptoLocker in the registry but did not find it.
Anyone else seeing something else?

Julio said...

Other findings:

http://tools.cisco.com/security/center/viewThreatOutbreakAlert.x?alertId=28182

http://nakedsecurity.sophos.com/2013/10/12/destructive-malware-cryptolocker-on-the-loose/

Julio said...

So after some analysis, looks like the malware comes with many different names.
I found a file called xeutad.exe lurking in the processes and registry. The file could not be found by Malwarebytes nor Security Essentials.
Wireshark showed a kazaa connection attempt while idle so apparently the malware was attempting to "call home" to authenticate.

bexterinni said...

I got this email today and very stupidly clicked on the attached zip file thinking it was legit. I'm on a Mac ... now what do i do? Is there a way to tell if my machine is infected, and is there anything i can do at this point?