Sponsored by..

Tuesday 28 January 2014

RingCentral "New Fax Message on 01/22/2013" spam

This fake RingCentral fax spam has a malicious attachment:
Date:      Tue, 28 Jan 2014 14:28:24 +0000 [09:28:24 EST]
From:      Sheila Wise [client@financesup.ru]
Subject:      New Fax Message on 01/22/2013

You Have a New Fax Message
From:     (691) 770-2954
Received:     Wednesday, January 22, 2014 at 11:31 AM
Pages:     5

To view this message, please open the attachment

Thank you for using RingCentral.
Attached is a file fax.zip which in turn contains a malicious exectable fax.doc.exe with an icon to make it look like a Word document. The VirusTotal detection rate for the document is 10/50, and the Malwr analysis shows an attempted callback to ren7oaks.co.uk on (Enix Ltd, UK).

The executable then downloads an apparently encrypted file from [donotclick]ren7oaks.co.uk/images/al2701.enc which has defied my half-hearted attempts an analysis.


No comments: