Sponsored by..

Friday 25 April 2014

"Unity Messaging System - Internal Payroll" spam

This fake payroll spam comes with a malicious attachment:

Date:      Fri, 25 Apr 2014 12:36:43 +0900 [04/24/14 23:36:43 EDT]
From:      Unity Messaging System [Unity_UNITY9@victimdomain.com]
Subject:      Internal Payroll

File Validity: 24/04/2014
Company : http://victimdomain.com
File Format: Office - Excel
Internal Name: Payroll
Legal Copyright: ╘ Microsoft Corporation. All rights reserved.
Original Filename: Payroll.xls

********** Confidentiality Notice **********.
This e-mail and any file(s) transmitted with it, is intended for the exclusive use by the person(s) mentioned above as recipient(s).
This e-mail may contain confidential information and/or information protected by intellectual property rights or other rights. If you
are not the intended recipient of this e-mail, you are hereby notified that any dissemination, distribution, copying, or action taken
in relation to the contents of and attachments to this e-mail is strictly prohibited and may be unlawful. If you have received this
e-mail in error, please notify the sender and delete the original and any copies of this e-mail and any printouts immediately from
your system and destroy all copies of it.
The email appears to be from the victim's own domain and references it in the body of the email. A look at the mail headers shows that this deception runs more deeply..

    (qmail 19966 invoked from network); 25 Apr 2014 03:36:45 -0000
    from unknown ( by [redacted] with QMQP; 25 Apr 2014 03:36:45 -0000
    from kctv1142.ccnw.ne.jp ( by [redacted] with SMTP; 25 Apr 2014 03:36:45 -0000
    from voice533.victimdomain.com ( by victimdomain.com ( with Microsoft SMTP Server (TLS) id KFA60IPJ; Fri, 25 Apr 2014 12:36:43 +0900
    from message7154.victimdomain.com ( by smtp.victimdomain.com ( with Microsoft SMTP Server id C9PH5LWA; Fri, 25 Apr 2014 12:36:43 +0900

The actual origin of the spam is in Japan. The lines before that are all fake and are attempting to make it look like the email originated from inside the victim's own network (using a 10.x.x.x address). Quite why they bother with this level of detail is a mystery, because anyone technically savvy should spot that it comes with a malicious payload.

The attachment is Payroll.zip which in turn contains a malicious executable Payroll.scr which has an icon that makes it look like an Excel file (which it isn't). If you are hiding file extensions (which is the insecure default setting for Windows then you might be fooled.

If you haven't already done it.. when you have a folder open in Windows, go into Organize -> Folder and search options -> View and then untick Hide extensions for known file types.

Then it will become clear that this isn't an Excel spreadsheet at all (ending in .xlsx or .xls) but it something more sinister.

Yes, .scr is actually an executable file (a more typical one would be .exe). In this case the file is definitely malicious and has a VirusTotal detection rate of 26/51.

Automated analysis tools [1] [2] [3] show an attempted download from:

These download locations are the same as used in this "Balance Scheet" spam from yesterday and I recommend that you block the domains in question.

No comments: