Sponsored by..

Wednesday 28 May 2014

eFax message from "unknown" spam downloads malware from Dropbox

This fake eFax message downloads malicious content from a Dropbox link.

From:     eFax [message@inbound.efax.com]
Date:     28 May 2014 13:12
Subject:     eFax message from "unknown" - 1 page(s), Caller-ID: 1-949-698-5643

Fax Message [Caller-ID: 1-949-698-5643
You have received a 1 page fax at Wed, 28 May 2014 09:11:44 GMT.

* The reference number for this fax is atl_did1-1400166434-95058563842-154.

Click here to view this fax using your PDF reader.

Please visit www.eFax.com/en/efax/twa/page/help if you have any questions regarding this message or your service.

Thank you for using the eFax service!


j2 Global | eFax | eVoice | FuseMail | Campaigner | KeepItSafe | OneBox

2014 j2 Global, Inc. All rights reserved.
eFax is a registered trademark of j2 Global, Inc.

This account is subject to the terms listed in the eFax Customer Agreement.
The telephone number will vary from spam-to-spam, but the download link seems consistent and is [donotclick]dl.dropboxusercontent.com/s/uk0mlaixvbg52g2/Fax_938_391102933_1245561.zip?dl=1&token_hash=AAEUA5cH_mfvkp4l4CePv7t100XZKo4GBq6ZxY1UiElKyQ&expiry=1401269894 which leads to a ZIP file Fax_938_391102933_1245561.zip which unzips to a malicious executable Fax_938_391102933_1245561.scr.

This binary has a VirusTotal detection rate of 6/53. Automated reporting tools [1] [2] show a download from landscaping-myrtle-beach.com/wp-content/uploads/2014/05/2805UKdw.dkt which in turn drops the following files:
This last one makes a connection to innogate.co.kr for unknown reasons.

Recommended blocklist:

No comments: