Sponsored by..

Thursday 29 May 2014

More eFax / Dropbox malware spam

This fake eFax message downloads malware from Dropbox, similar to yesterday's attack but with different binaries:

From:     Incoming Fax [no-reply@efax.co.uk]
Date:     29 May 2014 10:26
Subject:     INCOMING FAX REPORT : Remote ID: 499-364-9797

*********************************************************
INCOMING FAX REPORT
*********************************************************

Date/Time: Thu, 29 May 2014 18:26:56 +0900
Speed: 4360bps
Connection time: 07:09
Pages: 9
Resolution: Normal
Remote ID: 915-162-0353
Line number: 0
DTMF/DID:
Description: Internal report

We have uploaded fax report on dropbox, please use the following link to download your file:

https://www.dropbox.com/meta_dl/[redacted]
The malicious download is from [donotclick]www.dropbox.com/meta_dl/eyJzdWJfcGF0aCI6ICIiLCAidGVzdF9saW5rIjogZmFsc2UsICJzZXJ2ZXIiOiAiZGwuZHJvcGJveHVzZXJjb250ZW50LmNvbSIsICJpdGVtX2lkIjogbnVsbCwgImlzX2RpciI6IGZhbHNlLCAidGtleSI6ICJvempiZ256bDM2aGRlMTgifQ/AAKxr3bqwwmIfwE_cp_xalkzMz7tKRtiivmPhViZTBLBkA?dl=1 which is an archive file FAX-21651_7241.zip which in turn contains the malicious executable FAX-21651_7241.scr

This binary has a VirusTotal detection rate of 6/53 and the Malwr report shows that it downloads a file from soleilberbere.com/images/2905UKdw.tar which subsequently drops a file eucis.exe with a VirusTotal detection rate of just 3/51. Automated reports [1] [2] are pretty inconclusive as to what this does.

8 comments:

Ray Rogers said...

Yeap! two today, 5/29/14
Is there a dropbox url to send/report these?

Conrad Longmore said...

Emailing abuse -at- dropbox.com is the way Dropbox recommends.

RoughRabbit said...

On Mac it puts a file into /private/tmp which is impossible to delete or quarantine and keep replicating variants of AV-80-11....

The file it generates is about 6mb.

What can I do to get rid?

RoughRabbit said...

On Mac it puts a file into /private/tmp which is impossible to delete or quarantine and keep replicating variants of AV-80-11....

The file it generates is about 6mb.

What can I do to get rid?

lerca88 said...

Hello everyone, I can recommend to have a look at Popfax online fax- http://www.popfax.com, it is safe, reliable and highly professional. They never send any scam or fake faxes.

Michael Bell said...

That file performs an auto encrypt function using crytpowall. Basically ransomware. Do not open it.

Chris James said...

Had a client that got infected with this. Installed a file under c:\windows\system32\ called lmabcoms.exe

Acted as a variant of cryptolocker. Spread to My Documents and network shares. Undetected with malwarebytes, combofix, superantispyware and adaware3.

Avoid at all costs.

Chris James said...

Had a client that got infected with this. Installed a file under c:\windows\system32\ called lmabcoms.exe

Acted as a variant of cryptolocker. Spread to My Documents and network shares. Undetected with malwarebytes, combofix, superantispyware and adaware3.

Avoid at all costs.