From: Incoming Fax [no-reply@efax.co.uk]
Date: 29 May 2014 10:26
Subject: INCOMING FAX REPORT : Remote ID: 499-364-9797

*********************************************************
INCOMING FAX REPORT
*********************************************************
Date/Time: Thu, 29 May 2014 18:26:56 +0900
Speed: 4360bps
Connection time: 07:09
Pages: 9
Resolution: Normal
Remote ID: 915-162-0353
Line number: 0
DTMF/DID:
Description: Internal report
We have uploaded fax report on dropbox, please use the following link to download your file:
https://www.dropbox.com/meta_dl/[redacted]

The malicious download is from [donotclick]www.dropbox.com/meta_dl/eyJzdWJfcGF0aCI6ICIiLCAidGVzdF9saW5rIjogZmFsc2UsICJzZXJ2ZXIiOiAiZGwuZHJvcGJveHVzZXJjb250ZW50LmNvbSIsICJpdGVtX2lkIjogbnVsbCwgImlzX2RpciI6IGZhbHNlLCAidGtleSI6ICJvempiZ256bDM2aGRlMTgifQ/AAKxr3bqwwmIfwE_cp_xalkzMz7tKRtiivmPhViZTBLBkA?dl=1 which is an archive file FAX-21651_7241.zip, which in turn contains the malicious executable FAX-21651_7241.scr (a .scr "screen saver" is an ordinary Windows executable under a different extension).

This binary has a VirusTotal detection rate of 6/53 and the Malwr report shows that it downloads a file from [donotclick]soleilberbere.com/images/2905UKdw.tar which subsequently drops a file eucis.exe with a VirusTotal detection rate of just 3/51. Automated reports [1] [2] are pretty inconclusive as to what this does.
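The first path segment of that Dropbox link is a base64url-encoded JSON blob, and the ?dl=1 suffix makes Dropbox serve the file directly instead of showing a preview page. The script below is an added example, not part of the original post or anything published by Dropbox: it decodes that blob from the URL quoted above and lists which members of a lure archive carry an extension Windows will execute. The interpretation of the decoded fields (for instance that "tkey" is a share token) is an assumption, and the ZIP it inspects is a constructed stand-in with the member name from the post and a placeholder body, not the real sample.

```python
import base64
import io
import json
import os
import zipfile
from urllib.parse import urlsplit

# The [donotclick] URL quoted in the post, with its scheme restored.
META_DL_URL = (
    "https://www.dropbox.com/meta_dl/"
    "eyJzdWJfcGF0aCI6ICIiLCAidGVzdF9saW5rIjogZmFsc2UsICJzZXJ2ZXIiOiAiZGwuZHJvcGJv"
    "eHVzZXJjb250ZW50LmNvbSIsICJpdGVtX2lkIjogbnVsbCwgImlzX2RpciI6IGZhbHNlLCAidGtl"
    "eSI6ICJvempiZ256bDM2aGRlMTgifQ"
    "/AAKxr3bqwwmIfwE_cp_xalkzMz7tKRtiivmPhViZTBLBkA?dl=1"
)

# Extensions Windows treats as executable regardless of what the lure claims.
EXECUTABLE_EXTS = {".scr", ".exe", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs"}


def b64url_decode_unpadded(s):
    # Dropbox omits the '=' padding; restore it before decoding.
    s += "=" * (-len(s) % 4)
    return base64.urlsafe_b64decode(s)


def decode_meta_dl(url):
    """Return (payload_dict, forced_download) for a dropbox.com/meta_dl/ link.

    The segment right after meta_dl is base64url JSON; the trailing segment
    is an opaque token and is left untouched. Field meanings are assumed.
    """
    parts = urlsplit(url)
    segs = [s for s in parts.path.split("/") if s]
    if parts.netloc.lower() != "www.dropbox.com" or segs[:1] != ["meta_dl"]:
        raise ValueError("not a dropbox.com/meta_dl link")
    payload = json.loads(b64url_decode_unpadded(segs[1]).decode("utf-8"))
    forced = "dl=1" in parts.query.split("&")
    return payload, forced


def executable_members(zip_bytes):
    """List archive members whose extension Windows would execute."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            if os.path.splitext(name)[1].lower() in EXECUTABLE_EXTS:
                hits.append(name)
    return hits


def build_sample_zip():
    # Constructed stand-in for FAX-21651_7241.zip: the member name matches
    # the post, the body is a placeholder rather than the real binary.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("FAX-21651_7241.scr", b"MZ placeholder, not the real sample")
    return buf.getvalue()


if __name__ == "__main__":
    payload, forced = decode_meta_dl(META_DL_URL)
    print(json.dumps(payload, indent=2))
    print("forced download:", forced)
    print("executable members:", executable_members(build_sample_zip()))
```

Decoding shows the link points at dl.dropboxusercontent.com with "is_dir": false and a share token, i.e. a single file shared from a Dropbox account, which is what an abuse report to Dropbox needs; the archive check is the gate a mail filter should apply before a user ever sees a "fax" that is really a .scr.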
8 comments:
Yeap! Two today, 5/29/14
Is there a Dropbox URL to send/report these?
Emailing abuse -at- dropbox.com is the way Dropbox recommends.
On Mac it puts a file into /private/tmp which is impossible to delete or quarantine, and it keeps replicating variants of AV-80-11....
The file it generates is about 6mb.
What can I do to get rid of it?
Hello everyone, I can recommend having a look at Popfax online fax - http://www.popfax.com - it is safe, reliable and highly professional. They never send any scam or fake faxes.
That file performs an auto-encrypt function using CryptoWall. Basically ransomware. Do not open it.
Had a client that got infected with this. Installed a file under c:\windows\system32\ called lmabcoms.exe
Acted as a variant of CryptoLocker. Spread to My Documents and network shares. Undetected with Malwarebytes, ComboFix, SUPERAntiSpyware and adaware3.
Avoid at all costs.