Date: Thu, 31 Jul 2014 18:16:08 +0000 [14:16:08 EDT]
From: Local Scan [scan.614@victimdomain]
Subject: Scanned Image from a Xerox WorkCentre
You have a received a new image from Xerox WorkCentre.
Sent by: victimdomain
Number of Images: 5
Attachment File Type: ZIP [PDF]
WorkCentre Pro Location: Machine location not set
Device Name: victimdomain
Attached file is scanned image in PDF format.
Adobe(R)Reader(R) can be downloaded from the following URL: http://www.adobe.com/
Guess what... it isn't an image at all, but a ZIP file with the unusual name Image_[_var=partorderb].zip, which contains a malicious executable, Image_07312014.scr, scoring a measly 1/54 at VirusTotal.
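The attachment here is the classic masquerade: the mail promises a PDF scan, the ZIP carries a .scr (a Windows screensaver, which is just a renamed PE executable), and the archive name still has an unexpanded mail-merge placeholder in it. The following is an added example, not code from the post, showing how a mail gateway or triage script can flag that pattern without opening the file: it checks the extension of every ZIP member against the advertised type, reads the first two bytes of each member for the MZ header, and treats a `[_var=` placeholder in the attachment name as a spam-kit artefact. The extension list, the sample archive and the function names are all constructed for this example.

```python
import io
import zipfile
from typing import List

# Extensions Windows will execute directly. A .scr is a PE binary with a friendlier
# name, which is exactly why it is used here. Constructed list for this example.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".jar"}


def attachment_name_is_suspicious(name: str) -> bool:
    """Heuristic: an unexpanded template placeholder like [_var=...] in the filename
    means a mail-merge spam kit failed to substitute a value (as in this campaign)."""
    return "[_var=" in name


def flag_zip_members(zip_bytes: bytes, claimed_type: str = "pdf") -> List[str]:
    """Return the reasons an attachment looks like a masquerade (empty list = clean).

    claimed_type is the file type the email body advertises ("PDF" in this sample)."""
    reasons: List[str] = []
    try:
        archive = zipfile.ZipFile(io.BytesIO(zip_bytes))
    except zipfile.BadZipFile:
        return ["attachment is not a valid ZIP archive"]

    for info in archive.infolist():
        if info.is_dir():
            continue
        name = info.filename
        ext = ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""
        if ext in EXECUTABLE_EXTENSIONS:
            reasons.append(f"{name}: executable extension {ext}")
        elif ext != "." + claimed_type.lower():
            reasons.append(f"{name}: extension {ext} does not match advertised type {claimed_type}")
        # Extension can lie; the MZ signature cannot. Read only the first two bytes.
        with archive.open(info) as fh:
            if fh.read(2) == b"MZ":
                reasons.append(f"{name}: MZ header, Windows executable regardless of extension")
    return reasons


def build_sample_zip(member_name: str, payload: bytes) -> bytes:
    """Construct an in-memory ZIP with one member (test data for this example)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member_name, payload)
    return buf.getvalue()


# Constructed stand-in for the campaign's attachment: same member name as in the post,
# payload is a fake PE header, not the real malware.
SAMPLE_ZIP = build_sample_zip("Image_07312014.scr", b"MZ" + b"\x00" * 62)

if __name__ == "__main__":
    print(attachment_name_is_suspicious("Image_[_var=partorderb].zip"))
    for reason in flag_zip_members(SAMPLE_ZIP):
        print(reason)
```

The MZ check matters more than the extension list: a member renamed to `invoice.pdf` that still starts with `MZ` is flagged, while a genuine PDF inside a ZIP produces no reasons at all.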
The Comodo CAMAS report shows that the malware downloads components from the following locations:
94.23.247.202/3107us2/SANDBOXA/0/51-SP2/0/
94.23.247.202/3107us2/SANDBOXA/1/0/0/
94.23.247.202/3107h2/SANDBOXA/1/0/0/
94.23.247.202/3107op2/SANDBOXA/1/0/0/
globe-runners.com/fichier_pdf/31u2.zip
lucantaru.it/docs/31u2.zip
mediamaster-2000.de/img/heap.zip
ig-engenharia.com/wp-content/uploads/2014/02/heap.zip
upscalebeauty.com/img/colors/teal/opened.zip
lagrimas.tuars.com/css/opened.zip
There are some further clues in the VirusTotal comments as to what the malware does. Sophos has also seen the 94.23.247.202 (OVH, France) IP before.
Recommended blocklist:
94.23.247.202
globe-runners.com
lucantaru.it
mediamaster-2000.de
ig-engenharia.com
upscalebeauty.com
lagrimas.tuars.com
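A blocklist is only useful if it is also checked against what has already gone out. As an added example (not from the post), the script below takes the blocklist above and runs it over proxy log lines, matching the IP and the hosts exactly and also catching subdomains (www.lucantaru.it) without matching look-alike names (notglobe-runners.com). The log format (timestamp, client, method, URL, status) and the log lines themselves are constructed for this example; the blocklist entries are the ones published in the post.

```python
from typing import Iterable, List, Set, Tuple
from urllib.parse import urlparse

# Blocklist as published in the post: the download IP plus the compromised hosts.
BLOCKLIST: Set[str] = {
    "94.23.247.202",
    "globe-runners.com",
    "lucantaru.it",
    "mediamaster-2000.de",
    "ig-engenharia.com",
    "upscalebeauty.com",
    "lagrimas.tuars.com",
}

# Constructed proxy log lines for this example (timestamp client method url status);
# the paths on the first three echo the download locations listed in the post.
SAMPLE_LOG = """\
2014-07-31T18:20:01Z 10.0.0.5 GET http://globe-runners.com/fichier_pdf/31u2.zip 200
2014-07-31T18:20:03Z 10.0.0.5 GET http://www.lucantaru.it/docs/31u2.zip 200
2014-07-31T18:20:05Z 10.0.0.5 GET http://94.23.247.202/3107us2/SANDBOXA/0/51-SP2/0/ 200
2014-07-31T18:21:00Z 10.0.0.7 GET http://example.com/index.html 200
2014-07-31T18:21:02Z 10.0.0.7 GET http://notglobe-runners.com/ 200
2014-07-31T18:21:04Z 10.0.0.7 GET http://94.23.247.2/ 404
2014-07-31T18:21:06Z 10.0.0.9 CONNECT upscalebeauty.com:443 200
"""


def host_from_url(url: str) -> str:
    """Extract the lowercase hostname; CONNECT lines carry only host:port, so give
    urlparse a netloc to work with when there is no scheme."""
    if "://" not in url:
        url = "//" + url
    return (urlparse(url).hostname or "").lower()


def is_blocked(host: str, blocklist: Set[str] = BLOCKLIST) -> bool:
    """Exact match covers the IP and listed hosts; the dotted suffix match catches
    subdomains without matching names that merely end in the same string."""
    return host in blocklist or any(host.endswith("." + entry) for entry in blocklist)


def match_blocklist(log_lines: Iterable[str], blocklist: Set[str] = BLOCKLIST) -> List[Tuple[str, str]]:
    """Return (host, line) for every log line whose destination is on the blocklist."""
    hits: List[Tuple[str, str]] = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 4:
            continue  # malformed line; skip rather than guess
        host = host_from_url(parts[3])
        if host and is_blocked(host, blocklist):
            hits.append((host, line))
    return hits


if __name__ == "__main__":
    for host, line in match_blocklist(SAMPLE_LOG.splitlines()):
        print(f"{host:24} {line}")
```

Any hit from a client that is not a sandbox is a machine that fetched the second stage and needs to be pulled for incident response, not just blocked going forward.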