Sponsored by..

Thursday 31 July 2014

"Scanned Image from a Xerox WorkCentre" spam

This is a thoroughly old school spam with a malicious attachment.

Date:      Thu, 31 Jul 2014 18:16:08 +0000 [14:16:08 EDT]
From:      Local Scan [scan.614@victimdomain]
Subject:      Scanned Image from a Xerox WorkCentre

You have a received a new image from Xerox WorkCentre.

Sent by: victimdomain
Number of Images: 5
Attachment File Type: ZIP [PDF]

WorkCentre Pro Location: Machine location not set
Device Name: victimdomain

Attached file is scanned image in PDF format.
Adobe(R)Reader(R) can be downloaded from the following URL: http://www.adobe.com/

Guess what.. it isn't an image at all, but a ZIP file with the unusual name of Image_[_var=partorderb].zip which contain a malicious executable Image_07312014.scr, scoring a measly 1/54 at VirusTotal.

The Comodo CAMAS report shows that the malware downloads components from the following locations:

94.23.247.202/3107us2/SANDBOXA/0/51-SP2/0/
94.23.247.202/3107us2/SANDBOXA/1/0/0/
94.23.247.202/3107h2/SANDBOXA/1/0/0/
94.23.247.202/3107op2/SANDBOXA/1/0/0/
globe-runners.com/fichier_pdf/31u2.zip
lucantaru.it/docs/31u2.zip
mediamaster-2000.de/img/heap.zip
ig-engenharia.com/wp-content/uploads/2014/02/heap.zip
upscalebeauty.com/img/colors/teal/opened.zip
lagrimas.tuars.com/css/opened.zip


There are some further clues in the VirusTotal comments as to what the malware does. Sophos has also seen the 94.23.247.202 (OVH, France) IP before.

Recommended blocklist:
94.23.247.202
globe-runners.com
lucantaru.it
mediamaster-2000.de
ig-engenharia.com
upscalebeauty.com
lagrimas.tuars.com

No comments: