Sponsored by..

Wednesday, 16 July 2014

"You've received a new fax" / "You have a new Secure Message" spam

This pair of spam messages leads to a malicious ZIP file downloaded via goo.gl (and not Dropbox as the spam says)

From:     Fax [fax@victimdomain]
Date:     16 July 2014 16:12
Subject:     You've received a new fax

New fax at SCAN7905518 from EPSON by https://victimdomain
Scan date: Wed, 16 Jul 2014 23:12:29 +0800

Number of pages: 2
Resolution: 400x400 DPI

You can download your fax message at:

https://goo.gl/8AanL9

(Dropbox is a file hosting service operated by Dropbox, Inc.)

-------------

From:     NatWest [secure.message@natwest.com]
Date:     16 July 2014 14:47
Subject:     You have a new Secure Message

You have received a encrypted message from NatWest Customer Support

In order to view the attachment please open it using your email client ( Microsoft Outlook, Mozilla Thunderbird, Lotus )

Please download your ecnrypted message at:

https://goo.gl/8AanL9


(Dropbox is a file hosting service operated by Dropbox, Inc.)


If you have concerns about the validity of this message, please contact the sender directly. For questions please contact the NatWest Bank Secure Email Help Desk at 0131 556 4612.
I have seen three goo.gl URLs leading to three different download locations, as follows

https://goo.gl/1dlcL3 leads to
http://webbedenterprisesinc.com/message/Document-6936124.zip

https://goo.gl/8AanL9 leads to
http://rollermodena.it/Document-2816409172.zip

https://goo.gl/pwgQID leads to
http://www.vetsaudeanimal.net/Document-9879091.zip

In all cases, the ZIP file contains a malicious .scr with the same name as the ZIP (e.g. Document-6936124.scr). The file is the same in all three locations and has a VirusTotal detection rate of exactly 0/54. The Malwr report shows that this then downloads components form the following locations (hosted by OVH France):
http://94.23.247.202/1607h/HOME/0/51Service%20Pack%203/0/
http://94.23.247.202/1607h/HOME/1/0/0/


An executable esoez.exe is then dropped onto the target system with a marginally better VT detection rate of 1/54. The Malwr report for that is inconclusive.

Recommended blocklist:
94.23.247.202
vetsaudeanimal.net
rollermodena.it
webbedenterprisesinc.com

No comments: