From: Fax [fax@victimdomain.com]
To: luke.sanson@victimdomain.com
Date: 24 October 2014 10:54
Subject: You've received a new fax

New fax at SCAN2383840 from EPSON by https://victimdomain.com
Scan date: Fri, 24 Oct 2014 15:24:22 +0530
Number of pages: 2
Resolution: 400x400 DPI
You can secure download your fax message at:
http://galeriaslodkosci.pl/efax/document.php
(eFax Drive is a file hosting service operated by J2, Inc.)

The link in the email goes to a script which (if the browser settings are correct) downloads a file document_92714-872_pdf.zip, which in turn contains a malicious executable document_92714-872_pdf.exe with a VirusTotal detection rate of 3/54. Note the disguised extension: the archive and the executable are both named to look like a PDF. The Malwr report shows the following URLs are contacted:

http://188.165.214.6:20306/2410uk1/HOME/0/51-SP3/0/
http://188.165.214.6:20306/2410uk1/HOME/1/0/0/
http://188.165.214.6:20306/2410uk1/HOME/41/5/1/
http://rodgersmith.com/css/2410uk1.oss
The malware also drops two executables on the system, kcotk.exe (VT 0/53, Malwr report) and ptoma.exe (VT 2/51, Malwr report).
Recommended blocklist:
188.165.214.6
rodgersmith.com
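As an added example (not part of the original post), the script below turns the indicators listed above into a check you can run over proxy logs: it flags requests to the blocklisted IP on any port, to the two hostnames involved, to the non-standard C2 port 20306, and to the path fragments seen in the contacted URLs, and it also flags filenames that use the "_pdf.exe"/"_pdf.zip" disguise seen here. The Squid-format log lines are constructed for the example and are not real traffic; the function and variable names are this example's own.

```python
"""Check proxy logs against the indicators from the fake-fax malspam run.

Added example: the indicators are taken from the post above, the sample log
lines and all function names are constructed for illustration.
"""
from __future__ import annotations

import re
from urllib.parse import urlparse

# Indicators from the post: download URL host, Malwr-reported URLs, blocklist.
BLOCK_IPS = {"188.165.214.6"}
BLOCK_HOSTS = {"rodgersmith.com", "galeriaslodkosci.pl"}
C2_PORT = 20306
PATH_FRAGMENTS = ("/efax/document.php", "/2410uk1/", "/2410uk1.oss")

# Filenames of the form <anything>_pdf.exe / _pdf.zip / _pdf.scr: a generalisation
# of the document_92714-872_pdf.zip -> document_92714-872_pdf.exe naming above.
DISGUISED_DOC_RE = re.compile(r"[._-]pdf\.(exe|scr|zip)$", re.IGNORECASE)

# Constructed sample log in Squid native format:
# time elapsed client code/status bytes method url rfc931 hierarchy/peer type
SAMPLE_LOG = """\
1414150000.123    412 10.0.0.5 TCP_MISS/200 51234 GET http://galeriaslodkosci.pl/efax/document.php - HIER_DIRECT/1.2.3.4 application/zip
1414150012.456     90 10.0.0.5 TCP_MISS/200 812 GET http://188.165.214.6:20306/2410uk1/HOME/0/51-SP3/0/ - HIER_DIRECT/188.165.214.6 text/html
1414150020.789    120 10.0.0.7 TCP_MISS/200 4321 GET http://www.example.com/index.html - HIER_DIRECT/93.184.216.34 text/html
1414150030.000    300 10.0.0.5 TCP_MISS/200 1024 GET http://rodgersmith.com/css/2410uk1.oss - HIER_DIRECT/5.6.7.8 application/octet-stream
1414150040.000     50 10.0.0.9 TCP_MISS/200 2048 GET http://188.165.214.6:8080/other/ - HIER_DIRECT/188.165.214.6 text/html
"""


def indicators_for(url: str, peer_host: str = "") -> list[str]:
    """Return the indicator labels one request matches; an empty list means clean."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    hits: list[str] = []
    # Blocklisted IP, whether it appears in the URL or as the upstream peer.
    for ip in BLOCK_IPS:
        if host == ip or peer_host == ip:
            hits.append("ip:" + ip)
    if host in BLOCK_HOSTS:
        hits.append("host:" + host)
    # The C2 URLs all use port 20306, which is unusual enough to flag on its own.
    if parsed.port == C2_PORT:
        hits.append("port:%d" % C2_PORT)
    for frag in PATH_FRAGMENTS:
        if frag in parsed.path:
            hits.append("path:" + frag)
    return hits


def scan_log(text: str) -> list[tuple[str, str, list[str]]]:
    """Parse Squid-native log lines; return (client, url, hits) for matching requests."""
    results = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 9:
            continue  # truncated or malformed line: skip rather than crash
        client, url = fields[2], fields[6]
        peer_host = fields[8].split("/", 1)[-1]
        hits = indicators_for(url, peer_host)
        if hits:
            results.append((client, url, hits))
    return results


def infected_clients(text: str) -> set[str]:
    """Client addresses that touched any indicator; the hosts to pull for cleanup."""
    return {client for client, _url, _hits in scan_log(text)}


def looks_like_disguised_document(filename: str) -> bool:
    """True for names like document_92714-872_pdf.exe that imitate a PDF."""
    return DISGUISED_DOC_RE.search(filename) is not None


if __name__ == "__main__":
    for client, url, hits in scan_log(SAMPLE_LOG):
        print(client, url, ", ".join(hits))
    print("clients to investigate:", sorted(infected_clients(SAMPLE_LOG)))
```

The IP match is deliberately port-agnostic: the blocklist above is by address, and the last sample line shows the same host being caught on a different port even though nothing else about that request matches.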
1 comment:
I appreciate the information, but faxes are still highly common today, for sending medical records, and in other industries as well. Some industries are required by law to use fax, where it's preferred over e-mail, mainly for security purposes.