Sponsored by..

Friday, 24 October 2014

"You've received a new fax" spam.. again.

Another day, another fake fax spam.
From:     Fax [fax@victimdomain.com]
To:     luke.sanson@victimdomain.com
Date:     24 October 2014 10:54
Subject:     You've received a new fax

New fax at SCAN2383840 from EPSON by https://victimdomain.com
Scan date: Fri, 24 Oct 2014 15:24:22 +0530
Number of pages: 2
Resolution: 400x400 DPI

You can secure download your fax message at:

http://galeriaslodkosci.pl/efax/document.php

(eFax Drive is a file hosting service operated by J2, Inc.)
The link in the email goes to a script which (if the the browser settings are correct) downloads a file document_92714-872_pdf.zip which in turn contains a malicious executable document_92714-872_pdf.exe which has a VirusTotal detection rate of 3/54. The Malwr report shows the following URLs are contacted:

http://188.165.214.6:20306/2410uk1/HOME/0/51-SP3/0/
http://188.165.214.6:20306/2410uk1/HOME/1/0/0/
http://188.165.214.6:20306/2410uk1/HOME/41/5/1/
http://rodgersmith.com/css/2410uk1.oss

The malware also drops two executables on the system, kcotk.exe (VT 0/53, Malwr report) and ptoma.exe (VT 2/51, Malwr report).

Recommended blocklist:
188.165.214.6
rodgersmith.com

1 comment:

Ming Kong! said...

I appreciate the information, but faxes are highly common today still, for sending medical records, and in other industries were too. Some industries by law they need to use fax, where it's preferred over e-mail, mainly for security purposes.