Sponsored by..

Monday 24 November 2014

MyFax message from "unknown" spam leads to poorly-detected malware

Fax spam again. How quaint. This spam appears to come from the person receiving it (which is an old trick).

From: victim@victimdomain.com
Sent: 24 November 2014 15:31
To: norep.c@mefax.com
Subject: MyFax message from "unknown" - 3 page(s)


Fax Message [Caller-ID: 1-407-067-7356]

http://159593.webhosting58.1blu.de/messages/get_message.php

You have received a 3 page fax at Mon, 24 Nov 2014 15:31:23 +0000.

* The reference number for this fax is chd_did11-14186364797-10847113200-628.

View this fax using your PDF reader.
Thank you for using the MyFax service!
The link in the message downloads a file faxmessage_7241_pdf61.zip which in turn contains a malicious executable faxmessage_7241_pdf.exe which has a VirusTotal detection rate of 4/53. The Malwr report shows that it connects to the following URLs:

http://95.211.199.37:16792/2411us3/HOME/0/51-SP3/0/
http://95.211.199.37:16792/2411us3/HOME/1/0/0/
http://lasuruguayas.com/images/refus3.pnk


A file EXE1.EXE is also dropped, with a VirusTotal detection rate of just 1/54. The Malwr report is here.



19 comments:

Justin said...

Question: I've gotten like 10 of these in the last hour. I'm really glad that you've documented it, but is there anything else you'd recommend I check, or just let it run its course?

lnrmodels said...

yes, I wonder how many people come here looking how to get rid of it. I must have had 20 in the last half hour

Anonymous said...

We're being bombarded with these at the moment. We've had to add a mail server rule to quarantine

d_mos said...

i just clicked on the link - took me to a page under 'conscruction' - nice spelling. have i now inadvertently infected my computer?

SteK said...

Me, too.
Hundreds of these in the last hour.
We have added a mail server rule as well.

Jan said...

@Justin you individually, or sent to users you support?

If just you, and you don't use MyFax, just block the subject line in your email client (e.g. an outlook inbox rule).

From an email admin perspective, you could run a quick search for emails with a subject of "MyFax message from" and see what kind of legitimate myfax traffic your organization has been receiving. If the answer is 'none', you may be able to safely put in a temporary rule at your filtering layer to stop these (as @test indicated s/he has done).

Unknown said...

May I ask what mail server rule you used? I have made one myself based on recipients but I would like to know if there is a better one, such as subject or the like.

Mike said...

Getting a lot of these this morning also. Have put a couple of rules in our spam filter but they seem to keep slipping by. Going to try a few more rules.

Justin said...

@Jan

Already added an outlook rule, but thanks for the advice! We don't actually use any digital fax software, and I believe I'm the only one getting the emails. I'll look into handling the server rule from that. Thanks again!

Anonymous said...

We've just added a basic mail rule on the server to redirect anything with 'Thank you for using the MyFax service!' in the body to the quarantine for review. We're getting about 100 per minute hitting us at the moment.

Unknown said...

Symantec quarantines this (nzsjq.exe) under SONAR.MalTRaffic!gen2

Zen Software said...

We've just turned on the option to block messages identified as 'bulk' spam using our SecurityGateway server.

We've also turned on IP shielding which is killing most of it where the 'from' header's being spoofed...

Info here from an old blog article -

http://www.zensoftware.co.uk/kb/Knowledgebase/Protecting-your-server-from-spoofing-using-MDaemons-IP-Shielding-feature?Keywords=protecting+your+server

Zen Software said...
This comment has been removed by the author.
Unknown said...

A lot of Exchange Online customers getting these, as well:

http://community.office365.com/en-us/f/148/t/279768.aspx?pi14176=1#855041

I added a rule to delete anything with "NoRep.c@MyFax.com" in the Return-Path header.

Anonymous said...

Same here ughhh Rule added to 365 exchange

Conrad Longmore said...

User education can also help. Fake Fax messages are an extremely common way of enticing people to click, but I bet most people don't ever get "fax by email" notifications.

Anonymous said...

I have this problem with my domains and email service run by one.com. They are being incredibly unherlpful and are telling me they can literally do nothing, no IP blocks, no mail filtering, nothing. Im sure this is completely untrue, unless the emails are just being spoofed from myfax.com and not going out through my mail servers at all. Can anyone shed any light on this?

Mike said...

I set a block rule for 'Thank you for using the MyFax service! in the body of the message and they seemed to have stopped. A custom rule in my Anti-Spam software.

Unknown said...

Does anyone experiencing spam from these have a virtual fax provider? I'm finding a pattern of the recipients being hit by this being the main contact listed on our virtual fax services. (We own 3 virtual fax lines and all 3 users being hit with this spam are on those lines)