Sponsored by..

Friday 19 December 2014

Malware spam: no-replay@my-fax.com / "Employee Documents - Internal Use"

This fake fax spam leads to malware:

From:    Fax [no-replay@my-fax.com]
Date:    19 December 2014 at 15:37
Subject:    Employee Documents - Internal Use

DOCUMENT NOTIFICATION, Powered by NetDocuments

DOCUMENT NAME: Fax Documents

DOCUMENT LINK: http://crematori.org/myfax/company.html

Documents are encrypted in transit and store in a secure repository

---------------------------------------------------------------------------------
This message may contain information that is privileged and confidential. If you received this transmission in error, please notify the sender by reply email and delete the message and any attachments.
The download locations in the email vary, so far I have seen:

http://newsurveyresults.com/myfax/company.html
http://ChallengingDomesticAbuse.co.uk/myfax/company.html
http://crematori.org/myfax/company.html
http://gnrcorbus.com/myfax/company.html
http://sonata-arctica.wz.cz/myfax/company.html

Clicking the link downloads a file fax8127480_924_pdf.zip which in turn contains a malicious executable fax8127480_924.exe which has a VirusTotal detection rate of 3/55. Most automated analysis tools are inconclusive [1] [2] but the VT report shows network connections to the following locations:

http://202.153.35.133:40542/1912uk22//0/51-SP3/0/
http://202.153.35.133:40542/1912uk22//1/0/0/
http://natural-anxiety-remedies.com/wp-includes/images/wlw/pack22.pne


Recommended blocklist:
202.153.35.133
natural-anxiety-remedies.com




No comments: