From: Fax [no-replay@my-fax.com]
Date: 19 December 2014 at 15:37
Subject: Employee Documents - Internal Use
DOCUMENT NOTIFICATION, Powered by NetDocuments
DOCUMENT NAME: Fax Documents
DOCUMENT LINK: http://crematori.org/myfax/company.html
Documents are encrypted in transit and store in a secure repository
---------------------------------------------------------------------------------
This message may contain information that is privileged and confidential. If you received this transmission in error, please notify the sender by reply email and delete the message and any attachments.
The download locations in the email vary, so far I have seen:
http://newsurveyresults.com/myfax/company.html
http://ChallengingDomesticAbuse.co.uk/myfax/company.html
http://crematori.org/myfax/company.html
http://gnrcorbus.com/myfax/company.html
http://sonata-arctica.wz.cz/myfax/company.html
Clicking the link downloads a file named fax8127480_924_pdf.zip, which contains a malicious executable fax8127480_924.exe with a VirusTotal detection rate of 3/55. Most automated analysis tools are inconclusive [1] [2], but the VT report shows network connections to the following locations:
http://202.153.35.133:40542/1912uk22/
http://natural-anxiety-remedies.com/wp-includes/images/wlw/pack22.pne
Recommended blocklist:
202.153.35.133
natural-anxiety-remedies.com
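The blocklist above only covers the second-stage hosts, but the campaign also has a stable shape: the landing path /myfax/company.html on rotating hosts, the non-standard port 40542 on the C2 IP, and the fax<digits>_<digits>_pdf.zip lure name. The script below is an added example (not part of the original post) that turns those indicators into a check over proxy logs. It assumes a simple whitespace-separated log format (timestamp, client IP, status, URL); the sample lines are constructed for this example, and the zip download URL in them is an assumption, since the post does not give the exact download URL.

```python
import re
from urllib.parse import urlparse

# Indicators taken from the post above.
BLOCKLIST_HOSTS = {"202.153.35.133", "natural-anxiety-remedies.com"}
LANDING_HOSTS = {
    "newsurveyresults.com",
    "challengingdomesticabuse.co.uk",
    "crematori.org",
    "gnrcorbus.com",
    "sonata-arctica.wz.cz",
}
# The landing page path and the C2 path are reused across hosts, so match on
# the path as well; this catches a landing host that has not been seen yet.
SUSPICIOUS_PATH_RE = re.compile(r"^/(myfax/company\.html|1912uk22/?)$")
# Lure filename pattern generalised from fax8127480_924_pdf.zip / fax8127480_924.exe.
LURE_FILE_RE = re.compile(r"fax\d+_\d+(_pdf\.zip|\.exe)$", re.IGNORECASE)
C2_IP, C2_PORT = "202.153.35.133", 40542

# Constructed sample log lines (assumed format: timestamp client status url).
# The zip URL on the second line is an assumption for illustration.
SAMPLE_LOG = """\
1419003457.123 10.0.0.12 TCP_MISS/200 http://crematori.org/myfax/company.html
1419003460.456 10.0.0.12 TCP_MISS/200 http://crematori.org/myfax/fax8127480_924_pdf.zip
1419003475.789 10.0.0.12 TCP_MISS/200 http://202.153.35.133:40542/1912uk22/
1419003480.001 10.0.0.12 TCP_MISS/200 http://natural-anxiety-remedies.com/wp-includes/images/wlw/pack22.pne
1419003490.002 10.0.0.7 TCP_HIT/200 http://example.com/index.html
1419003495.003 10.0.0.9 TCP_MISS/200 http://unknown-host.example/myfax/company.html
"""


def classify_url(url):
    """Return the list of indicator names matched by url (empty if clean)."""
    p = urlparse(url)
    host = (p.hostname or "").lower()  # hostname is already lowercased by urlparse
    hits = []
    if host in BLOCKLIST_HOSTS:
        hits.append("blocklist_host")
    if host in LANDING_HOSTS:
        hits.append("known_landing_host")
    if SUSPICIOUS_PATH_RE.match(p.path):
        hits.append("campaign_path")
    if host == C2_IP and p.port == C2_PORT:
        hits.append("c2_port")
    if LURE_FILE_RE.search(p.path):
        hits.append("lure_filename")
    return hits


def scan_log(text):
    """Return (client_ip, url, hits) for every log line that matches an indicator."""
    results = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # malformed line, skip rather than crash the sweep
        client, url = parts[1], parts[3]
        hits = classify_url(url)
        if hits:
            results.append((client, url, hits))
    return results


if __name__ == "__main__":
    for client, url, hits in scan_log(SAMPLE_LOG):
        print(f"{client}  {url}  {', '.join(hits)}")
```

The last sample line shows why the path check matters: the host is not on any list, but the /myfax/company.html path still flags it. Conversely, the natural-anxiety-remedies.com hit is caught only by the host entry, so both checks are needed.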