Thursday, 8 January 2015

MyFax [no-replay@my-fax.com] spam campaign

I am indebted to several people for help with this (not all of whom I can mention). It is similar to this recent spam run analysed by TechHelpList.com.

It begins with a simple fake fax message:
From:    MyFax [no-replay@my-fax.com]
Date:    8 January 2015 at 17:11
Subject:    Fax #6117833

Fax message

http://raffandraff.com/docs/new_fax.html
Sent date: Thu, 8 Jan 2015 17:11:53 +0000
There are *lots* of these download locations; the ones I have personally seen are:

http://381main.com/docs/new_fax.html
http://blustoneentertainment.com/docs/new_fax.html
http://claimquest123.com/docs/new_fax.html
http://www.drhousesrl.it/docs/new_fax.html
http://dutawirautama.com/documents/message.html
http://espaceetconfort.free.fr/docs/new_fax.html
http://netsh105951.web13.net-server.de/docs/new_fax.html
http://njstangers.org/docs/new_fax.html
http://patresearch.com/docs/new_fax.html
http://powderroomplayground.com/docs/new_fax.html
http://prosperprogram.org/docs/new_fax.html
http://pyramidautomation.com/docs/new_fax.html
http://raffandraff.com/docs/new_fax.html
http://regimentalblues.co.uk/docs/new_fax.html
http://rewelacja.eu/docs/new_fax.html
http://stamfordicenter.com/docs/new_fax.html
http://stylista.com.cy/docs/new_fax.html
http://win.org.ro/docs/new_fax.html

Each one of these pages contains a script that looks like this:

<!DOCTYPE html>
<html>
<head>
  <title>Page Title</title>
<script type="text/javascript" src="http://girardimusicstudio.com/js/jquery-1.7.50.js"></script>
<script type="text/javascript" src="http://blackstonebikes.co.uk/js/jquery-1.7.50.js"></script>

</head>

<body>
</body>

</html>
So far, so good. But the scripts themselves look insane, like this one:


It looks a bit like Brainfuck, but in fact it is something called jjencoding, which I confess is way beyond my limited JavaScript skillz. No worries, I used the code at this GitHub repository to decode it, and that leads to this script.

Now, this script passes some browser variables to the next step (described here; I won't reinvent the wheel), and if you have all your ducks in a row you might get a "Read message" link.

Get it wrong and you get another jjencoded script that turns out to be gobbledegook (like the message seen here).

The download link looks something like this - http://stylista.com.cy/js/jquery-1.7.50.js?get_message=2151693229 - which in this case downloads the curiously named file "message.zip ;.zip ;.zip ;", containing a file fax_letter_pdf.exe which is of course malicious.
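The repeated " ;.zip" suffixes and the "_pdf.exe" member name are both there to fool a quick glance at the filename. The following is an added example (not from the original post) of how a mail gateway or triage script could unpick an attachment like this: it collapses the trailing " ;.zip" repeats to recover the real extension, then opens the archive and flags members by executable extension, by a decoy document word before the extension, and by the PE "MZ" header. The ZIP built in build_sample_zip() is a constructed stand-in with a fake PE stub; it is not the real download.

```python
import io
import os
import re
import zipfile

# Attachment name as seen in the post.
ATTACHMENT_NAME = "message.zip ;.zip ;.zip ;"

EXEC_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
# "fax_letter_pdf.exe", "invoice.pdf.exe": a document word glued in front of an executable extension.
DECOY_RE = re.compile(r"[._-](pdf|doc|docx|xls|txt)\.(exe|scr|com|pif|bat|cmd|js|vbs)$", re.IGNORECASE)
# One or more " ;.zip" tails, optionally ending in a bare " ;".
TAIL_RE = re.compile(r"(\s*;\s*\.zip)+\s*;?\s*$", re.IGNORECASE)


def build_sample_zip() -> bytes:
    """Constructed sample archive: a member with a fake 'MZ' PE stub plus a harmless text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("fax_letter_pdf.exe", b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"\x00" * 100)
        zf.writestr("cover.txt", b"Please see attached fax.\n")
    return buf.getvalue()


def normalise_name(name: str) -> str:
    """Strip the repeated ' ;.zip' suffixes so the real extension is visible."""
    return TAIL_RE.sub("", name)


def classify_member(name: str, head: bytes) -> list:
    """Return the reasons a ZIP member looks like a disguised executable (empty if none)."""
    reasons = []
    lower = name.lower()
    ext = os.path.splitext(lower)[1]
    if ext in EXEC_EXT:
        reasons.append(f"executable extension {ext}")
    if DECOY_RE.search(lower):
        reasons.append("decoy document word before executable extension")
    if head.startswith(b"MZ"):
        reasons.append("PE header (MZ)")
    return reasons


def inspect_zip_attachment(name: str, data: bytes) -> dict:
    """Inspect an attachment: normalise its name and flag suspicious members inside the ZIP."""
    normalised = normalise_name(name)
    result = {
        "attachment": name,
        "normalised": normalised,
        "name_trick": normalised != name.strip(),
        "suspicious": [],
    }
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            with zf.open(info) as member:
                head = member.read(4)  # only the magic bytes are needed
            reasons = classify_member(info.filename, head)
            if reasons:
                result["suspicious"].append((info.filename, reasons))
    return result


if __name__ == "__main__":
    report = inspect_zip_attachment(ATTACHMENT_NAME, build_sample_zip())
    print(f"{report['attachment']!r} -> {report['normalised']!r} (name trick: {report['name_trick']})")
    for member, reasons in report["suspicious"]:
        print(f"  {member}: {', '.join(reasons)}")
```

Checking the magic bytes as well as the extension matters: renaming the member to fax_letter.pdf would defeat the extension checks but still be caught by the "MZ" header.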

Now, it's worth pointing out that there is strong evidence that the EXE-in-ZIP file downloaded here has several different versions. In this case it has a VirusTotal detection rate of 3/56. I have seen at least two other MD5s, though; I think each download site might have a different variant.

The Malwr report for this binary takes us a little deeper down the rabbit hole. We can see that it communicates with the following URLs:

http://202.153.35.133:48472/0801us1/HOME/0/51-SP3/0/
http://202.153.35.133:48472/0801us1/HOME/1/0/0/
http://masterelectric.net/mandoc/1001.pdf
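Taken together, the post gives a defender a full chain of indicators: the lure page path, the jquery-1.7.50.js stage-2 script and its get_message payload fetch, the C2 on 202.153.35.133:48472, and the follow-on download from masterelectric.net. The following is an added example (not from the original post) of a small proxy-log scanner that turns those into detection logic; the log format and every log line are constructed for illustration, and the "lure path on unlisted host" verdict is my generalisation for distribution sites that were not in the post's list.

```python
import re
from typing import Optional
from urllib.parse import urlsplit

# Download hosts listed in the post.
LURE_HOSTS = {
    "381main.com", "blustoneentertainment.com", "claimquest123.com", "www.drhousesrl.it",
    "dutawirautama.com", "espaceetconfort.free.fr", "netsh105951.web13.net-server.de",
    "njstangers.org", "patresearch.com", "powderroomplayground.com", "prosperprogram.org",
    "pyramidautomation.com", "raffandraff.com", "regimentalblues.co.uk", "rewelacja.eu",
    "stamfordicenter.com", "stylista.com.cy", "win.org.ro",
}
# Both lure paths seen in the post.
LURE_PATH_RE = re.compile(r"/(docs/new_fax|documents/message)\.html$")
# The stage-2 script; with ?get_message= it is the payload download.
STAGE2_PATH_RE = re.compile(r"/js/jquery-1\.7\.50\.js$")
# C2 and post-infection download from the Malwr report quoted in the post.
C2_HOST, C2_PORT = "202.153.35.133", 48472
FOLLOWON_HOST, FOLLOWON_PATH = "masterelectric.net", "/mandoc/1001.pdf"


def classify_url(url: str) -> Optional[str]:
    """Map a URL to a stage of the campaign, or None if it matches nothing."""
    u = urlsplit(url)
    host = (u.hostname or "").lower()
    if LURE_PATH_RE.search(u.path):
        return "lure page" if host in LURE_HOSTS else "lure path on unlisted host"
    if STAGE2_PATH_RE.search(u.path):
        return "payload download" if "get_message=" in u.query else "stage-2 script"
    if host == C2_HOST and u.port == C2_PORT:
        return "C2 beacon"
    if host == FOLLOWON_HOST and u.path == FOLLOWON_PATH:
        return "post-infection download"
    return None


def scan_proxy_log(lines) -> list:
    """Scan 'timestamp client method url status' lines; return (client, url, verdict) hits."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4:
            continue  # malformed or blank line
        _ts, client, _method, url = parts[:4]
        verdict = classify_url(url)
        if verdict:
            hits.append((client, url, verdict))
    return hits


# Constructed sample log: one full infection chain on 10.0.0.5, a new lure host
# hit by 10.0.0.9, and one benign request.
SAMPLE_LOG = """\
2015-01-08T17:12:03 10.0.0.5 GET http://raffandraff.com/docs/new_fax.html 200
2015-01-08T17:12:04 10.0.0.5 GET http://girardimusicstudio.com/js/jquery-1.7.50.js 200
2015-01-08T17:12:09 10.0.0.5 GET http://stylista.com.cy/js/jquery-1.7.50.js?get_message=2151693229 200
2015-01-08T17:13:30 10.0.0.5 GET http://202.153.35.133:48472/0801us1/HOME/0/51-SP3/0/ 200
2015-01-08T17:13:31 10.0.0.5 GET http://masterelectric.net/mandoc/1001.pdf 200
2015-01-08T17:14:00 10.0.0.9 GET http://example.com/docs/new_fax.html 404
2015-01-08T17:15:00 10.0.0.7 GET http://www.example.org/index.html 200
"""

if __name__ == "__main__":
    for client, url, verdict in scan_proxy_log(SAMPLE_LOG.splitlines()):
        print(f"{client:10} {verdict:28} {url}")
```

A client that shows a "C2 beacon" or "post-infection download" hit has already run the EXE; a client with only lure or stage-2 hits was served the page but may not have taken the bait, which is the distinction an incident responder needs when prioritising hosts.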


It also drops a file EXE1.EXE which has a detection rate of 4/56. That analysis indicates that the payload is the Dyreza banking trojan.

All this seems like a lot of effort to drop a ZIP file with a funny name, but it does go some way to obfuscating the payload.

