
Wednesday 26 August 2015

Fake fax spam spoofs multiple senders, has malicious payload

This fake fax spam comes from random senders - company names and attachment names vary from spam to spam.

From: "Heaney, Vandervort and Hilll"
Subject: Fax #AhnxlQ8 from Donny Kub
Date: Wed, 26 Aug 2015 14:02:30 +0000

You have a fax.
Data sent: Wed, 26 Aug 2015 14:03:30 +0000
TO: info@victimdomain.com

We are a new fax delivery service - Heaney, Vandervort and Hilll.
Our company develops rapidly and services remain fastest and open to everyone.
As our slogan goes: "Fast. Cheap. Best quality."
Attached is a ZIP file whose name combines various elements from the spam (for example, in this case it was fax_AhnxlQ8_Heaney, Vandervort and Hilll_Donny Kub.zip). This contains a malicious executable (e.g. Invoice Lake Janeview.exe) which currently has a 2/56 detection rate at VirusTotal.

The Hybrid Analysis report shows it phoning home to:

This pattern marks the malware out as being Upatre/Dyre. is an IP address belonging to Cobranet in Nigeria which was also used in a similar attack yesterday.
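Because the company, sender and fax ID change with every message, a filter keyed on fixed strings will miss most of the run; the stable feature is that the ZIP name is rebuilt from the message's own headers. The following is an added example (not from the original post) that checks for that correlation. The subject regex, the function names and the `example.invalid` address are assumptions based on the single sample shown above.

```python
import re
from email.message import EmailMessage, Message
from email.utils import parseaddr

# Assumption: the subject always follows the one sample on the page,
# "Fax #<id> from <person>", with an alphanumeric id.
SUBJECT_RE = re.compile(r"^Fax #(?P<fax_id>[A-Za-z0-9]+) from (?P<person>.+)$")


def expected_attachment_name(msg: Message):
    """Rebuild the attachment name the campaign would use, or None."""
    m = SUBJECT_RE.match(str(msg.get("Subject", "")).strip())
    company, _addr = parseaddr(str(msg.get("From", "")))
    if not m or not company:
        return None
    return f"fax_{m['fax_id']}_{company}_{m['person']}.zip"


def matches_fake_fax_pattern(msg: Message) -> bool:
    """True when an attachment name is assembled from the message's own headers."""
    expected = expected_attachment_name(msg)
    if expected is None:
        return False
    names = [part.get_filename() for part in msg.walk()]
    return any(n and n.casefold() == expected.casefold() for n in names)


def build_sample(subject: str, sender: str, attachment: str) -> EmailMessage:
    """Constructed test message; the address and payload bytes are placeholders."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["Subject"] = subject
    msg.set_content("You have a fax.")
    msg.add_attachment(b"placeholder", maintype="application",
                       subtype="zip", filename=attachment)
    return msg


if __name__ == "__main__":
    spam = build_sample(
        "Fax #AhnxlQ8 from Donny Kub",
        '"Heaney, Vandervort and Hilll" <sender@example.invalid>',
        "fax_AhnxlQ8_Heaney, Vandervort and Hilll_Donny Kub.zip",
    )
    print(matches_fake_fax_pattern(spam))
```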
