Subject: Message from scanner
From: scanner.coventrycitycentre@brianholt.co.uk
X-Mailer: KONICA MINOLTA bizhub C360
Date: Wed, 12 Aug 2015 08:19:28 +0000
Message-Id: <55CB0190.015.00206B68D2CD.scanner.coventrycitycentre@brianholt.co.uk>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="KONICA_MINOLTA_Internet_Fax_Boundary"
Content-Transfer-Encoding: 7bit
To show the level of detail the bad guys go to, they have even included extra mail headers (usually hidden) to attempt to identify the sender as a Konica MFD. It's a strange thing to do, considering that anyone skilled enough to examine the mail headers should also notice the malicious executable Sscanner15081208190.exe embedded in the attachment Sscanner15081208190.zip. This executable has a detection rate of just 5/54.
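The header trick above is easy to turn into a mail-gateway check: flag messages whose X-Mailer claims to be an MFD while the "scan" ZIP actually contains an executable. The following is an added example, not code from the original post; the vendor strings and file extensions it looks for are assumptions, and the sample message is constructed to mimic the spam described here with a harmless placeholder instead of a real binary.

```python
# Added example: detect forged "scanner" mails whose ZIP hides an executable.
import email
import io
import zipfile
from email.message import EmailMessage
from email.policy import default

# Assumed lists; extend for other MFD vendors or dropper file types.
EXECUTABLE_EXT = (".exe", ".scr", ".com", ".pif", ".js", ".vbs")
MFD_MAILER_HINTS = ("KONICA MINOLTA", "bizhub")


def build_sample() -> bytes:
    """Constructed lookalike of the spam in the post; the .exe is a placeholder."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Sscanner15081208190.exe", b"MZ placeholder, not a real binary")
    msg = EmailMessage()
    msg["Subject"] = "Message from scanner"
    msg["From"] = "scanner.coventrycitycentre@brianholt.co.uk"
    msg["X-Mailer"] = "KONICA MINOLTA bizhub C360"
    msg.set_content("Scanned document attached.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="Sscanner15081208190.zip")
    return msg.as_bytes()


def scanner_mail_findings(raw: bytes) -> list[str]:
    """Return reasons the message looks like a forged MFD scan (empty if none)."""
    msg = email.message_from_bytes(raw, policy=default)
    findings = []
    mailer = msg.get("X-Mailer", "")
    if any(hint.lower() in mailer.lower() for hint in MFD_MAILER_HINTS):
        findings.append(f"X-Mailer claims an MFD: {mailer}")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if not name.lower().endswith(".zip"):
            continue
        try:
            with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))) as zf:
                for member in zf.namelist():
                    if member.lower().endswith(EXECUTABLE_EXT):
                        findings.append(f"{name} contains executable {member}")
        except zipfile.BadZipFile:
            findings.append(f"{name} is not a valid ZIP archive")
    return findings


if __name__ == "__main__":
    for line in scanner_mail_findings(build_sample()):
        print("FLAG:", line)
```

A message that only matches the X-Mailer hint is worth logging rather than blocking, since real MFDs send exactly that header; the ZIP-with-executable finding is the one to quarantine on.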
The Hybrid Analysis report shows the malware POSTing to:
smboy.su/mu/tasks.php
.SU (Soviet Union) domains are almost always bad news. If you can block them on your web filter then I recommend that you do so. This particular site is hosted on 95.172.146.73 (RTComm-Sibir, Russia). The network range of 95.172.146.0/23 does seem to contain some legitimate Russian-language sites, but you might want to block the whole range to be on the safe side.
The payload is unknown, but typically malware like this will drop either the Dyre banking trojan or some sort of ransomware.