Sponsored by..

Monday 21 March 2016

Malware spam: "FX Service" / "Fax transmission" spoofing victim's domain

This fake fax spam appears to come from within the victim's own domain, but it doesn't. Instead is is just a simple forgery with a malicious attachment.

From:    FX Service [emailsend@w.e191.victimdomain.tld]
Date:    21 March 2016 at 14:32
Subject:    Fax transmission: -7172277033-1974602246-2016032111285-47417.tiff

Please find attached to this email a facsimile transmission we
have just received on your behalf

(Do not reply to this email as any reply will not be read by
a real person)
Details will vary from message to message. Attached s a ZIP file with a name that broadly matches the one referred to in the subject (e.g. F-7172277033-1974602246-2016032111285-47417.zip) which contains any one of a wide number of malicious scripts (some example VirusTotal results [1] [2] [3] [4] [5]). Malwr analysis of those samples [6] [7] [8] [9] [10] shows binary download locations at:

http://modaeli.com/89h766b.exe
http://spormixariza.com/89h766b.exe
http://sebastiansanni.org/wp-content/plugins/hello123/89h766b.exe
http://cideac.mx/wp-content/plugins/hello123/89h766b.exe


There are probably other download locations too. The dropped binary has a VirusTotal detection rate of just 2/56.  This Malwr report of the payload indicates that it is Locky ransomware.

All of those sources plus this Deepviz report show network traffic to the following IPs:

195.64.154.126 (Ukrainian Internet Names Center, Ukraine)
92.63.87.106 (MWTV, Latvia)
84.19.170.244 (Keyweb AG, Germany / 300GB.ru, Russia)
217.12.199.90 (ITL Company, Ukraine)


If I receive more information I will post it here.

Recommended blocklist:
195.64.154.126
92.63.87.106
84.19.170.244
217.12.199.90






No comments: