This fake fax leads to TrickBot, which appears to be similar to the Dyre banking trojan that we saw a lot of last year.
From: Administrator [administrator@local-fax.com]
To: annie@[redacted]
Date: 1 November 2016 at 13:28
Subject: New Fax Message
Signed by: local-fax.com
Confidential Fax
Date: 01/11/2016
Recipient: annie@[redacted]
From: +443021881211
Attn:
Important document: For internal use only
The documents are ready. Check attached file for more information.
[THIS IS AN AUTOMATED MESSAGE - PLEASE DO NOT REPLY DIRECTLY TO THIS EMAIL]
Confidentiality Notice: The information contained in this message may be confidential and legally privileged. It is intended only for use of the individual named. If you are not the intended recipient, you are hereby notified that the disclosure, copying, distribution, or taking of any action in regards to the contents of this fax - except its direct delivery to the intended recipient - is strictly prohibited. If you have received this fax in error, please notify the sender immediately and destroy this cover sheet along with its contents, and delete from your system, if applicable.
Attached is a Word document (in this case Internal_Fax.doc) which has a pretty low detection rate at VirusTotal of 5/54. Both the Malwr report and the Hybrid Analysis report give some clues as to what is going on, and the Malwr report in fact comes out with a binary download location of:
www.tessaban.com/img/safafaasfasdddd.exe
This is a hacked legitimate website. Downloading that file manually and resubmitting it gives two rather more interesting Malwr and Hybrid Analysis reports, which show the following suspect traffic:
91.219.28.77 (FLP Kochenov Aleksej Vladislavovich aka uadomen.com, Ukraine)
193.9.28.24 (FLP Kochenov Aleksej Vladislavovich aka uadomen.com, Ukraine)
37.1.209.51 (3NT Solutions LLP, UK)
138.201.44.28 (Philip Diver, Australia / Hetzner, Germany)
23.23.107.79 (Amazon EC2, US)
I can match all those IPs except the last to this ThreatGeek report. Those IPs are a mix of what look like dynamic IPs for hacked home users and static ones (highlighted):
5.12.28.0 (RCS & RDS Residential, Romania)
27.208.131.97 (China Unicom, China)
36.37.176.6 (VietTel, Cambodia)
37.1.209.51 (3NT Solutions LLP, UK)
37.109.52.75 (Cyfrowy Polsat, Poland)
46.22.211.34 (Inferno Solutions aka 3NT Solutions LLP, UK)
68.179.234.69 (ECTISP, US)
91.219.28.77 (FLP Kochenov Aleksej Vladislavovich aka uadomen.com, Ukraine)
91.219.28.103 (FLP Kochenov Aleksej Vladislavovich aka uadomen.com, Ukraine)
104.250.138.194 (Sean Sweeney, US / Gorillaservers, US)
138.201.44.28 (Philip Diver, Australia / Hetzner, Germany)
188.116.23.98 (NEPHAX, Poland)
188.138.1.53 (PlusServer, Germany)
193.9.28.24 (FLP Kochenov Aleksej Vladislavovich aka uadomen.com, Ukraine)
3NT Solutions (aka Inferno Solutions / inferno.name) are very, very bad news and I would recommend blocking any IPs you can find for this outfit. FLP Kochenov Aleksej Vladislavovich aka uadomen.com has appeared here so many times [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] that really I have to categorise that as an Evil Network too.
If we excise the domestic IPs and blackhole the 3NT / Inferno / uadomen.com ranges we get a recommended blocklist of:
37.1.208.0/21
46.22.211.0/24
91.219.28.0/22
104.250.138.192/27
138.201.44.28
188.116.23.98
188.138.1.53
193.9.28.0/24
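As an added check (my own script, not part of the original post): this confirms that the recommended blocklist covers every static IP from the reports above while leaving the domestic IPs and the unmatched Amazon EC2 address uncovered, and it flags any proxy-log line that touches a blocked range. The log lines are constructed for the example.

```python
import ipaddress
import re

# Recommended blocklist from the post: CIDR ranges plus single hosts (treated as /32).
BLOCKLIST = [ipaddress.ip_network(n) for n in (
    "37.1.208.0/21", "46.22.211.0/24", "91.219.28.0/22", "104.250.138.192/27",
    "138.201.44.28", "188.116.23.98", "188.138.1.53", "193.9.28.0/24",
)]

# Suspect traffic from the Malwr / Hybrid Analysis reports on the downloaded binary.
SUSPECT_TRAFFIC = ["91.219.28.77", "193.9.28.24", "37.1.209.51",
                   "138.201.44.28", "23.23.107.79"]
# Dynamic home-user IPs from the ThreatGeek list that the post deliberately excludes.
DOMESTIC = ["5.12.28.0", "27.208.131.97", "36.37.176.6", "37.109.52.75", "68.179.234.69"]

# Constructed proxy-log lines (not real data) in a simple "time client method dest" layout.
SAMPLE_LOG = [
    "2016-11-01 13:31:40 10.0.0.15 CONNECT 91.219.28.77:443",
    "2016-11-01 13:32:05 10.0.0.15 CONNECT 23.23.107.79:443",
    "2016-11-01 13:33:12 10.0.0.15 GET http://example.com/ 200",
]

LOG_IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def matching_network(ip):
    """Return the blocklist entry covering ip, or None if it is not blocked (or not an IP)."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return None
    for net in BLOCKLIST:
        if addr in net:
            return net
    return None


def audit(ips):
    """Split IPs into {ip: covering network} and a list of IPs the blocklist misses."""
    covered, missed = {}, []
    for ip in ips:
        net = matching_network(ip)
        if net is None:
            missed.append(ip)
        else:
            covered[ip] = str(net)
    return covered, missed


def flag_log_lines(lines):
    """Return (line, ip, network) for each log line that contacts a blocked address."""
    return [(line, ip, str(matching_network(ip)))
            for line in lines for ip in LOG_IP_RE.findall(line)
            if matching_network(ip) is not None]
```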
However, there's more to this too. The original email message is actually signed by local-fax.com, and it turns out that this domain was created just today with anonymous registration details. The sending IP was 104.130.246.8 (Rackspace, US), and it also turns out that this is widely blacklisted and is probably worth blocking.
All the samples I have seen show a consistent MD5 of e6d2863e97523d2f0e398545989666e4 for the attachment, and all the recipients I have seen begin with the letter "a", curiously enough.