This fake fax spam leads to malware:
From: eFax [message@inbound.efax.com]
To: administrator@victimdomain
Date: 17 July 2015 at 10:42
Subject: eFax message from "unknown" - 1 page(s), Caller-ID: 1-357-457-4655
Fax Message [Caller-ID: 1-357-457-4655]
You have received a 1 page fax at Fri, 17 Jul 2015 15:12:25 +0530.
* The reference number for this fax is atl_did1-1400166434-67874083637-154.
Click here to view this fax using your PDF reader.
Please visit www.eFax.com/en/efax/twa/page/help if you have any questions regarding this message or your service.
Thank you for using the eFax service!
j2 Global | eFax | eVoice | FuseMail | Campaigner | KeepItSafe | OneBox
2014 j2 Global, Inc. All rights reserved.
eFax is a registered trademark of j2 Global, Inc.
This account is subject to the terms listed in the eFax Customer Agreement.
Although the numbers and some other details change in the spam messages, in all cases the download location has been from a legitimate but hacked site at:
breedandco.com/fileshare/FAX-1400166434-707348006719-154.zip
The ZIP file has a detection rate of 6/55 and it contains a malicious executable named FAX-1400166434-707348006719-154.scr which has a detection rate of 4/55. Automated analysis [1] [2] [3] shows a characteristic callback pattern that indicates Upatre (which always leads to the Dyre banking trojan):
93.185.4.90:12325/ETK7/<MACHINE_NAME>/0/51-SP3/0/GKBIMBFDBEEE
93.185.4.90:12325/ETK7/<MACHINE_NAME>/41/5/1/GKBIMBFDBEEE
This IP is allocated to C2NET in the Czech Republic. The malware also attempts to enumerate the IP address of the target by accessing checkip.dyndns.org, which is a legitimate service. It is worth looking for traffic to that domain because it is a good indicator of compromise.
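One way to hunt for both signals in web proxy logs, as an added example that is not part of the original post. The regular expression is an assumption generalised from the two callback URLs quoted above, and the log format, client addresses and machine name are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed proxy log lines (timestamp, client, method, URL); not real traffic.
# Client addresses and the machine name WS-ACCT-07 are made up.
SAMPLE_LOG = """\
2015-07-17T10:45:02 10.0.0.21 GET http://checkip.dyndns.org/
2015-07-17T10:45:03 10.0.0.21 GET http://93.185.4.90:12325/ETK7/WS-ACCT-07/0/51-SP3/0/GKBIMBFDBEEE
2015-07-17T10:45:09 10.0.0.21 GET http://93.185.4.90:12325/ETK7/WS-ACCT-07/41/5/1/GKBIMBFDBEEE
2015-07-17T10:46:11 10.0.0.34 GET http://checkip.dyndns.org/
2015-07-17T10:47:30 10.0.0.50 GET http://www.example.com/a/b/0/c/1/INDEX
"""

# Assumption: shape generalised from the two callbacks quoted in the post:
# bare IPv4 host, explicit port, then /TAG/MACHINE/n/os-field/n/UPPERCASE-ID.
CALLBACK_RE = re.compile(
    r"^http://(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d{2,5})"
    r"/[A-Z0-9]{2,8}/(?P<machine>[^/\s]+)/\d+/[\w-]+/\d+/[A-Z]{8,}$"
)
CHECKIP_HOST = "checkip.dyndns.org"


def triage(log_text):
    """Group hits per client and label which of the two signals were seen."""
    seen = defaultdict(lambda: {"checkip": False, "machines": set(), "c2": set()})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed or truncated lines
        _ts, client, _method, url = parts
        m = CALLBACK_RE.match(url)
        if m:
            seen[client]["machines"].add(m.group("machine"))
            seen[client]["c2"].add(f"{m.group('ip')}:{m.group('port')}")
        elif urlsplit(url).hostname == CHECKIP_HOST:
            seen[client]["checkip"] = True
    report = {}
    for client, hits in seen.items():
        signals = [s for s, on in (("callback", hits["c2"]), ("checkip", hits["checkip"])) if on]
        report[client] = {"verdict": "+".join(signals),
                          "machines": sorted(hits["machines"]),
                          "c2": sorted(hits["c2"])}
    return report


if __name__ == "__main__":
    for client, info in sorted(triage(SAMPLE_LOG).items()):
        print(client, info)
```

Clients labelled `callback+checkip` show both behaviours described above; `checkip` on its own marks a host that looked up its external address without a matching callback in the same log.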
The malware reaches out to some other malicious IPs (mostly parts of a botnet):
93.185.4.90 (C2NET, Czech Republic)
62.204.250.26 (TTNET, Czech Republic)
76.84.81.120 (Time Warner Cable, US)
159.224.194.188 (Content Delivery Network Ltd, Ukraine)
178.222.250.35 (Telekom Srbija, Serbia)
181.189.152.131 (Navega.com, Guatemala)
194.28.190.84 (AgaNet Agata Goleniewska, Poland)
194.28.191.213 (AgaNet Agata Goleniewska, Poland)
199.255.132.202 (Computer Sales & Services Inc., US)
208.123.135.106 (Secom Inc, US)
Among other things, the malware drops a file XGwdKLWhYBDqWBb.exe [VT 10/55] and vastuvut.exe [VT 6/55].
Recommended blocklist: the ten IP addresses listed above.
MD5s:
777ea29053d4e3e4eeb5689523a5ed11
2cb619f59c10a9877b672d66ab17edf9
efa2887ab892c34a5025aa3f943f49a9
debfdeb9b14dda4ed068a73b78ce5a24