Showing posts with label Fax Spam.

Tuesday, 1 November 2016

Malware spam: "New Fax Message" / administrator@local-fax.com leads to TrickBot

This fake fax leads to TrickBot, which appears to be similar to the Dyre banking trojan that we saw a lot of last year.

From:    Administrator [administrator@local-fax.com]
To:    annie@[redacted]
Date:    1 November 2016 at 13:28
Subject:    New Fax Message
Signed by:    local-fax.com

Confidential Fax
Date: 01/11/2016
Recipient: annie@[redacted]
From: +443021881211
Attn:
Important document: For internal use only
The documents are ready. Check attached file for more information.

[THIS IS AN AUTOMATED MESSAGE - PLEASE DO NOT REPLY DIRECTLY TO THIS EMAIL]

Confidentiality Notice: The information contained in this message may be confidential and legally privileged. It is intended only for use of the individual named. If you are not the intended recipient, you are hereby notified that the disclosure, copying, distribution, or taking of any action in regards to the contents of this fax - except its direct delivery to the intended recipient - is strictly prohibited. If you have received this fax in error, please notify the sender immediately and destroy this cover sheet along with its contents, and delete from your system, if applicable.



Attached is a Word document (in this case Internal_Fax.doc) which has a pretty low detection rate at VirusTotal of 5/54. Both the Malwr report and the Hybrid Analysis give some clues as to what is going on; the Malwr report comes out with a binary download location of:

www.tessaban.com/img/safafaasfasdddd.exe

This is a hacked legitimate website. Downloading that file manually and resubmitting it gives two rather more interesting Malwr and Hybrid Analysis reports, which show the following suspect traffic:

91.219.28.77 (FLP Kochenov Aleksej Vladislavovich aka uadomen.com, Ukraine)
193.9.28.24 (FLP Kochenov Aleksej Vladislavovich aka uadomen.com, Ukraine)
37.1.209.51 (3NT Solutions LLP, UK)
138.201.44.28 (Philip Diver, Australia / Hetzner, Germany)
23.23.107.79 (Amazon EC2, US)

I can match all those IPs except the last to this ThreatGeek report. The IPs listed there are a mix of what look like dynamic addresses for hacked home users and static hosting addresses:

5.12.28.0 (RCS & RDS Residential, Romania)
27.208.131.97 (China Unicom, China)
36.37.176.6 (VietTel, Cambodia)
37.1.209.51 (3NT Solutions LLP, UK)
37.109.52.75 (Cyfrowy Polsat, Poland)
46.22.211.34 (Inferno Solutions aka 3NT Solutions LLP, UK)
68.179.234.69 (ECTISP, US)
91.219.28.77 (FLP Kochenov Aleksej Vladislavovich aka uadomen.com, Ukraine)
91.219.28.103 (FLP Kochenov Aleksej Vladislavovich aka uadomen.com, Ukraine)
104.250.138.194 (Sean Sweeney, US / Gorillaservers, US)
138.201.44.28 (Philip Diver, Australia / Hetzner, Germany)
188.116.23.98 (NEPHAX, Poland)
188.138.1.53 (PlusServer, Germany)
193.9.28.24 (FLP Kochenov Aleksej Vladislavovich aka uadomen.com, Ukraine)


3NT Solutions (aka Inferno Solutions / inferno.name) are very, very bad news and I would recommend blocking any IPs you can find for this outfit. FLP Kochenov Aleksej Vladislavovich aka uadomen.com has appeared here so many times [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] that really I have to categorise that as an Evil Network too.

If we excise the domestic IPs and blackhole the 3NT / Inferno / uadomen.com ranges we get a recommended blocklist of:

37.1.208.0/21
46.22.211.0/24
91.219.28.0/22
104.250.138.192/27
138.201.44.28
188.116.23.98
188.138.1.53
193.9.28.0/24
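The step of turning a pile of observed addresses into CIDR ranges is easy to get slightly wrong (a /21 that starts on the wrong boundary, a residential address swallowed by a range meant for a hoster), so it is worth checking mechanically. The script below is an added example and not part of the original post: it takes the static IPs from the ThreatGeek list, the residential ones the post deliberately excludes, and the recommended blocklist above, then reports which entry covers each IP, anything the list misses, and any residential address it would catch by accident. The residential/static split is the post's own judgement, fed in as data; the iptables rendering is an assumed target firewall.

```python
"""Check that a recommended CIDR blocklist covers the observed C2 / hosting
IPs without swallowing the residential addresses we chose to leave out.

Added example, not code from the original post. The IPs and ranges are the
ones listed in the post; which addresses count as "residential" is the
post's own call and is supplied as data here, not decided by the script.
"""
import ipaddress

# Static hosting / C2 addresses from the ThreatGeek report and the sandbox runs.
OBSERVED = [
    "37.1.209.51", "46.22.211.34", "91.219.28.77", "91.219.28.103",
    "104.250.138.194", "138.201.44.28", "188.116.23.98", "188.138.1.53",
    "193.9.28.24",
]

# Dynamic / residential addresses the post deliberately excludes.
RESIDENTIAL = [
    "5.12.28.0", "27.208.131.97", "36.37.176.6", "37.109.52.75",
    "68.179.234.69",
]

# The post's recommended blocklist: a mix of bare IPs and CIDR ranges.
BLOCKLIST = [
    "37.1.208.0/21", "46.22.211.0/24", "91.219.28.0/22",
    "104.250.138.192/27", "138.201.44.28", "188.116.23.98",
    "188.138.1.53", "193.9.28.0/24",
]


def parse_networks(entries):
    """Turn a mixed list of bare IPs and CIDRs into network objects.
    A bare IP becomes a /32 so everything compares uniformly."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def covering_network(ip, networks):
    """Return the first network containing ip, or None."""
    addr = ipaddress.ip_address(ip)
    for net in networks:
        if addr in net:
            return net
    return None


def audit(observed, residential, blocklist):
    """Return (missed, overblocked, coverage):
    missed      = observed IPs no blocklist entry covers,
    overblocked = residential IPs the blocklist would also catch,
    coverage    = {observed_ip: covering network as a string}."""
    nets = parse_networks(blocklist)
    coverage, missed, overblocked = {}, [], []
    for ip in observed:
        net = covering_network(ip, nets)
        if net is None:
            missed.append(ip)
        else:
            coverage[ip] = str(net)
    for ip in residential:
        if covering_network(ip, nets) is not None:
            overblocked.append(ip)
    return missed, overblocked, coverage


def collapse(blocklist):
    """Merge adjacent or overlapping entries so the firewall gets the
    smallest equivalent rule set (ipaddress does the CIDR arithmetic)."""
    return [str(n) for n in ipaddress.collapse_addresses(parse_networks(blocklist))]


def iptables_rules(blocklist, chain="OUTPUT"):
    """Render the collapsed list as iptables DROP rules (assumed target
    firewall; adapt to whatever your perimeter actually speaks)."""
    return [f"iptables -A {chain} -d {net} -j DROP" for net in collapse(blocklist)]


if __name__ == "__main__":
    missed, overblocked, coverage = audit(OBSERVED, RESIDENTIAL, BLOCKLIST)
    for ip, net in coverage.items():
        print(f"{ip:<16} covered by {net}")
    print("missed:", missed or "none", "| residential caught:", overblocked or "none")
    print("\n".join(iptables_rules(BLOCKLIST)))
```

Run it whenever the list changes: a non-empty `missed` means an IOC slipped through, a non-empty `overblocked` means a range is wider than the evidence supports.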


However, there's more to this. The original email message is actually signed by local-fax.com (a DKIM signature), and it turns out that this domain was created just today with anonymous registration details. A valid signature only proves that the message came from whoever controls local-fax.com, and here that is the spammer, so a DKIM pass says nothing about legitimacy. The sending IP was 104.130.246.8 (Rackspace, US), which also turns out to be widely blacklisted and is probably worth blocking.

All the samples I have seen show a consistent MD5 of e6d2863e97523d2f0e398545989666e4 for the attachment, and curiously enough all the recipients I have seen begin with the letter "a".


Monday, 14 December 2015

Malware spam: "Invoice 14 12 15" / "THUNDERBOLTS LIMITED [enquiries@thunderbolts.co.uk]"

This terse fake financial spam is not from the awesomely-named Thunderbolts Limited but is instead a simple forgery with a malicious attachment:

From:    THUNDERBOLTS LIMITED [enquiries@thunderbolts.co.uk]
Date:    14 December 2015 at 11:15
Subject:    Invoice 14 12 15

This message contains 2 pages in PDF format.
Curiously, the bad guys have gone as far as to include a fake header to make it look like a fax:

X-Mailer: ActiveFax 3.92
 
Attached is a file fax00163721.xls which is fairly obviously not a PDF document. So far I have seen two versions of this, each with a detection rate of 6/55 [1] [2]; these Malwr reports [3] [4] indicate that they download a malicious binary from:

exfabrica.org/437g8/43s5d6f7g.exe
test-cms.reactive.by/437g8/43s5d6f7g.exe


This binary has a detection rate of 0/54. That VirusTotal report and this Hybrid Analysis both show traffic to:

199.7.136.84 (Megawire, Canada)

This malware is likely to be Dridex. Given that it is similar to the one found here, I would recommend blocking network traffic to:

199.7.136.84
221.132.35.56
202.69.40.173
78.47.66.169


MD5s:
a0de2560362cc6dfc53d1cd5ff50559b
bd22c4b0b6996a8405b2d33696e1e71e
b1fff594a8877042efd0ed4d67f6feb6




Thursday, 10 September 2015

Malware spam: "New Fax - 3901535011" / "UK2Fax" [fax2@fax1.uk2fax.co.uk]

This fake fax spam comes with a malicious attachment:

From     "UK2Fax" [fax2@fax1.uk2fax.co.uk]
Date     Thu, 10 Sep 2015 14:07:11 +0100
Subject     New Fax - 3901535011

UK2Fax Fax2Email : New fax attached, received at 10/09/2015 10:26:29 GMT

Attached is a file Fax-3901535011.zip which in turn contains a malicious executable Fax-800312316.scr, exactly the same Upatre/Dyre payload as seen in this attack, also seen today.

Wednesday, 26 August 2015

Fake fax spam spoofs multiple senders, has malicious payload

This fake fax spam comes from random senders - company names and attachment names vary from spam to spam.

From: "Heaney, Vandervort and Hilll"
Subject: Fax #AhnxlQ8 from Donny Kub
Date: Wed, 26 Aug 2015 14:02:30 +0000

You have a fax.
Data sent: Wed, 26 Aug 2015 14:03:30 +0000
TO: info@victimdomain.com

*********************************
We are a new fax delivery service - Heaney, Vandervort and Hilll.
Our company develops rapidly and services remain fastest and open to everyone.
As our slogan goes: "Fast. Cheap. Best quality."
*********************************

Attached is a ZIP file combining various elements from the spam (for example, in this case it was fax_AhnxlQ8_Heaney, Vandervort and Hilll_Donny Kub.zip). This contains a malicious executable (e.g. Invoice Lake Janeview.exe) which currently has a 2/56 detection rate at VirusTotal.

The Hybrid Analysis report shows it phoning home to:

197.149.90.166/260822U/Yd1D3h1R87/0/61-SP1/0/FDMBEFJBMKBEMM
197.149.90.166/260822U/Yd1D3h1R87/41/5/42/FDMBEFJBMKBEMM


This pattern marks the malware out as being Upatre/Dyre.  197.149.90.166 is an IP address belonging to Cobranet in Nigeria which was also used in a similar attack yesterday.



Tuesday, 28 July 2015

Malware spam: "Incoming Fax" / "Internal ONLY"

This fake fax message leads to malware:

From:    Incoming Fax [Incoming.Fax@victimdomain]
Date:    18 September 2014 at 08:39
Subject:    Internal ONLY

**********Important - Internal ONLY**********

File Validity: 28/07/2015
Company : http://victimdomain
File Format: Microsoft word
Legal Copyright: Microsoft
Original Filename: (#2023171)Renewal Invite Letter sp.doc

********** Confidentiality Notice **********.
This e-mail and any file(s) transmitted with it, is intended for the exclusive use by the person(s) mentioned above as recipient(s).
This e-mail may contain confidential information and/or information protected by intellectual property rights or other rights. If you
are not the intended recipient of this e-mail, you are hereby notified that any dissemination, distribution, copying, or action taken
in relation to the contents of and attachments to this e-mail is strictly prohibited and may be unlawful. If you have received this
e-mail in error, please notify the sender and delete the original and any copies of this e-mail and any printouts immediately from
your system and destroy all copies of it.

(#2023171)Renewal Invite Letter sp.exe

Attached is a Word document with a malicious macro. The Hybrid Analysis report shows it downloading components from several locations, but doesn't quite catch the malicious binary being downloaded from:

http://umontreal-ca.com/word/word.exe

This has a VirusTotal detection rate of 2/55.

umontreal-ca.com (89.144.10.200 / ISP4P, Germany) is a known bad domain. Other analysis is pending, however the payload is likely to be the Dyre banking trojan.

UPDATE:
This Hybrid Analysis report shows traffic to the following IPs:

67.222.202.183 (Huntel.net, US)
195.154.163.4 (Online SAS, France)
192.99.35.126 (OVH, Canada)
95.211.189.208 (Leaseweb, Netherlands)

Recommended blocklist:
89.144.10.200
67.222.202.183
195.154.163.4
192.99.35.126
95.211.189.208

Tuesday, 21 July 2015

Malware spam: "Administrator - EDCSRP earmarking (Update 07_21_2015).doc" / "Internal ONLY"

These two spam email messages have the same malicious payload:

From:    Administrator@badeleke [Administrator@victimdomain]
To:    badeleke@victimdomain
Date:    24 July 2014 at 10:30
Subject:    Administrator - EDCSRP earmarking (Update 07_21_2015).doc

badeleke,

This attachment(EDCSRP earmarking (Update 07_21_2015).doc) provides you with managing facilities for your mailboxes, public folders, distribution lists, contact and mail service general settings. Please save the attached file to your hard drive before deleting this message.


Thank you,
Administrator
http://www.victimdomain

----------------------

From:    Incoming Fax [Incoming.Fax@victimdomain]
To:    administrator@victimdomain
Date:    18 September 2014 at 08:35
Subject:    Internal ONLY

**********Important - Internal ONLY**********

File Validity: 07/21/2015
Company : http://victimdomain
File Format: Microsoft word
Legal Copyright: Microsoft
Original Filename: Internal_report_07212015_5542093.doc

********** Confidentiality Notice **********.
This e-mail and any file(s) transmitted with it, is intended for the exclusive use by the person(s) mentioned above as recipient(s).
This e-mail may contain confidential information and/or information protected by intellectual property rights or other rights. If you
are not the intended recipient of this e-mail, you are hereby notified that any dissemination, distribution, copying, or action taken
in relation to the contents of and attachments to this e-mail is strictly prohibited and may be unlawful. If you have received this
e-mail in error, please notify the sender and delete the original and any copies of this e-mail and any printouts immediately from
your system and destroy all copies of it.

Note the odd dates on the spam emails. In all cases, the attachment is called EDCSRP earmarking (Update 08_21_2015).doc and at present it has a VirusTotal detection rate of 7/55. It contains a complex macro [pastebin] which (according to Hybrid Analysis) downloads additional components from:

phudge.ca/wordpress/wp-content/themes/canvas/includes/.svn/props/78672738612836.txt
kedros.ch//modules/mod_araticlhess/78672738612836.txt


Automated analysis didn't get any further than this, and rather than reinvent the wheel I refer you to this note from @Techhelplistcom which reveals an executable being downloaded from:

umontreal-ca.com/ualberta/philips.exe

This domain was registered just yesterday to an anonymous person and is hosted on 89.144.10.200 (ISP4P, Germany), so we can assume that it is malicious. But here's an interesting detail: if you look at the Word document itself it does actually claim to be from the University of Montreal.



That seems like a lot of effort to go to, more than is usual for this type of attack. The malicious executable philips.exe has a detection rate of 13/55 and again, the Comments field has a useful list of IP addresses to block thanks to @Techhelplistcom.

This whole thing is Upatre dropping the Dyre banking trojan, and it's quite clever stuff. Perhaps your best defence is a user education programme about not enabling active content in suspect emails.

Recommended minimum blocklist:
89.144.10.200

MD5s:
e945383e19955c420789bf5b3b415d00
015774e058bcb1828726848d2edd93f9

Friday, 17 July 2015

Malware spam: eFax message from "unknown" - 1 page(s), Caller-ID: 1-123-456-7890

This fake fax spam leads to malware:

From:    eFax [message@inbound.efax.com]
To:    administrator@victimdomain
Date:    17 July 2015 at 10:42
Subject:    eFax message from "unknown" - 1 page(s), Caller-ID: 1-357-457-4655



Fax Message [Caller-ID: 1-357-457-4655]
You have received a 1 page fax at Fri, 17 Jul 2015 15:12:25 +0530.

* The reference number for this fax is atl_did1-1400166434-67874083637-154.

Click here to view this fax using your PDF reader.

Please visit www.eFax.com/en/efax/twa/page/help if you have any questions regarding this message or your service.

Thank you for using the eFax service!


j2 Global | eFax | eVoice | FuseMail | Campaigner | KeepItSafe | OneBox

2014 j2 Global, Inc. All rights reserved.
eFax is a registered trademark of j2 Global, Inc.

This account is subject to the terms listed in the eFax Customer Agreement.

Although the numbers and some other details change in the spam messages, in all cases the download location has been from a legitimate but hacked site at:

breedandco.com/fileshare/FAX-1400166434-707348006719-154.zip

The ZIP file has a detection rate of 6/55 and it contains a malicious executable named FAX-1400166434-707348006719-154.scr which has a detection rate of 4/55. Automated analysis [1] [2] [3] shows a characteristic callback pattern that indicates Upatre (which in this series of campaigns drops the Dyre banking trojan):

93.185.4.90:12325/ETK7/<MACHINE_NAME>/0/51-SP3/0/GKBIMBFDBEEE
93.185.4.90:12325/ETK7/<MACHINE_NAME>/41/5/1/GKBIMBFDBEEE


This IP is allocated to C2NET in the Czech Republic. The malware also looks up the infected machine's external IP address via checkip.dyndns.org, which is a legitimate service. Traffic to that domain is worth looking for as a pivot point: on its own it proves nothing, since plenty of legitimate software uses it too, but a lookup there from a host that has just fetched a URL of the shape above is a good indicator of compromise.
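That callback shape turns up in almost every Upatre post on this page (the 26 August, 22 January, 9 January, 8 January, 19 December, 24 November, 18 November, 24 October and 13 October samples all check in the same way), so it is worth having a detection for it rather than eyeballing sandbox reports. The script below is an added example, not code from the original posts: it matches the URL pattern (bare public IPv4 host, usually on a high non-standard port, then /campaign/machine/n/windows-version/n/id) against proxy log lines, pulls out the fields, and separately flags checkip.dyndns.org lookups as a pivot. The "51-SP3" and "61-SP1" elements read as Windows 5.1 SP3 (XP) and 6.1 SP1 (7), i.e. the sandbox that ran the sample. The log lines are constructed for the example in a squid-like "timestamp client method url" layout; map the columns to whatever your proxy emits.

```python
"""Spot Upatre-style check-in URLs in web proxy logs.

Added example, not code from the original posts. The URL shape is taken from
the callbacks quoted on this page, e.g.
  93.185.4.90:12325/ETK7/<MACHINE_NAME>/0/51-SP3/0/GKBIMBFDBEEE
  202.153.35.133:40542/1912uk22//0/51-SP3/0/      (empty machine name, no id)
  197.149.90.166/260822U/Yd1D3h1R87/41/5/42/FDMBEFJBMKBEMM
The sample log lines below are constructed for the example.
"""
import ipaddress
import re
from urllib.parse import urlsplit

UPATRE_PATH = re.compile(
    r"^/(?P<campaign>[A-Za-z0-9]+)"   # e.g. ETK7, 2201us22, 260822U
    r"/(?P<machine>[A-Za-z0-9_-]*)"   # victim hostname, may be empty
    r"/(?P<a>\d+)"                    # 0, 1, 41 in the samples
    r"/(?P<os>\d+(?:-SP\d+)?)"        # 51-SP3, 61-SP1 or a bare number
    r"/(?P<c>\d+)"
    r"/(?P<id>[A-Za-z0-9]*)$"         # per-bot id, absent in some samples
)

# Legitimate service the malware uses to learn its public IP: a pivot, not proof.
EXTERNAL_IP_LOOKUPS = {"checkip.dyndns.org"}


def classify_url(url):
    """Describe why a URL is suspicious, or return None.

    kind == "upatre_checkin": bare public-IP host plus the path pattern above.
    kind == "external_ip_lookup": request to a checkip service.
    """
    if "://" not in url:
        url = "http://" + url            # the posts list callbacks without a scheme
    parts = urlsplit(url)
    host = parts.hostname or ""
    if host in EXTERNAL_IP_LOOKUPS:
        return {"kind": "external_ip_lookup", "host": host}
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return None                      # named host: not this pattern
    if addr.is_private or addr.is_loopback:
        return None                      # internal APIs can look similar; skip them
    m = UPATRE_PATH.match(parts.path)
    if not m:
        return None
    fields = m.groupdict()
    port = parts.port or 80
    fields.update(kind="upatre_checkin", host=host, port=port,
                  nonstandard_port=port not in (80, 443))
    return fields


def scan_log(lines):
    """Return [(timestamp, client, finding)] for each suspicious request."""
    hits = []
    for line in lines:
        cols = line.split()
        if len(cols) < 4:
            continue
        ts, client, url = cols[0], cols[1], cols[3]
        finding = classify_url(url)
        if finding is not None:
            hits.append((ts, client, finding))
    return hits


# Constructed sample log: one XP host doing the full Upatre dance, one Win7 host,
# some benign noise, and an internal API call whose path happens to fit the regex.
SAMPLE_LOG = """\
1437139945.101 10.0.3.17 GET http://www.example.com/index.html
1437139946.220 10.0.3.17 GET http://93.185.4.90:12325/ETK7/WKS-0427/0/51-SP3/0/GKBIMBFDBEEE
1437139947.004 10.0.3.17 GET http://checkip.dyndns.org/
1437139948.310 10.0.3.17 GET http://93.185.4.90:12325/ETK7/WKS-0427/41/5/1/GKBIMBFDBEEE
1437139950.812 10.0.3.22 GET http://202.153.35.133:40542/1912uk22//0/51-SP3/0/
1437139951.500 10.0.3.22 GET http://197.149.90.166/260822U/Yd1D3h1R87/0/61-SP1/0/FDMBEFJBMKBEMM
1437139952.000 10.0.3.40 GET http://10.0.0.5/api/v1/0/7/0/
""".splitlines()

if __name__ == "__main__":
    for ts, client, f in scan_log(SAMPLE_LOG):
        if f["kind"] == "upatre_checkin":
            print(f"{ts} {client} -> {f['host']}:{f['port']} campaign={f['campaign']} "
                  f"machine={f['machine']!r} os={f['os']} id={f['id']!r}")
        else:
            print(f"{ts} {client} -> {f['host']} ({f['kind']})")
```

The campaign field (ETK7, 2201us22, 1912uk22 and so on) is the useful thing to group on: it ties every infected host in your estate back to one spam run, and the machine field tells you which box to pull.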

The malware reaches out to some other malicious IPs (mostly parts of a botnet):

93.185.4.90 (C2NET, Czech Republic)
62.204.250.26 (TTNET, Czech Republic)
76.84.81.120 (Time Warner Cable, US)
159.224.194.188 (Content Delivery Network Ltd, Ukraine)
178.222.250.35 (Telekom Srbija, Serbia)
181.189.152.131 (Navega.com, Guatemala)
194.28.190.84 (AgaNet Agata Goleniewska, Poland)
194.28.191.213 (AgaNet Agata Goleniewska, Poland)
199.255.132.202 (Computer Sales & Services Inc., US)
208.123.135.106 (Secom Inc, US)

Among other things, the malware drops a file XGwdKLWhYBDqWBb.exe [VT 10/55] and vastuvut.exe [VT 6/55].

Recommended blocklist:
93.185.4.90
62.204.250.26
76.84.81.120
159.224.194.188
178.222.250.35
181.189.152.131
194.28.190.84
194.28.191.213
199.255.132.202
208.123.135.106

MD5s:
777ea29053d4e3e4eeb5689523a5ed11
2cb619f59c10a9877b672d66ab17edf9
efa2887ab892c34a5025aa3f943f49a9
debfdeb9b14dda4ed068a73b78ce5a24

Tuesday, 19 May 2015

Malware spam: "Australian Taxation Office [noreply@ato.gov.au]" / "eFax message - 2 page(s)"

Apparently the Australian Taxation Office thinks I have a fax.. or perhaps it is something more sinister?

From:    Australian Taxation Office [noreply@ato.gov.au]
Date:    19 May 2015 at 12:48
Subject:    eFax message - 2 page(s)

Fax Message [Caller-ID: 408-342-0521]
You have received a 2 pages fax at 2015-05-19 08:18:16 AM EST.

* The reference number for this fax is
min2_did16-0884196800-3877504043-49.

View this fax using your PDF reader.

Please visit www.eFax.com/en/efax/twa/page/help if you have any questions regarding this message or your service.
Thank you for using the eFax service!

Predictably, the link leads to a malicious download (this time at storage-ec2-24.sharefile.com) named Fax_00491175.zip and containing in turn a malicious executable Fax_00491175.scr.

This executable has a detection rate of 5/57. Automated analysis tools [1] [2] [3] show that it downloads a further component from:

http://employmentrisk.com/images/1405uk77.exe

In turn, this has a detection rate of 4/57 and the Hybrid Analysis report indicates that it tries to communicate with 194.28.190.183 (AgaNet Agata Goleniewska, Poland).

Recommended blocklist:
employmentrisk.com
194.28.190.183

MD5s:
a6aa82995f4cb2bd29cdddedd3572461
b3b483c10d4f7eacd7cfa42f604968f8

Thursday, 22 January 2015

Yet more MyFax malware spam

There's another batch of "MyFax" spam going around at the moment, for example:

From:    MyFax [no-replay@my-fax.com]
Date:    22 January 2015 at 15:08
Subject:    Fax #4356342

Fax message

http://[redacted]/.-NEW_RECEIVED.FAX/fax.html
Sent date: Thu, 22 Jan 2015 15:08:30 +0000

Clicking the link leads to a page like this:


The link leads to an EXE-in-ZIP download which is slightly different every time [1] [2] [3] [virustotal]. Detection rates are around 6/55.

The Malwr report shows communication with the following URLs:

http://202.153.35.133:51025/2201us22/HOME/0/51-SP3/0/
http://202.153.35.133:51025/2201us22/HOME/1/0/0/
http://when-to-change-oil.com/mandoc/story_su22.pdf
http://202.153.35.133:51014/2201us22/HOME/41/7/4/


Of these 202.153.35.133 is the essential one to block traffic to, belonging to Excell Media Pvt Ltd in India. A file axybT95.exe is also dropped according to the report, which has a detection rate of 7/48.

I haven't seen a huge number of these; the format of the URLs looks something like this:
http://[redacted]/.-NEW_RECEIVED.FAX/fax.html
http://[redacted]/NEW_FAX-MESSAGES/fax.letter.html
http://[redacted]/_~NEW.FAX.MESSAGES/incoming.html


Friday, 9 January 2015

Malware spam: "Employee Documents - Internal Use" / "Fax [no-replay@fax-voice.com]"

This fake fax run is a variation of this one from yesterday.

From:    Fax [no-replay@fax-voice.com]
Date:    9 January 2015 at 14:52
Subject:    Employee Documents - Internal Use

DOCUMENT NOTIFICATION, Powered by NetDocuments

DOCUMENT NAME: Fax Documents

DOCUMENT LINK: http://rehberhatay.com/files/get_msg.html

As before, there are several links leading to different download locations; the ones I have personally seen are:

http://isschennai.com/files/get_msg.html
http://java.bizhat.com/files/get_msg.html
http://tradedeal.in/files/get_msg.html
http://cecileandsimonswedding.com/files/get_msg.html
http://kimtrotman.com/files/get_msg.html
http://forum-adb.org/files/get_msg.html
http://munimejia.gob.pe/files/get_msg.html
http://rehberhatay.com/files/get_msg.html
http://marinethrusters.com/files/get_msg.html
http://homeworkhelpindia.com/files/get_msg.html

These landing pages lead to a pair of jjencoded JavaScript files hosted on different sites. I explained a little about those last time, so I won't go into much more detail about how to handle them.

What is interesting, though, is that the download location you coax out of the script is time-limited. If you wait too long, you get a nonsense script instead. Possibly even more interesting is that every time you download the target ZIP file "message.zip ;.zip ;.zip ;" it seems to be different.

Visiting the sites I listed above gets ten different download locations:

http://hudsoncityholdings.com/js/jquery-1.6.39.js?get_message=4068432082
http://murillodesign.com.au/js/jquery-1.6.39.js?get_message=1390167085
http://murillodesign.com.au/js/jquery-1.6.39.js?get_message=337687660
http://hudsoncityholdings.com/js/jquery-1.6.39.js?get_message=3612499004
http://advancedhealthconnections.com/js/jquery-1.6.39.js?get_message=4238661099
http://murillodesign.com.au/js/jquery-1.6.39.js?get_message=2377682563
http://murillodesign.com.au/js/jquery-1.6.39.js?get_message=2792412553
http://murillodesign.com.au/js/jquery-1.6.39.js?get_message=1104895466
http://advancedhealthconnections.com/js/jquery-1.6.39.js?get_message=3161145159
http://advancedhealthconnections.com/js/jquery-1.6.39.js?get_message=138855569

That led to 10 different ZIP files containing different EXE files, each with similar VT results [1] [2] [3] [4] [5] [6] [7] [8] [9] [10], and in turn Malwr reports showing that they are almost functionally identical [1] [2] [3] [4] [5] [6] [7] [8] [9] [10].

Although those reports indicate some difference in the port numbers, we can see the following URLs being accessed:

http://202.153.35.133:55365/0901us1/HOME/0/51-SP3/0/
http://202.153.35.133:55365/0901us1/HOME/1/0/0/
http://crecrec.com/mandoc/nuts12.pdf
http://202.153.35.133:55350/0901us1/HOME/41/7/4/
http://samrhamburg.com/img/ml1.tar

202.153.35.133 (Excell Media Pvt Ltd, India) is probably the key thing to block.

Despite the differences in the downloader, they all seem to drop a randomly-named file with identical characteristics in each case. This has a VirusTotal detection rate of 1/55 and you can see the Malwr report for that file here.

For researchers only, a copy of the file involved can be found here, password=infected

Thursday, 8 January 2015

MyFax [no-replay@my-fax.com] spam campaign

I am indebted to several people for help with this (not all of whom I can mention). It is similar to this recent spam run analysed by TechHelpList.com.

It begins with a simple fake fax message:

From:    MyFax [no-replay@my-fax.com]
Date:    8 January 2015 at 17:11
Subject:    Fax #6117833

Fax message

http://raffandraff.com/docs/new_fax.html
Sent date: Thu, 8 Jan 2015 17:11:53 +0000

There are *lots* of these download locations; the ones I have personally seen are:

http://381main.com/docs/new_fax.html
http://blustoneentertainment.com/docs/new_fax.html
http://claimquest123.com/docs/new_fax.html
http://www.drhousesrl.it/docs/new_fax.html
http://dutawirautama.com/documents/message.html
http://espaceetconfort.free.fr/docs/new_fax.html
http://netsh105951.web13.net-server.de/docs/new_fax.html
http://njstangers.org/docs/new_fax.html
http://patresearch.com/docs/new_fax.html
http://powderroomplayground.com/docs/new_fax.html
http://prosperprogram.org/docs/new_fax.html
http://pyramidautomation.com/docs/new_fax.html
http://raffandraff.com/docs/new_fax.html
http://regimentalblues.co.uk/docs/new_fax.html
http://rewelacja.eu/docs/new_fax.html
http://stamfordicenter.com/docs/new_fax.html
http://stylista.com.cy/docs/new_fax.html
http://win.org.ro/docs/new_fax.html

Each one of these pages contains a script that looks like this:

<!DOCTYPE html>
<html>
<head>
  <title>Page Title</title>
<script type="text/javascript" src="http://girardimusicstudio.com/js/jquery-1.7.50.js"></script>
<script type="text/javascript" src="http://blackstonebikes.co.uk/js/jquery-1.7.50.js"></script>

</head>

<body>
</body>

</html>
So far, so good. But the scripts seem insane, like this one.


It looks a bit like Brainfuck but in fact it is something called jjencode which I confess is way beyond my limited JavaScript skillz. No worries, I used the code at this Github repository to decode it, and that leads to this script.

Now, this script passes some browser variables to the next step (described here, I won't reinvent the wheel), and if you have all your ducks in a row you might get a "Read message" link.

Get it wrong and you get another jjencoded script that turns out to be gobbledegook (like the message seen here).

The download link looks something like this - http://stylista.com.cy/js/jquery-1.7.50.js?get_message=2151693229 - which in this case downloads the curiously named file "message.zip ;.zip ;.zip ;" which contains a file fax_letter_pdf.exe which is of course malicious.
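Before decoding anything, the landing page skeleton above already gives the game away: two cross-origin script includes on unrelated compromised sites, both named after a jQuery version that does not exist (jQuery never shipped a 1.7.50, or the 1.6.39 seen in the 9 January run; no 1.x release has a patch number above 4, the last of each line being 1.6.4, 1.7.2 and 1.12.4). The script below is an added example, not code from the original post: it pulls the script sources out of a landing page with the standard library HTML parser, flags cross-origin hosts and impossible jQuery versions, and extracts the get_message token from download links of the form shown above. LANDING_PAGE is the skeleton quoted in the post; the other inputs are constructed.

```python
"""Triage a fake-fax landing page: list the external <script src> includes and
flag the ones that do not look like what their filenames claim.

Added example, not code from the original post. LANDING_PAGE is the skeleton
quoted in the post; other inputs are constructed. No jQuery 1.x release has a
patch number above 4, so "jquery-1.7.50.js" is a tell on its own.
"""
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

LANDING_PAGE = """<!DOCTYPE html>
<html>
<head>
  <title>Page Title</title>
<script type="text/javascript" src="http://girardimusicstudio.com/js/jquery-1.7.50.js"></script>
<script type="text/javascript" src="http://blackstonebikes.co.uk/js/jquery-1.7.50.js"></script>

</head>

<body>
</body>

</html>"""

JQUERY_FILE = re.compile(r"jquery-(\d+)\.(\d+)\.(\d+)(?:\.min)?\.js$", re.I)


class ScriptCollector(HTMLParser):
    """Collect the src attribute of every <script> tag."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":                      # HTMLParser lower-cases tag and attr names
            for name, value in attrs:
                if name == "src" and value:
                    self.sources.append(value)


def extract_scripts(html):
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    return parser.sources


def fake_jquery_version(url):
    """True when the filename claims a jQuery 1.x patch level that never existed."""
    m = JQUERY_FILE.search(urlsplit(url).path)
    if not m:
        return False
    major, _minor, patch = (int(x) for x in m.groups())
    return major == 1 and patch > 4


def triage(page_url, html):
    """One finding per external script: its host, whether it is cross-origin to
    the landing page, whether the jQuery version is bogus, and the get_message
    token if the URL is the download-link form seen in the post."""
    page_host = urlsplit(page_url).hostname
    findings = []
    for src in extract_scripts(html):
        parts = urlsplit(src)
        findings.append({
            "src": src,
            "host": parts.hostname,
            "cross_origin": parts.hostname is not None and parts.hostname != page_host,
            "fake_jquery": fake_jquery_version(src),
            "get_message": parse_qs(parts.query).get("get_message", [None])[0],
        })
    return findings


if __name__ == "__main__":
    for f in triage("http://raffandraff.com/docs/new_fax.html", LANDING_PAGE):
        flags = [k for k in ("cross_origin", "fake_jquery") if f[k]]
        print(f"{f['src']}  ->  {', '.join(flags) or 'nothing odd'}")
```

The hosts it returns (girardimusicstudio.com, blackstonebikes.co.uk, and whichever site the get_message link points at) are the second and third tiers of the infrastructure and belong on the same blocklist as the landing pages.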

Now, it's worth pointing out that there is strong evidence that the EXE-in-ZIP file downloaded here has several different versions. In this case it has a VirusTotal detection rate of 3/56. I have seen at least two other MD5s though; I think each download site might have a different variant.

The Malwr report for this binary takes us a little deeper down the rabbit hole. We can see that it communicates with the following URLs:

http://202.153.35.133:48472/0801us1/HOME/0/51-SP3/0/
http://202.153.35.133:48472/0801us1/HOME/1/0/0/
http://masterelectric.net/mandoc/1001.pdf


It also drops a file EXE1.EXE which has a detection rate of 4/56. That analysis indicates that the payload is the Dyreza banking trojan.

All this seems like a lot of effort to drop a ZIP file with a funny name, but it does go some way to obfuscating the payload.


Friday, 19 December 2014

Malware spam: no-replay@my-fax.com / "Employee Documents - Internal Use"

This fake fax spam leads to malware:

From:    Fax [no-replay@my-fax.com]
Date:    19 December 2014 at 15:37
Subject:    Employee Documents - Internal Use

DOCUMENT NOTIFICATION, Powered by NetDocuments

DOCUMENT NAME: Fax Documents

DOCUMENT LINK: http://crematori.org/myfax/company.html

Documents are encrypted in transit and store in a secure repository

---------------------------------------------------------------------------------
This message may contain information that is privileged and confidential. If you received this transmission in error, please notify the sender by reply email and delete the message and any attachments.

The download locations in the email vary; so far I have seen:

http://newsurveyresults.com/myfax/company.html
http://ChallengingDomesticAbuse.co.uk/myfax/company.html
http://crematori.org/myfax/company.html
http://gnrcorbus.com/myfax/company.html
http://sonata-arctica.wz.cz/myfax/company.html

Clicking the link downloads a file fax8127480_924_pdf.zip which in turn contains a malicious executable fax8127480_924.exe which has a VirusTotal detection rate of 3/55. Most automated analysis tools are inconclusive [1] [2] but the VT report shows network connections to the following locations:

http://202.153.35.133:40542/1912uk22//0/51-SP3/0/
http://202.153.35.133:40542/1912uk22//1/0/0/
http://natural-anxiety-remedies.com/wp-includes/images/wlw/pack22.pne


Recommended blocklist:
202.153.35.133
natural-anxiety-remedies.com




Monday, 24 November 2014

MyFax message from "unknown" spam leads to poorly-detected malware

Fax spam again. How quaint. This spam appears to come from the person receiving it (which is an old trick).

From: victim@victimdomain.com
Sent: 24 November 2014 15:31
To: norep.c@mefax.com
Subject: MyFax message from "unknown" - 3 page(s)


Fax Message [Caller-ID: 1-407-067-7356]

http://159593.webhosting58.1blu.de/messages/get_message.php

You have received a 3 page fax at Mon, 24 Nov 2014 15:31:23 +0000.

* The reference number for this fax is chd_did11-14186364797-10847113200-628.

View this fax using your PDF reader.
Thank you for using the MyFax service!

The link in the message downloads a file faxmessage_7241_pdf61.zip which in turn contains a malicious executable faxmessage_7241_pdf.exe which has a VirusTotal detection rate of 4/53. The Malwr report shows that it connects to the following URLs:

http://95.211.199.37:16792/2411us3/HOME/0/51-SP3/0/
http://95.211.199.37:16792/2411us3/HOME/1/0/0/
http://lasuruguayas.com/images/refus3.pnk


A file EXE1.EXE is also dropped, with a VirusTotal detection rate of just 1/54. The Malwr report is here.



Tuesday, 18 November 2014

"INCOMING FAX REPORT" spam, let's party like it's 1999

Hang on, I think I need to load some more papyrus into the facsimile machine, the 1990s are back!

From:     Incoming Fax [no-reply@efax.co.uk]
Date:     18 November 2014 13:16
Subject:     INCOMING FAX REPORT : Remote ID: 766-868-5553

*********************************************************
INCOMING FAX REPORT
*********************************************************

Date/Time: Tue, 18 Nov 2014 14:16:58 +0100
Speed: 4222bps
Connection time: 01:09
Pages: 5
Resolution: Normal
Remote ID: 963-864-5728
Line number: 1
DTMF/DID:
Description: Internal report

We have uploaded fax report on dropbox, please use the following link to download your file:

http://mrconsultantpune.com/dropbox/document.php

********************************************************* 

This is (of course) utter bollocks, and the link in the email downloads a ZIP file document_8731_pdf.zip which in turn contains a malicious executable document_8731_pdf.exe which has a VirusTotal detection rate of 4/54. According to the Malwr report it makes the following HTTP requests:

http://108.61.229.224:13861/1811us1/HOME/0/51-SP3/0/
http://108.61.229.224:13861/1811us1/HOME/1/0/0/
http://159593.webhosting58.1blu.de/mandoc/narutus1.pmg

It also drops a file EXE1.EXE onto the target system which has a detection rate of 7/55. You can see the Malwr report for that here.

Recommended blocklist:
108.61.229.224
159593.webhosting58.1blu.de

Monday, 17 November 2014

Interfax "Failed Fax Transmission" spam comes with malicious .DOCM file

This fake fax spam comes with a malicious attachment:

From:     Interfax [uk@interfax.net]
Date:     13 November 2014 20:29
Subject:     Failed Fax Transmission to 01616133969@fax.tc<00441616133969>

Transmission Results
Destination Fax:  00441616133969
Contact Name:  01616133969@fax.tc
Start Time:  2014/11/13 20:05:27
End Time:  2014/11/13 20:29:00
Transmission Result:  3220 - Communication error
Pages sent:  0
Subject:  140186561.XLS
CSID:
Duration (In Seconds):  103
Message ID:  485646629

Thank you for using Interfax
E-mail: uk@interfax.net
Home page: http://www.interfax.net


Attached is a malicious Word macro file called 00000293.docm which is currently undetected at VirusTotal. The Malwr report doesn't say much (Malwr isn't great at analysing this type of threat). Inside this .DOCM file is a malicious macro [pastebin] which attempts to download a malicious binary from http://agro2000.cba.pl/js/bin.exe

This file is downloaded to %TEMP%\MRSWZZFEYPX.exe. The binary also has zero detections at VirusTotal, and the Malwr report shows that it tries to connect to the following URL:

http://84.40.9.34/lneinn/mo%26af.lipgs%2Bfn%7El%3Fboel%3D%3F+%3Fa%20%3F~pigc_k/ci$slf%2B%20l%3D%7E

It then drops a malicious DLL onto the target system which has a rather better detection rate of 12/53.

If you are a corporate email administrator then you might consider blocking .DOCM files at the perimeter, as I can see no valid reason for these to be sent by email. Bear in mind that the extension is only a label: Word identifies the file by its contents, so a .DOCM renamed to .DOC still opens and its macros still run once the user clicks through the prompt, which is why a check for the vbaProject.bin part inside the container catches more than an extension filter does. You should definitely block 84.40.9.34 (Hostway, Belgium) as this is a known bad server that has been used in several recent attacks.
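The content check is small enough to show in full. The script below is an added example and not code from this or the July posts: it classifies an attachment by its bytes rather than its name, opening the OOXML ZIP container and looking for the word/, xl/ or ppt/vbaProject.bin part that every macro-enabled Office 2007+ document carries, and combines that with the extension rule the post suggests. The sample attachments are built in memory for the demonstration, including a macro document renamed to .doc that an extension filter would pass. Legacy OLE2 .doc/.xls files (the format of the 21 July and 28 July attachments) are only identified here, not inspected; for those you need an OLE parser such as oletools' olevba.

```python
"""Detect macro-enabled Office attachments by content, not by filename.

Added example, not code from the original posts. Modern Office files are ZIP
containers and a VBA project lives at word/vbaProject.bin (xl/ and ppt/ for
Excel and PowerPoint), so the reliable check is to open the container and
look. The sample attachments below are constructed in memory.
"""
import io
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .doc/.xls (OLE2 / CFB)
ZIP_MAGIC = b"PK\x03\x04"                          # OOXML and every other ZIP

MACRO_PARTS = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")
MACRO_EXTENSIONS = (".docm", ".dotm", ".xlsm", ".xlam", ".pptm", ".ppam")


def classify_attachment(data):
    """Return "ooxml-macro", "ooxml-clean", "ole2" or "not-office" from the bytes alone."""
    if data.startswith(OLE_MAGIC):
        return "ole2"            # legacy binary format: hand off to an OLE parser (olevba)
    if not data.startswith(ZIP_MAGIC):
        return "not-office"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
    except zipfile.BadZipFile:
        return "not-office"
    if "[Content_Types].xml" not in names:
        return "not-office"      # a ZIP, but not an Office package
    if any(part in names for part in MACRO_PARTS):
        return "ooxml-macro"
    return "ooxml-clean"


def should_block(filename, data):
    """Perimeter policy: block on the macro-enabled extension the post suggests,
    or on a VBA project found in the container, whichever fires."""
    macro_ext = filename.lower().endswith(MACRO_EXTENSIONS)
    return macro_ext or classify_attachment(data) == "ooxml-macro"


def build_docx(with_macro):
    """Construct a minimal OOXML container for the demo (not a real Word file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", OLE_MAGIC + b"fake-vba-project")
    return buf.getvalue()


if __name__ == "__main__":
    samples = {
        "00000293.docm": build_docx(True),
        "Internal_report.doc": build_docx(True),     # renamed .docm: extension filter misses it
        "quote.docx": build_docx(False),
        "EDCSRP earmarking.doc": OLE_MAGIC + b"\0" * 504,
        "fax.pdf": b"%PDF-1.4 ...",
    }
    for name, blob in samples.items():
        print(f"{name:<24} {classify_attachment(blob):<12} block={should_block(name, blob)}")
```

The interesting row is the renamed one: same bytes as the .docm, so it is blocked on content, while the .docx without a VBA part is passed even though it is also a ZIP.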

Friday, 24 October 2014

"You've received a new fax" spam.. again.

Another day, another fake fax spam.

From:     Fax [fax@victimdomain.com]
To:     luke.sanson@victimdomain.com
Date:     24 October 2014 10:54
Subject:     You've received a new fax

New fax at SCAN2383840 from EPSON by https://victimdomain.com
Scan date: Fri, 24 Oct 2014 15:24:22 +0530
Number of pages: 2
Resolution: 400x400 DPI

You can secure download your fax message at:

http://galeriaslodkosci.pl/efax/document.php

(eFax Drive is a file hosting service operated by J2, Inc.)
The link in the email goes to a script which (if the browser settings are correct) downloads a file document_92714-872_pdf.zip which in turn contains a malicious executable document_92714-872_pdf.exe which has a VirusTotal detection rate of 3/54. The Malwr report shows the following URLs are contacted:

http://188.165.214.6:20306/2410uk1/HOME/0/51-SP3/0/
http://188.165.214.6:20306/2410uk1/HOME/1/0/0/
http://188.165.214.6:20306/2410uk1/HOME/41/5/1/
http://rodgersmith.com/css/2410uk1.oss

The malware also drops two executables on the system, kcotk.exe (VT 0/53, Malwr report) and ptoma.exe (VT 2/51, Malwr report).

Recommended blocklist:
188.165.214.6
rodgersmith.com

Monday, 13 October 2014

Malware spam: "You have received a new secure message from BankLine" / "You've received a new fax"

A couple of unimaginative spam emails leading to a malicious payload.

You have received a new secure message from BankLine

From:     Bankline [secure.message@bankline.com]
Date:     13 October 2014 12:48
Subject:     You have received a new secure message from BankLine

You have received a secure message.

Read your secure message by following the link bellow:

http://losislotes.com/dropbox/document.php

You will be prompted to open (view) the file or save (download) it to your computer. For best results, save the file first, then open it.

If you have concerns about the validity of this message, please contact the sender directly. For questions please contact the Bankline Bank Secure Email Help Desk at 0131 556 7507.

First time users - will need to register after opening the attachment.
About Email Encryption - https://supportcentre.Bankline.com/app/answers/detail/a_id/1671/kw/secure%20message

You've received a new fax

From:     Fax [fax@victimdomain.com]
Date:     13 October 2014 13:07
Subject:     You've received a new fax

New fax at SCAN2166561 from EPSON by https://victimdomain.com
Scan date: Mon, 13 Oct 2014 20:07:31 +0800
Number of pages: 2
Resolution: 400x400 DPI

You can secure download your fax message at:

http://www.mezaya.ly/dropbox/document.php

(Dropbox Drive is a file hosting service operated by Google, Inc.)

Clicking the link downloads document_312_872_pdf.zip from the target site which in turn contains a malicious executable document_312_872_pdf.exe which has a VirusTotal detection rate of 3/54.

The Malwr analysis shows that the malware attempts to communicate with the following URLs:

Also dropped are a couple of executables, egdil.exe (VT 2/54, Malwr report) and twoko.exe (VT 6/55, Malwr report).

Recommended blocklist:


Friday, 10 October 2014

Malware spam: "You've received a new fax" / "You have received a new secure message from BankLine"

A pair of malware spams this morning, both with the same payload:

"You've received a new fax"

From:     Fax [fax@victimdomain.com]
Date:     10 October 2014 11:34
Subject:     You've received a new fax

New fax at SCAN7097324 from EPSON by https://victimdomain.com
Scan date: Fri, 10 Oct 2014 18:34:56 +0800
Number of pages: 2
Resolution: 400x400 DPI

You can secure download your fax message at:

http://www.eialtd.com/kk/document.php

(Google Disk Drive is a file hosting service operated by Google, Inc.)

"You have received a new secure message from BankLine"

From:     Bankline [secure.message@bankline.com]
Date:     10 October 2014 10:29
Subject:     You have received a new secure message from BankLine

You have received a secure message.

Read your secure message by following the link bellow:

http://www.electromagneticsystems.com/kk/document.php

You will be prompted to open (view) the file or save (download) it to your computer. For best results, save the file first, then open it.

If you have concerns about the validity of this message, please contact the sender directly. For questions please contact the Bankline Bank Secure Email Help Desk at 0131 556 3297.

First time users - will need to register after opening the attachment.
About Email Encryption - https://supportcentre.Bankline.com/app/answers/detail/a_id/1671/kw/secure%20message

The malware downloads a file document_73128_91898_pdf.zip from the target site that contains a malicious executable document_73128_91898_pdf.exe which has a VirusTotal detection rate of 4/54.

According to the ThreatExpert report [pdf] the malware communicates with the following URLs which are probably worth blocking or monitoring:

94.75.233.13/1010uk1/NODE01/41/5/1/
94.75.233.13/private/sandbox_status.php
94.75.233.13/1010uk1/NODE01/0/51-SP3/0/
94.75.233.13/1010uk1/NODE01/1/0/0/
beanztech.com/beanz/1010uk1.rtf


Tuesday, 30 September 2014

Malware spam: NatWest "You have a new Secure Message" / "You've received a new fax"

The daily mixed spam run has just started again; these are the two samples seen so far this morning:

NatWest: "You have a new Secure Message"

From:     NatWest [secure.message@natwest.com]
Date:     30 September 2014 09:58
Subject:     You have a new Secure Message - file-3800

You have received a encrypted message from NatWest Customer Support
In order to view the attachment please open it using your email client ( Microsoft Outlook, Mozilla Thunderbird, Lotus )


Please download your ecnrypted message at:

http://binuli.ge/docs/document0679

(Google Disk Drive is a file hosting service operated by Google, Inc.)


If you have concerns about the validity of this message, please contact the sender directly. For questions please contact the NatWest Bank Secure Email Help Desk at 0131 556 6002.

"You've received a new fax"

From:     Fax [fax@victimdomain.com]
Date:     30 September 2014 09:57
Subject:     You've received a new fax

New fax at SCAN4148711 from EPSON by https://victimdomain.com
Scan date: Tue, 30 Sep 2014 14:27:24 +0530
Number of pages: 2
Resolution: 400x400 DPI

You can secure download your fax message at:

http://www.brianhomesinc.com/docs/document5928

(Google Disk Drive is a file hosting service operated by Google, Inc.)

The link in the email goes through a script that checks you are using a Windows PC and then downloads a file document3009.zip, which contains a malicious executable document3009.scr with a VirusTotal detection rate of 3/54. The Comodo CAMAS report and Anubis report are rather inconclusive.

UPDATE: the ThreatTrack report [pdf] shows that the malware attempts to communicate with the following locations:

188.165.198.52/3009uk1/NODE01/0/51-SP3/0/
188.165.198.52/3009uk1/NODE01/1/0/0/

188.165.198.52 is (unsurprisingly) allocated to OVH in France and is definitely worth blocking.



Friday, 26 September 2014

Malware spam: "Employee Documents - Internal Use" / "You have a new voice" / "BACS Transfer : Remittance for JSAG244GBP" / "New Fax"

Whoever is running this spam run is evolving it day after day, with different types of spam to increase clickthrough rates and now some tricky tools to prevent analysis of the malware.

Employee Documents - Internal Use

From:     victimdomain
Date:     26 September 2014 09:41
Subject:     Employee Documents - Internal Use

DOCUMENT NOTIFICATION, Powered by NetDocuments

DOCUMENT NAME: Employee Documents

DOCUMENT LINK: http://iqmaintenance.com.au/Documents/document26092014-20.pdf

Documents are encrypted in transit and store in a secure repository

---------------------------------------------------------------------------------
This message may contain information that is privileged and confidential. If you received this transmission in error, please notify the sender by reply email and delete the message and any attachments.

You have a new voice

From:     Voice Mail [Voice.Mail@victimdomain]
Date:     26 September 2014 09:30
Subject:     You have a new voice

You are receiving this message because we were unable to deliver it, voice message did not go through because the voicemail was unavailable at that moment.

* The reference number for this message is _qvs4004011004_001

The transmission length was 26
Receiving machine ID : ES7D-ZNA1D-QF3E

To download and listen your voice mail please follow the link below: http://www.sjorg.com/Documents/voice26092014-18

The link to this secure message will expire in 24 hours. If you would like to save a copy of the email or attachment, please save from the opened encrypted email. If an attachment is included, you will be given the option to download a copy of the attachment to your computer.

RBS: BACS Transfer : Remittance for JSAG244GBP

From:     Douglas Byers [creditdepart@rbs.co.uk]
Date:     26 September 2014 10:12
Subject:     BACS Transfer : Remittance for JSAG244GBP

We have arranged a BACS transfer to your bank for the following amount : 4596.00
Please find details at our secure link below:

http://plugdeals.com/Documents/payment26092014-15

New Fax

From:     FAX Message [fax@victimdomain]
Date:     26 September 2014 10:26
Subject:     New Fax

You have received a new fax .
Date/Time: Fri, 26 Sep 2014 16:26:36 +0700.
Your Fax message can be downloaded here : http://montfort.dk/Documents/faxmessage26092014-16

The links in the emails I have seen go to the following locations (there are probably many, many more):

http://plugdeals.com/Documents/payment26092014-15
http://iqmaintenance.com.au/Documents/document26092014-20.pdf
http://www.sjorg.com/Documents/voice26092014-18
http://montfort.dk/Documents/faxmessage26092014-16


The attack has evolved recently. Previously these malicious links forwarded on to another site which hosted the malicious payload, and because all the links tended to end up at the same site, it was quite easy to block that site and foil the attack. But recently the payload has been spread around many different sites, making it harder to block.

A new twist today is that the landing page is somewhat obfuscated to make it harder to analyse, and this time the download is a plain old .scr file rather than a .zip. I've noticed that many anti-virus products are getting quite good at detecting the malicious ZIP files with a generic detection, but not the binary within. By removing the ZIP wrapper, the bad guys have given AV engines one less hook to find.

The landing page script looks like this [pastebin], which is a bit harder to deal with, but nonetheless a malicious binary document7698124-86421_pdf.scr is downloaded from the remote site; it has a VirusTotal detection rate of 2/55. The Anubis report shows the malware attempting to phone home to padav.com, which is probably worth blocking.
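Because the payload now moves between many hacked sites, blocking the landing page alone is not enough; what stays stable across the October and September posts above is the C2 beacon path shape (/<ddmm>uk1/HOME or NODE01/...), the second-stage file names and the double-extension lure names. As an added example (my code, not the blog's), here is a proxy-log sweep that flags those patterns plus the IPs recommended for blocking above. The log lines, client addresses and the .invalid host are constructed.

```python
import re
from urllib.parse import urlsplit

# Beacon path shape shared by the posts above: /<ddmm>uk1/<HOME|NODE01>/<n>/...
BEACON_RE = re.compile(r"/\d{4}uk1/(?:HOME|NODE01)/\d+/")
# Second-stage fetches: <campaign>.rtf or .oss, Pony.rtf, gate.php
STAGE2_RE = re.compile(r"/(?:\d{4}uk1\.(?:rtf|oss)|Pony\.rtf|gate\.php)$", re.I)
# Double-extension lures: document_..._pdf.zip/.exe/.scr or documentNNNN.zip/.scr
LURE_RE = re.compile(r"/document(?:[\w-]*_pdf\.(?:zip|exe|scr)|\d+\.(?:zip|scr))$", re.I)
# C2 addresses the posts above recommend blocking
BLOCKLIST = {"188.165.214.6", "94.75.233.13", "144.76.220.116",
             "85.25.152.238", "188.165.198.52"}

def classify_url(url: str) -> list:
    """Return every reason a requested URL looks like this campaign's traffic."""
    parts = urlsplit(url)
    reasons = []
    if (parts.hostname or "") in BLOCKLIST:
        reasons.append("blocklisted host")
    if BEACON_RE.search(parts.path):
        reasons.append("C2 beacon path")
    if STAGE2_RE.search(parts.path):
        reasons.append("second-stage download")
    if LURE_RE.search(parts.path):
        reasons.append("double-extension lure")
    return reasons

def scan_proxy_log(lines) -> list:
    """Return (client, url, reasons) for hits in '<ts> <client> <method> <url> <status>' lines."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 5:
            continue                      # skip malformed or truncated lines
        reasons = classify_url(fields[3])
        if reasons:
            hits.append((fields[1], fields[3], reasons))
    return hits

# Constructed proxy log (clients and the .invalid host are made up; paths mirror the posts).
SAMPLE_LOG = """\
1414145040.102 10.1.2.33 GET http://188.165.214.6:20306/2410uk1/HOME/0/51-SP3/0/ 200
1414145041.870 10.1.2.33 GET http://rodgersmith.com/css/2410uk1.oss 200
1414145050.002 10.1.2.41 GET http://www.example.com/index.html 200
1414145060.500 10.1.2.33 GET http://hacked-site.invalid/kk/document_92714-872_pdf.zip 200
1412069000.001 10.1.2.57 GET http://188.165.198.52/3009uk1/NODE01/1/0/0/ 200
""".splitlines()
```

The path patterns are the useful part: they keep matching when the campaign moves to a fresh hacked site that no blocklist has seen yet.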