This fake fax run is a variation of
this one from yesterday.
From: Fax [no-replay@fax-voice.com]
Date: 9 January 2015 at 14:52
Subject: Employee Documents - Internal Use
DOCUMENT NOTIFICATION, Powered by NetDocuments
DOCUMENT NAME: Fax Documents
DOCUMENT LINK: http://rehberhatay.com/files/get_msg.html
As before, there are several links leading to different download locations, the ones I have personally seen are:
http://isschennai.com/files/get_msg.html
http://java.bizhat.com/files/get_msg.html
http://tradedeal.in/files/get_msg.html
http://cecileandsimonswedding.com/files/get_msg.html
http://kimtrotman.com/files/get_msg.html
http://forum-adb.org/files/get_msg.html
http://munimejia.gob.pe/files/get_msg.html
http://rehberhatay.com/files/get_msg.html
http://marinethrusters.com/files/get_msg.html
http://homeworkhelpindia.com/files/get_msg.html
These landing pages lead to a pair of jjencoded javascripts hosted on different files. I explained a little about those
last time, so I won't go into much more detail about how to handle those.
What is interesting though is that the download location that you coax out of the script is time-limited. If you wait too long, you get a nonsense script instead. And possibly even more interesting is that every time you download the target ZIP file "
message.zip ;.zip ;.zip ;" it seems to be different.
Visiting the sites I listed above get ten different download locations:
http://hudsoncityholdings.com/js/jquery-1.6.39.js?get_message=4068432082
http://murillodesign.com.au/js/jquery-1.6.39.js?get_message=1390167085
http://murillodesign.com.au/js/jquery-1.6.39.js?get_message=337687660
http://hudsoncityholdings.com/js/jquery-1.6.39.js?get_message=3612499004
http://advancedhealthconnections.com/js/jquery-1.6.39.js?get_message=4238661099
http://murillodesign.com.au/js/jquery-1.6.39.js?get_message=2377682563
http://murillodesign.com.au/js/jquery-1.6.39.js?get_message=2792412553
http://murillodesign.com.au/js/jquery-1.6.39.js?get_message=1104895466
http://advancedhealthconnections.com/js/jquery-1.6.39.js?get_message=3161145159
http://advancedhealthconnections.com/js/jquery-1.6.39.js?get_message=138855569
That led to 10 different ZIP files containing different EXE files, each one with similar VT results
[1] [2] [3] [4] [5] [6] [7] [8] [9] [10] and in turn Malwr reports that they are almost identically functionally
[1] [2] [3] [4] [5] [6] [7] [8] [9] [10].
Although those reports indicate some difference in the port numbers, we can see the following URLs being accessed:
http://202.153.35.133:55365/0901us1/HOME/0/51-SP3/0/
http://202.153.35.133:55365/0901us1/HOME/1/0/0/
http://crecrec.com/mandoc/nuts12.pdf
http://202.153.35.133:55350/0901us1/HOME/41/7/4/
http://samrhamburg.com/img/ml1.tar
202.153.35.133 (Excell Media Pvt Lt, India) is probably the key thing to block.
Despite the differences in the downloader, they all seem to drop a randomly-named file with identical characterstics in each case. This has a VirusTotal detection rate of
1/55 and you can see the Malwr report for that file
here.
For researchers only, a copy of the file involved can be found
here, password=
infected