INCOMING FAX REPORT : Remote ID: ... Virus


Email:

A fake incoming fax report e-mail that claims to come from a Xerox WorkCentre in your own domain, or from your own e-mail address. The attached zip file contains an .exe trojan; some versions carry a link to a malware site instead of an attachment.

The spoofing is mixed: the envelope sender is nacha.org (or aexp.com) while the From: header is your own domain. Note also the Description field in the samples below: the first letter of "Сonfidential" and "Сost" is the Cyrillic letter Es (U+0421), not a Latin C, which defeats naive keyword matching on those words.


Subject: INCOMING FAX REPORT : Remote ID: 665-366-6868

Subject: INCOMING FAX REPORT : Remote ID: 497-577-7743 .. (etc)

****************************
INCOMING FAX REPORT
****************************

Date/Time: 06/05/2013 05:33:11 CST
Speed: 81100 bps
Connection time: 07:07
Pages: 1
Resolution: Normal
Remote ID: 665-366-6868
Line number: 665-366-6868
DTMF/DID:
Description: Сonfidential - To All Employees .pdf

****************************

CONFIDENTIALITY NOTICE:
This electronic mail transmission and any attached
files contain information intended for the exclusive
use of the individual or entity to whom it is addressed
and may contain information blah blah blah
Thank You

IncomingFax.zip (136)

*******************************************
INCOMING FAX REPORT
*******************************************

Date/Time: 11/26/2013 05:14:23 EST
Speed: 07165 bps
Connection time: 08:08
Pages: 0
Resolution: Normal
Remote ID: 343-848-6365
Line number: 343-848-6365
DTMF/DID:
Description: Сost sheet for first half of 2013.pdf

******************************************

IncomingFax.zip (13)
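As an added example (not code from the original post), here is a small Python check for the kind of attachment described above. It opens a zip attachment in memory and flags members that are Windows executables by extension, by a decoy double extension such as .pdf.exe, or by the MZ magic bytes, since the extension alone is easy to lie about. The sample zip is constructed inside the code (a two-byte MZ stub plus padding, not real malware); the member name IncomingFax.exe is the one from the samples above, and the extension lists are my own choices.

```python
import io
import zipfile

# Extensions a default Windows install will run on double-click (extend to taste).
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs", ".jar"}
# Innocent-looking extensions that get inserted to hide the real one: "Fax.pdf.exe".
DECOY_EXTS = {".pdf", ".doc", ".docx", ".xls", ".jpg", ".txt"}


def make_zip(members):
    """Build a zip in memory from {name: bytes}. Used only to construct test input."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def inspect_zip(data, max_members=50):
    """Return a list of findings for one zip attachment (empty list = nothing suspicious)."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["not a valid zip file"]
    with zf:
        for info in zf.infolist()[:max_members]:       # cap the walk: zip bombs exist
            name = info.filename
            parts = name.rsplit("/", 1)[-1].lower().split(".")
            ext = "." + parts[-1] if len(parts) > 1 else ""
            if ext in EXECUTABLE_EXTS:
                findings.append(f"{name}: executable extension {ext}")
            if len(parts) > 2 and "." + parts[-2] in DECOY_EXTS:
                findings.append(f"{name}: double extension hides {ext}")
            if ext == ".zip":
                findings.append(f"{name}: nested archive (inspect recursively)")
            if info.flag_bits & 0x1:
                findings.append(f"{name}: encrypted, contents not inspectable")
                continue
            # Extensions are cheap to lie about; the first two bytes of a PE file are not.
            with zf.open(info) as fh:
                if fh.read(2) == b"MZ":
                    findings.append(f"{name}: MZ header, Windows executable")
    return findings


# Constructed stand-in for IncomingFax.zip: an MZ stub plus padding, not real malware.
SAMPLE_ZIP = make_zip({"IncomingFax.exe": b"MZ" + b"\x00" * 62 + b"constructed stub"})

if __name__ == "__main__":
    for finding in inspect_zip(SAMPLE_ZIP):
        print("[!]", finding)
```

Encrypted members are reported rather than skipped silently: a password-protected zip with a single executable-looking name is itself a strong signal, and this campaign did not need one.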

Header samples:

The envelope sender (X-Envelope-From, i.e. the SMTP MAIL FROM as recorded by the receiving server) spoofs nacha.org; the From: header spoofs your own domain; some versions spoof aexp.com in the envelope instead. The sending hosts are assorted consumer and business broadband addresses, which points to infected machines rather than to any NACHA or corporate mail server. Because SPF is evaluated against the envelope domain, nacha.org's SPF record says nothing about a From: header that claims your domain; a DMARC policy on your own domain does catch it, since the SPF-authenticated domain does not align with the From: domain and the spoofer cannot DKIM-sign as you.

Received: from asy100.as192.sol.superonline.com [212.252.192.100]
X-Envelope-From: status-update @nacha.org
From: Xerox WorkCentre <Xerox.Device3 @[your domain]>
Subject: INCOMING FAX REPORT : Remote ID: 343-848-6365

Received: from p4300.mpm.edu [192.206.48.3]
X-Envelope-From: ach-status @nacha.org
From: Xerox WorkCentre <Xerox.Device0 @[my domain].com>

Received: from ...-cpennsylvania2.hfc.comcastbusiness.net [173.163.143.130]
X-Envelope-From: noreply @nacha.org
From: Xerox WorkCentre <Xerox.Device0 @[my domain].com>

Received: from 57.190-154-84.uio.satnet.net [190.154.84.57]
X-Envelope-From: no-reply @nacha.org
From: Xerox WorkCentre <Xerox.Device1 @[my domain].com>

Received: from ool-60390baa.static.optonline.net [96.57.11.170]
X-Envelope-From: no-reply @nacha.org
From: Xerox WorkCentre <Xerox.Device7 @[my domain].com>

Received: from ...nnsylvania2.hfc.comcastbusiness.net [173.163.143.130]
X-Envelope-From: no-reply @nacha.org
From: Xerox WorkCentre <Xerox.Device5 @[my domain].com>

Received: from poloniabank.com [65.219.238.34]
X-Envelope-From: no-reply @nacha.org
From: Xerox WorkCentre <Xerox.Device8 @[my domain].com>

Received: from [208.52.162.185]
X-Envelope-From: service @nacha.org
From: Xerox WorkCentre <Xerox.Device7 @[my domain].com>

Received: from rrcs-....nys.biz.rr.com [24.213.255.214]
X-Envelope-From: service @nacha.org
From: Xerox WorkCentre <Xerox.Device6 @[my domain].com>

Received: from ...70.bstnma.fios.verizon.net [98.110.147.170]
X-Envelope-From: ach-status @nacha.org
From: Xerox WorkCentre <Xerox.Device3 @[my domain].com>

Received: from 129.196.60.178.unassigned.mundo-r.com [178.60.196.129]
X-Envelope-From: welcome @aexp.com
From: "Xerox Workcentre" <Scan0 @[my domain]>
Subject: INCOMING FAX REPORT : Remote ID: 556-988-5993

Received: from CT-PTR1.qns.it [31.221.41.181]
X-Envelope-From: welcome @aexp.com
From: "Xerox Workcentre" <Scan8 @sutc.com>
Subject: INCOMING FAX REPORT : Remote ID: 344-786-9968
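As an added example (my code, not the post's), here is a Python triage script that applies the three checks the header samples above suggest: envelope domain differing from the From: domain, a From: that claims your own domain while the delivering host is not one of your relays, and the campaign's subject line. The sample message is constructed from the samples above with the defanging spaces removed; example.com stands in for the spoofed domain and 203.0.113.10 for a legitimate relay, both assumptions. Only the topmost Received: header is used, because that is the one your own MX wrote; anything below it can be forged.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modelled on the header samples above (defanging spaces removed).
# Not a real captured message; example.com stands in for the recipient's domain.
SAMPLE = """Received: from 57.190-154-84.uio.satnet.net [190.154.84.57]
X-Envelope-From: no-reply@nacha.org
From: Xerox WorkCentre <Xerox.Device1@example.com>
Subject: INCOMING FAX REPORT : Remote ID: 343-848-6365

"""

MY_DOMAIN = "example.com"        # assumption: the domain being spoofed (yours)
MY_RELAYS = {"203.0.113.10"}     # assumption: hosts allowed to hand us mail as MY_DOMAIN
SUBJECT_RE = re.compile(r"^INCOMING FAX REPORT\s*:\s*Remote ID:", re.I)
RECEIVED_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def domain_of(addr):
    """'user@Host.TLD' -> 'host.tld'; '' if there is no @."""
    return addr.rpartition("@")[2].lower()


def analyze(raw, my_domain=MY_DOMAIN, relays=MY_RELAYS):
    """Return a list of findings for one message's headers (empty list = nothing flagged)."""
    msg = message_from_string(raw)
    findings = []
    env_dom = domain_of(parseaddr(msg.get("X-Envelope-From", ""))[1])
    hdr_dom = domain_of(parseaddr(msg.get("From", ""))[1])

    # 1. Envelope sender (MAIL FROM) and header From: come from different domains.
    if env_dom and hdr_dom and env_dom != hdr_dom:
        findings.append(f"envelope/From mismatch: {env_dom} vs {hdr_dom}")

    # 2. From: claims our own domain but the host that delivered it is not one of ours.
    #    Only the topmost Received: header (written by our own MX) is trustworthy.
    received = msg.get_all("Received") or []
    m = RECEIVED_IP_RE.search(received[0]) if received else None
    src_ip = m.group(1) if m else None
    if hdr_dom == my_domain and src_ip and src_ip not in relays:
        findings.append(f"From claims {my_domain} but arrived from external host {src_ip}")

    # 3. The campaign's subject line.
    if SUBJECT_RE.match(msg.get("Subject", "")):
        findings.append("subject matches the INCOMING FAX REPORT lure")
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE):
        print("[!]", finding)
```

Check 2 is the one that generalises: it is exactly the alignment test DMARC performs, done by hand for environments that do not yet enforce a DMARC policy on inbound mail claiming their own domain.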

Attachment Examples:

June 2013

IncomingFax.zip containing IncomingFax.exe | VirusTotal report

September 2013

Incoming_FAX_0819.exe | VirusTotal report | Malwr report

November 2013

IncomingFax.zip containing IncomingFax.exe | VirusTotal report | Malwr report

23 January 2014

Scan_001_683-373-8395.zip containing Scan_001_23012014.exe

VirusTotal report 

Qihoo-360      Malware.QVM20.Gen

Malwr.com report 

Starts servers listening on 0.0.0.0:0, 0.0.0.0:2613, 0.0.0.0:3314
Performs some HTTP requests
Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate)
Operates on local firewall's policies and settings
Steals private information from local Internet browsers
Installs itself for autorun at Windows startup
Generates some ICMP traffic

Contacts:
trudeausociety.com 209.239.113.172 <-- Agora Cosmopolitan, a Canadian publisher; seen in earlier campaigns on this site.

UDP traffic from the PCAP file:

These addresses had back-and-forth UDP communications. The spread of consumer-ISP addresses across many countries, with no single server in the mix, looks like peer-to-peer bot traffic; treat the list as indicators of compromise rather than as a C2 you can block in isolation.
107.196.239.26 UNITED STATES
121.6.46.119 SINGAPORE
172.245.217.122 UNITED STATES
207.251.45.31 CANADA
27.54.110.77 JAPAN
60.244.81.6 TAIWAN, PROVINCE OF CHINA
61.32.242.131 KOREA, REPUBLIC OF
62.49.180.189 UNITED KINGDOM
81.148.242.90 UNITED KINGDOM
84.59.129.23 GERMANY
88.104.169.182 UNITED KINGDOM

These addresses were sent UDP but never answered back:
110.233.103.240 JAPAN
124.5.53.61 KOREA, REPUBLIC OF
180.10.151.221 JAPAN
24.52.156.62 UNITED STATES
36.2.242.186 JAPAN
58.1.158.10 JAPAN
81.130.77.220 UNITED KINGDOM
81.136.182.103 UNITED KINGDOM
81.149.16.130 UNITED KINGDOM

File-Analyzer.net report 

Drops: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\freeupdater.exe
Binary may include packed or encrypted data
Enables driver privileges
Reads the hosts file
Checks for kernel debuggers

Contacts:
hortonnovak.com 194.28.87.121
trudeausociety.com 209.239.113.172

Malicious Link Variation:

****************************************
INCOMING FAX REPORT
****************************************

Date/Time: 09/18/2013 04:23:54 EST
Speed: 16214 bps
Connection time: 01:04
Pages: 7
Resolution: Normal
Remote ID: 3548925226
Line number: 7
DTMF/DID:
Description: August Payroll

Click here to view the file online

******************************************

The click here link goes to a compromised website like:

oakadventures.com /chimeras /index.html
agoodlookingman.com.au /lattices /index.html
31837.vws.magma.ca /environmentally /index.html
agoodlookingman.com.au /sledded /index.html
arlisnap.arlisna.org /seeking /index.html
oakadventures.com /ramona /index.html
arlisnap.arlisna.org /mummifying /index.html
kaindustries.comcastbiz.net /plagiarism /index.html
31837.vws.magma.ca /rheostats /index.html
kaindustries.comcastbiz.net /trammeled /index.html
31837.vws.magma.ca /payne /index.html

Each site loads three or so JavaScript files from further compromised websites:

0068421.netsolhost.com /partisanship /poached.js
ade-data.com /exuded /midyear.js
fangstudios.com /macedonian /piles.js

which in turn redirect to an exploit landing page like:

lesperancerenovations.com /topic /seconds-exist-foot.php
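As an added example (not part of the original post), here is a Python helper for the first hop of that chain: given a page's HTML and its host, it lists the script tags that pull from other hosts and notes which of them match the /word/word.js path shape seen above. The HTML is constructed to mimic an injected index.html using the three script hosts listed above; oakadventures.com is used as the page host, and the path regex is my own generalisation of the three samples.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed index.html modelled on the chain above: one legitimate site script plus
# three injected loaders. Not a real capture.
SAMPLE_HTML = """<html><head>
<script src="/js/site.js"></script>
<script src="http://0068421.netsolhost.com/partisanship/poached.js"></script>
<script src="http://ade-data.com/exuded/midyear.js"></script>
<script src="http://fangstudios.com/macedonian/piles.js"></script>
</head><body>nothing to see here</body></html>"""

# Path shape used by this campaign's injected loaders: /<dictionary word>/<dictionary word>.js
WORDY_JS = re.compile(r"^/[a-z]+/[a-z]+\.js$")


class ScriptCollector(HTMLParser):
    """Collect every <script src=...> in document order."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            for name, value in attrs:
                if name == "src" and value:
                    self.srcs.append(value)


def find_injected_scripts(html, page_host):
    """Return [(src, matches_campaign_path)] for scripts loaded from hosts other than page_host."""
    parser = ScriptCollector()
    parser.feed(html)
    findings = []
    for src in parser.srcs:
        u = urlparse(src)
        if not u.netloc or u.netloc.lower() == page_host.lower():
            continue  # relative or same-host script: not what we are hunting
        findings.append((src, bool(WORDY_JS.match(u.path))))
    return findings


if __name__ == "__main__":
    for src, wordy in find_injected_scripts(SAMPLE_HTML, "oakadventures.com"):
        print(("[campaign path] " if wordy else "[off-site]      ") + src)
```

Off-site scripts are not malicious by themselves (CDNs and analytics are off-site too), so the path-shape flag is what turns a long list into a short one; run it over every index.html on a site you are cleaning, not just the page the e-mail linked to.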

There you will typically find an obfuscated JavaScript blob that checks the visitor's Java version (and other plugins) and then serves a malicious Java applet. Other user agents get a 301 to somewhere benign instead, so fetching from the wrong platform shows you nothing:

HTTP/1.1 301 Moved Permanently
Server: nginx/0.7.67
Date: Wed, 18 Sep 2013 20:35:22 GMT
Content-Type: text/html
Connection: keep-alive
Content-Length: 178
Location: http://msn.com

...which is what I got for Mac, iPad, and Android.
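As an added example (my code, not the post's), here is a Python probe for that user-agent cloaking: it requests the same URL once per User-Agent with redirects disabled, so the 301 and its Location stay visible, and groups the agents by the answer they got. The live fetcher uses only urllib; the offline stand-in fake_fetch reproduces the behaviour described above and is constructed, not a capture. The User-Agent strings, the labels, and the landing-page URL in the demo are assumptions.

```python
import urllib.request
from urllib.error import HTTPError, URLError

# Assumed representative User-Agent strings; the labels are mine, not the page's.
USER_AGENTS = {
    "windows-ie8": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)",
    "mac-safari": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_5) AppleWebKit/536.30.1 (KHTML, like Gecko) Version/6.0.5 Safari/536.30.1",
    "ipad": "Mozilla/5.0 (iPad; CPU OS 7_0 like Mac OS X) AppleWebKit/537.51.1 (KHTML, like Gecko) Version/7.0 Mobile/11A465 Safari/9537.53",
    "android": "Mozilla/5.0 (Linux; Android 4.3; Nexus 7 Build/JSS15Q) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.0.0 Safari/537.36",
}


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Do not follow 3xx responses: we want to see the Location header, not land on msn.com."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def http_fetch(url, user_agent, timeout=10):
    """Live fetch returning (status, Location-or-None, first 512 body bytes).
    Run this only from an isolated analysis box: the Windows UA gets the real exploit page."""
    opener = urllib.request.build_opener(NoRedirect)
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location"), resp.read(512)
    except HTTPError as e:  # with redirects disabled, 3xx lands here along with 4xx/5xx
        return e.code, e.headers.get("Location"), e.read(512)
    except URLError as e:
        return None, None, str(e.reason).encode()


def probe_cloaking(url, fetch=http_fetch, agents=USER_AGENTS):
    """Fetch url once per User-Agent; group agents by (status, Location) to expose cloaking."""
    results = {label: fetch(url, ua) for label, ua in agents.items()}
    groups = {}
    for label, (status, location, _body) in results.items():
        groups.setdefault((status, location), []).append(label)
    return results, groups


def fake_fetch(url, user_agent, timeout=10):
    """Offline stand-in reproducing the behaviour described above (constructed, not a capture)."""
    if "Windows" in user_agent:
        return 200, None, b"<html><script>/* obfuscated Java version check */</script></html>"
    return 301, "http://msn.com", b""


if __name__ == "__main__":
    # Hypothetical URL; swap in a real landing page and fetch=http_fetch from a sandbox.
    _, groups = probe_cloaking("http://landing.example.invalid/topic/x.php", fetch=fake_fetch)
    for (status, location), labels in groups.items():
        print(f"{status} {location or '-'} <- {', '.join(labels)}")
```

Two or more groups for the same URL is the cloaking signature; one group means the page treats everyone alike and the difference you saw was probably the page being taken down between fetches.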

 All links reported to Google Safe Browsing / StopBadware.org. All malware binaries sent to Microsoft MPC and ClamAV.
