INCOMING FAX REPORT : Remote ID: ... Virus


Email:

A fake "incoming fax report" email claims to come from a machine in your own domain, or from your own email address.

The attached zip file contains an .exe virus or trojan horse; some versions carry a link to malware instead of an attachment.

The headers mix spoofing of nacha.org (envelope sender) and of your own domain (From header).


Subject: INCOMING FAX REPORT : Remote ID: 665-366-6868

Subject: INCOMING FAX REPORT : Remote ID: 497-577-7743 .. (etc)

****************************
INCOMING FAX REPORT
****************************

Date/Time: 06/05/2013 05:33:11 CST
Speed: 81100 bps
Connection time: 07:07
Pages: 1
Resolution: Normal
Remote ID: 665-366-6868
Line number: 665-366-6868
DTMF/DID:
Description: Сonfidential - To All Employees .pdf

****************************

CONFIDENTIALITY NOTICE:
This electronic mail transmission and any attached
files contain information intended for the exclusive
use of the individual or entity to whom it is addressed
and may contain information blah blah blah
Thank You

IncomingFax.zip (136)

Subject: INCOMING FAX REPORT : Remote ID: 984-633-6856

*******************************************
INCOMING FAX REPORT
*******************************************

Date/Time: 11/26/2013 05:14:23 EST
Speed: 07165 bps
Connection time: 08:08
Pages: 0
Resolution: Normal
Remote ID: 343-848-6365
Line number: 343-848-6365
DTMF/DID:
Description: Сost sheet for first half of 2013.pdf

******************************************
IncomingFax.zip (13)


....
Remote ID: 984-633-6856
Line number: 984-633-6856
DTMF/DID:
Description: New Docs.pdf
....

Header samples:

The envelope sender spoofs NACHA.org while the header From spoofs your own domain. Some versions spoof aexp.com in the envelope instead.

Received: from asy100.as192.sol.superonline.com [212.252.192.100]
X-Envelope-From: status-update @nacha.org
From: Xerox WorkCentre <Xerox.Device3 @[your domain]>
Subject: INCOMING FAX REPORT : Remote ID: 343-848-6365

Received: from p4300.mpm.edu [192.206.48.3]
X-Envelope-From: ach-status @nacha.org
From: Xerox WorkCentre <Xerox.Device0 @[my domain].com>

Received: from ...-cpennsylvania2.hfc.comcastbusiness.net [173.163.143.130]
X-Envelope-From: noreply @nacha.org
From: Xerox WorkCentre <Xerox.Device0 @[my domain].com>

Received: from 57.190-154-84.uio.satnet.net [190.154.84.57]
X-Envelope-From: no-reply @nacha.org
From: Xerox WorkCentre <Xerox.Device1 @[my domain].com>

Received: from ool-60390baa.static.optonline.net [96.57.11.170]
X-Envelope-From: no-reply @nacha.org
From: Xerox WorkCentre <Xerox.Device7 @[my domain].com>

Received: from ...nnsylvania2.hfc.comcastbusiness.net [173.163.143.130]
X-Envelope-From: no-reply @nacha.org
From: Xerox WorkCentre <Xerox.Device5 @[my domain].com>

Received: from poloniabank.com [65.219.238.34]
X-Envelope-From: no-reply @nacha.org
From: Xerox WorkCentre <Xerox.Device8 @[my domain].com>

Received: from [208.52.162.185]
X-Envelope-From: service @nacha.org
From: Xerox WorkCentre <Xerox.Device7 @[my domain].com>

Received: from rrcs-....nys.biz.rr.com [24.213.255.214]
X-Envelope-From: service @nacha.org
From: Xerox WorkCentre <Xerox.Device6 @[my domain].com>

Received: from ...70.bstnma.fios.verizon.net [98.110.147.170]
X-Envelope-From: ach-status @nacha.org
From: Xerox WorkCentre <Xerox.Device3 @[my domain].com>

Received: from 129.196.60.178.unassigned.mundo-r.com [178.60.196.129]
X-Envelope-From: welcome @aexp.com
From: "Xerox Workcentre" <Scan0 @[my domain]>
Subject: INCOMING FAX REPORT : Remote ID: 556-988-5993

Received: from CT-PTR1.qns.it [31.221.41.181]
X-Envelope-From: welcome @aexp.com
From: "Xerox Workcentre" <Scan8 @sutc.com>
Subject: INCOMING FAX REPORT : Remote ID: 344-786-9968
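The header pattern above (fax-report subject, nacha.org/aexp.com envelope sender, a From claiming a "Xerox.DeviceN" or "ScanN" mailbox in the recipient's own domain, delivered from an outside relay) is easy to score on a mail gateway. The checker below is an added example, not code from this page; the message it parses is constructed to mirror the quoted headers, and `example.com` stands in for your own domain.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modelled on the headers quoted above; not a real capture.
SAMPLE = """Received: from asy100.as192.sol.superonline.com [212.252.192.100]
X-Envelope-From: status-update@nacha.org
From: Xerox WorkCentre <Xerox.Device3@example.com>
Subject: INCOMING FAX REPORT : Remote ID: 343-848-6365

(body omitted)
"""

SUBJECT_RE = re.compile(r"^INCOMING FAX REPORT\s*:\s*Remote ID:", re.I)
DEVICE_RE = re.compile(r"^(xerox\.device|scan)\d+@", re.I)  # Xerox.Device3@, Scan0@
RECEIVED_RE = re.compile(r"from\s+([\w.-]+)", re.I)

def _domain(addr):
    return parseaddr(addr)[1].lower().rpartition("@")[2]

def fax_spoof_indicators(raw, own_domains):
    """Return the indicator names matched by one raw RFC 5322 message.
    own_domains: lowercase domains this organisation legitimately sends as."""
    msg = message_from_string(raw)
    hits = []
    if SUBJECT_RE.search(msg.get("Subject", "")):
        hits.append("subject-fax-report")
    env_dom = _domain(msg.get("X-Envelope-From", ""))
    hdr_dom = _domain(msg.get("From", ""))
    # Envelope sender (nacha.org / aexp.com) never matches the header From.
    if env_dom and hdr_dom and env_dom != hdr_dom:
        hits.append("envelope-header-domain-mismatch")
    if hdr_dom in own_domains:
        hits.append("from-claims-own-domain")
        # A "device" in our own domain should not arrive via an outside relay.
        m = RECEIVED_RE.search(msg.get("Received", ""))
        relay = m.group(1).lower() if m else ""
        if not any(relay == d or relay.endswith("." + d) for d in own_domains):
            hits.append("external-relay-for-own-domain")
    if DEVICE_RE.match(parseaddr(msg.get("From", ""))[1]):
        hits.append("fake-device-localpart")
    return hits

def suspicious_attachment(name):
    """Flag attachment names seen in this campaign: IncomingFax.zip,
    Scan_001_*.zip, and bare .exe/.scr executables."""
    n = name.lower()
    return n.endswith((".exe", ".scr")) or (
        n.endswith(".zip") and n.startswith(("incomingfax", "scan")))

if __name__ == "__main__":
    print(fax_spoof_indicators(SAMPLE, {"example.com"}))
    print(suspicious_attachment("IncomingFax.zip"))
```

Any message scoring three or more indicators is worth quarantining; a genuine internal scanner notification scores at most "from-claims-own-domain".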

Attachment Examples:

12 June 2014

VirusTotal report 

AntiVir TR/Small.RTD.1
Avast Win32:Malware-gen
Commtouch W32/Trojan.WKVS-9339
ESET-NOD32 Win32/TrojanDownloader.Waski.A
Emsisoft Trojan-Downloader.Win32.Agent (A)
F-Prot W32/Trojan3.IRP
Ikarus Trojan-Spy.Agent
Malwarebytes Trojan.Agent
Symantec Downloader.Upatre
TrendMicro-HouseCall TROJ_GEN.F0D1H00FC14

Other submitted File names:
Important Chase Private Banking Forms.scr
file-7112128_scr
latf1_did11-881721-86461.scr
Scan-29918-2873611-31.scr

Created process:
C:\WINDOWS\system32\drwtsn32 -p 1960 -e 176 -g

Malwr.com report 

Starts servers listening on 0.0.0.0:0
Performs some HTTP requests
Steals private information from local Internet browsers
Installs itself for autorun at Windows startup

HTTP GETs:
avazoo.com /wp-content/uploads/2014/06/1206in.jpeg <-- binary data file, not a jpeg

Anubis report

23 January 2014

Scan_001_683-373-8395.zip containing Scan_001_23012014.exe | VirusTotal report | Malwr.com report | File-Analyzer.net report

November 2013

IncomingFax.zip containing IncomingFax.exe | VirusTotal report | Malwr report

September 2013

Incoming_FAX_0819.exe | VirusTotal report | Malwr report

June 2013

IncomingFax.zip containing IncomingFax.exe | VirusTotal report

Malicious Link Variation:

****************************************
INCOMING FAX REPORT
****************************************

Date/Time: 09/18/2013 04:23:54 EST
Speed: 16214 bps
Connection time: 01:04
Pages: 7
Resolution: Normal
Remote ID: 3548925226
Line number: 7
DTMF/DID:
Description: August Payroll

Click here to view the file online

******************************************

The click here link goes to a compromised website like:


Each site loads three or so JavaScript files from further compromised websites, for example:

0068421.netsolhost.com /partisanship /poached.js
ade-data.com /exuded /midyear.js
fangstudios.com /macedonian /piles.js

These in turn redirect to a malicious exploit page like:

lesperancerenovations.com /topic /seconds-exist-foot.php

There you may find an obfuscated JavaScript blob that fingerprints your Java version and the like, then serves a malicious Java applet. Alternatively, some user-agents get 301-redirected somewhere else to look benign:

HTTP/1.1 301 Moved Permanently
Server: nginx/0.7.67
Date: Wed, 18 Sep 2013 20:35:22 GMT
Content-Type: text/html
Connection: keep-alive
Content-Length: 178
Location: http://msn.com

...which is what I got for Mac, iPad, and Android.

All links reported to Google Safe Browsing / StopBadware.org. All malware binaries sent to Microsoft MPC and ClamAV.
