Scanned Image from a Xerox WorkCentre - Virus



The fake "Xerox WorkCentre" / "WorkJet Pro" (or other scanner / copier) malware email looks like it comes from a device on your own domain and claims to carry a scanned image. Some variants use a From: header that suggests an HP scanner instead.

The attachment is a virus or trojan inside a zip file.

Some variants carry links to malicious websites instead of an attachment.


Subject: Scanned Image from a Xerox WorkCentre

Subject: Re: Fwd: Re: Scan from a Xerox W. Pro #583932

Subject: Re: Fwd: Fwd: Scan from a Xerox W. Pro #13887733

Subject: Scan from a Xerox WorkCentre

Reply to: scanner@[my domain].com
Device Name: Not Set
Device Model: MX-8564N
Location: Not Set

File Format: PDF (Medium)
File Name: Scan_12-12-2012-23.zip
Resolution: 200dpi x 200dpi

Attached file is scanned image in PDF format.
Adobe(R)Reader(R) can be downloaded from the following URL: http:// www.adobe.com/

Scan_12-12-2012-23.zip (93)


Reply to: Xerox.WorkCentre@[my domain].com
Device Name: Not Set
Device Model: Scab-9396N
Location: Not Set

File Format: PDF (Medium)
File Name: Xerox_Scan_06-04-2013-390.zip
Resolution: 200dpi x 200dpi

Attached file is scanned image in PDF format.
Adobe(R)Reader(R) can be downloaded from the following URL: http:// www.adobe.com/

Xerox_Scan_06-04-2013-390.zip (82)


A Document was sent to you using a XEROX WorkJet PRO 0388000550.
SENT BY : WINIFRED IMAGES : 6
FORMAT (.JPEG) DOWNLOAD

Please open the attached document. It was scanned and sent to 
you using a Xerox WorkCentre Pro.

Sent by: [your domain]
Number of Images: 4
Attachment File Type: ZIP [PDF]

WorkCentre Pro Location: Machine location not set
Device Name: T6I4C2FRS5

Attached file is scanned image in PDF format.
Adobe(R)Reader(R) can be downloaded from the following
URL: http:// www.adobe.com/

Scan_883_19198206262013.zip (137)

Please download the document.  It was scanned and sent to you using a 
Xerox multifunction device.

File Type: pdf
Download: Scanned from a Xerox multi~8.pdf

multifunction device Location: machine location not set
Device Name: Xerox7723

For more information on Xerox products and solutions,
please visit http:// www.xerox.com

Scan_002_28378181_129.zip (16)

Header samples:

Usually there is no HELO spoofing. The envelope sender is spoofed to whichever brand is fashionable at the time (NACHA, Fiserv, HSBC.co.uk, aexp.com), while the From: header spoofs your own domain so you will think the message came from your Xerox machine. securebank.com is another common one.

cbl.abuseat.org usually classifies the sending IPs as Cutwail spambots.

Received: from ...ologies-pa.hfc.comcastbusiness.net [70.89.52.138]
X-Envelope-From: ach-status @nacha.org
From: Xerox WorkCentre <Xerox.Device7 @[my domain].com>

Received: from fiserv.com ([222.124.204.178]
X-Envelope-From: notification @fiserv.com
From: Xerox WorkCentre <Xerox.Device4 @[my domain].com>

Received: from aexp.com [122.248.121.28]
X-Envelope-From: fraud @aexp.com
From: "Administrator" <Administrator @[your domain]>
Subject: Scan from a Xerox WorkCentre

Received: from ...nnesota.hfc.comcastbusiness.net [75.146.36.186]
X-Envelope-From: notification @fiserv.com
From: Xerox WorkCentre <Xerox.Device5 @[my domain].com>

Received: from ...ngton.hfc.comcastbusiness.net [66.208.251.141]
X-Envelope-From: ach.status @nacha.org
From: Xerox WorkCentre <Xerox.Device3 @[my domain].com>

Received: from ....1-225.static.3bb.co.th [110.164.71.225]
X-Envelope-From: service @fiserv.com
From: Xerox WorkCentre <Xerox.Device9 @[my domain].com>

Received: from 96-25-236-161.nyc.clearwire-wmx.net [96.25.236.161]
X-Envelope-From: service @nacha.org
From: Xerox WorkCentre <Xerox.Device9 @[my domain].com>

Received: from 068-213-247-146.sip.mia.bellsouth.net [68.213.247.146]
X-Envelope-From: ach-status @nacha.org
From: Xerox WorkCentre <Xerox.Device1 @[my domain].com>

Received: from ...09.in-addr.dolandirectional.com [209.33.165.82]
X-Envelope-From: support @nacha.org
From: Xerox WorkCentre <Xerox.Device4 @[my domain].com>

Received: from 71-86-45-66.static.stls.mo.charter.com [71.86.45.66]
X-Envelope-From: notification @ato.gov.au
From: Xerox WorkCentre <Xerox.Device5 @[my domain].com>

Received: from ...7-202.nwblwi.dedicated.static.tds.net [74.87.95.130]
X-Envelope-From: Order @staplesadvantage.com
From: Xerox WorkCentre <Xerox.Device2 @[my domain].com>

Received: from c-69-180-113-209.hsd1.fl.comcast.net [69.180.113.209]
X-Envelope-From: Orders @staplesadvantage.com
From: Xerox WorkCentre <Xerox.Device7 @[my domain].com>

Received: from securebank.com [181.48.64.74]
X-Envelope-From: message @securebank.com
From: Xerox WorkCentre <Xerox.Device4 @[my domain].com>

Received: from dnb.com ([41.84.156.26])
X-Envelope-From: alert @dnb.com
From: "HP Digital Device" <HP.Digital4 @[my domain].com>

Received: from rrcs-64-183-233-39.sw.biz.rr.com [64.183.233.39]
X-Envelope-From: alert @dnb.com
From: "HP Digital Device" <HP.Digital6 @[my domain].net>
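The header samples above share one shape: a From: address on the recipient's own domain, an envelope sender on some unrelated brand's domain, and a first hop from a residential or dynamic host. The following is an added example (not from the original page) of a small triage check for exactly that pattern. It assumes the protected domain is example.com and that legitimate scan-to-email only arrives from MFPs on 192.0.2.0/24 with an @example.com envelope sender; both values are placeholders, and the two sample messages are constructed with RFC 5737 addresses rather than the real hosts listed above.

```python
"""Flag scan-to-email messages whose From: claims our own domain but whose
envelope sender and originating host say otherwise. Added example, not code
from the original page."""
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Assumptions for the example (not stated on the page): our domain is
# example.com and the only legitimate scan-to-email sources are MFPs on
# 192.0.2.0/24 that also use an @example.com envelope sender.
OUR_DOMAIN = "example.com"
MFP_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]

# IP in square brackets as written by the receiving MTA in Received: lines
RECEIVED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def domain_of(header_value):
    """Lower-cased domain part of an address header, '' if none."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def origin_ip(msg):
    """IP of the host that handed the message to our edge MTA.

    Received: headers are prepended as the message travels, so the last
    one in the list is the hop closest to the origin."""
    received = msg.get_all("Received") or []
    if not received:
        return None
    m = RECEIVED_IP.search(received[-1])
    return ipaddress.ip_address(m.group(1)) if m else None


def triage(raw_headers):
    """Return a list of human-readable findings; empty means no anomaly."""
    msg = message_from_string(raw_headers)
    findings = []
    from_dom = domain_of(msg.get("From"))
    if from_dom != OUR_DOMAIN:
        return findings  # not pretending to be one of our devices
    env_dom = domain_of(msg.get("X-Envelope-From") or msg.get("Return-Path"))
    if env_dom and env_dom != OUR_DOMAIN:
        findings.append(f"From: claims {OUR_DOMAIN} but envelope sender is {env_dom}")
    ip = origin_ip(msg)
    if ip is None or not any(ip in net for net in MFP_NETWORKS):
        findings.append(f"From: claims our MFP but message entered from {ip}")
    return findings


# Constructed samples modelled on the page's headers (RFC 5737 addresses,
# not the real hosts listed above).
SPOOFED = """\
Received: from c-203-0-113-5.example-isp.net [203.0.113.5]
X-Envelope-From: ach-status@nacha.org
From: Xerox WorkCentre <Xerox.Device7@example.com>
Subject: Scan from a Xerox WorkCentre
"""

LEGITIMATE = """\
Received: from xerox-3f.example.com [192.0.2.40]
X-Envelope-From: scanner@example.com
From: Accounts Office Scanner <scanner@example.com>
Subject: Scan from Accounts Office
"""

if __name__ == "__main__":
    for label, sample in (("spoofed", SPOOFED), ("legitimate", LEGITIMATE)):
        print(label, triage(sample) or ["ok"])
```

The check deliberately keys on the From: domain first: a message that does not claim to be one of your devices is someone else's problem, while one that does and fails either the envelope or the origin test is almost certainly this lure. On a real gateway the MFP network list would come from inventory, and the same logic can be expressed as an SPF policy plus a DMARC reject for the domain, which stops the From: spoofing before any content inspection.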

Attachment example:

April 2013

Xerox_Scan_04-29-2013-159.zip containing Xerox_Scan_04-29-2013-159.exe | VirusTotal report | Malwr.com report

15 Oct 2013

VirusTotal report | Malwr.com report

20 December 2013

Scan_001_12202013_911.zip containing Scan_001_12202013_911.exe | VirusTotal report  | Malwr.com report  | File-Analyzer.net  report

9 January 2014

Scan_091_20140901_001.zip containing Scan_091_20140901_001.exe

VirusTotal report 

AVG Win32/DH.FF9400AA{Mw}
AntiVir TR/Crypt.XPACK.Gen8
Rising PE:Malware.FakePDF@CV!1.9C28
Symantec Suspicious.Cloud

Malwr report 

Starts servers listening on 0.0.0.0:0, 0.0.0.0:4015, 0.0.0.0:2156
Performs some HTTP requests
Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate)
Operates on local firewall's policies and settings
Steals private information from local Internet browsers
Installs itself for autorun at Windows startup

Contacts via TCP:
dsrfpune.com 50.23.73.100

From the PCAP file, UDP traffic:

These addresses had back-and-forth UDP communications:
108.225.133.75 UNITED STATES
148.88.196.106 UNITED KINGDOM
207.251.45.31 CANADA
213.219.135.113 BELGIUM

These addresses were sent UDP but never answered:
1.232.164.156 KOREA, REPUBLIC OF
103.12.132.67 INDIA
109.203.69.42 FRANCE
109.63.109.218 BAHRAIN
119.234.130.200 SINGAPORE
174.69.108.186 UNITED STATES
188.9.141.222 ITALY
217.24.244.39 ALBANIA
49.248.149.242 UNITED STATES
79.29.195.111 ITALY
81.57.113.171 FRANCE
84.53.110.240 NETHERLANDS
87.25.166.71 ITALY
92.238.193.23 UNITED KINGDOM
92.54.14.134 SPAIN

File-Analyzer.net report

Drops: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\budha.exe
Binary may include packed or encrypted data
Reads the hosts file
Checks for kernel debuggers
Contains functionality to query windows version

Contacts:
hawkscool.com 103.13.96.219
dsrfpune.com 50.23.73.100
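Every attachment in the samples above is a zip whose single member is an .exe named like the archive, and the sandbox reports start from that file's hash. The following is an added example (not from the original page or the linked sandbox reports) of how to inspect such an attachment on a triage host without executing anything: list the members, flag executable or double extensions, sniff for a PE header regardless of the name, and hash each member for a VirusTotal lookup. The two archives it runs on are constructed in memory; the "executable" is just an MZ signature with padding, not a real sample.

```python
"""Open a 'scanned image' zip attachment without running it and report what
is really inside. Added example, not code from the original page."""
import hashlib
import io
import zipfile

# Extensions Windows will execute on double-click; the lures above ship an
# .exe named like the zip (Scan_..._911.zip -> Scan_..._911.exe).
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd",
                       ".js", ".vbs", ".jar")
DOCUMENT_SUFFIXES = (".pdf", ".jpg", ".jpeg", ".tif", ".tiff", ".doc", ".docx")
# Do not inflate arbitrarily large members on the triage host (zip bomb guard).
MAX_MEMBER_BYTES = 50 * 1024 * 1024


def triage_zip(data):
    """Return {member: {"sha256": hex, "findings": [...]}} for a zip given as bytes."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return {"<archive>": {"sha256": hashlib.sha256(data).hexdigest(),
                              "findings": ["attachment is not a valid zip"]}}
    report = {}
    for info in zf.infolist():
        if info.is_dir():
            continue
        lower = info.filename.lower()
        findings = []
        if lower.endswith(EXECUTABLE_SUFFIXES):
            findings.append("executable extension inside a 'scan' archive")
        # Scan.pdf.exe style: a document extension right before the real one
        stem = lower.rsplit(".", 1)[0]
        if stem.endswith(DOCUMENT_SUFFIXES):
            findings.append("double extension")
        if info.file_size > MAX_MEMBER_BYTES:
            findings.append("member exceeds size cap, content not read")
            report[info.filename] = {"sha256": None, "findings": findings}
            continue
        content = zf.read(info)
        # Trust the bytes, not the name: a PE file starts with "MZ".
        if content[:2] == b"MZ":
            findings.append("PE executable content (MZ header)")
        elif lower.endswith(".pdf") and not content.startswith(b"%PDF-"):
            findings.append("claims PDF but content lacks %PDF- signature")
        report[info.filename] = {"sha256": hashlib.sha256(content).hexdigest(),
                                 "findings": findings}
    return report


def make_zip(name, content):
    """Build a single-member zip in memory (constructed test data only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, content)
    return buf.getvalue()


# Constructed stand-ins: a fake PE (MZ signature plus padding) named like the
# lure, and a harmless PDF-shaped file. Neither is a real sample.
LURE_ZIP = make_zip("Scan_001_12202013_911.exe", b"MZ" + b"\x00" * 62)
BENIGN_ZIP = make_zip("Scan_001.pdf", b"%PDF-1.4\n%constructed sample\n")

if __name__ == "__main__":
    for label, blob in (("lure", LURE_ZIP), ("benign", BENIGN_ZIP)):
        for member, result in triage_zip(blob).items():
            print(label, member, result["sha256"], result["findings"] or ["ok"])
```

The member hash is what you paste into VirusTotal or a sandbox, so it is computed over the inflated file rather than the zip container; two lures with different zip timestamps will still share the same payload hash. Reading only the leading bytes for the MZ check would be cheaper, but the full read is needed for the hash anyway, which is why the size cap sits in front of it.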

Advice for organizations with network scanners:

Utah State University's IT department has some good advice for those of us with networked multi-function scanner devices. Quoting [redacted], USU IT Sec:

We ensure that all of our locally installed multifunction devices are
customized so that scan-to-email messages have:

1) subject with sending office name instead of device brand
2) reply address that identifies the office
3) recognizable building location of the device
4) message body customized to include contact information for the sending office

As a result, our recipients tend to be a little bit skeptical of scan-to-email
messages with the factory default message format.
