
A fake Xerox WorkCentre, WorkJet Pro (or other scanner / copier) malware scam email looks like it comes from your own domain and claims to be a scanned image. Some variants name an HP scanner in the From header instead.

The attachment is a virus or trojan (an .exe or .scr) inside a zip file; the message text claims it is a PDF.

Some variants have links instead of an attachment, leading to malicious websites.


Subject: Scanned Image from a Xerox WorkCentre

Subject: Re: Fwd: Re: Scan from a Xerox W. Pro #583932

Subject: Re: Fwd: Fwd: Scan from a Xerox W. Pro #13887733

Subject: Scan from a Xerox WorkCentre

Subject: Scanned from a Xerox Multifunction Device

 Please open the attached document. It was scanned and sent to you using a Xerox WorkCentre Pro.

Sent by: [your domain]
Number of Images: 4
Attachment File Type: ZIP [PDF]

WorkCentre Pro Location: Machine location not set
Device Name: T6I4C2FRS5

Attached file is scanned image in PDF format.
Adobe(R)Reader(R) can be downloaded from the following URL: http:// www.adobe.com/

Scan_883_19198206262013.zip (137)

 

 Reply to: scanner@[my domain].com
Device Name: Not Set
Device Model: MX-8564N
Location: Not Set

File Format: PDF (Medium)
File Name: Scan_12-12-2012-23.zip
Resolution: 200dpi x 200dpi

Attached file is scanned image in PDF format.
Adobe(R)Reader(R) can be downloaded from the following URL: http:// www.adobe.com/

Scan_12-12-2012-23.zip (93)

  

Reply to: Xerox.WorkCentre@[my domain].com 
Device Name: Not Set
Device Model: Scab-9396N
Location: Not Set

File Format: PDF (Medium)
File Name: Xerox_Scan_06-04-2013-390.zip
Resolution: 200dpi x 200dpi

Attached file is scanned image in PDF format.
Adobe(R)Reader(R) can be downloaded from the following URL: http:// www.adobe.com/

Xerox_Scan_06-04-2013-390.zip (82)

 

A Document was sent to you using a XEROX WorkJet PRO 0388000550.    
SENT BY : WINIFRED IMAGES : 6
FORMAT (.JPEG) DOWNLOAD

 

Please download the document.  It was scanned and sent to you using a Xerox multifunction device.

File Type: pdf
Download: Scanned from a Xerox multi~8.pdf

multifunction device Location: machine location not set
Device Name: Xerox7723

For more information on Xerox products and solutions,
please visit http:// www.xerox.com

Scan_002_28378181_129.zip (16)

Header samples:

This is a high-mileage spam template. They have gone through many variations of spoofing the recipient, aexp.com, fiserv.com, etc. in various headers.

cbl.abuseat.org usually classifies the sending IPs as Cutwail spambots.

These ones put the recipient's domain in the From header and random junk in the envelope sender (MAIL FROM) so it looks like the message came from YOUR scanner or copier. The Received line gives it away: the connecting host is a residential or mobile broadband address, not a device on your network, and the envelope domain never matches the From domain.

Received: from public71334.cdma.centertel.pl [188.47.150.166]
X-Envelope-From: xhqfkruk @boxingcollectors.com
From: "Xerox WorkCentre" <Xerox.294 @ [ your domain] >
Subject: Scanned Image from a Xerox WorkCentre

Received: from rrcs-71-40-68-254.sw.biz.rr.com [71.40.68.254]
X-Envelope-From: txtpe @bosjon.com.au
From: "Xerox WorkCentre" <Xerox.803 @ [ your domain] >
Subject: Scanned Image from a Xerox WorkCentre

Received: from crlspr-24.233.183.79.myacc.net [24.233.183.79]
X-Envelope-From: amwjs @bnbuilders.com
From: "Xerox WorkCentre" <Xerox.632 @ [ your domain] >
Subject: Scanned Image from a Xerox WorkCentre

Received: from 05478ac3.skybroadband.com [5.71.138.195]
X-Envelope-From: unemsrws @bottin.com
From: "Xerox WorkCentre" <Xerox.220 @ [ your domain] >
Subject: Scanned Image from a Xerox WorkCentre

Received: from 68-205-20-139.res.bhn.net [68.205.20.139]
X-Envelope-From: vdogmhxiywlr @bpei.com.br
From: "Xerox WorkCentre" <Xerox.973 @ [ your domain] >
Subject: Scanned Image from a Xerox WorkCentre
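The three tells above (From claims our domain, envelope sender is some other domain, connecting host is outside our address space) are easy to turn into a filter rule. The following is an added example, not code from the original post: it parses header samples like the ones shown and returns the reasons a message is a spoof of our own scanner. The organisation domain `example.com`, the networks in `OUR_NETWORKS`, and the "legit" sample are assumptions; the two spam samples are the page's own headers with `[ your domain]` replaced by `example.com`.

```python
import re
import ipaddress
from email import message_from_string

# Assumptions (not from the original post): the recipient organisation is
# example.com and its own mail-originating hosts live in these networks.
OUR_DOMAIN = "example.com"
OUR_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"),
                ipaddress.ip_network("192.0.2.0/24")]

RECEIVED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def address_of(header_value):
    """Pull the bare address out of a From / X-Envelope-From value.
    The spam samples put spaces around '@', so all whitespace is dropped."""
    if not header_value:
        return ""
    m = re.search(r"<([^>]+)>", header_value)
    addr = m.group(1) if m else header_value
    return re.sub(r"\s+", "", addr).lower()


def domain_of(header_value):
    return address_of(header_value).rpartition("@")[2]


def connecting_ip(msg):
    """IP of the host that handed the message to us. In real mail use the
    Received line written by your own border MTA (the topmost trusted one);
    the samples carry exactly one."""
    for received in msg.get_all("Received") or []:
        m = RECEIVED_IP.search(received)
        if m:
            return ipaddress.ip_address(m.group(1))
    return None


def spoof_reasons(raw_headers):
    """Return the reasons a message is a spoof of our own scanner, or []."""
    msg = message_from_string(raw_headers)
    reasons = []
    if domain_of(msg.get("From")) != OUR_DOMAIN:
        return reasons  # not pretending to be us; out of scope for this rule
    env_dom = domain_of(msg.get("X-Envelope-From"))
    if env_dom != OUR_DOMAIN:
        reasons.append(f"From claims {OUR_DOMAIN} but envelope sender is {env_dom}")
    ip = connecting_ip(msg)
    if ip is not None and not any(ip in net for net in OUR_NETWORKS):
        reasons.append(f"From claims {OUR_DOMAIN} but sending host {ip} is outside our networks")
    return reasons


# Two of the page's header samples, plus one constructed message showing
# what a genuine scan-to-email from our own device looks like.
SAMPLES = {
    "spam-1": """Received: from public71334.cdma.centertel.pl [188.47.150.166]
X-Envelope-From: xhqfkruk @boxingcollectors.com
From: "Xerox WorkCentre" <Xerox.294 @ example.com >
Subject: Scanned Image from a Xerox WorkCentre""",
    "spam-2": """Received: from 05478ac3.skybroadband.com [5.71.138.195]
X-Envelope-From: unemsrws @bottin.com
From: "Xerox WorkCentre" <Xerox.220 @ example.com >
Subject: Scanned Image from a Xerox WorkCentre""",
    "legit": """Received: from xerox-acct.corp.example.com [10.0.5.20]
X-Envelope-From: scanner@example.com
From: "Accounting scanner" <scanner@example.com>
Subject: Scan from Accounting, Building 3""",
}


def triage(samples=SAMPLES):
    return {name: spoof_reasons(headers) for name, headers in samples.items()}


if __name__ == "__main__":
    for name, reasons in triage().items():
        print(name, "->", reasons or "ok")
```

Both spam samples trip both checks; the constructed legitimate scan trips neither. Publishing an SPF record and rejecting on it at the border would catch the envelope-domain mismatch before the message ever reaches a rule like this, but a From-header check is still needed because the spoof is in From, not in MAIL FROM.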

Malware

18 December 2014

Attachment: Scan001_7383571_052.zip containing Scan001_823718_052.scr (Upatre)

VirusTotal report 

ByteHero     Virus.Win32.Heur.c
McAfee       Upatre-FAAJ!A8AC8FDA6BFF
Norman       Upatre.FN
Qihoo-360    Malware.QVM19.Gen
TrendMicro   Possible_Arkam
TrendMicro   HB_Arkam

VirusTotal report 

Performs some HTTP requests
Steals private information from local Internet browsers
Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate)
Creates an Alternate Data Stream (ADS)
Installs itself for autorun at Windows startup

Drops after download and decrypting: EXE1.exe

TotalHash report 

Check-in (C2):
202.153.35.133:36570

Downloads encrypted executables (not really PDFs, despite the names):
omgcoding.com/mandoc/guid22.pdf
magictherapy.com/pdfs/guid22.pdf
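Two things give this campaign away at the attachment level: the zip carries an executable (.exe or .scr) where the message promised a PDF, and the second-stage downloads are named .pdf but are not PDFs. The following is an added example, not code from the original post or any sandbox report: it opens a zip without extracting it, reads only the first bytes of each member, and flags executable extensions and files whose content does not match their extension. The zip and its members are constructed inline. Note the caveat built into the sample: the downloaded "guid22.pdf" is encrypted on the wire, so sniffing for an MZ header would miss it; the check that a .pdf must start with %PDF- still catches it.

```python
import io
import os
import zipfile

# Extensions Windows will run when double-clicked from an email attachment.
EXEC_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs"}

# File-type magic for the formats this campaign pretends to be or really is.
MAGIC = {b"MZ": "PE executable", b"%PDF-": "PDF", b"PK\x03\x04": "ZIP"}


def sniff(head):
    """Identify a file from its leading bytes; 'unknown' if no magic matches."""
    for magic, kind in MAGIC.items():
        if head.startswith(magic):
            return kind
    return "unknown"


def inspect_member(name, head):
    """Findings for one file given its name and first bytes."""
    ext = os.path.splitext(name)[1].lower()
    kind = sniff(head)
    if ext in EXEC_EXTS:
        return [f"{name}: executable extension {ext}"]
    if kind == "PE executable":
        return [f"{name}: claims {ext or 'no extension'} but content is a PE executable"]
    if ext == ".pdf" and kind != "PDF":
        # Catches the Upatre second stage: a '.pdf' that is really an
        # encrypted executable, so no MZ header is visible to sniff().
        return [f"{name}: .pdf that does not start with %PDF-"]
    return []


def inspect_zip(blob, head_bytes=16):
    """Inspect every member of a zip without extracting it to disk."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as member:
                head = member.read(head_bytes)  # never inflate the whole member
            findings.extend(inspect_member(info.filename, head))
    return findings


def build_sample_zip():
    """Constructed sample: names from the post, contents made up here."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # the .scr from the December 2014 attachment: a minimal PE-looking stub
        zf.writestr("Scan001_823718_052.scr", b"MZ" + b"\x90" * 62 + b"PE\0\0")
        # the 'guid22.pdf' second stage: encrypted junk, no recognisable header
        zf.writestr("guid22.pdf", bytes(range(0x37, 0x57)))
        # a genuine PDF for contrast
        zf.writestr("Scan_real.pdf", b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n")
    return buf.getvalue()


def triage_attachment():
    return inspect_zip(build_sample_zip())


if __name__ == "__main__":
    for finding in triage_attachment():
        print(finding)
```

Reading only the first bytes of each member keeps the check cheap and keeps a hostile archive from inflating into memory; a mail gateway would apply the same logic to every zip attachment and quarantine on any finding.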

2 July 2014

Attachment: Scanned from a Xerox Multifunction Device.zip containing Scanned from a Xerox Multifunction Device.exe

VirusTotal report 

Qihoo-360    Malware.QVM07.Gen
Rising       PE:Malware.XPACK-HIE/Heur!1.9C48

LegalCopyright : Free license 2011
InternalName : Dodofot
FileDescription : Dodofer Application
OriginalFilename : dodofer.exe
CompanyName : Dodofot
ProductName : Dodofot Application

Malwr.com report 

Installs itself for autorun at Windows startup

Anubis report 

Files Created: 	 
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\OdigItzah
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\OdigItzah\IwdoDwefk.dat

Directories Created:
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\OdigItzah

Files Renamed:
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\OdigItzah\
to
C:\Documents and Settings\All Users\Application Data\IwdoDwefk

Keyboard Keys Monitored:
VK_ESCAPE (27)

Mutexes Created:
CTF.Asm.MutexDefaultS-1-5-21-842925246-1425521274-308236825-500
CTF.Compart.MutexDefaultS-1-5-21-842925246-1425521274-308236825-500
CTF.LBES.MutexDefaultS-1-5-21-842925246-1425521274-308236825-500
CTF.Layouts.MutexDefaultS-1-5-21-842925246-1425521274-308236825-500
CTF.TMD.MutexDefaultS-1-5-21-842925246-1425521274-308236825-500
CTF.TimListCache.FMPDefaultS-1-5-21-842925246-1425521274-308236825-500M.....

(The CTF.* mutexes are created by the Windows text services framework in any process that shows a window; they are not an indicator of this malware.)

9 January 2014

Scan_091_20140901_001.zip containing Scan_091_20140901_001.exe

VirusTotal report | Malwr report | File-Analyzer.net report

20 December 2013

Scan_001_12202013_911.zip containing Scan_001_12202013_911.exe

VirusTotal report | Malwr.com report | File-Analyzer.net report

15 Oct 2013

I didn't take very good notes that day, huh?

VirusTotal report | Malwr.com report

April 2013

Xerox_Scan_04-29-2013-159.zip containing Xerox_Scan_04-29-2013-159.exe

VirusTotal report | Malwr.com report


Advice for organizations with network scanners:

Utah State University's IT department has some good advice for those of us with networked multi-function scanner devices. Quoting [redacted], USU IT Sec:

We ensure that all of our locally installed multifunction devices are 
customized so that scan-to-email messages have:

1) subject with sending office name instead of device brand
2) reply address that identifies the office
3) recognizable building location of the device
4) message body customized to include contact information for the sending office

As a result, our recipients tend to be a little bit skeptical of scan-to-email
messages with the factory default message format.
