Another email scam. This time a bit insistent, as I have already received 6 similar emails in 2 days, each informing me that I have a new fax.
Surprisingly, they all ended up in the inbox, which caught my attention. They all have the following structure, followed by an attached file (the one mentioned in the email, but zipped):
A new fax document for you. You can find your fax document in the attachment.
Author: Salvador Rollins
Quality: 300 DPI
Fax name: scanned-00000498682.doc
Date: Sun, 1 Nov 2015 14:44:04 +0300
Filesize: 255 Kb
Scan duration: 25 seconds
Pages: 9
Thanks for using Interfax service!
The following mail servers were used to send the emails:
$ cat $FILES | grep -i "Received: from"
Received: from gator4022.hostgator.com ([126.96.36.199]:60815)
Received: from ace by gator4022.hostgator.com with local (Exim 4.85)
Received: from [188.8.131.52] (port=44121 helo=netea.pl)
Received: from apache by netea.pl with local (Exim 4.73)
Received: from [184.108.40.206] (port=40436 helo=server.scwirrel.com)
Received: from li1259-49.members.linode.com ([220.127.116.11]:48081 helo=server1.earth.com)
Received: from iphone6sus by server1.earth.com with local (Exim 4.86)
Received: from in1.hostitaly.net ([18.104.22.168]:48646)
Received: from labcasa by in1.hostitaly.net with local (Exim 4.80)
Received: from mail2.hucr.cz ([22.214.171.124]:57859 helo=webhosting.humlnet.cz)
Received: from localhost (localhost [127.0.0.1])
Received: from webhosting.humlnet.cz ([127.0.0.1])
Subjects are slightly modified from one email to the next, again probably to evade spam filters by never using exactly the same string.
Subject: You have 1 new fax, document 00000465107
Subject: You have new fax, document 00000597087
Subject: You have new fax, document 000186919
Subject: You have received a new fax, document 00827975
Subject: You have received fax, document 00000498682
Subject: You have received fax, document 00000646559
They also use different variations of the attached file name, probably for the same reason. The ones I have got so far are the following:
name="fax00000465107.zip"
name="scanned00000597087.zip"
name="document_000186919.zip"
name="task_00827975.zip"
name="scanned-00000498682.zip"
name="scanned_00000646559.zip"
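Pulling these three indicators (relay chain, subject, attachment name) out of a mailbox by hand stops scaling after a handful of messages. The following is an added example, not code from the original post: it parses .eml-style messages with Python's standard email module, walks the Received headers origin-first, lists attachment filenames, and flags a message only when both the subject and an attachment name match patterns generalised from the six observed values. The two sample messages are constructed for this example (the relay hostnames are the ones quoted above, the addresses are RFC 5737 documentation space, the attachment bodies are stubs), and the regular expressions are an assumption about how the campaign varies its strings, not something the post states.

```python
import email
import json
import re

# Patterns generalised from the six observed subjects and attachment names
# (assumption: the campaign keeps varying within this shape). The observed
# values themselves are kept below so the patterns can be checked against them.
SUBJECT_RE = re.compile(r"^You have (?:received )?(?:(?:\d+|a) )?(?:new )?fax, document \d+$")
ATTACHMENT_RE = re.compile(r"^(?:fax|scanned|document|task)[-_]?\d+\.zip$", re.I)
RECEIVED_FROM_RE = re.compile(r"^from\s+(\S+)(?:.*?helo=([^\s)]+))?")

OBSERVED_SUBJECTS = [
    "You have 1 new fax, document 00000465107", "You have new fax, document 00000597087",
    "You have new fax, document 000186919", "You have received a new fax, document 00827975",
    "You have received fax, document 00000498682", "You have received fax, document 00000646559",
]
OBSERVED_ATTACHMENTS = ["fax00000465107.zip", "scanned00000597087.zip", "document_000186919.zip",
                        "task_00827975.zip", "scanned-00000498682.zip", "scanned_00000646559.zip"]

# Constructed sample messages (not captures): hostnames from the post, RFC 5737 addresses,
# base64 stubs ("PK\x03\x04" and "%PDF-") instead of real attachment content.
SAMPLE_FAX_MAIL = """\
Received: from localhost (localhost [127.0.0.1])
    by mx.example.invalid (Postfix) with ESMTP id 4C3E1
Received: from [203.0.113.22] (port=44121 helo=netea.pl)
    by mx.example.invalid with esmtp (Exim 4.85)
Received: from apache by netea.pl with local (Exim 4.73)
Subject: You have received fax, document 00000498682
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="fax-boundary"

--fax-boundary
Content-Type: text/plain

A new fax document for you. You can find your fax document in the attachment.
--fax-boundary
Content-Type: application/zip; name="scanned-00000498682.zip"
Content-Disposition: attachment; filename="scanned-00000498682.zip"
Content-Transfer-Encoding: base64

UEsDBA==
--fax-boundary--
"""
SAMPLE_BENIGN_MAIL = """\
Received: from localhost (localhost [127.0.0.1]) by mx.example.invalid (Postfix) with ESMTP id 4C3E2
Subject: Re: fax line invoice, document 2015-11
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="inv-boundary"

--inv-boundary
Content-Type: text/plain

Invoice attached as discussed.
--inv-boundary
Content-Type: application/pdf; name="invoice-2015-11.pdf"
Content-Disposition: attachment; filename="invoice-2015-11.pdf"
Content-Transfer-Encoding: base64

JVBERi0=
--inv-boundary--
"""


def received_hops(msg):
    """Relay chain origin-first: the 'from' token of each Received header plus
    the HELO name when the MTA recorded one (None otherwise)."""
    hops = []
    for value in reversed(msg.get_all("Received") or []):  # top header = last hop
        m = RECEIVED_FROM_RE.match(" ".join(value.split()))  # unfold continuation lines
        if m:
            hops.append({"from": m.group(1), "helo": m.group(2)})
    return hops


def attachment_names(msg):
    return [p.get_filename() for p in msg.walk() if p.get_filename()]


def triage_email(raw):
    """Extract the three indicators; flag only when subject AND an attachment name
    fit the lure, so a benign mail that merely mentions a fax is not flagged."""
    msg = email.message_from_string(raw)
    subject = " ".join((msg["Subject"] or "").split())
    names = attachment_names(msg)
    lure = [n for n in names if ATTACHMENT_RE.match(n)]
    subject_hit = bool(SUBJECT_RE.match(subject))
    return {"subject": subject, "subject_matches": subject_hit, "attachments": names,
            "lure_attachments": lure, "hops": received_hops(msg),
            "flagged": subject_hit and bool(lure)}


if __name__ == "__main__":
    for raw in (SAMPLE_FAX_MAIL, SAMPLE_BENIGN_MAIL):
        print(json.dumps(triage_email(raw), indent=2))
```

To run it over a real mailbox, read each .eml file and pass its text to triage_email; the origin-first hop list is what you compare against the Received lines above, and the HELO name is worth keeping separately because it is attacker-controlled while the bracketed address is what the receiving MTA actually saw.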
The attached code sends GET requests to a list of 3 websites, in the following form:
From the 6 emails received, I have the following list of referenced websites. Is yours there?
If the request is successful, it downloads 3 .gif files into the folder pointed to by the %TEMP% Windows environment variable and executes them as .exe by appending ".exe" to the filename:
%TEMP%\950964.gif + .exe
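A quick way to confirm this behaviour in a sandbox, or to sweep a user's %TEMP% after the fact, is to ignore the filename and look at the first bytes instead: a genuine GIF starts with GIF87a or GIF89a, while a PE executable starts with MZ. The following is an added example (not the author's code) that scans a directory for files named .gif whose content is actually a PE, and for the .gif.exe double extension the downloader produces. Without an argument it builds a constructed stand-in directory rather than touching the real %TEMP%; the 950964 name is taken from the post, the file bytes are a minimal fake header and not a real sample.

```python
import sys
import tempfile
from pathlib import Path

# Magic bytes for the two formats involved: a PE executable starts with "MZ",
# a genuine GIF with "GIF87a" or "GIF89a". The file name is deliberately ignored.
MAGIC = {b"MZ": "pe", b"GIF87a": "gif", b"GIF89a": "gif"}


def sniff_type(path):
    """Classify a file by its leading bytes only."""
    with open(path, "rb") as fh:
        head = fh.read(8)
    for magic, kind in MAGIC.items():
        if head.startswith(magic):
            return kind
    return "unknown"


def scan_temp_dir(directory):
    """Return (filename, reason) pairs for files matching the downloader's
    artefacts: a .gif that is really a PE, or the .gif.exe double extension."""
    findings = []
    for entry in sorted(Path(directory).iterdir()):
        if not entry.is_file():
            continue
        try:
            kind = sniff_type(entry)
        except OSError:  # locked or unreadable files are normal in a live %TEMP%
            continue
        lower = entry.name.lower()
        if lower.endswith(".gif.exe"):
            findings.append((entry.name, "double extension .gif.exe, content=%s" % kind))
        elif lower.endswith(".gif") and kind == "pe":
            findings.append((entry.name, "named .gif but starts with MZ (PE executable)"))
    return findings


def build_demo_dir():
    """Constructed stand-in for %TEMP% (assumption, not a real capture): the
    950964 name comes from the post, the bytes are a minimal fake DOS header."""
    d = tempfile.mkdtemp(prefix="faxbait-demo-")
    pe_stub = b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00" + b"\x00" * 48 + b"\x80\x00\x00\x00"
    (Path(d) / "950964.gif").write_bytes(pe_stub)
    (Path(d) / "950964.gif.exe").write_bytes(pe_stub)
    (Path(d) / "logo.gif").write_bytes(b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00;")
    return d


if __name__ == "__main__":
    # Pass %TEMP% (or any directory) as the first argument to scan it for real.
    target = sys.argv[1] if len(sys.argv) > 1 else build_demo_dir()
    for name, reason in scan_temp_dir(target):
        print("%s -> %s" % (name, reason))
```

On a real machine run it as `python scan.py %TEMP%`; note that the downloaded .gif is flagged by content alone, so the check still works if a later variant stops appending ".exe" and launches the file some other way.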
People have already scanned these files on VirusTotal, but they are still relatively fresh (scanned 1 day ago at the moment of writing). You can see the details at the links below.
- File 1 – https://www.virustotal.com/en/file/6df02401c129666141d3ffcf009de300895f79180dd5cc8e15ef4ab853548e9e/analysis/
- File 2 – https://www.virustotal.com/en/file/2f19d3c5e119fa6c172c17c00f92af008bcd45f76cd31e20ad714a68ff269630/analysis/
- File 3 – https://www.virustotal.com/en/file/47f4105cd981857f9eb1a039b60fe72b3189890abdb93798af9326c532c93c8d/analysis/
Normally, on Windows 7 (my sandbox environment), TEMP would be C:\Users\username\AppData\Local\Temp. After executing the initial version of the file (the obfuscated version, that is; the deobfuscated version posted on pastebin below just wouldn't execute properly) I noticed a lot of DNS requests, sent to Google's 126.96.36.199 DNS server, asking to resolve randomly generated dynamic-DNS domains like the following:
The entire list can be found on pastebin.
- fax bait 0 ugly – http://pastebin.com/Wmtqn8eL
- fax bait 0 prettified – http://pastebin.com/zNWCTmq7
- fax bait 1 ugly – http://pastebin.com/y7eaa8C6
- fax bait 1 prettified – http://pastebin.com/asbhVLYd
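The DNS behaviour described above (bursts of lookups for random-looking hostnames under one dynamic-DNS parent) is something you can hunt for in resolver logs without knowing the exact names in advance. The following is an added example, not part of the post or the pastebins: it computes the Shannon entropy of the leftmost label of each queried name, groups queries by client and parent domain, and reports parents that collect several distinct high-entropy hostnames from one client. The log format, the 3.0-bit threshold and the "parent = last two labels" rule are assumptions made for the example (real tooling should use the public suffix list and tune the threshold on your own traffic), and the log lines are constructed, not the author's capture.

```python
import math
from collections import defaultdict

# Constructed resolver log for this example (not the author's capture), one
# query per line: "<timestamp> <client> <qtype> <qname>". Four random-looking
# hosts under one dynamic-DNS style parent sit among ordinary lookups.
SAMPLE_DNS_LOG = """\
2015-11-01T14:44:05 10.0.0.5 A www.google.com
2015-11-01T14:44:06 10.0.0.5 A q7xk2m9pv4wz.ddns.example
2015-11-01T14:44:06 10.0.0.5 A h3bn8rt5ycfd.ddns.example
2015-11-01T14:44:07 10.0.0.5 A ujm2k6lse9ag.ddns.example
2015-11-01T14:44:07 10.0.0.5 A z4pwq1dkx7bt.ddns.example
2015-11-01T14:44:08 10.0.0.5 A update.microsoft.com
2015-11-01T14:44:09 10.0.0.5 A mail.google.com
"""


def shannon_entropy(s):
    """Bits of entropy per character of s; 0 for empty or single-symbol strings."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_log(text):
    """Yield (timestamp, client, qtype, qname) for well-formed lines, qname lower-cased."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            ts, client, qtype, qname = parts
            yield ts, client, qtype, qname.rstrip(".").lower()


def split_name(qname):
    """Return (leftmost label, parent) where parent is the last two labels.
    Assumption for the example only: real code should consult the public suffix list."""
    labels = qname.split(".")
    if len(labels) < 3:
        return None, qname  # apex or bare host: nothing to score
    return labels[0], ".".join(labels[-2:])


def suspicious_parents(text, entropy_threshold=3.0, min_hosts=3):
    """Parents that collect several distinct high-entropy hostnames from one client.
    The threshold (bits) and host count are tunable assumptions, not measured values."""
    hosts_by_key = defaultdict(set)
    for _, client, _, qname in parse_log(text):
        host, parent = split_name(qname)
        if host:
            hosts_by_key[(client, parent)].add(host)
    flagged = {}
    for key, hosts in hosts_by_key.items():
        mean_h = sum(shannon_entropy(h) for h in hosts) / len(hosts)
        if len(hosts) >= min_hosts and mean_h >= entropy_threshold:
            flagged[key] = {"distinct_hosts": len(hosts), "mean_entropy": round(mean_h, 3)}
    return flagged


if __name__ == "__main__":
    for (client, parent), info in suspicious_parents(SAMPLE_DNS_LOG).items():
        print("%s -> %s: %d distinct hosts, mean entropy %.3f bits"
              % (client, parent, info["distinct_hosts"], info["mean_entropy"]))
```

Entropy alone produces false positives on CDN and cloud hostnames, which is why the example requires several distinct labels under the same parent from the same client before reporting anything; in practice you would also whitelist known CDN parents and look at the time window, since the sandbox run above generated its lookups in a burst.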
Other references to the same or a similar scam, or linking to one of the indicators above: