Email scams – you have received a new fax

Another email scam. This time a bit more insistent, as I have already received 6 similar emails in 2 days, informing me that I have received a new fax.

Email analysis

Surprisingly, they all ended up in the inbox, which further caught my attention. They all have the following structure, followed by an attached file (the one mentioned in the email, but zipped):

A new fax document for you.

You can find your fax document in the attachment.

Author:                Salvador Rollins
Quality:               300 DPI
Fax name:              scanned-00000498682.doc
Date:                  Sun, 1 Nov 2015 14:44:04 +0300
Filesize:              255 Kb
Scan duration:         25 seconds
Pages:                 9

Thanks for using Interfax service!

The following mail servers were used to send the emails:

$ cat $FILES | grep -i "Received: from"
Received: from gator4022.hostgator.com ([192.185.4.33]:60815)
Received: from ace by gator4022.hostgator.com with local (Exim 4.85)
Received: from [195.34.179.71] (port=44121 helo=netea.pl)
Received: from apache by netea.pl with local (Exim 4.73)
Received: from [88.208.210.74] (port=40436 helo=server.scwirrel.com)
Received: from li1259-49.members.linode.com ([45.79.160.49]:48081 helo=server1.earth.com)
Received: from iphone6sus by server1.earth.com with local (Exim 4.86)
Received: from in1.hostitaly.net ([77.93.255.238]:48646)
Received: from labcasa by in1.hostitaly.net with local (Exim 4.80)
Received: from mail2.hucr.cz ([194.12.32.201]:57859 helo=webhosting.humlnet.cz)
Received: from localhost (localhost [127.0.0.1])
Received: from webhosting.humlnet.cz ([127.0.0.1])
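The same triage can be done programmatically by parsing the Received chain oldest-first and picking the first hop that carries a public address. The Python below is an added example, not code from the original post; the two sample messages are constructed to mirror the hostgator and humlnet hops shown above, and the mx.example.invalid destination and the folded "for" lines are made up.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample messages (not the emails from the post): the Received
# chains mirror two of the hops shown above; the mx.example.invalid
# destination and the folding are made up.
HOSTGATOR_SAMPLE = """\
Received: from gator4022.hostgator.com ([192.185.4.33]:60815)
 by mx.example.invalid with esmtp (Exim 4.85)
 for <victim@example.invalid>; Sun, 1 Nov 2015 14:44:10 +0300
Received: from ace by gator4022.hostgator.com with local (Exim 4.85)
 for <victim@example.invalid>; Sun, 1 Nov 2015 14:44:04 +0300
Subject: You have received fax, document 00000498682

A new fax document for you.
"""

HUMLNET_SAMPLE = """\
Received: from mail2.hucr.cz ([194.12.32.201]:57859 helo=webhosting.humlnet.cz)
 by mx.example.invalid with esmtp
Received: from localhost (localhost [127.0.0.1])
 by webhosting.humlnet.cz with esmtp
Received: from webhosting.humlnet.cz ([127.0.0.1])
 by localhost with esmtp
Subject: You have 1 new fax, document 00000465107

A new fax document for you.
"""

FROM_HOST = re.compile(r"^from\s+(?P<host>[^\s(]+)", re.IGNORECASE)
BY_HOST = re.compile(r"\bby\s+(?P<host>[^\s(;]+)", re.IGNORECASE)
IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def received_hops(raw_message):
    """Return the Received chain oldest-first as (from_host, ip, by_host) tuples.

    Every relay prepends its own Received header, so the last header in the
    message is the first hop the message took.
    """
    msg = message_from_string(raw_message)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        flat = " ".join(str(value).split())  # unfold the header onto one line
        from_m = FROM_HOST.match(flat)
        by_m = BY_HOST.search(flat)
        ip_m = IPV4.search(flat)
        hops.append((from_m.group("host") if from_m else None,
                     ip_m.group(1) if ip_m else None,
                     by_m.group("host") if by_m else None))
    return hops


def originating_relay(raw_message):
    """First hop that carries a public IP: the server that injected the mail.

    'with local' submissions carry no address, and loopback/private hops (the
    127.0.0.1 lines on the humlnet server) are skipped via is_global.
    """
    for from_host, ip, _by in received_hops(raw_message):
        if ip and ipaddress.ip_address(ip).is_global:
            return (from_host, ip)
    return None


if __name__ == "__main__":
    for sample in (HOSTGATOR_SAMPLE, HUMLNET_SAMPLE):
        for hop in received_hops(sample):
            print(hop)
        print("originating relay:", originating_relay(sample))
```

The first hop on the shared host is a local Exim submission with no address, and the two 127.0.0.1 hops on the humlnet server are internal, so the function lands on the relay that spoke to the outside world. Received headers below the one your own MX wrote can be forged, so treat the result as a lead for abuse reports, not as proof.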

Subjects are slightly modified each time, again probably to evade spam filters by not having exactly the same format.

Subject: You have 1 new fax, document 00000465107
Subject: You have new fax, document 00000597087
Subject: You have new fax, document 000186919
Subject: You have received a new fax, document 00827975
Subject: You have received fax, document 00000498682
Subject: You have received fax, document 00000646559

They use different variations of the attachment file name, probably to evade spam filters. The ones I have received so far are the following:

name="fax00000465107.zip"
name="scanned00000597087.zip"
name="document_000186919.zip"
name="task_00827975.zip"
name="scanned-00000498682.zip"
name="scanned_00000646559.zip"


Malware analysis

Attachments include the mentioned file but with a different extension. Instead of filename.doc it is filename.doc.js, a one-line obfuscated JavaScript file. I have added some spaces for readability, but they would normally have the format found here. At first I tried to dig through it manually, initially to identify the mentioned domains, but that is just overkill. The solution was to deobfuscate the code and, if that did not succeed, execute it in a sandbox environment to see the actual code that was run. I tried several online tools like JSbeautifier and Wepawet but ended up running JSDetox in a VM. From the file mentioned earlier I ended up with this.

The code sends GET requests to a list of 3 websites in the following form:

http://domain.tld/counter/?id=string&rnd=3382831
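That URL shape is easy to hunt for in web proxy logs. The Python below is an added example, not code from the original post: it matches the /counter/?id=<string>&rnd=<digits> pattern and reports clients that hit it on more than one host, since the downloader walks a list of three sites and a single /counter/ hit on its own could be a legitimate page. The log lines are constructed, with hosts on the reserved .invalid TLD standing in for the compromised sites; the client addresses, timestamps and id values are made up.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed proxy log (not from the post). Hosts use the reserved .invalid
# TLD as placeholders for the compromised sites; clients, timestamps and the
# id values are made up. Format: timestamp client method url status.
PROXY_LOG = """\
2015-11-01T14:46:02Z 10.0.0.21 GET http://site-a.invalid/counter/?id=ZGVtbw&rnd=3382831 200
2015-11-01T14:46:03Z 10.0.0.21 GET http://site-b.invalid/counter/?id=ZGVtbw&rnd=3382831 404
2015-11-01T14:46:04Z 10.0.0.21 GET http://www.site-c.invalid/counter/?id=ZGVtbw&rnd=3382831 200
2015-11-01T14:47:10Z 10.0.0.22 GET http://shop.invalid/blog/?id=42 200
2015-11-01T14:48:00Z 10.0.0.23 GET http://site-d.invalid/images/logo.gif 200
2015-11-01T14:48:30Z 10.0.0.23 GET http://site-d.invalid/counter/?id=Zm9v&rnd=17 200
"""

LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$"
)


def is_fax_beacon(url):
    """True when the URL has the /counter/?id=<string>&rnd=<digits> shape."""
    parts = urlsplit(url)
    if parts.path.rstrip("/") != "/counter":
        return False
    query = parse_qs(parts.query)
    # parse_qs drops empty values, so a missing or blank rnd fails isdigit()
    return bool(query.get("id")) and query.get("rnd", [""])[0].isdigit()


def find_beaconing_clients(log_text, min_hosts=2):
    """Map client -> sorted hosts for clients that hit the beacon path on at
    least min_hosts distinct hosts. Fanning out across several hosts with the
    same path is the signal; one isolated hit may be a real stats counter."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m or not is_fax_beacon(m.group("url")):
            continue
        hits[m.group("client")].add(urlsplit(m.group("url")).hostname)
    return {client: sorted(hosts)
            for client, hosts in hits.items() if len(hosts) >= min_hosts}


if __name__ == "__main__":
    for client, hosts in find_beaconing_clients(PROXY_LOG).items():
        print(client, "->", ", ".join(hosts))
```

With the sample log only 10.0.0.21 is reported, because it touched three different hosts with the same path within seconds; 10.0.0.23 made one matching request and is left alone unless min_hosts is lowered to 1. Lines that do not parse are skipped rather than raising, so the function can be pointed at a real log tail.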

From the 6 emails received I have the following list of referenced websites. Is yours there?

  • www.flowarrior.com
  • hourlywhy.com
  • www.videodifficulties.com
  • yoakumdentalcare.com
  • ncdivers.com
  • pdeluxedesign.com
  • monarchexcess2.com
  • cjet.com.br
  • arivusampark.com
  • j-hsu.com
  • rambh.com.br
  • cdkproperties.com
  • vidyaprakashpublicschool.org

If the request is successful, it downloads 3 .gif files to the folder referenced by the %TEMP% Windows environment variable and executes them as .exe by appending ".exe" to the filename:

%TEMP%\950964.gif + .exe

People have already scanned these files on VirusTotal, but they are still relatively fresh (scanned 1 day ago at the moment of writing). You can see info about them at the links below.

Normally, on Windows 7 (my sandbox environment) TEMP would be C:\Users\username\AppData\Local. After executing the initial version of the file (the obfuscated version, that is; the deobfuscated version posted on pastebin below just did not want to execute properly) I noticed a lot of DNS requests via Google's 8.8.8.8 DNS server asking to resolve the IP addresses of randomly generated dynamic-DNS domains like the following:

  • 3f5to2m4et1bur3videpupq.ddns.net
  • ejkv5tuxe45tkfmb5ly.ddns.net
  • kfodatu8onu2evops8a4ipg.ddns.net
  • chstoxcxk8y6s87.ddns.net
  • onk8c0gxo6qt361pgvgpsnw.ddns.net
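Those labels look nothing like what a person types into a dynamic-DNS account, which gives a simple hunting rule for DNS query logs. The Python below is an added example, not code from the original post: it takes the customer-chosen label under a dynamic-DNS suffix and scores it on length, character entropy, digit mix and vowel ratio, flagging labels that show most of those traits. The DNS log lines are constructed; the five flagged names are the ones listed above, while the two benign names, the client addresses and the timestamps are made up.

```python
import math
from collections import Counter

# Dynamic-DNS suffix observed in the post; extend with other providers.
DYNDNS_SUFFIXES = ("ddns.net",)

# Constructed DNS query log (not from the post): the five ddns.net names with
# random-looking labels are the ones listed above; the benign names, client
# addresses and timestamps are made up. Format: timestamp client qtype qname.
DNS_LOG = """\
2015-11-01T14:50:01Z 10.0.0.21 A 3f5to2m4et1bur3videpupq.ddns.net
2015-11-01T14:50:01Z 10.0.0.21 A ejkv5tuxe45tkfmb5ly.ddns.net
2015-11-01T14:50:02Z 10.0.0.21 A kfodatu8onu2evops8a4ipg.ddns.net
2015-11-01T14:50:02Z 10.0.0.21 A chstoxcxk8y6s87.ddns.net
2015-11-01T14:50:03Z 10.0.0.21 A onk8c0gxo6qt361pgvgpsnw.ddns.net
2015-11-01T14:51:00Z 10.0.0.22 A myhomecam.ddns.net
2015-11-01T14:51:30Z 10.0.0.22 A office-cam2.ddns.net
2015-11-01T14:52:00Z 10.0.0.23 A www.example.invalid
"""


def shannon_entropy(text):
    """Bits per character; a few repeated letters score low, a near-uniform
    spread of letters and digits scores high."""
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def dyndns_label(fqdn):
    """The label directly under a dynamic-DNS suffix, or None for other names."""
    fqdn = fqdn.lower().rstrip(".")
    for suffix in DYNDNS_SUFFIXES:
        if fqdn.endswith("." + suffix):
            return fqdn[: -len(suffix) - 1].split(".")[-1]
    return None


def generated_score(label):
    """Number of machine-generated traits (0..4) the label shows."""
    digit_ratio = sum(ch.isdigit() for ch in label) / len(label)
    vowel_ratio = sum(ch in "aeiou" for ch in label) / len(label)
    return sum([
        len(label) >= 12,               # long labels
        shannon_entropy(label) >= 3.0,  # little repetition
        digit_ratio > 0.1,              # digits scattered through the name
        vowel_ratio < 0.3,              # unpronounceable consonant runs
    ])


def looks_generated(fqdn, threshold=3):
    label = dyndns_label(fqdn)
    return label is not None and generated_score(label) >= threshold


def flag_dns_log(log_text):
    """Return (client, qname) pairs whose dynamic-DNS label looks generated."""
    flagged = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) == 4 and fields[2] == "A" and looks_generated(fields[3]):
            flagged.append((fields[1], fields[3]))
    return flagged


if __name__ == "__main__":
    for client, name in flag_dns_log(DNS_LOG):
        print(client, name, generated_score(dyndns_label(name)))
```

The thresholds are tuned by hand against the five names above and the two benign controls; in a real environment, the stronger signal is the combination shown in the log: one client resolving many such names in quick succession, which the per-client grouping in the output makes easy to spot.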

An entire list can be found on pastebin.

Sample JavaScript files:

Other references to the same or similar scams, or linking to one of the indicators above: