Another email scam. This time, a bit insistent, as I’ve been getting 6 similar emails in 2 days already, that are informing me that I’ve received a new fax.
Email analysis
Surprisingly, they all ended up in the inbox, which drew my attention further. They all have the following structure, followed by an attached file (the one mentioned in the email, but zipped):
A new fax document for you. You can find your fax document in the attachment.
Author: Salvador Rollins
Quality: 300 DPI
Fax name: scanned-00000498682.doc
Date: Sun, 1 Nov 2015 14:44:04 +0300
Filesize: 255 Kb
Scan duration: 25 seconds
Pages: 9
Thanks for using Interfax service!
The following mail servers were used to send the emails:
$ cat $FILES | grep -i "Received: from"
Received: from gator4022.hostgator.com ([192.185.4.33]:60815)
Received: from ace by gator4022.hostgator.com with local (Exim 4.85)
Received: from [195.34.179.71] (port=44121 helo=netea.pl)
Received: from apache by netea.pl with local (Exim 4.73)
Received: from [88.208.210.74] (port=40436 helo=server.scwirrel.com)
Received: from li1259-49.members.linode.com ([45.79.160.49]:48081 helo=server1.earth.com)
Received: from iphone6sus by server1.earth.com with local (Exim 4.86)
Received: from in1.hostitaly.net ([77.93.255.238]:48646)
Received: from labcasa by in1.hostitaly.net with local (Exim 4.80)
Received: from mail2.hucr.cz ([194.12.32.201]:57859 helo=webhosting.humlnet.cz)
Received: from localhost (localhost [127.0.0.1])
Received: from webhosting.humlnet.cz ([127.0.0.1])
Subjects are slightly modified from one email to the next, again probably to evade spam filters by never repeating the exact same format.
Subject: You have 1 new fax, document 00000465107
Subject: You have new fax, document 00000597087
Subject: You have new fax, document 000186919
Subject: You have received a new fax, document 00827975
Subject: You have received fax, document 00000498682
Subject: You have received fax, document 00000646559
They also use different variations of the attached file name, probably for the same reason. The ones I’ve got so far are the following:
name="fax00000465107.zip"
name="scanned00000597087.zip"
name="document_000186919.zip"
name="task_00827975.zip"
name="scanned-00000498682.zip"
name="scanned_00000646559.zip"
Malware analysis
Attachments include the mentioned file but with a different extension: instead of filename.doc it is filename.doc.js, a one-line obfuscated JavaScript file. I’ve added some spaces for readability, but they would normally have the format found here. At first I tried to dig through it manually, initially to identify the referenced domains, but that’s just overkill. The solution was to deobfuscate the code and, if that wasn’t successful, execute it in a sandbox environment to see the actual code that was run. I tried several online tools like JS Beautifier and Wepawet but ended up running JSDetox in a VM. From the file mentioned earlier I ended up with this.
The code sends GET requests to a list of 3 websites in the following form:
http://domain.tld/counter/?id=string&rnd=3382831
From the 6 emails received I have the following list of referenced websites. Is yours there?
- www.flowarrior.com
- hourlywhy.com
- www.videodifficulties.com
- yoakumdentalcare.com
- ncdivers.com
- pdeluxedesign.com
- monarchexcess2.com
- cjet.com.br
- arivusampark.com
- j-hsu.com
- rambh.com.br
- arivusampark.com
- cdkproperties.com
- vidyaprakashpublicschool.org
If a request is successful, it will download 3 .gif files to the folder associated with the %TEMP% Windows environment variable and will execute them as .exe by appending “.exe” to the filename:
%TEMP%\950964.gif + .exe
People have already scanned these files on VirusTotal, but they are still relatively fresh (scanned 1 day ago at the moment of writing). You can see info about them at the links below.
- File 1 – https://www.virustotal.com/en/file/6df02401c129666141d3ffcf009de300895f79180dd5cc8e15ef4ab853548e9e/analysis/
- File 2 – https://www.virustotal.com/en/file/2f19d3c5e119fa6c172c17c00f92af008bcd45f76cd31e20ad714a68ff269630/analysis/
- File 3 – https://www.virustotal.com/en/file/47f4105cd981857f9eb1a039b60fe72b3189890abdb93798af9326c532c93c8d/analysis/
Normally, on Windows 7 (my sandbox environment) TEMP would be C:\Users\username\AppData\Local. After executing the initial version of the file (the obfuscated version, that is – the deobfuscated version posted on pastebin below just didn’t want to execute properly) I noticed a lot of DNS requests via Google’s 8.8.8.8 DNS server asking to resolve the IP addresses of randomly generated dynamic-DNS domains like the following:
- 3f5to2m4et1bur3videpupq.ddns.net
- ejkv5tuxe45tkfmb5ly.ddns.net
- kfodatu8onu2evops8a4ipg.ddns.net
- chstoxcxk8y6s87.ddns.net
- onk8c0gxo6qt361pgvgpsnw.ddns.net
An entire list can be found on pastebin.
Sample JavaScript files:
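Three of the behaviours described in this section leave traces a defender can hunt for: the check-in URL shape (/counter/?id=…&rnd=…), the random dynamic-DNS lookups sent straight to 8.8.8.8 rather than to the internal resolver, and an executable launched from %TEMP% that still carries the .gif name. The script below is an added example, not code from this post or from the sample it analyses; it runs those checks over constructed proxy, DNS and process-creation records (the log layouts, the .invalid hostnames, the internal resolver address and the entropy threshold are all assumptions chosen for the example, while the ddns.net names are the ones listed above).

```python
import math
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Constructed sample logs (not captured traffic): "<ts> <client> <method> <url> <status>"
# for the proxy and "<client> <resolver> <qtype> <name>" for DNS.
PROXY_LOG = """\
1446390244.101 10.0.0.12 GET http://www.example-site.invalid/counter/?id=ab12cd34&rnd=3382831 200
1446390244.390 10.0.0.12 GET http://www.example-site.invalid/images/logo.gif 200
1446390245.002 10.0.0.12 GET http://second-site.invalid/counter/?id=ab12cd34&rnd=3382831 200
1446390300.551 10.0.0.31 GET http://intranet.invalid/status 200
"""
DNS_LOG = """\
10.0.0.12 8.8.8.8 A 3f5to2m4et1bur3videpupq.ddns.net
10.0.0.12 8.8.8.8 A ejkv5tuxe45tkfmb5ly.ddns.net
10.0.0.12 8.8.8.8 A chstoxcxk8y6s87.ddns.net
10.0.0.31 10.0.0.1 A intranet.invalid
10.0.0.31 10.0.0.1 A mail.ddns.net
"""
# Constructed process-creation image paths, as an EDR or Sysmon event 1 feed would give them.
PROCESS_PATHS = [
    r"C:\Users\alice\AppData\Local\Temp\950964.gif.exe",
    r"C:\Windows\System32\notepad.exe",
]

INTERNAL_RESOLVERS = {"10.0.0.1"}      # assumption: the site's own DNS servers
DYNDNS_SUFFIXES = (".ddns.net",)       # extend with other free dynamic-DNS providers


def is_counter_beacon(url: str) -> bool:
    """True for the downloader's check-in shape: /counter/?id=<string>&rnd=<digits>."""
    parts = urlsplit(url)
    if parts.path != "/counter/":
        return False
    query = parse_qs(parts.query)
    return "id" in query and query.get("rnd", [""])[0].isdigit()


def shannon_entropy(text: str) -> float:
    counts = Counter(text)
    return -sum(c / len(text) * math.log2(c / len(text)) for c in counts.values())


def is_suspicious_dynamic_dns(name: str) -> bool:
    """Long, high-entropy, mixed letter/digit first label under a dynamic-DNS suffix."""
    name = name.lower().rstrip(".")
    if not name.endswith(DYNDNS_SUFFIXES):
        return False
    label = name.split(".")[0]
    return (
        len(label) >= 12
        and any(ch.isdigit() for ch in label)
        and any(ch.isalpha() for ch in label)
        and shannon_entropy(label) > 3.0
    )


def scan_proxy(log: str) -> dict:
    """Map each client to the distinct hosts it sent a counter beacon to, in order seen."""
    hits = {}
    for line in log.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        client, url = fields[1], fields[3]
        if is_counter_beacon(url):
            hosts = hits.setdefault(client, [])
            host = urlsplit(url).hostname
            if host not in hosts:
                hosts.append(host)
    return hits


def scan_dns(log: str) -> dict:
    """Flag random-looking dynamic-DNS lookups and clients bypassing the internal resolvers."""
    findings = {"dynamic_dns": [], "external_resolver": []}
    for line in log.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        client, resolver, name = fields[0], fields[1], fields[3]
        if is_suspicious_dynamic_dns(name):
            findings["dynamic_dns"].append((client, name))
        pair = (client, resolver)
        if resolver not in INTERNAL_RESOLVERS and pair not in findings["external_resolver"]:
            findings["external_resolver"].append(pair)
    return findings


# Executable run from a Temp folder whose name still ends in an image extension.
MASQUERADE = re.compile(r"\\temp\\[^\\]+\.(?:gif|jpg|png)\.exe$", re.IGNORECASE)


def masquerading_executables(paths) -> list:
    return [p for p in paths if MASQUERADE.search(p)]


if __name__ == "__main__":
    print(scan_proxy(PROXY_LOG))
    print(scan_dns(DNS_LOG))
    print(masquerading_executables(PROCESS_PATHS))
```

The three checks are deliberately independent so each can be wired to whatever source actually exists (proxy logs, resolver query logs, endpoint telemetry); a single client tripping two of them at the same time is a far stronger signal than any one alone, and the external-resolver check in particular is cheap to enforce at the firewall rather than merely to detect.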
- fax bait 0 ugly – http://pastebin.com/Wmtqn8eL
- fax bait 0 prettified – http://pastebin.com/zNWCTmq7
- fax bait 1 ugly – http://pastebin.com/y7eaa8C6
- fax bait 1 prettified – http://pastebin.com/asbhVLYd
Other references to the same or similar scams, or linking to one of the indicators above: