Update 10 July 2014: back to the more usual zip file attachment today.
27 July 2014: today they are using Google short URL links (http://goo.gl/ followed by random characters) which redirect to what could easily be mistaken for a genuine eFax location, http://efax-download.com/downloadfax.html. The malware downloaded, Fax_002_25201407211.scr (23 kb), has a VirusTotal detection of 0/53. Google have very quickly disabled the short links, so hopefully very few people will have been infected by this.
28 May 2014: today's new approach is to have links to Dropbox in the spoofed Corporate eFax message email rather than the more usual attachment.
16 April 2014: new version today: Corporate eFax message from “468-938-9743” – 27 page(s). As usual the alleged sending number changes with each email and so does the number of pages. Today's offering pretends to come from email@example.com, but of course that is a spoofed address and they actually come via compromised, infected computers and servers that have been taken over by one of the botnets.
20 Feb 2014: This is another one from the encrypted Upatre Zbot downloaders that uses a specific encryption that is decoded only by the original file in the email. That phones out to a website, and the file on that website is encrypted, so malware scans on the site won't detect any malware. As the encrypted file is downloaded, it is decoded on the fly and a working, viable copy is dropped on the victim's computer. Today's site is khushilogistics.net/images/HK.but. They are using all sorts of weird and wonderful suffixes to attempt to confuse any antimalware product or gateway filtering system, which often blocks known suffixes that can be used by malware (executable files) but allows others.
20 February 2014: A second batch of these Corporate eFax message emails has arrived. The malware delivery method has changed today, and these fake Corporate eFax message emails are being recycled and re-used by the new Blackhole exploit runs that are described in THIS post.
21 February 2014: a different malware version this morning from both of yesterday's ones, which looks a lot like a Zbot with a definite password-stealing component.
25 February 2014: a different malware version this morning, which looks a lot like a Tepfer password-stealing malware that definitely attempts to steal your email and FTP credentials. A second version this afternoon is about double the size of this morning's offering.
Carrying on from https://myonlinesecurity.co.uk/spoofed-efax-fax-transmission-fake-pdf-malware/. The phone number in the subject line is different with each email. Out of 40 emails, I have only seen 2 duplicate phone numbers.
A new version of the malware attached to these Corporate eFax message emails is spreading. Needless to say the emails do not come from the eFax corporation and don't contain a fax message when unzipped. They are another one of the current Zbot runs, which try to drop Cryptolocker, ransomware and loads of other malware on your computer. Most of these are using email addresses and subjects that are appropriate for the time of year.
This one in particular, along with almost all of these, has a password-stealing component, with the aim of stealing your email and FTP (web space) login credentials. Many of them are also designed to specifically steal your Facebook and other social network login details.
Please read our How to protect yourselves page for simple, sensible advice on how to avoid being infected by this sort of socially engineered malware.
Today's message (16 April 2014) looks like:
You have received a 27 page(s) fax at 2014-04-16 03:13:22 EST.
* The reference number for this fax is latf1_did11-1281562306-8412112271-12.
Please visit www.efaxcorporate.com/corp/twa/page/customerSupport if you have any questions regarding this message or your service. You may also e-mail our corporate support department at firstname.lastname@example.org.
Thank you for using the eFax Corporate service! 2014 j2 Global, Inc. All rights reserved. eFax Corporate is a registered trademark of j2 Global, Inc.
Updated version 28 May 2014: now has multiple links to Dropbox in the email rather than the more usual attachment.
Fax Message [Caller-ID: 1-786-439-8336]
You have received a 1 page fax at Wed, 28 May 2014 09:68:81 GMT.
* The reference number for this fax is atl_did1-1400166434-31309133229-154.
Click here to view this fax using your PDF reader.
Please visit www.eFax.com/en/efax/twa/page/help if you have any questions regarding this message or your service.
Thank you for using the eFax service! 2014 j2 Global, Inc. All rights reserved. eFax is a registered trademark of j2 Global, Inc. This account is subject to the terms listed in the eFax Customer Agreement.
Attachment zip name: eFaxD33F63D8D8.zip
Extracted file name: eFax_Corp_234548732490846-580567324-074569586723423490345.pdf.exe
Current VirusTotal detections: 5/49 https://www.virustotal.com/en/file/fb89fc5e7836013a33bbf30f6b0c9253f005da8d3f60b9f1fe7764265f99c29b/analysis/
MALWR Auto Analysis: https://malwr.com/analysis/OWE4NzFiZDRlM2Q3NDNkNTlhYWQxNDJlMzM1ODcxYmY/
20 Feb 2014: FAX_20130731_3276507267_085.zip (11kb) extracts to newfaxmessage.exe. VirusTotal 5/50
25 Feb 2014: efax_5CE6D81F10.zip (70kb) extracts to mes_4835634778534987593489.pdf.exe. VirusTotal 3/48
2nd version 25 Feb 2014: efax_422145FD93.zip (147kb) extracts to eFax_723645.9428754.pdf.exe. VirusTotal 2/49
16 April 2014: Fax-001-latf1_did11-1740377984-3769330781-04.zip (12kb) extracts to Fax-001-16042014.scr. VirusTotal 2/50
28 May 2014: Fax_938_391102933_1245561.zip (11kb) extracts to Fax_938_391102933_1245561.scr. VirusTotal 2/50
10 July 2014: chd_did9-92162037884-45066126722-110.zip (10kb) extracts to new_fax_message.exe. VirusTotal 2/53
This Corporate eFax message is another one of the spoofed icon files that, unless you have “show known file extensions” enabled, will look like a proper PDF file instead of the .exe file it really is, making it much more likely for you to accidentally open it and be infected.
All of these emails use social engineering tricks to persuade you to open the attachments that come with the email, whether it is a message saying “look at this picture of me I took last night” that appears to come from a friend, or one more targeted at somebody who is likely to regularly receive PDF attachments, Word .doc attachments or any other common file that you use every day. Be very careful when unzipping them and make sure you have “show known file extensions” enabled, and then look carefully at the unzipped file. If it says .EXE then it is a problem and should not be run or opened.
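As an added example (not code from the original post), here is the check described above done automatically: a Python script that lists the entries in a zip attachment without extracting anything and flags names that end in an executable extension or that hide one behind a fake document extension, using file names from this post as constructed sample data.

```python
import io
import zipfile

# Extensions Windows runs as a program when double-clicked (.exe and .scr are the ones seen on this page).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}
# Document/image extensions the attacker places in front of the real one to fake a PDF-looking name.
DECOY_EXTS = {".pdf", ".doc", ".docx", ".xls", ".jpg", ".txt"}


def classify_name(name: str) -> dict:
    """Return findings for one file name inside an attachment."""
    base = name.lower().rsplit("/", 1)[-1]          # ignore any folder part
    exts = ["." + p for p in base.split(".")[1:]]  # every dot-separated suffix, in order
    final = exts[-1] if exts else ""
    return {
        "name": name,
        "executable": final in EXECUTABLE_EXTS,
        # e.g. something.pdf.exe: a decoy document suffix directly before the executable one
        "double_extension": len(exts) >= 2 and exts[-2] in DECOY_EXTS and final in EXECUTABLE_EXTS,
    }


def scan_zip_bytes(data: bytes) -> list:
    """Inspect the central directory only; nothing is extracted or executed."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [classify_name(info.filename) for info in zf.infolist()]


def build_sample_zip() -> bytes:
    """Constructed sample archive: names from this post, contents are harmless placeholder bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("eFax_Corp_234548732490846-580567324-074569586723423490345.pdf.exe", b"placeholder")
        zf.writestr("Fax-001-16042014.scr", b"placeholder")
        zf.writestr("real_fax.pdf", b"placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in scan_zip_bytes(build_sample_zip()):
        flag = "BLOCK" if finding["executable"] else "ok"
        print(f"{flag:5} {finding['name']}  double_extension={finding['double_extension']}")
```

A mail gateway or desktop tool can apply the same test before the user ever sees the unzipped name.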