Let's look at the message (some items redacted)
From hqkojrw@brainspinepro.com Thu Jul 30 12:05:30 2015
Received: from [116.58.202.20] (port=52406 helo=banglalinkgsm.com)
    by www.slcsecurity.com with esmtp (Exim 4.85)
    (envelope-from <hqkojrw@brainspinepro.com>)
    id 1ZKqKh-0003xS-Pv; Thu, 30 Jul 2015 12:05:29 -0400
Received: from 9197.slcsecurity.com (10.34.222.15) by slcsecurity.com (10.0.0.89)
    with Microsoft SMTP Server id 2Z31JORQ; Thu, 30 Jul 2015 21:11:59 +0600
Date: Thu, 30 Jul 2015 21:11:59 +0600
From: "Incoming Fax" <Incoming.Fax@slcsecurity.com>
X-MS-Has-Attach: yes
X-MS-Exchange-Organization-SCL: -1
X-MS-TNEF-Correlator: <31DA69X079P7LBBJSZI4VZ7CIPTWMO758HB32B@slcsecurity.com>
X-MS-Exchange-Organization-AuthSource: N1H9TKQAUB454EE@slcsecurity.com
X-MS-Exchange-Organization-AuthAs: Internal
X-MS-Exchange-Organization-AuthMechanism: 08
X-MS-Exchange-Organization-AVStamp-Mailbox: MSFTFF;8;0;0 0 0
X-Priority: 3 (Normal)
Message-ID: <M3GL0YSLTX1N4Q9Q9OBT1X1PMHSYE0S37QZ6GW@slcsecurity.com>
To: docs8@slcsecurity.com
Subject: Incoming Fax
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----=_Next_13154_4863437313.0814823955998"
X-Spam-Status: No, score=0.3
X-Spam-Score: 3
X-Spam-Bar: /
X-Ham-Report: Spam detection software, running on the system "www.slcsecurity.com",
    has NOT identified this incoming email as spam. The original message has been
    attached to this so you can view it or label similar future email. If you have
    any questions, see root\@localhost for details.

    Content preview: INCOMING FAX REPORT Date/Time: Thu, 30 Jul 2015 21:11:59 +0600
    Speed: 4393bps Connection time: 03:07 Pages: 5 Resolution: Normal
    Remote ID: 496-347-5344 Line number: 2 DTMF/DID: Description: Internal only [...]

    Content analysis details:   (0.3 points, 5.0 required)

     pts rule name              description
    ---- ---------------------- --------------------------------------------------
     0.0 HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level mail domains are different
     0.0 SPF_HELO_FAIL          SPF: HELO does not match SPF record (fail)
                                [SPF failed: Please see http://www.openspf.org/Why?s=helo;id=banglalinkgsm.com;ip=116.58.202.20;r=www.slcsecurity.com]
    -1.9 BAYES_00               BODY: Bayes spam probability is 0 to 1% [score: 0.0000]
     0.0 RCVD_IN_MSPIKE_BL      Mailspike blacklisted
     0.8 RDNS_NONE              Delivered to internal network by a host with no rDNS
     1.4 RCVD_IN_MSPIKE_ZBI     No description available.
X-Spam-Flag: NO
X-BoxTrapper-Match: white: 99: incoming.fax@slcsecurity.com

------=_Next_13154_4863437313.0814823955998
Content-Type: text/plain;
Content-Transfer-Encoding: 8bit

*********************************************************
INCOMING FAX REPORT
*********************************************************

Date/Time: Thu, 30 Jul 2015 21:11:59 +0600
Speed: 4393bps
Connection time: 03:07
Pages: 5
Resolution: Normal
Remote ID: 496-347-5344
Line number: 2
DTMF/DID:
Description: Internal only

To download / view please download attached file

*********************************************************

------=_Next_13154_4863437313.0814823955998
Content-Type: application/zip; name="Incoming Fax_496-347-5344.zip"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="Incoming Fax_496-347-5344.zip"
As you can see, the message makes it through the spam filter: SpamAssassin scored it 0.3 against a threshold of 5.0, because in this configuration SPF_HELO_FAIL and the Mailspike blacklist hit (RCVD_IN_MSPIKE_BL) carry 0.0 points and BAYES_00 subtracts 1.9, which more than offsets RDNS_NONE and RCVD_IN_MSPIKE_ZBI. It also gets past BoxTrapper without detection because of the spoofed domain: the forged From address Incoming.Fax@slcsecurity.com matches a whitelist entry, as the X-BoxTrapper-Match header shows. The headers also contradict each other. The outermost Received line, the one written by our own Exim server, shows the message arriving from 116.58.202.20 with HELO banglalinkgsm.com and envelope sender hqkojrw@brainspinepro.com, while the inner Received line (9197.slcsecurity.com, "Microsoft SMTP Server", a +0600 timestamp) and the X-MS-Exchange-Organization-AuthAs: Internal header claim the message originated on an internal Exchange server. Those inner headers arrived with the message, so the sender wrote them. So let's have a look and see what we can find out about the incoming "fax" message.
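The header checks described above, written out as a script. This is an added example, not code from the original post; the raw message it parses is a constructed excerpt of the headers shown above, and the "external" test is a simple RFC 1918 check standing in for whatever your gateway knows about its own networks.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed excerpt of the headers shown above (body omitted).
RAW = """\
Received: from [116.58.202.20] (port=52406 helo=banglalinkgsm.com)
\tby www.slcsecurity.com with esmtp (Exim 4.85)
\t(envelope-from <hqkojrw@brainspinepro.com>)
\tid 1ZKqKh-0003xS-Pv; Thu, 30 Jul 2015 12:05:29 -0400
Received: from 9197.slcsecurity.com (10.34.222.15) by slcsecurity.com (10.0.0.89)
\twith Microsoft SMTP Server id 2Z31JORQ; Thu, 30 Jul 2015 21:11:59 +0600
From: "Incoming Fax" <Incoming.Fax@slcsecurity.com>
To: docs8@slcsecurity.com
Subject: Incoming Fax
X-MS-Exchange-Organization-AuthAs: Internal
X-BoxTrapper-Match: white: 99: incoming.fax@slcsecurity.com

(body omitted)
"""

OWN_DOMAIN = "slcsecurity.com"  # the domain being impersonated (assumption: ours)
# RFC 1918 ranges; a first hop outside these came in from the Internet.
PRIVATE = re.compile(r"^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)")


def second_level(domain):
    """'mail.example.com' -> 'example.com' (what SpamAssassin compares)."""
    parts = domain.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])


def first_hop(msg):
    """Parse the outermost Received header, the only one written by our own MTA.
    Every Received line below it was supplied by the sender and may be forged."""
    received = msg.get_all("Received") or []
    top = received[0] if received else ""
    ip = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", top)
    helo = re.search(r"helo=([\w.-]+)", top)
    env = re.search(r"envelope-from <([^>]+)>", top)
    return {
        "ip": ip.group(1) if ip else None,
        "helo": helo.group(1) if helo else None,
        "envelope_from": env.group(1) if env else None,
    }


def triage(raw):
    """Return (first_hop, findings) for a raw RFC 822 message."""
    msg = message_from_string(raw)
    hop = first_hop(msg)
    external = hop["ip"] is not None and not PRIVATE.match(hop["ip"])
    from_dom = second_level(parseaddr(msg.get("From", ""))[1].split("@")[-1])
    env_dom = second_level((hop["envelope_from"] or "").split("@")[-1])
    findings = []
    # Our own domain in the header From on mail that arrived from outside.
    spoofed = external and from_dom == OWN_DOMAIN
    if spoofed:
        findings.append("SPOOFED_OWN_DOMAIN")
    # Header From and envelope sender disagree (HEADER_FROM_DIFFERENT_DOMAINS).
    if from_dom != env_dom:
        findings.append("FROM_ENVELOPE_MISMATCH")
    # Exchange "authenticated as internal" cannot be true for Internet mail.
    auth_as = msg.get("X-MS-Exchange-Organization-AuthAs", "").strip().lower()
    if external and auth_as == "internal":
        findings.append("FORGED_INTERNAL_AUTH")
    # The whitelist matched the very address the sender forged.
    if spoofed and msg.get("X-BoxTrapper-Match", "").lower().startswith("white"):
        findings.append("WHITELIST_ON_SPOOFED_SENDER")
    return hop, findings


if __name__ == "__main__":
    hop, findings = triage(RAW)
    print("first hop:", hop)
    for finding in findings:
        print("finding:", finding)
```

The point of `first_hop` is that only the topmost Received line is trustworthy; everything under it, including the Exchange-looking hop and the X-MS-Exchange-* headers, is attacker-controlled text. A whitelist keyed on the header From, as BoxTrapper's was here, is defeated by exactly that.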
A phone number appears as 496-347-5344. We can tell you right off that if this is an SLC Security Services employee we must have an office in cyberspace somewhere, because area code 496 doesn't exist (in the North American Numbering Plan, codes with 9 as the middle digit are reserved for future expansion and none are in service). This just goes to show that these actors are blindly making up information to try to make it look legitimate. Normally I would just stop here, but let's keep going and have a closer look.
The source of the message is 116.58.202.20, so let's see what the SLC Security Services LLC Threat Intelligence Platform knows about this IP.
So after a quick search by source IP, here is what we find:
Event ID: 454
Org: SLC Security Services LLC
Email: soc@slcsecurity.com
Tags: TLP:AMBER
Source: Malware
Description: Upatre Sample Received by Customers
So as you can see, it's not the first time we have seen this particular malware from this source.
Let's look at the binary attachment. Sent to the sandbox, the file is immediately identified as a threat:
Incoming Fax_496-347-5344.zip
Submitted on August 3rd 2015 17:27:24 (CDT) with target system Windows 7 32 bit
Report generated by VxStream Sandbox v2.10 © Payload Security
41/55 Antivirus vendors marked sample as malicious (74% detection rate)
Filename: Incoming Fax_496-347-5344.zip
Size: 47KiB (47616 bytes)
Type: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Architecture: 32 Bit
MD5: 7e01d9705da0a983af63906edffb5b08
SHA1: 63433b4a2ced77ed330327b0cdb6704edc811654
SHA256: e11575f7d8abee81f345f6a754d0d42b2bf42f6b05b3a9c64b531830b4268d24
SHA512: 436f98941b3627bf1eb38a992aee58e3c2a1122ff3fd566a53847e5aba87fad4d287f4545a43edfbf4f9b6ab008d6bb5fbe42cce124680763e562ef58ea390f9
SSDEEP: 768:OpVuoqbBLfCei7s8sOY5JvW5JxVIAA3FLH6UVrx:OqPbA1sOwJvW5JvIAA3dH
IMPHASH: b477cb958ff28fadb9e15660c99a77fe
Note the Type field: under the .zip name the sandbox reports a PE32 executable, so the extension tells you nothing about what the recipient would actually be running. The hashes above are what to search for in mail logs and endpoint telemetry.
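Pulling the attachment out of the MIME message, checking what it really is by its leading bytes rather than its name, and computing the hashes you would then look up in a threat intelligence platform or sandbox. This is an added example, not code from the original post: the message is a constructed copy of the MIME structure shown above, and the base64 payload is a 128-byte stub that merely starts with the DOS "MZ" signature, not the Upatre sample.

```python
import base64
import hashlib
from email import message_from_string

# Constructed stand-in for the attachment: 128 bytes beginning with the 'MZ'
# signature so the type check fires.  Not an executable, not the real sample.
STUB = b"MZ" + bytes(126)

# Constructed MIME message mirroring the structure shown above.
RAW = """\
From: "Incoming Fax" <Incoming.Fax@slcsecurity.com>
To: docs8@slcsecurity.com
Subject: Incoming Fax
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----=_Next_13154_4863437313.0814823955998"

------=_Next_13154_4863437313.0814823955998
Content-Type: text/plain;
Content-Transfer-Encoding: 8bit

INCOMING FAX REPORT
To download / view please download attached file

------=_Next_13154_4863437313.0814823955998
Content-Type: application/zip; name="Incoming Fax_496-347-5344.zip"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="Incoming Fax_496-347-5344.zip"

""" + base64.b64encode(STUB).decode("ascii") + """
------=_Next_13154_4863437313.0814823955998--
"""

# File signatures worth recognising on a mail gateway (leading bytes -> label).
MAGIC = [
    (b"MZ", "pe"),
    (b"PK\x03\x04", "zip"),
    (b"%PDF", "pdf"),
    (b"\xd0\xcf\x11\xe0", "ole"),
]
# What each extension claims to be, for the mismatch check.
EXT_KIND = {".zip": "zip", ".exe": "pe", ".pdf": "pdf", ".doc": "ole"}


def sniff(data):
    """Classify a blob by its leading bytes; 'unknown' if no signature matches."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return "unknown"


def hashes(data):
    """MD5/SHA1/SHA256 hex digests, the identifiers most intel platforms index on."""
    return {alg: getattr(hashlib, alg)(data).hexdigest() for alg in ("md5", "sha1", "sha256")}


def analyze(raw):
    """Extract every attachment from a raw message and report name, real type,
    extension mismatch and hashes."""
    msg = message_from_string(raw)
    report = []
    for part in msg.walk():
        if part.get_content_disposition() != "attachment":
            continue
        name = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""  # undoes the base64 encoding
        kind = sniff(data)
        ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
        report.append({
            "filename": name,
            "size": len(data),
            "kind": kind,
            "extension_mismatch": ext in EXT_KIND and EXT_KIND[ext] != kind,
            **hashes(data),
        })
    return report


if __name__ == "__main__":
    for entry in analyze(RAW):
        for key, value in entry.items():
            print(f"{key}: {value}")
```

Run against the real message, the `kind` field is what tells you the "zip" is a PE file before anything is opened, and the three digests are what you query the TIP and the sandbox with.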
We are so over these incoming fax messages...