Wednesday, August 5, 2015

Are we tired of this already??? - A look at the notorious Inbound Fax Messages

As most of you already know the incoming fax messages that show up in your email are infected. Many admins already block the content (as do we). Over the past few years we have noted several different malware variants being emailed into organizations in this way so we wanted to revisit it.

Let's look at the message (some items redacted)
From hqkojrw@brainspinepro.com Thu Jul 30 12:05:30 2015
Received: from [116.58.202.20] (port=52406 helo=banglalinkgsm.com)
 by www.slcsecurity.com with esmtp (Exim 4.85)
 (envelope-from <hqkojrw@brainspinepro.com>)
 id 1ZKqKh-0003xS-Pv; Thu, 30 Jul 2015 12:05:29 -0400
Received: from 9197.slcsecurity.com (10.34.222.15) by slcsecurity.com (10.0.0.89) with Microsoft SMTP Server id 2Z31JORQ; Thu, 30 Jul 2015 21:11:59 +0600
Date: Thu, 30 Jul 2015 21:11:59 +0600
From: "Incoming Fax" <Incoming.Fax@slcsecurity.com>
X-MS-Has-Attach: yes
X-MS-Exchange-Organization-SCL: -1
X-MS-TNEF-Correlator: <31DA69X079P7LBBJSZI4VZ7CIPTWMO758HB32B@slcsecurity.com>
X-MS-Exchange-Organization-AuthSource: N1H9TKQAUB454EE@slcsecurity.com
X-MS-Exchange-Organization-AuthAs: Internal
X-MS-Exchange-Organization-AuthMechanism: 08
X-MS-Exchange-Organization-AVStamp-Mailbox: MSFTFF;8;0;0 0 0
X-Priority: 3 (Normal)
Message-ID: <M3GL0YSLTX1N4Q9Q9OBT1X1PMHSYE0S37QZ6GW@slcsecurity.com>
To: docs8@slcsecurity.com
Subject: Incoming Fax
MIME-Version: 1.0
Content-Type: multipart/mixed;
  boundary="----=_Next_13154_4863437313.0814823955998"
X-Spam-Status: No, score=0.3
X-Spam-Score: 3
X-Spam-Bar: /
X-Ham-Report: Spam detection software, running on the system "www.slcsecurity.com",
 has NOT identified this incoming email as spam.  The original
 message has been attached to this so you can view it or label
 similar future email.  If you have any questions, see
 root\@localhost for details.
 
 Content preview:  INCOMING FAX REPORT Date/Time: Thu, 30 Jul 2015 21:11:59
   +0600 Speed: 4393bps Connection time: 03:07 Pages: 5 Resolution: Normal Remote
    ID: 496-347-5344 Line number: 2 DTMF/DID: Description: Internal only [...]
    
 
 Content analysis details:   (0.3 points, 5.0 required)
 
  pts rule name              description
 ---- ---------------------- --------------------------------------------------
  0.0 HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level mail
                             domains are different
  0.0 SPF_HELO_FAIL          SPF: HELO does not match SPF record (fail)
 [SPF failed: Please see http://www.openspf.org/Why?s=helo;id=banglalinkgsm.com;ip=116.58.202.20;r=www.slcsecurity.com]
 -1.9 BAYES_00               BODY: Bayes spam probability is 0 to 1%
                             [score: 0.0000]
  0.0 RCVD_IN_MSPIKE_BL      Mailspike blacklisted
  0.8 RDNS_NONE              Delivered to internal network by a host with no rDNS
  1.4 RCVD_IN_MSPIKE_ZBI     No description available.
X-Spam-Flag: NO
X-BoxTrapper-Match: white: 99: incoming.fax@slcsecurity.com

------=_Next_13154_4863437313.0814823955998
Content-Type: text/plain; 
Content-Transfer-Encoding: 8bit

*********************************************************
INCOMING FAX REPORT
*********************************************************

Date/Time: Thu, 30 Jul 2015 21:11:59 +0600
Speed: 4393bps
Connection time: 03:07
Pages: 5
Resolution: Normal
Remote ID: 496-347-5344
Line number: 2
DTMF/DID:
Description: Internal only

To download / view please download attached file

*********************************************************

------=_Next_13154_4863437313.0814823955998
Content-Type: application/zip; name="Incoming Fax_496-347-5344.zip"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="Incoming Fax_496-347-5344.zip"


As you can see the message makes it through the spam filter. It also makes it by boxtrapper without detection because of the spoofed domain. So let's have a look and see what we can find out about the incoming "fax" message. 

A phone number appears as 496-347-5344. Well we can tell you right off that if this is an SLC Security Services employee we must have an office in cyberspace somewhere because area code 496 doesn't exist. This just goes to show that these actors are blindly making up information to try and make it look legit. Normally I would just stop here but let's keep going and have a closer look. 

The source of the message is 116.58.202.20 so let's look and see what SLC Security Services LLC Threat Intelligence Platform knows about this IP. 

So after a quick search by IP source here is what we find:

Event ID 454  
Org SLC Security Services LLC   
Email
soc@slcsecurity.com  
Tags
TLP:AMBER 
Source Malware   
Description
Upatre Sample Received by Customers

So as you can see it's not the first time we have seen this particular malware from this source. 

Let's look at the binary attachment:

When sending this to the sandbox immediately the file is identified as a threat:
Incoming Fax_496-347-5344.zip
Submitted on August 3rd 2015 17:27:24 (CDT) with target system Windows 7 32 bit
Report generated by VxStream Sandbox v2.10 © Payload Security

41/55 Antivirus vendors marked sample as malicious (74% detection rate)

Filename Incoming Fax_496-347-5344.zip
Size 47KiB (47616 bytes)
Type PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Architecture 32 Bit
MD5 7e01d9705da0a983af63906edffb5b08
SHA1 63433b4a2ced77ed330327b0cdb6704edc811654
SHA256 e11575f7d8abee81f345f6a754d0d42b2bf42f6b05b3a9c64b531830b4268d24
SHA512 436f98941b3627bf1eb38a992aee58e3c2a1122ff3fd566a53847e5aba87fad4d287f4545a43edfbf4f9b6ab008d6bb5fbe42cce124680763e562ef58ea390f9
SSDEEP 768:OpVuoqbBLfCei7s8sOY5JvW5JxVIAA3FLH6UVrx:OqPbA1sOwJvW5JvIAA3dH
IMPHASH b477cb958ff28fadb9e15660c99a77fe

We are so over these incoming fax messages...

No comments:

Post a Comment