MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subject “eFax message from "02086164497" – 1 page(s), Caller-ID: 208-616-4497”.
This email is sent from the spoofed address “eFax <message@inbound.*******>” and has the following body:
Fax Message [Caller-ID: 208-616-4497]
You have received a 1 page fax at 2014-10-05 11:34:48 GMT.
* The reference number for this fax is lon2_did11-2974913177-8345459349-35.
Please visit https://www.efax.co.uk/myaccount/message/lon2_did11-2974913177-8345459349-35 to view this message in full.
Thank you for using the eFax service!
Screenshot of the email:
The link text displays the genuine efax.co.uk address, but the embedded URL is hxxp://lanuez.cl/wp-content/themes/cityhub/mess.html (a WordPress theme directory on an unrelated site), which leads to a redirect page with the following script:
The script only forwards Windows users on; in all other cases you are redirected to a Google search for eFax, which keeps non-Windows visitors, and casual analysts, away from the payload. Windows visitors land on hxxp://188.8.131.52:8080/ord/ef.html, which shows the following layout and offers the malicious "fax" for download as a ZIP file.
The downloaded ZIP file is named FAX_20141008_1412786088_26.zip and contains a folder FAX_20141008_1412786088_26 holding a 61 kB executable, FAX_20141008_1412786088_26.exe; a genuine fax would be a PDF or image, not an .exe. The numbers in the file names may vary.
The trojan is detected as Malware.QVM20.Gen.
At the time of writing only 1 of the 54 AV engines on VirusTotal detected the trojan, so do not download or run any files from this host.
See the VirusTotal permalink for more detailed information.
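As an added triage example (not part of the original MX Lab post), the following Python script inspects a "fax" ZIP of this kind without extracting it to disk: it lists the members, computes the SHA-256 of each file for a VirusTotal lookup, and flags anything that looks like an executable by extension, double extension, or the MZ header. The sample archive it builds is constructed here to mirror the folder-plus-.exe layout described above; the .exe bytes are a stand-in that only carries the MZ magic, not the real dropper, and the function names are my own.

```python
import hashlib
import io
import posixpath
import zipfile

# Extensions that have no business inside a "fax" attachment.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd",
                         ".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta"}

# Constructed stand-in for the dropper: it only carries the "MZ" DOS header
# magic so that the header check below fires. It is not a real PE file.
SAMPLE_EXE_BYTES = b"MZ" + b"\x00" * 62 + b"constructed stand-in, not a real PE"


def sha256_hex(data: bytes) -> str:
    """Hash an archive member; the digest is what you look up on VirusTotal."""
    return hashlib.sha256(data).hexdigest()


def triage_zip(data: bytes) -> dict:
    """Inspect a ZIP held in memory without extracting it to disk.

    Returns the member list, per-member SHA-256, and the members that look
    like executables together with the reason each one was flagged.
    """
    result = {"members": [], "sha256": {}, "executables": {}}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            result["members"].append(name)
            if info.is_dir():          # folder entries carry no payload
                continue
            payload = zf.read(info)
            result["sha256"][name] = sha256_hex(payload)
            reasons = []
            base = posixpath.basename(name)
            ext = posixpath.splitext(base)[1].lower()
            if ext in EXECUTABLE_EXTENSIONS:
                reasons.append("executable extension " + ext)
            if base.count(".") >= 2:
                reasons.append("double extension")   # e.g. fax.pdf.exe
            if payload[:2] == b"MZ":
                reasons.append("MZ header")          # PE image, whatever the name says
            if reasons:
                result["executables"][name] = reasons
    result["suspicious"] = bool(result["executables"])
    return result


def build_sample_zip(folder: str = "FAX_20141008_1412786088_26") -> bytes:
    """Constructed archive mirroring the layout described in the post:
    a folder named like the ZIP, holding a same-named .exe."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(folder + "/", b"")
        zf.writestr(f"{folder}/{folder}.exe", SAMPLE_EXE_BYTES)
    return buf.getvalue()


def build_benign_zip() -> bytes:
    """Constructed archive with a harmless PDF-looking member, for contrast."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("fax.pdf", b"%PDF-1.4\n% constructed sample, not a real fax\n")
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in (("campaign-style", build_sample_zip()),
                        ("benign", build_benign_zip())):
        r = triage_zip(blob)
        print(label, "->", "suspicious" if r["suspicious"] else "clean")
        for member, reasons in r["executables"].items():
            print("   ", member, "|", ", ".join(reasons), "| sha256", r["sha256"][member])
```

Reading the members through `zipfile` keeps the dropper off the filesystem, so nothing is written where a double-click or an over-eager AV exclusion could run it; the MZ check catches a PE that has been renamed to a document extension, which the extension list alone would miss.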