Fake eFax spam uses hacked Sharepoint to spread malware

This fake fax leads to a malicious ZIP file:

From:    eFax [message@inbound-efax.org]
Date:    29 November 2016 at 16:01
Subject:    eFax message from “61 2 97855412” – 2 page(s)

Fax Message

You have received a 2 page fax at 11/29/2016 5:01:13 PM.

* The reference number for this fax is syd1_did12-5405183509-083357256-5.

Click here to view this fax message.

Please visit www.efax.com/en/online_fax_FAQ if you have any questions regarding this message or your service.

Thank you for using the eFax service!
Home     Contact     Login
Powered by j2

© 2012 j2 Global Communications, Inc. All rights reserved.
eFax® is a registered trademark of j2 Global Communications, Inc.

This account is subject to the terms listed in the eFax® Customer Agreement.

The link in the email goes to a hacked Sharepoint account, in this case:

https://supremeselfstorage-my.sharepoint.com/personal/andrew_supremeselfstorage_com_au/_layouts/15/guestaccess.aspx?guestaccesstoken=GTQPc%2brKLAsKHba4nXtvl0hXrBsUmCUxoYGuu9msk0U%3d&docid=0c4b96dfd3319496a8feb1a56d88de679&rev=1

It seems to belong to a legitimate company, but maybe one that has suffered an Office 365 compromise.

The ZIP file it leads to is named Fax_11292016.zip (there may be other versions) containing two identical scripts named

Fax_11292016_page1.js
Fax_11292016_page2.js

that look like this.
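As an added example (not part of the original post) of how a mail gateway or triage script could flag archives like Fax_11292016.zip: the function below inspects an in-memory ZIP and reports script members, archives made up of nothing but scripts, and members that are byte-for-byte identical under different names, which is the pattern described above (one script shipped twice as "page1" and "page2"). The sample archive is constructed here with a harmless placeholder body; the real script's contents are not on this page and are not reproduced.

```python
import hashlib
import io
import os
import zipfile

# Extensions the Windows Script Host or mshta.exe will run on double-click.
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta"}


def triage_zip(zip_bytes):
    """Inspect an in-memory ZIP attachment and return a list of finding strings.

    Flags script members, archives consisting solely of scripts, and members
    whose contents are identical under different names."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        members = [m for m in zf.infolist() if not m.is_dir()]
        scripts = [m.filename for m in members
                   if os.path.splitext(m.filename)[1].lower() in SCRIPT_EXTENSIONS]
        if scripts:
            findings.append("script member(s): " + ", ".join(scripts))
        if members and len(scripts) == len(members):
            findings.append("archive contains nothing but scripts")
        # Group members by content hash to spot one payload shipped under several names.
        by_digest = {}
        for m in members:
            digest = hashlib.sha256(zf.read(m)).hexdigest()
            by_digest.setdefault(digest, []).append(m.filename)
        for names in by_digest.values():
            if len(names) > 1:
                findings.append("identical content under different names: " + ", ".join(names))
    return findings


def build_sample_zip(names, body):
    """Construct a ZIP in memory where every member holds the same body (constructed sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name in names:
            zf.writestr(name, body)
    return buf.getvalue()


def lure_sample():
    # Member names mirror the campaign; the body is a harmless placeholder,
    # not the real dropper script, which this example does not reproduce.
    return build_sample_zip(["Fax_11292016_page1.js", "Fax_11292016_page2.js"],
                            "// constructed placeholder body\n")


def benign_sample():
    # A single PDF member, as a genuine fax attachment might look (constructed).
    return build_sample_zip(["Fax_11292016.pdf"], "%PDF-1.4 constructed placeholder\n")


if __name__ == "__main__":
    for label, sample in (("lure", lure_sample()), ("benign", benign_sample())):
        print(label, triage_zip(sample) or ["no findings"])
```

The identical-content check is the one worth keeping even when a campaign changes extensions: a lure that bundles the same bytes under several "page" names has no legitimate reason to exist.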

Hybrid Analysis of the script indicates this is Nymaim, downloading a component from:

siliguribarassociation.org/images/staffs/documetns.png

A malicious EXE is dropped with an MD5 of bdf952b2388bf429097b771746395a4c and a detection rate of 9/56. The malware then phones home to:

stengeling.com/20aml/index.php

The domain stengeling.com appears to have been created for this malware and has anonymous registration details. It is apparently multihomed on the following IPs:

4.77.129.110
18.17.224.92
31.209.107.100
37.15.90.12
43.132.208.7
45.249.111.213
52.61.200.235
61.25.216.8
67.25.164.206
74.174.194.169
88.214.198.162
92.74.29.236
111.241.115.90
115.249.171.24
119.71.196.177
135.55.94.211
143.99.241.18
147.89.60.135
156.180.11.60
162.74.9.51
168.227.171.254
176.114.21.171
184.131.179.44
207.77.174.212

Each of those IPs appears to be a hacked legitimate host, with a high turnover of IPs. Those IPs appear to be associated with the following domains that may be worth blocking:

butestsis.com
sievecnda.com
specsotch.com
crileliste.com
stengeling.com
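An added example, not from the original post, that turns the indicators listed above into a small matcher and runs it over constructed proxy-log lines (the log format and the sample lines are made up for this example, not taken from any product). Because the post says the IPs are hacked legitimate hosts with high turnover, the matcher scores an IP-only hit as low confidence and reserves high confidence for the five domains, the two URLs and the dropped EXE's MD5.

```python
import re
from urllib.parse import urlsplit

# Indicators copied from the write-up above.
C2_DOMAINS = {"stengeling.com", "butestsis.com", "sievecnda.com",
              "specsotch.com", "crileliste.com"}
KNOWN_URLS = {"siliguribarassociation.org/images/staffs/documetns.png",  # second stage
              "stengeling.com/20aml/index.php"}                            # check-in
DROPPED_EXE_MD5 = "bdf952b2388bf429097b771746395a4c"
# The write-up notes these are hacked legitimate hosts with high turnover, so a
# bare IP hit is treated as low confidence rather than blocked outright.
C2_IPS = {"4.77.129.110", "18.17.224.92", "31.209.107.100", "37.15.90.12",
          "43.132.208.7", "45.249.111.213", "52.61.200.235", "61.25.216.8",
          "67.25.164.206", "74.174.194.169", "88.214.198.162", "92.74.29.236",
          "111.241.115.90", "115.249.171.24", "119.71.196.177", "135.55.94.211",
          "143.99.241.18", "147.89.60.135", "156.180.11.60", "162.74.9.51",
          "168.227.171.254", "176.114.21.171", "184.131.179.44", "207.77.174.212"}


def _in_domain(host, domain):
    return host == domain or host.endswith("." + domain)


def match_event(event):
    """Score one event (keys url, host, ip, md5, all optional).

    Returns (confidence, reasons): 'high' for a domain, URL or hash hit,
    'low' for an IP-only hit, None when nothing matched."""
    reasons = []
    high = False
    host = (event.get("host") or "").lower()
    url = event.get("url")
    if url:
        parts = urlsplit(url)
        host = (parts.hostname or host).lower()
        stripped = host + parts.path          # scheme and query dropped for comparison
        if stripped in KNOWN_URLS:
            reasons.append("known campaign URL " + stripped)
            high = True
    for domain in sorted(C2_DOMAINS):
        if host and _in_domain(host, domain):
            reasons.append("C2 domain " + domain)
            high = True
    if event.get("ip") in C2_IPS:
        reasons.append("C2 IP " + event["ip"] + " (hacked host, high turnover)")
    if (event.get("md5") or "").lower() == DROPPED_EXE_MD5:
        reasons.append("dropped EXE MD5 " + DROPPED_EXE_MD5)
        high = True
    if not reasons:
        return None, []
    return ("high" if high else "low"), reasons


# Constructed proxy log format for this example: ts client method url dst_ip
PROXY_LINE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")


def scan_proxy_log(lines):
    """Return one hit record per matching line, with its confidence and reasons."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = PROXY_LINE.match(line.strip())
        if not m:
            continue
        ts, client, method, url, dst_ip = m.groups()
        confidence, reasons = match_event({"url": url, "ip": dst_ip})
        if confidence:
            hits.append({"line": n, "client": client,
                         "confidence": confidence, "reasons": reasons})
    return hits


# Constructed sample lines; client addresses and the benign hosts are placeholders.
SAMPLE_LOG = [
    "2016-11-29T16:05:12Z 10.0.0.15 GET http://siliguribarassociation.org/images/staffs/documetns.png 198.51.100.7",
    "2016-11-29T16:05:40Z 10.0.0.15 POST http://stengeling.com/20aml/index.php 31.209.107.100",
    "2016-11-29T16:06:02Z 10.0.0.22 GET http://www.example.com/index.html 93.184.216.34",
    "2016-11-29T16:07:11Z 10.0.0.31 GET http://cdn.example.net/update.bin 4.77.129.110",
]

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(hit["line"], hit["client"], hit["confidence"], "; ".join(hit["reasons"]))
```

The fourth sample line shows the caveat in action: a connection to one of the listed IPs by itself only earns a low-confidence hit, which is the right level for a pool of compromised hosts that the post says churns quickly; the domain and URL indicators are the ones that justify a block.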

Source: Dynamoo’s Blog @ November 29, 2016 at 12:34PM
