Fax notification email aims to infect your PC

Computer users have often been warned to be wary of opening unsolicited email attachments because of the risk of malware infection, and yet many continue to be infected via precisely this method.

In other words, the malicious hackers attempting to infect your PC don’t need to take advantage of any zero-day exploits in your software. All they need to do is concoct the right camouflage for their email to fool you into clicking without thinking.

One of the most common disguises seen in spammed-out malware campaigns in recent years is that of the “incoming fax”.

Now, if you’re anything like me, then chances are that you no longer find yourself regularly interacting with a fax machine, but that doesn’t mean that fax machines have entirely disappeared.

Fax machines today are often connected to business networks, and give you the ability to send faxes just as simply as sending an email message, and they also allow you to receive faxes from the outside world directly in your email inbox.

And that’s why you need to be on your guard for attacks like the one I found in my inbox this week.

Subject: You have received a new fax, document 00319563

Attached file: scan_00319653.zip

Message body:

You have a new fax!

Please download attached fax document.

Scanned: Mon, 26 Oct 2015 03:02:15 +0300
Scan duration: 12 seconds
Resolution: 400 DPI
File name: scan_00319563.doc
Number of pages: 12
Scanned by: Arthur Lawson
Filesize: 137 Kb

Thank you for using Interfax!

Of course, it’s possible that the precise wording and details may be different in any samples that you might see.

So, the big question is – would you click on the attachment to open the ZIP file?

Hopefully you would be more cautious than that, but if you were to investigate the alleged fax you would find a file inside with a .DOC.JS double-extension.

The file, which contains malware detected by Bitdefender as JS:Trojan.JS.Downloader.AR, exploits the age-old problem of how Windows handles files with more than one extension. It probably seemed like a good idea to Bill Gates once, but the truth of the matter is that for many years criminals have been taking advantage of the fact that Windows will, by default, hide the last extension of files.

Malware authors take advantage of this fact by giving their creations more than one extension, for instance .DOC.JS, in order to disguise the real contents of the file.

A classic example of this is the Love Bug worm which spread in May 2000, using a file called LOVE-LETTER-FOR-YOU.txt.vbs. Recipients received the Love Bug email and mistook the attachment for a harmless text file rather than a potentially dangerous Visual Basic Script.
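One way a mail gateway or triage script could flag the double-extension trick described above, shown as an added example that is not from the original article or from Bitdefender. The extension lists, function names and the sample ZIP (harmless placeholder content under a constructed file name) are assumptions made for illustration.

```python
import io
import zipfile

# Assumed lists for illustration; tune them for your own environment.
SCRIPT_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta",
               ".scr", ".exe", ".bat", ".cmd", ".lnk"}
DECOY_EXTS = {".doc", ".docx", ".pdf", ".txt", ".xls", ".xlsx", ".rtf", ".jpg"}


def classify_name(name):
    """Return 'double-extension', 'executable', or None for one file name."""
    # Keep only the final path component; Windows ignores trailing dots and
    # spaces, so strip them before deciding what the real extension is.
    base = name.replace("\\", "/").rsplit("/", 1)[-1].rstrip(". ").lower()
    # Padding spaces before the real extension are a common variant, so strip.
    exts = ["." + part.strip() for part in base.split(".")[1:]]
    if not exts or exts[-1] not in SCRIPT_EXTS:
        return None
    if len(exts) >= 2 and exts[-2] in DECOY_EXTS:
        return "double-extension"   # e.g. .doc.js shown as ".doc" in Explorer
    return "executable"


def scan_zip(data):
    """List (entry name, verdict) for every suspicious entry in a ZIP blob."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            verdict = classify_name(info.filename)
            if verdict:
                findings.append((info.filename, verdict))
    return findings


def build_sample_zip():
    """Constructed sample: placeholder text only, no real malware."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("scan_00319563.DOC.JS", "// placeholder content")
        zf.writestr("readme.txt", "benign")
    return buf.getvalue()


if __name__ == "__main__":
    for name, verdict in scan_zip(build_sample_zip()):
        print(f"{verdict}: {name}")
```

The check only reads entry names from the archive's directory and never extracts or executes anything, so it is safe to run on quarantined attachments.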

In this case the JS file is double-obfuscated, in an attempt to hide its true purpose from computer users. However, once decrypted it becomes clear that it attempts to reach three separate domains on the web (one presumes of hacked websites) in order to download further malware onto users’ computers.

Bitdefender researchers have identified that the malware which is downloaded relates to Boaxxe/Miuref (detected by Bitdefender as Trojan.GenericKD.2827496), CoreBot (detected as Gen:Variant.Kazy.759022), and Jaik (detected as Gen:Variant.Jaik.9143).

It should go without saying that keeping the security of your computer up-to-date is an important defence in the fight against malware attacks, but so is best practice and common sense.

If you’re not expecting a fax, and if you don’t recognise fax notifications like the one used in this attack as technology running on your network, then you should instantly be suspicious and not make life easy for the hackers.

Sadly there are many others out there who might fall for malicious campaigns like this. Just don’t let your computer be the next malware casualty.

Thanks to Bitdefender senior analyst Bogdan Botezatu for his assistance with this article.
