{"id":14820,"date":"2013-10-22T12:00:26","date_gmt":"2013-10-22T18:00:26","guid":{"rendered":"https://www.webroot.com/blog/?p=14820"},"modified":"2018-10-05T12:59:12","modified_gmt":"2018-10-05T18:59:12","slug":"fake-scanned-image-xerox-workcentre-themed-emails-lead-malware","status":"publish","type":"post","link":"https://www.webroot.com/blog/2013\/10\/22\/fake-scanned-image-xerox-workcentre-themed-emails-lead-malware\/","title":{"rendered":"Fake ‘Scanned Image from a Xerox WorkCentre’ themed emails lead to malware"},"content":{"rendered":"

We’ve intercepted a currently circulating malicious spam campaign, tricking users into thinking that they’ve received a scanned document sent from a Xerox WorkCentre Pro device<\/strong><\/a>. In reality, once users execute the malicious attachment, the cybercriminal(s) behind the campaign gain complete control over the now infected host.<\/p>\n

<\/p>\n

Sample screenshots of the spamvertised malicious email:<\/strong><\/p>\n

\"Email_Spam_Malicious_Fake_Social_Engineering_Malware_Malicious_Software_Xerox_WorkCentre_Pro\"<\/a><\/p>\n

Detection rate for the malicious attachment:<\/strong> MD5: 1a339ecfac8d2446e2f9c7e7ff639c56<\/strong><\/a> – detected by 17 out of 48 antivirus scanners as TROJ_UPATRE.AX; Heuristic.LooksLike.Win32.SuspiciousPE.J!89.<\/p>\n

Once executed, the sample starts listening on ports 2544 and 7718.<\/p>\n

It then creates the following Mutexes on the affected hosts:
\nLocal\\{B0B9FAFD-CA9C-4B54-DBC9-BE58FA349D4A}
\nLocal\\{B0B9FAFC-CA9D-4B54-DBC9-BE58FA349D4A}
\nGlobal\\{0BB5ADEF-9D8E-F058-DBC9-BE58FA349D4A}
\nGlobal\\{D15F4CE9-7C88-2AB2-DBC9-BE58FA349D4A}
\nGlobal\\{D15F4CEE-7C8F-2AB2-DBC9-BE58FA349D4A}
\nGlobal\\{DDB39BDC-ABBD-265E-DBC9-BE58FA349D4A}
\nGlobal\\{BB67AFC4-9FA5-408A-DBC9-BE58FA349D4A}
\nGlobal\\{5492A9EF-998E-AF7F-11EB-B06D3016937F}
\nGlobal\\{5492A9EF-998E-AF7F-75EA-B06D5417937F}
\nGlobal\\{5492A9EF-998E-AF7F-4DE9-B06D6C14937F}
\nGlobal\\{5492A9EF-998E-AF7F-65E9-B06D4414937F}
\nGlobal\\{5492A9EF-998E-AF7F-89E9-B06DA814937F}
\nGlobal\\{5492A9EF-998E-AF7F-BDE9-B06D9C14937F}
\nGlobal\\{5492A9EF-998E-AF7F-51E8-B06D7015937F}
\nGlobal\\{5492A9EF-998E-AF7F-81E8-B06DA015937F}
\nGlobal\\{5492A9EF-998E-AF7F-FDE8-B06DDC15937F}
\nGlobal\\{5492A9EF-998E-AF7F-0DEF-B06D2C12937F}
\nGlobal\\{5492A9EF-998E-AF7F-5DEF-B06D7C12937F}
\nGlobal\\{5492A9EF-998E-AF7F-F1EE-B06DD013937F}
\nGlobal\\{5492A9EF-998E-AF7F-89EB-B06DA816937F}
\nGlobal\\{5492A9EF-998E-AF7F-F9EF-B06DD812937F}
\nGlobal\\{5492A9EF-998E-AF7F-E5EF-B06DC412937F}
\nGlobal\\{5492A9EF-998E-AF7F-0DEE-B06D2C13937F}
\nGlobal\\{5492A9EF-998E-AF7F-09ED-B06D2810937F}
\nGlobal\\{5492A9EF-998E-AF7F-51EF-B06D7012937F}
\nGlobal\\{5492A9EF-998E-AF7F-35EC-B06D1411937F}
\nGlobal\\{2E1C200D-106C-D5F1-DBC9-BE58FA349D4A}<\/p>\n

Drops the following MD5s:<\/strong>
\nMD5: 1a339ecfac8d2446e2f9c7e7ff639c56
\nMD5: 17c78eb30d31161e9aed1ea25889e423
\nMD5: 09bbe8cd0cfe7770a62faa68723c8804
\nMD5: d1a55715c1360daab7882bf45e820b31<\/p>\n

And phones back to:<\/strong>
\nsmclan.com – 209.236.71.58<\/p>\n

The following malicious domains are also currently responding to the same IP:<\/strong>
\nbeebled.com
\ncoffeeofgold.com
\nlearnpkpd.com
\nsmclan.com
\nwordpressonwindows.com
\nadgnow.com
\neddietobey.com
\nkestrel.aero<\/p>\n

And the following malicious domains are known to have responded to the same IP:<\/strong>
\natrocitycomplex.com
\ngetdailypaymentsnow.com
\ngiltnetwork.com
\nheartlessbastardseo.com
\njuanherreraplaza.com
\nlandings.romancesdiscretos.com
\nmydecay.com
\nrevoluza-coupon.com
\nteam4048.org
\ncareerfortune.com
\njustsaylovemovie.com
\nkassysgroup.com
\nstagewrightfilms.com
\nzachary-scott.com<\/p>\n

Webroot\u00a0SecureAnywhere<\/a><\/strong>\u00a0users are proactively protected from these threats.<\/p>\n","protected":false},"excerpt":{"rendered":"

We’ve intercepted a currently circulating malicious spam campaign, tricking users into thinking that they’ve received a scanned document sent from a Xerox WorkCentre Pro device. In reality, once users execute the malicious attachment, the cybercriminal(s) behind the campaign gain complete control over the now infected host.<\/p>\n","protected":false},"author":65,"featured_media":17052,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[3005],"tags":[],"yst_prominent_words":[6151,5593,3881,4045,4043,4065,5723,5727,5717,5725,4029,3875,6153,3529],"acf":[],"_links":{"self":[{"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/posts\/14820"}],"collection":[{"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/users\/65"}],"replies":[{"embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/comments?post=14820"}],"version-history":[{"count":12,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/posts\/14820\/revisions"}],"predecessor-version":[{"id":25739,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/posts\/14820\/revisions\/25739"}],"wp:featuredmedia":[{"embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/media\/17052"}],"wp:attachment":[{"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/media?parent=14820"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/categories?post=14820"},{"taxonomy":"post_tag","embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/tags?post=14820"},{"taxonomy":"yst_prominent_words","embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/yst_prominent_words?post=14820"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}