Threat Outbreak Alert: Fake eFax Message Notification E-mail Messages

Description

Cisco Security Intelligence Operations has detected significant activity related to spam e-mail messages that claim to contain a fax message notification for the recipient. The text in the e-mail message attempts to persuade the recipient to open the attachment and view the details. However, the .zip attachment contains a malicious .exe file that, when executed, attempts to infect the system with malicious code.

E-mail messages that are related to this threat (RuleID5068) may contain the following files:
FAX_20130114_1354584611.zip
FAX_20130114_1354584611.exe

The FAX_20130114_1354584611.exe file in the FAX_20130114_1354584611.zip attachment has a file size of 112,128 bytes. The MD5 checksum, which is a unique identifier of the executable, is the following string: 0x289C6A8C221C62AFC38B60696D26B1D3

The following text is a sample of the e-mail message that is associated with this threat outbreak:
Subject: Corporate eFax message from "954-797-7448" - 16 page(s)

Message Body:

You have received a 16 page(s) fax at 2013-01-14 03:14:32 CST.
* The reference number for this fax is latf1_did11-1380619108-3440868160-49.
Please visit www.efaxcorporate.com/corp/twa/page/customerSupport if you have
any questions regarding this message or your service. You may also e-mail
our corporate support department at corporatesupport@mail.efax.com.
Thank you for using the eFax Corporate service!
2013 j2 Global, Inc. All rights reserved.
eFax Corporate is a registered trademark of j2 Global, Inc

and


E-mail messages that are related to this threat (RuleID5072) may contain the following files:
Efax_Corporate_MSG_FX_N9927399274.exe
Efax_Corporate_fax.zip
The Efax_Corporate_MSG_FX_N9927399274.exe  file in the Efax_Corporate_fax.zip attachment has a file size of 151,552 bytes. The MD5 checksum, which is a unique identifier of the executable, is the following string: 0x542F693D3BDD3BD548D6E24C283E3E70.

The following text section is a sample of the e-mail message that is associated with this threat outbreak:
Subject: Efax Corporate

Message Body:

Fax Message [Caller-ID: 113032238]
You have received a 25 pages fax at Tue, 15 Jan 2013 02:23:15
* The reference number for this fax is [eFAX-755996467].
View attached fax using your PDF reader.




Source: Cisco