Subtleties of Deception

November 26, 2013 | by Fred Touchette | AppRiver, Digital Degenerate, fax, malware, RingCentral, securetide, Zeus

When you get right down to it, a major focus of cybercriminals is social engineering. It's with these tools and techniques that they are able to separate their targets from their money or data (which also ends up translating to money in the end). It has become very common to attach a malicious file to an email that's been cleverly themed to trick its recipients into executing the attachment. Oftentimes the author tries to use fear as the motivator. Such is the case when they send fake invoices for things the recipient never ordered, prompting a stressed-out feeling that perhaps someone has gotten hold of one of their credit cards and is making fraudulent charges on their account.

Other times, however, they're more subtle, instead trying to fly under the radar. Such is the case with one of several techniques we're seeing hit our filters as we speak. This particular campaign is looking to target users of the cloud communications company RingCentral. RingCentral is a VoIP communications system hosted in the cloud. Companies use services like this when they're trying to avoid purchasing extra hardware or hiring the staff required to operate a new phone/communications network. One great feature of today's VoIP systems such as RingCentral's is the ability for the system itself to collect missed messages and send them to your email address, so that if you're out of the office you can still get your missed voicemails or faxes in near real time and continue with business without missing a beat. This malware campaign is mimicking notifications from RingCentral. The idea here is not to alarm the recipient, as a receipt for a thousand-dollar purchase would do, but instead to get the intended victim on auto-pilot so that they just click through as they normally would when they receive one of these common notification emails.

This particular attack comes with an attachment built to look like a PDF document named "fax.pdf". However, there is another hidden extension at the end, making it "fax.pdf.exe", which is never a normal thing. Notifications will never be in an executable file.
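A mail filter can catch this naming pattern before the message is delivered. The following is an added example, not AppRiver's filter code: it walks the MIME parts of a message and flags any attachment whose real (last) extension is executable while a document extension sits directly in front of it. The extension lists, function names and the sample message are assumptions constructed for the illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# Assumed lists for this example; a production filter would carry longer ones.
DOC_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "tif", "wav", "txt"}
EXEC_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs"}

def is_disguised_executable(filename):
    """True for names such as 'fax.pdf.exe': executable last extension,
    document extension immediately before it."""
    # Keep only the base name; Windows ignores trailing dots and spaces.
    name = filename.replace("\\", "/").rsplit("/", 1)[-1]
    name = name.strip().rstrip(". ").lower()
    parts = [p.strip() for p in name.split(".")]
    if len(parts) < 3:              # need stem + shown ext + real ext
        return False
    shown_ext, real_ext = parts[-2], parts[-1]
    return real_ext in EXEC_EXTS and shown_ext in DOC_EXTS

def flag_attachments(raw_message):
    """Return the file names of all disguised executables in a raw message."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.walk():
        fname = part.get_filename()   # None for parts without a file name
        if fname and is_disguised_executable(fname):
            hits.append(fname)
    return hits

def build_sample(attachment_name):
    """Constructed test message with a harmless placeholder attachment."""
    msg = EmailMessage()
    msg["Subject"] = "New Fax Message"            # constructed
    msg.set_content("You have received a new fax.")
    msg.add_attachment(b"placeholder bytes", maintype="application",
                       subtype="octet-stream", filename=attachment_name)
    return msg.as_bytes()

if __name__ == "__main__":
    for name in ("fax.pdf.exe", "fax.pdf", "setup.exe"):
        print(name, "->", flag_attachments(build_sample(name)))
```

The check looks only at the file name, so it complements content inspection of the attachment and does not replace it.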

This file has all of the same characteristics as a Zeus downloader: it checks for a debugger, injects itself into running processes, copies itself into startup areas, modifies the local firewall policy, and makes a connection to its command and control server for further payloads and instructions.

Concurrent with this campaign, we're also seeing similar themes posing as JConnect, eFax, Xerox, and DocuSign, all pretending to be voicemails and faxes but in reality having something a little more sinister in mind. Currently we at AppRiver have all of these blocked, and our clients won't have to see them.