SANS ISC: efax Spam Containing Malware - SANS Internet Storm Center SANS ISC InfoSec Forums
efax Spam Containing Malware

Beware of efax messages that may come to your email inbox. This week I received my first efax spam with a source address of "Fax Message []" which contained a link that led to malware. The link has since been removed.

efax Spam

On efax's website, they indicate that if you are receiving fax spam you should submit the fax via their online form, and they "will attempt to prevent further transmission of junk faxes from the source."[2]



Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot edu


522 Posts
ISC Handler
Jun 8th 2014
Would you mind sharing the hash of malware involved? One of these hit my mail server from a Tampa, FL, Verizon FIOS on 28 May, but by the time I had a chance to review the spoofed email, the email's DropBox link had been taken down/disabled.

Edited, dupe post
Been seeing a few Dropbox-linked malware, bank ones too...

ClamAV Sanesecurity signatures are blocking them...

21 Posts
I no longer have the hash for this file and the link is now dead. The link was:

https:// www[dot]dropbox[dot]com/meta_dl/eyJzdWJfcGF0aCI6ICIiLCAidGVzdF9saW5rIjogZmFsc2UsICJzZXJ2ZXIiOiAiZGwuZHJvcGJveHVzZXJjb250ZW50LmNvbSIsICJpdGVtX2lkIjogbnVsbCwgImlzX2RpciI6IGZhbHNlLCAidGtleSI6ICJpcWVxeDdocmpobnJpeHoifQ/AANvZsHohmMz8XZLiCizpVrbOVy_Unf1bJ2NSGSwCy9E5w?dl=1

522 Posts
ISC Handler
What's the point of submitting a spam report to The email didn't originate from their systems.

1 Posts
Several users of my company received the exact same email (verified the link was 100% equal), and fell for it.
It ended up being CryptoLocker.
We are now implementing the protections in a reactive way.
4 Posts
The malware being dropped in these samples was CryptoWall. I did a deep-dive into their infrastructure here:

Let me know if you need the malware sample.


2 Posts
One thing to keep in mind is these messages are not coming from eFax servers; there is very little eFax can do to stop these messages.

BTW one of my users here at the office got hit by one of these... at least one of the payloads was CryptoLocker.
3 Posts
Nice, thanks, Ronnie. Your interesting analysis was so thorough that it sufficiently quenched my thirst for the sample. Still, posting a hash would be appreciated.
Interesting. A handful of my users received this today claiming to be a voicemail. Testing shows the link is not valid.

From: Voice Mail []
Sent: Tuesday, June 10, 2014 8:29 AM
Subject: [BULK] voice message from 765-398-7466 for mailbox 215
Importance: Low

You have received a voice mail message from 765-398-7466 Message length is 00:00:33. Message size is 290 KB.

Download your voicemail message from dropbox service (Dropbox Inc.):

1 Posts
eFax could implement DMARC and eliminate spoofed mails.

7 Posts
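The thread's three observations (a spoofed "Fax Message"/"Voice Mail" display name, a Dropbox direct-download link, and mail that eFax never sent and that DMARC would therefore fail) can be turned into a simple gateway-side triage check. This is an added example, not code from the diary or any commenter; the sample message and its From domain are constructed, and it assumes the receiving MTA stamps an Authentication-Results header with the DMARC verdict.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Display names the thread reports being spoofed ("Fax Message", "Voice Mail").
LURE_NAMES = re.compile(r"\b(fax message|voice ?mail)\b", re.I)
# Dropbox links that force a direct download (?dl=1), as in the link quoted above.
DROPBOX_DL = re.compile(r"https?://(?:www\.)?dropbox\.com/\S*[?&]dl=1", re.I)


def classify(raw):
    """Return the list of reasons a raw RFC 5322 message looks like the fax/voicemail lure.

    An empty list means none of the three indicators matched.
    """
    msg = email.message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(msg.get("From", ""))
    reasons = []
    if LURE_NAMES.search(name):
        reasons.append("lure display name: %r" % name)
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    if DROPBOX_DL.search(text):
        reasons.append("dropbox direct-download link in body")
    # Assumption: the gateway records the DMARC result here (RFC 8601 style).
    auth = str(msg.get("Authentication-Results", ""))
    if "dmarc=fail" in auth.lower():
        reasons.append("DMARC fail for From domain %s" % addr.split("@")[-1])
    return reasons


# Constructed sample modelled on the voicemail lure quoted in the thread;
# the sender domain and the Dropbox path are placeholders.
SAMPLE = """\
From: Voice Mail <voicemail@example-fax.invalid>
Subject: [BULK] voice message from 765-398-7466 for mailbox 215
Authentication-Results: mx.example.invalid; dmarc=fail header.from=example-fax.invalid
Content-Type: text/plain

You have received a voice mail message from 765-398-7466. Message length is 00:00:33.
Download your voicemail message from dropbox service (Dropbox Inc.):
https://www.dropbox.com/meta_dl/PLACEHOLDER/PLACEHOLDER?dl=1
"""

if __name__ == "__main__":
    for reason in classify(SAMPLE):
        print("FLAG:", reason)
```

Matching any one indicator is a reason to quarantine for review; all three together is a strong signal that the message is the campaign described here.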
