efax Spam Containing Malware

Published: 2014-06-08
Last Updated: 2014-06-08 22:03:39 UTC
by Guy Bruneau (Version: 1)
11 comment(s)

Beware of efax messages that may come to your email inbox. This week I received my first efax spam, with a source address of "Fax Message [message@inbound.efax.com]", which contained a link to www.dropbox.com that contained malware. The link has since been removed.

efax Spam

On efax's website, they indicate that if you are receiving fax spam, you should submit the fax via their online form and they "will attempt to prevent further transmission of junk faxes from the source."[2]

[1] http://www.efax.com/help/faq
[2] http://www.efax.com/privacy?tab=reportSpam


Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot edu

Keywords: efax Malware Spam
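The pattern described in this diary (a fax notification whose link points to Dropbox rather than to the claimed sender) can be turned into a simple mail-triage heuristic. The sketch below is an added example, not code from the diary or from SANS; it also covers the voicemail-themed variant reported in the comments. The keyword list, the file-host set, the function names and the sample messages are all assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse, parse_qs

# Assumed starting points for this sketch, not a vetted rule set.
LURE_WORDS = re.compile(r"\b(e?fax|voice ?mail|voice message)\b", re.I)
FILE_HOSTS = {"dropbox.com", "dropboxusercontent.com"}
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)

def registrable(host):
    """Naive last-two-labels domain; production code should use the Public Suffix List."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def score_message(raw):
    """Return the reasons a message matches the lure pattern (empty list = no match)."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    sender_dom = registrable(addr.rpartition("@")[2])
    body = msg.get_payload()  # constructed samples are single-part plain text
    themed = bool(LURE_WORDS.search(f"{name} {msg.get('Subject', '')} {body}"))
    reasons = []
    for url in URL_RE.findall(body):
        u = urlparse(url)
        host_dom = registrable(u.hostname or "")
        # A fax/voicemail notice should not need a third-party file host.
        if themed and host_dom in FILE_HOSTS and host_dom != sender_dom:
            reasons.append(f"fax/voicemail notice from {sender_dom} links to {host_dom}")
            if parse_qs(u.query).get("dl") == ["1"] or "/meta_dl/" in u.path:
                reasons.append("link forces a direct download")
    return reasons

# Constructed samples: tokens are placeholders, subjects and bodies are invented.
SAMPLES = {
    "efax_lure": "From: Fax Message <message@inbound.efax.com>\nSubject: New fax\n\n"
                 "View your fax: https://www.dropbox.com/meta_dl/EXAMPLE-TOKEN?dl=1\n",
    "voicemail_lure": "From: Voice Mail <voicemail_sender@voicemail.com>\n"
                      "Subject: voice message for mailbox 215\n\n"
                      "Download: https://www.dropbox.com/s/EXAMPLE-TOKEN\n",
    "colleague_share": "From: Colleague <alice@example.org>\nSubject: Q2 slides\n\n"
                       "Slides: https://www.dropbox.com/s/EXAMPLE-TOKEN?dl=0\n",
    "vendor_notice": "From: eFax <message@inbound.efax.com>\nSubject: Fax received\n\n"
                     "Log in at https://www.efax.com/ to view it.\n",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, score_message(raw) or "no match")
```

Because the From header in these messages is spoofed, the heuristic deliberately ignores whether the sender domain looks legitimate and keys on the mismatch between the notification theme and the link target.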


Would you mind sharing the hash of malware involved? One of these hit my mail server from a Tampa, FL, Verizon FIOS on 28 May, but by the time I had a chance to review the spoofed email, the email's DropBox link had been taken down/disabled.

Edited, dupe post
Been seeing a few dropbox linked malware, Bank ones too...


ClamAV Sanesecurity signatures are blocking them...
I no longer have the hash for this file and the link is now dead. The link was:

https:// www[dot]dropbox[dot]com/meta_dl/eyJzdWJfcGF0aCI6ICIiLCAidGVzdF9saW5rIjogZmFsc2UsICJzZXJ2ZXIiOiAiZGwuZHJvcGJveHVzZXJjb250ZW50LmNvbSIsICJpdGVtX2lkIjogbnVsbCwgImlzX2RpciI6IGZhbHNlLCAidGtleSI6ICJpcWVxeDdocmpobnJpeHoifQ/AANvZsHohmMz8XZLiCizpVrbOVy_Unf1bJ2NSGSwCy9E5w?dl=1
What's the point of submitting a spam report to eFax.com? The email didn't originate from their systems.
Several users of my company received the exact same email (verified the link was 100% equal), and fell for it.
It ended up being cryptolocker.
We are now implementing the protections in a reactive way.
The malware being dropped in these samples was CryptoWall. I did a deep-dive into their infrastructure here:


Let me know if you need the malware sample.


One thing to keep in mind is these messages are not coming from eFax servers; there is very little eFax can do to stop these messages.

BTW one of my users here at the office got hit by one of these... at least one of the payloads was CryptoLocker.
Nice, thanks, Ronnie. Your interesting analysis was so thorough that it sufficiently quenched my thirst for the sample. Still, posting a hash would be appreciated.
Interesting. A handful of my users received this today claiming to be a voicemail. Testing shows the link is not valid.

From: Voice Mail [mailto:voicemail_sender@voicemail.com]
Sent: Tuesday, June 10, 2014 8:29 AM
Subject: [BULK] voice message from 765-398-7466 for mailbox 215
Importance: Low

You have received a voice mail message from 765-398-7466 Message length is 00:00:33. Message size is 290 KB.

Download your voicemail message from dropbox service (Dropbox Inc.):

