Most office network printers and scanners have a feature that sends scanned documents over email. Cyber crooks, however, have imitated the email templates used by these devices for malicious purposes. This week we noticed a malicious spam email that purports to be a scanned document sent from a Xerox WorkCentre Pro scanner.

Variations of the subject line were used, such as “Scan from XER0X”, “Scan from XER0X ZIP Office” or “Scan from XER0X Center Office” (note the digit zero in place of the letter O in “XER0X”). The attachment shown in the image above is not a Xerox WorkCentre Pro scanned document but a PDF exploit file that targets old Adobe Reader and Acrobat vulnerabilities:
- Collab.collectEmailInfo (CVE-2007-5659) – Adobe Reader and Acrobat Multiple Stack-based Buffer Overflow Vulnerabilities
- util.printf (CVE-2008-2992) – Adobe Reader ‘util.printf()’ JavaScript Function Stack Buffer Overflow Vulnerability
- Collab.getIcon (CVE-2009-0927) – Adobe Acrobat and Reader Collab ‘getIcon()’ JavaScript Method Remote Code Execution Vulnerability
- media.newPlayer (CVE-2009-4324) – Adobe Reader and Acrobat ‘newplayer()’ JavaScript Method Remote Code Execution Vulnerability
Closer look at the attached PDF exploit
The payload of the PDF exploit downloads a Trojan downloader, which in turn installs additional malware such as fake AV on the victim’s machine.
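As an added illustration (written for this edit, not code from the original post or from Xerox or Adobe), the following Python script performs a first-pass triage of a PDF attachment for the four vulnerabilities listed above: it inflates FlateDecode streams, undoes PDF name escapes such as /J#61vaScript that malicious files use to hide the /JavaScript keyword from naive scanners, and looks for auto-run actions together with the abused JavaScript API names. The sample PDFs it builds are constructed fixtures, not the campaign’s attachment, and the verdict thresholds and the name-escape handling are the editor’s own choices.

```python
import re
import zlib

# JavaScript API names abused by the four Adobe Reader vulnerabilities named
# in the post, mapped to their CVE IDs. A plain substring match is only the
# first triage pass: exploit kits frequently split or encode these names, so
# a miss here is not proof that a file is clean.
INDICATORS = {
    b"Collab.collectEmailInfo": "CVE-2007-5659",
    b"util.printf": "CVE-2008-2992",
    b"Collab.getIcon": "CVE-2009-0927",
    b"media.newPlayer": "CVE-2009-4324",
}

_NAME_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
_STREAM = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)
_JS_NAME = re.compile(rb"/(?:JavaScript|JS)\b")
_AUTO_NAME = re.compile(rb"/(?:OpenAction|AA)\b")


def normalize_names(data: bytes) -> bytes:
    """Resolve PDF name escapes, e.g. /J#61vaScript -> /JavaScript."""
    return _NAME_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def decoded_streams(data: bytes) -> list:
    """Return the body of every stream object, inflating zlib (FlateDecode)
    streams and keeping the others as raw bytes. Decompression runs on the
    untouched input so that name normalisation cannot corrupt binary data."""
    out = []
    for m in _STREAM.finditer(data):
        body = m.group(1)
        try:
            out.append(zlib.decompress(body))
        except zlib.error:
            out.append(body)  # not Flate-compressed, or damaged
    return out


def triage_pdf(data: bytes) -> dict:
    """Scan a PDF for auto-executing JavaScript and the four CVE indicators."""
    parts = [normalize_names(data)] + [normalize_names(s) for s in decoded_streams(data)]
    blob = b"\n".join(parts)
    cves = sorted({cve for needle, cve in INDICATORS.items() if needle in blob})
    has_js = _JS_NAME.search(blob) is not None
    auto = _AUTO_NAME.search(blob) is not None
    if cves:
        verdict = "malicious"        # known exploit API referenced
    elif has_js and auto:
        verdict = "suspicious"       # script runs on open, no known indicator
    else:
        verdict = "clean"            # at string level only; see note below
    return {"has_javascript": has_js, "auto_runs": auto, "cves": cves, "verdict": verdict}


def _stream_obj(payload: bytes) -> bytes:
    """Wrap `payload` as a FlateDecode stream object body."""
    body = zlib.compress(payload)
    return (b"<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(body)
            + body + b"\nendstream")


def build_sample_pdf(js=None) -> bytes:
    """Constructed test fixture, not the attachment from the campaign.
    With `js` the file carries a compressed /OpenAction JavaScript action
    whose subtype name is escaped; without it, only a page content stream."""
    catalog = b"<< /Type /Catalog /Pages 2 0 R"
    objs = [
        None,  # catalog, filled in below once we know whether it auto-runs
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /Contents 4 0 R >>",
        _stream_obj(b"BT /F1 12 Tf 72 700 Td (Scanned document) Tj ET"),
    ]
    if js is not None:
        catalog += b" /OpenAction 5 0 R"
        objs.append(b"<< /S /J#61vaScript /JS 6 0 R >>")  # escaped /JavaScript
        objs.append(_stream_obj(js))
    objs[0] = catalog + b" >>"
    out = b"%PDF-1.4\n"
    for num, obj in enumerate(objs, 1):
        out += b"%d 0 obj\n%s\nendobj\n" % (num, obj)
    return out + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"


if __name__ == "__main__":
    print(triage_pdf(build_sample_pdf(b'var s = Collab.getIcon("x");')))
    print(triage_pdf(build_sample_pdf()))
```

The script deliberately decompresses before normalising names, because a `#xx` sequence can occur by chance inside compressed bytes and rewriting it would break inflation. A “clean” verdict from this string-level pass is not conclusive: the kits that carried these four exploits typically assemble the API names at run time (string concatenation, `eval` over a decoded blob, `unescape`d heap-spray data), so a suspicious attachment should also be detonated in a sandbox or run through a JavaScript emulator before it is released to a user.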
Cyber criminals will always strive to find new ways to spread their malware. We first saw this Xerox spam campaign in the middle of last year, when almost exactly the same spam template was used. The only difference was that the malicious attachment at that time was compressed in ZIP format. A Xerox WorkCentre Pro, however, does not send ZIP attachments. It is possible that the cyber criminals realized that a PDF attachment looks more realistic and could deceive more users, especially in an office environment.
Posted on 08 February 2011. Tags: Disguised, Document, Exploit, Scanned, Xerox