Part of a scareware distribution schemeA new spam campaign attempts to trick users into executing malicious files by claiming they are scanned documents. The fake emails masquerade as automatic messages sent by Xerox WorkCentre Pro machines.
The spam emails come with a subject of “Scan from a Xerox WorkCentre Pro #0713393” and have an archive file called “XeroxN45586.zip” attached. The message contained within reads:
“Please open the attached document. It was scanned and sent to you using a Xerox WorkCentre Pro.
Sent by: Guest
Number of Images: 1
Attachment File Type: ZIP [DOC]
WorkCentre Pro Location: machine location not set
Device Name: XRX0847AA7ACDB49675923
For more information on Xerox products and solutions, please visit http://www.xerox.com”
It appears that the spammers copied the real email template used by Xerox scanning devices and only modified the listed file type. The Tech Herald, reports that while Xerox WorkCentre Pro can transmit scanned documents via email, these are never sent in ZIP format.
Opening the file archive will reveal an executable file called Xerox_doc.exe, which is a new variant of the Oficla trojan. Trojans in the Oficla family of malware act as botnet clients and are primarily used as distribution platform for other threats, like adware or scareware.
Selling distribution services is a profitable business for botnet runners. According to the results of research into the botnet-based underground economy published by Kaspersky last year, adware developers pay $1.50 per install, while malware authors between $3 and $120, depending on the computer's location.
In this case, after it infects the computer, the trojan queries an external server and proceeds to installing a FakeAV variant. These types of programs, also referred to as scareware or rogueware, bombard users with fake security alerts in order to trick them into paying a license fee. Unfortunately, people who fall for these scams also compromise their credit card details in the process.