Nov 5, 2010 19:00 GMT  ·  By

A new malware distribution campaign is generating emails that pose as automatic messages from Xerox WorkCentre Pro machines and try to pass a trojan as a scanned document.

The Xerox WorkCentre Pro is a multifunction peripheral, which is relatively popular in business environments and incorporates printing, scanning, copying and faxing functionality.

The device is capable of emailing scanned documents to predefined addresses, a feature that the cybercriminals behind this attack are trying to exploit.

According to security vendor MX Lab, the fake emails bear a subject of "Scan from a Xerox WorkCentre P9275821," where the final number can vary. The contained message reads:

Good morning,

Please open the attached document. It was scanned and sent to you using a Xerox WorkCentre Pro.

Sent by: Guest
Number of Images: 1
Attachment File Type: ZIP [DOC]

WorkCentre Pro Location: machine location not set
Device Name: XRX2090AA7ACD7299422.

The attached archive is called Scanned_Documents.zip and contains an executable named Scanned_Documents.DOC.exe.

The file has a Word document icon, and its double extension attempts to trick users into opening it on newer versions of Windows, which hide known file extensions by default, so the name appears as Scanned_Documents.DOC.
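The lure relies on an archive attachment whose member has a document-looking double extension. The following mail-gateway check is an added example, not code from the original article or from MX Lab: it builds a constructed message that mimics the lure (harmless placeholder bytes, constructed sender and serial number), then flags a ZIP attachment containing an executable whose name would be displayed as a document once Windows hides the final extension. The extension lists are assumptions and not exhaustive.

```python
"""Gateway-style check for executable-in-ZIP lures dressed up as scanner output.

Added example; the message, addresses and archive contents are constructed
for the demonstration and are not artifacts from the campaign.
"""
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Extensions Windows runs directly when double-clicked (assumed, not exhaustive).
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs"}
# Extensions a recipient expects from a scan-to-email device (assumed list).
DOCUMENT_EXTS = {"doc", "docx", "pdf", "jpg", "tif", "tiff"}

# Subject pattern reported for this campaign; the trailing number varies.
SUBJECT_RE = re.compile(r"^Scan from a Xerox WorkCentre", re.IGNORECASE)


def displayed_name(name: str) -> str:
    """Name as Explorer shows it with 'Hide extensions for known file types' on:
    the final extension is dropped, so 'X.DOC.exe' is displayed as 'X.DOC'."""
    base, _, _ = name.rpartition(".")
    return base or name


def is_double_extension_executable(name: str) -> bool:
    """True when the last extension is executable and the one before it is a
    document type, i.e. the displayed name masquerades as a document."""
    parts = name.lower().rsplit(".", 2)
    if len(parts) < 3:
        return False
    _, inner, outer = parts
    return outer in EXECUTABLE_EXTS and inner in DOCUMENT_EXTS


def suspicious_zip_members(data: bytes) -> list[str]:
    """Return ZIP member names that are executables (double-extension or plain)."""
    flagged = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            leaf = info.filename.rsplit("/", 1)[-1]
            plain_exe = leaf.lower().rsplit(".", 1)[-1] in EXECUTABLE_EXTS
            if is_double_extension_executable(leaf) or plain_exe:
                flagged.append(info.filename)
    return flagged


def analyse_message(raw: bytes) -> dict:
    """Parse a raw RFC 822 message and report lure indicators and a verdict."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    subject = str(msg.get("Subject", ""))
    findings = []
    if SUBJECT_RE.search(subject):
        findings.append("subject matches WorkCentre scan lure")
    for part in msg.iter_attachments():
        fname = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        if fname.lower().endswith(".zip") and zipfile.is_zipfile(io.BytesIO(payload)):
            for member in suspicious_zip_members(payload):
                findings.append(f"archive {fname} contains executable {member}")
    # A matching subject alone is only a hint; an executable in the archive decides.
    verdict = "quarantine" if any("executable" in f for f in findings) else "deliver"
    return {"subject": subject, "findings": findings, "verdict": verdict}


def build_sample_message() -> bytes:
    """Constructed message mimicking the lure; the 'executable' is inert text."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Scanned_Documents.DOC.exe", b"placeholder bytes, not a PE file")
    msg = EmailMessage()
    msg["From"] = "scanner@example.invalid"          # constructed
    msg["To"] = "user@example.invalid"               # constructed
    msg["Subject"] = "Scan from a Xerox WorkCentre P0000000"  # constructed serial
    msg.set_content("Good morning, Please open the attached document.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="Scanned_Documents.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    report = analyse_message(build_sample_message())
    print(report["verdict"])
    for line in report["findings"]:
        print(" -", line)
```

Run stand-alone, the constructed message is quarantined because the archive holds Scanned_Documents.DOC.exe, which would be displayed as Scanned_Documents.DOC. The subject match is recorded as a finding but does not by itself block delivery, since legitimate WorkCentre notifications use the same wording.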

In reality, the executable installs an Oficla variant, currently detected by signature by 19 out of 43 antivirus engines on VirusTotal.

Oficla is a family of trojans used as a malware distribution platform in pay-per-install schemes. The most common type of threats installed by this trojan are fake antivirus programs (scareware), but spam botnet clients have also been observed occasionally.

This is not the first time Oficla peddlers have used fake Xerox WorkCentre scans as a lure. We have observed almost identical campaigns in both July and August.

Unfortunately, the fact that cybercriminals continue to reuse this trick suggests that it has a relatively high rate of success.

Users are strongly advised to exercise extra caution when dealing with emails that carry attachments, even when they appear to originate from trusted sources.