ALERT: If you come across an email entitled “Inbound Fax,” eFax, “RapidFAX: Inbound Fax” or “RapidFax: New Inbound Fax” in your inbox, don’t open the attachment it contains, since it hides a new variant of a Trojan.
The messages, which purport to come from firstname.lastname@example.org, contain information such as MCFID, the time at which it was received, fax number, ANI, number of pages, CSID, and the fax status code.
They only inform recipients that “a fax have been received” and urge them not to reply to the email.
The attached ZIP file is named rapidfax-E4C935577EDD.zip and contains the 117 kB file RapidFAX_MCID_000_LOTS_OF_NUMBERS__13341.pdf.exe.
The malware is identified as TR/Dldr.Kryptik.H, Trojan.Generic.8337227, Win32/Kryptik.APZB or Trojan-PSW.Win32.Tepfer.cqaj, depending on the antivirus vendor.
The trojan is also known as UDS:DangerousObject.Multi.Generic or Trojan.Lameshield.
VirusTotal analysis here
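The attachment described above hides an executable behind a decoy document extension (.pdf.exe) inside a ZIP. The following Python check is an added example, not part of the original alert: it shows how a mail filter could read only the member names of ZIP attachments and flag that naming pattern. The extension lists, function names and the sample message are assumptions constructed for illustration.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumed lists: extensions Windows executes, and document types used as decoys.
EXECUTABLE = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs"}
DECOY = {"pdf", "doc", "docx", "xls", "xlsx", "jpg", "png", "txt"}

def is_disguised_executable(name: str) -> bool:
    """True for names like 'fax.pdf.exe': decoy extension followed by an executable one."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1]
    # Windows drops trailing dots and spaces, so ignore them before splitting.
    parts = base.lower().rstrip(". ").rsplit(".", 2)
    return len(parts) == 3 and parts[1] in DECOY and parts[2] in EXECUTABLE

def flag_zip_attachments(raw_email: bytes) -> list:
    """Return (archive name, member name) for each disguised executable.

    Only the ZIP directory is read; no member is extracted or executed.
    """
    msg = message_from_bytes(raw_email, policy=policy.default)
    hits = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        if not zipfile.is_zipfile(io.BytesIO(payload)):
            continue
        with zipfile.ZipFile(io.BytesIO(payload)) as zf:
            for member in zf.namelist():
                if is_disguised_executable(member):
                    hits.append((part.get_filename() or "?", member))
    return hits

def build_sample() -> bytes:
    """Constructed sample: a harmless ZIP whose member only mimics the naming."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("RapidFAX_MCID_000_SAMPLE.pdf.exe", b"placeholder, not a program")
        zf.writestr("readme.txt", b"benign")
    msg = EmailMessage()
    msg["Subject"] = "RapidFAX: Inbound Fax"
    msg["From"] = "sender@example.org"
    msg.set_content("Constructed message body.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="rapidfax-sample.zip")
    return msg.as_bytes()

if __name__ == "__main__":
    for archive, member in flag_zip_attachments(build_sample()):
        print(f"FLAG {archive}: {member}")
```

A name match is a reason to quarantine the message for review, not proof of malware; password-protected or nested archives need separate handling.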
This isn’t the only spam campaign that relies on bogus fax messages. Emails pretending to come from eFaxCorporate are also making the rounds these days.
The emails appear to come from email@example.com (the default eFax account) and they’re entitled “Corporate eFax message – (xyz) pages.”