Most office network printers and scanners have a feature that sends scanned documents over email. Cyber crooks, however, have imitated the email templates used by these devices for malicious purposes. This week we noticed a malicious spam email that purports to be a scanned document sent using a Xerox WorkCentre Pro scanner.
Variations of the subject line were used, such as “Scan from XER0X”, “Scan from XER0X ZIP Office” or “Scan from XER0X Center Office”. In the image above, the attachment is actually not a Xerox WorkCentre Pro scanned document but a PDF exploit file that utilizes an old Adobe Acrobat Reader vulnerability:
- Collab.collectEmailInfo (CVE-2007-5659) – Adobe Reader and Acrobat Multiple Stack-based Buffer Overflow Vulnerabilities
The payload of the PDF exploit downloads a Trojan downloader, which installs additional malware such as Fake AV on the victim's machine.
Cyber criminals will always strive to find new ways to spread their malware. The first time we saw this Xerox spam campaign was in the middle of last year, when almost exactly the same spam template was used. The only difference was that the malicious attachment at that time was compressed in ZIP format. Xerox WorkCentre Pro, however, doesn't send ZIP file attachments. It's possible that the cyber criminals realized that a PDF looks more realistic and could deceive more users, especially in an office environment.
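As an added illustration (not part of the original post), the following mail-gateway check turns the indicators described above into detection logic: the “Scan from XER0X” subject variants (spelled with a digit zero, as in the campaign), a PDF attachment that carries JavaScript or the Collab.collectEmailInfo call, and the ZIP attachments a real WorkCentre Pro never sends. The sample message is constructed for the demonstration; its PDF is a harmless stub, and the sender and recipient addresses are placeholders.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Subject variants used by the campaign; note the digit zero in "XER0X".
SUBJECT_RE = re.compile(r"^Scan from XER0X\b", re.IGNORECASE)

# A genuine scanned PDF carries no JavaScript; the CVE-2007-5659 lure abuses Collab.collectEmailInfo.
JS_MARKERS = (b"/JavaScript", b"/JS", b"collectEmailInfo")


def inspect_message(raw: bytes) -> dict:
    """Collect indicators from one raw RFC 822 message (bytes)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = {
        "lure_subject": bool(SUBJECT_RE.search(msg.get("Subject", ""))),
        "pdf_attachments": [],
        "zip_attachments": [],
        "js_pdf": False,
    }
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        if data.startswith(b"%PDF-") or name.lower().endswith(".pdf"):
            findings["pdf_attachments"].append(name)
            if any(marker in data for marker in JS_MARKERS):
                findings["js_pdf"] = True
        elif data.startswith(b"PK\x03\x04") or name.lower().endswith(".zip"):
            findings["zip_attachments"].append(name)
    return findings


def is_suspicious(findings: dict) -> bool:
    # A real WorkCentre Pro scan is a PDF without JavaScript and is never a ZIP.
    return findings["lure_subject"] and (findings["js_pdf"] or bool(findings["zip_attachments"]))


def build_sample(with_js: bool = True) -> bytes:
    """Constructed sample mimicking the lure; the PDF is a stub, not a real document."""
    msg = EmailMessage()
    msg["From"] = "scanner@example.com"  # placeholder sender
    msg["To"] = "user@example.com"       # placeholder recipient
    msg["Subject"] = "Scan from XER0X Center Office"
    msg.set_content("Please see the attached document.")
    js_obj = b"1 0 obj << /S /JavaScript /JS (Collab.collectEmailInfo) >> endobj\n" if with_js else b""
    msg.add_attachment(b"%PDF-1.4\n" + js_obj + b"%%EOF\n",
                       maintype="application", subtype="pdf", filename="scan.pdf")
    return bytes(msg)
```

Calling `is_suspicious(inspect_message(build_sample()))` flags the lure, while the same subject with a JavaScript-free PDF (`build_sample(with_js=False)`) is left alone.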