Symantec Intelligence

Malicious emails masquerade as office printer messages

Created: 27 Sep 2011 • 1 comment
Author: Bhaskar Krishna

Some of the newest printers have scan-to-email ability, a feature that allows users to email scanned documents to a specified email address on demand. Symantec Intelligence has identified malware authors using social engineering tactics that take advantage of this, sending executables in a compressed “.zip” archive via email. The attachment contains an executable disguised as a scanned document from a printer, as shown in the example in figure 1, below.

Figure 1: Example of malicious email masquerading as a scanned document sent from an office printer

In each case the sender domain was spoofed to match the recipient domain, sometimes appearing as though forwarded to the recipient by a colleague at the same organization, implying that this email originated internally.
To be clear, office printers and scanners will not send malware-laden files, and many are unlikely to be able to send scanned documents as “.zip” file attachments. No printer or scanner hardware was involved in the distribution process, and in general, users should always be careful when opening email attachments, especially from an unknown sender.

Some examples are shown in figure 2, below.

Figure 2: Examples of malicious emails spoofing smart office printer/scanners

Figure 3 shows some interesting statistics Symantec Intelligence gathered from observing these emails during a 24-hour period beginning 13 September 2011.

| Subjects | Frequency | Unique Attachments |
| --- | --- | --- |
| Scan from a [printer name A] #{6-8 random digits} | 742 | 1,393 |
| Scan from a [printer name B] #{6-8 random digits} | 41 | 779 |

Figure 3: Table showing the frequency and number of different attachments spoofing a printer

In these examples, the attacker has also manipulated the file name of the archived file so that certain archiving tools display a “.doc” extension, as shown in figure 4, below.

Figure 4: Example of “.zip” archive incorrectly displaying contents with “.doc” extension

The actual file name stored in the “.zip” archive ends in “cod.exe”, but some archiving tools display it incorrectly because of a special hidden character (hex code 0xAB, highlighted below) that precedes the “cod.exe” part of the file name. As a result, the archive viewer shows the file name as ending in “exe.doc”.

In addition to the above, we have also seen the same strain of malware distributed using a number of different subjects and two different file names, one posing as a document and the other as a photograph, as shown in figure 5, below.

| File Name | Frequency |
| --- | --- |
| Document_NR727875272_Coll=d4=c7=abcod.exe | 410 |
| photo_W71765413082011_Coll=d4=c7=abgpj.exe | 149 |

Figure 5: Table showing the frequency of another example

As before, a file name ending in “cod.exe” will be incorrectly displayed by some “.zip” archive viewers as “exe.doc”, and similarly “gpj.exe” will be displayed as “exe.jpg”.
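The display trick described above and in the “cod.exe” discussion can be caught before a user ever opens the archive by inspecting the stored entry names rather than trusting how a viewer draws them. The following is an added example, not code from the original post or from Symantec; it assumes the hidden character is the Unicode right-to-left override U+202E (the post gives only the byte 0xAB), and the sample archive it builds is constructed for the demonstration.

```python
import io
import unicodedata
import zipfile

# Extensions that run when double-clicked; a name that hides one is suspect.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
RLO = "\u202e"  # right-to-left override (assumed equivalent of the post's 0xAB)

def hidden_controls(name):
    """Return code points in the name that draw nothing: C0/C1 controls (Cc)
    and format characters (Cf), which include the bidirectional overrides."""
    return [ord(c) for c in name if unicodedata.category(c) in ("Cc", "Cf")]

def as_displayed(name):
    """Approximate how a viewer honouring the RLO draws the name: text after the
    last override is rendered reversed, so 'cod.exe' reads as 'exe.doc'."""
    head, sep, tail = name.rpartition(RLO)
    return head + tail[::-1] if sep else name

def real_extension(name):
    """The extension the OS will act on: everything after the final dot."""
    return "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""

def audit_archive(data):
    """Audit every entry of a zip given as bytes; return one finding per suspicious name."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name, ext = info.filename, real_extension(info.filename)
            controls = hidden_controls(name)
            if controls or ext in EXECUTABLE_EXTS:
                findings.append({
                    "stored_name": name,
                    "displayed_as": as_displayed(name),
                    "real_extension": ext,
                    "hidden_controls": [f"U+{cp:04X}" for cp in controls],
                    "executable": ext in EXECUTABLE_EXTS,
                })
    return findings

def build_sample():
    """Constructed sample archive: one entry hides an RLO before 'cod.exe',
    the other is a harmless PDF name used as a control."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Scan_from_printer_" + RLO + "cod.exe", b"constructed, not a payload")
        zf.writestr("Scan_from_printer_001.pdf", b"%PDF-1.4 constructed")
    return buf.getvalue()
```

The same check can be applied at a mail gateway to every “.zip” attachment, flagging any entry whose stored name contains format or control characters regardless of what extension a viewer would show.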

Figure 6, below, shows some other interesting subject lines that were also used to distribute this particular malware run during the same 24-hour period beginning 13 September.

Figure 6: Examples of other social engineering subjects used to spread the same malware

| Some Other Interesting Subjects | Frequency |
| --- | --- |
| Pornographic mail | 85 |
| Company Contract doc | 40 |
| Tax debt notification | 34 |
| Revenue ( IRS ) Department | 25 |
| Printer Scanned doc | 21 |
| domain suspension mail | 9 |
| pornographic picture | 3 |

Figure 7: 24-hour snapshot showing variety of subject frequencies in use to distribute malware

It is evident from the variety shown in these examples that the attackers are trying a wide number of different possible social engineering strategies in order to trick the recipient into opening the malicious attachment.

Comments (1)

MattSpencer:

Anyone with a network-enabled printer should take note of this, as sometimes the emails generated look very legit and the users unwittingly open the attachments thinking it was the document they scanned.
