twitter facebook rss

Malicious Photocopier: not the Internet of Things

Posted by on February 2, 2016.

[Update: Zscaler reports that similar messages are being used to drop Kasidet as well as Dridex. Commentary by Kaspersky here.]

This may surprise you, given the business I’m in, but I don’t often see malware. After all, ESET has lots of people better qualified than I am to analyse malcode or maintain product code. And while it’s not unusual to find malware and scam messages lurking in the junk and ‘infected’ folders of my email accounts, I rarely go looking for them. So when I received a highly suspicious email a few days ago, I was more interested in the social engineering implications than I was in the bits and bytes. The message is the medium…

It was sent to an obsolete work address of mine, apparently from copier@[company domain]. Which was a bit of a giveaway even before I looked at the headers. Which were, of course, also instructive.

Here’s what the message looked like:

Device Name: COPIER Device Model: MX-2310U

File Format: DOC (Medium)

Resolution: 200dpi x 200dpi

Attached file is scanned document in DOC format.

Use Microsoft(R)Word(R) of Microsoft Systems Incorporated to view the document.

The malware is detected by ESET as VBA/TrojanDownloader.Agent.ARB trojan, and according to Dynamoo’s Conrad Longmore the payload is the Dridex banking Trojan. The headers indicated that the message was sent via India. Well, I don’t think I’ve ever used a photocopier in India and certainly not recently. (I’ve only been there once, and that was in 2008.) A cursory look at the document showed some text in Spanish. A Malwr report is cited by Longmore as indicating that the macro is downloaded from a site hosted in Vietnam.  However, the payload phones home not to India, or Spain, or Vietnam, but to Russia: (System Projects LLC, Russia).

Graham Cluley, who received a similar message, includes some information on the all-singing/all-dancing Sharp MX-2310u copier/printer/fax/scanner. No, he doesn’t have one either. (HT to Graham for the link to the Dynamoo blog.)

In fact, the scammer’s may have scored something of an own goal by mailing so many security people – ESET’s Stephen Cobb received one too, though not to an ESET account. In view of the number of office devices that do communicate with their users by email nowadays, let’s hope that companies are making the effort to inform their staff of what messages they might expect from their little corner of the Internet of Things, and what format they should take.

Now, if you’ll excuse me, I have to take a phone call: apparently my laptop has been sending messages again to a call centre in India about a virus it’s been infected with. 😉

David Harley





3 thoughts on “Malicious Photocopier: not the Internet of Things

  1. It is rare to get malware affecting photocopiers, but good article raising awareness

  2. After all, ESET has lots of people better qualified than I am to analyse malcode or maintain product code. Where such information?

Leave a Reply

Your email address will not be published. Required fields are marked *

Submitted in: David Harley | Tags: , , , ,