The Electronic Frontier Foundation (EFF) is reporting on a recently intercepted malicious document distributed over Skype, apparently targeting Syrian activists.
Upon viewing the document, it drops additional files on the infected host and opens a backdoor that gives the cyber spies behind the campaign access to the infected PC.
Webroot has obtained a copy of the malware and analyzed its malicious payload.
More details:
Screenshot of the spamvertised malicious document:
The malicious document has an MD5 of bc403bef3c2372cb4c76428d42e8d188 and is currently detected by 11 out of 42 antivirus scanners as Backdoor:Win32/Fynloski.A; TROJ_GEN.R47B5F1.
Upon viewing, it displays the document shown above while dropping the following files on the infected host:
- Aleppo plan.pdf – MD5: 6B0711F56086BAD87D214B6BDC94EAC8
- explorer.exe – MD5: EC99A9BA6FD95B806FCE0FE51538910E
- Firefox.dll – MD5: 646F3831C9988021DC292173DBC75B06
- Startup(empty).lnk – MD5: 78C7F53D4098D9AB4141D7636CAC443E
- Firefox.dll – MD5: D41D8CD98F00B204E9800998ECF8427E
Once the infection takes place, the affected host will attempt to connect to 216.6.0.28 on port 880. Another MD5 is known to have used this C&C IP before, for instance:
MD5: AF77B9BBA26100EA133C55385C50AFE9 attempts to obtain hxxp://216.6.0.28/Update/Update.bin – detected by 31 out of 42 antivirus scanners as Trojan-Dropper.Win32.Injector.avvq; Trojan:Win32/Meroweq.A
The same C&C was previously used in February, 2012, again in an attempt by cyber spies to target Syrian activists.
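The indicators above (the file MD5s, the C&C address 216.6.0.28:880 and the Update.bin URL) can be turned into a simple host and network sweep. The following Python script is an added example, not Webroot's or EFF's code: it hashes every file under a directory and reports matches against the write-up's MD5 list, then scans firewall and proxy log lines for the C&C. The log format (`dst=IP dport=PORT` fields, a proxy line carrying the full URL) and the sample files are constructed assumptions for this example. One caveat the script handles: the second Firefox.dll hash, D41D8CD98F00B204E9800998ECF8427E, is the MD5 of a zero-byte file, so it matches every empty file on disk and is reported only as a weak indicator.

```python
import hashlib
import os
import re
import tempfile

# Indicators copied from the write-up above (MD5s lower-cased for comparison).
FILE_IOCS = {
    "bc403bef3c2372cb4c76428d42e8d188": "malicious document",
    "6b0711f56086bad87d214b6bdc94eac8": "Aleppo plan.pdf",
    "ec99a9ba6fd95b806fce0fe51538910e": "explorer.exe",
    "646f3831c9988021dc292173dbc75b06": "Firefox.dll",
    "78c7f53d4098d9ab4141d7636cac443e": "Startup(empty).lnk",
    "d41d8cd98f00b204e9800998ecf8427e": "Firefox.dll (second copy)",
    "af77b9bba26100ea133c55385c50afe9": "earlier sample using the same C&C",
}
C2_IP = "216.6.0.28"
C2_PORT = 880
# The defanged hxxp:// URL from the write-up, re-armed so it matches real proxy logs.
C2_URL_RE = re.compile(r"https?://216\.6\.0\.28/Update/Update\.bin")
EMPTY_MD5 = hashlib.md5(b"").hexdigest()  # MD5 of a zero-byte file


def md5_of_file(path):
    """Stream the file through MD5 so large files do not have to fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_directory(root):
    """Return (path, md5, label, strength) for every file whose MD5 is on the IoC list."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            digest = md5_of_file(path)
            label = FILE_IOCS.get(digest)
            if label is None:
                continue
            # d41d8cd9... is the MD5 of an empty file, so it matches every zero-length
            # file on disk; report it, but as a weak indicator that needs corroboration.
            strength = "weak" if digest == EMPTY_MD5 else "strong"
            hits.append((path, digest, label, strength))
    return hits


# Assumed firewall log format (constructed for this example): "... dst=IP dport=PORT ..."
FW_RE = re.compile(r"dst=(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+dport=(?P<port>\d+)")


def find_c2_connections(log_lines):
    """Return the log lines that reach the C&C by IP:port or by the Update.bin URL."""
    matches = []
    for line in log_lines:
        m = FW_RE.search(line)
        if m and m.group("ip") == C2_IP and int(m.group("port")) == C2_PORT:
            matches.append(line)
        elif C2_URL_RE.search(line):
            matches.append(line)
    return matches


# Constructed sample log lines so the example runs offline.
SAMPLE_LOG = [
    "fw: src=10.0.0.5 dst=216.6.0.28 dport=880 proto=tcp action=allow",
    "fw: src=10.0.0.5 dst=93.184.216.34 dport=443 proto=tcp action=allow",
    "fw: src=10.0.0.7 dst=216.6.0.28 dport=443 proto=tcp action=allow",
    "proxy: 10.0.0.9 GET http://216.6.0.28/Update/Update.bin 200",
]


def build_sample_tree():
    """Create a temp directory holding a zero-length Firefox.dll and one benign file."""
    root = tempfile.mkdtemp(prefix="ioc_demo_")
    open(os.path.join(root, "Firefox.dll"), "wb").close()
    with open(os.path.join(root, "notes.txt"), "wb") as f:
        f.write(b"nothing to see here\n")
    return root


if __name__ == "__main__":
    for hit in scan_directory(build_sample_tree()):
        print("file hit:", hit)
    for line in find_c2_connections(SAMPLE_LOG):
        print("network hit:", line)
```

Point `scan_directory` at a user profile or temp folder and feed `find_c2_connections` the relevant firewall or proxy export; a strong file hit or a connection to 216.6.0.28:880 is worth escalating, while a weak hit on an empty Firefox.dll only matters alongside one of the other indicators.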
Webroot SecureAnywhere users are proactively protected from this threat.
You can find more about Dancho Danchev at his LinkedIn Profile. You can also follow him on Twitter.