Cybercriminals are currently mass mailing millions of emails trying to trick recipients into executing malicious attachments pitched as recently arrived fax messages. Upon running the malicious executables, users are exposed to a variety of dropped malware variants in a clear attempt by the cybercriminals to add additional layers of monetization to the campaign.
More details:
Sample screenshot of the spamvertised email:
Detection rate for the malicious executable: MD5: 16625f5ee30ba33945b807fb0b8b2f9e – detected by 37 out of 43 antivirus scanners as Trojan-PSW.Win32.Tepfer.blbl
Upon execution, it attempts to connect to the following hosts:
192.5.5.241
ser.foryourcatonly.com
ser.luckypetspetsitting.com
dechotheband.gr
barisdogalurunler.com
alpertarimurunleri.com
oneglobalexchange.com
rumanas.org
www.10130138.wavelearn.de
visiosofttechnologies.com
sgisolution.com.br
plusloinart.be
marengoit.pl
It then downloads additional malicious payloads from the following URLs:
hxxp://dechotheband.gr/5Wjm3iV2.exe
hxxp://barisdogalurunler.com/9BMu2.exe
hxxp://alpertarimurunleri.com/rRq.exe
hxxp://oneglobalexchange.com/19J.exe – ACTIVE
hxxp://rumanas.org/1vAWoxz3.exe
hxxp://www.10130138.wavelearn.de/4pxp.exe
hxxp://visiosofttechnologies.com/iDm9vs.exe
hxxp://sgisolution.com.br/jq5.exe – ACTIVE
hxxp://plusloinart.be/Ue7cHNm.exe – ACTIVE
hxxp://marengoit.pl/ZBrBpBh2.exe
Detection rate for a sample downloaded executable: 19J.exe – MD5: 1dc5c0ee228354b2e11aefbd119ef852 – detected by 36 out of 44 antivirus scanners as Trojan-Spy.Win32.Zbot.ggfs
This sample drops the following files on the affected host:
tykiy.exe – MD5: 69A45269B0A43F4FE65B81C1833A2B3B
cafaha.yja – MD5: 507A43E36DB0F1A918C674874D72C9F3
tmp61346667.bat – MD5: 8F7B621E6AEB966B9C2005940498A404
Detection rate for the second downloaded executable: jq5.exe – MD5: c9f5d0ba1caa54d0537d60eead26534e – detected by 36 out of 43 antivirus scanners as Trojan-Spy.Win32.Zbot.gbga
Detection rate for the third downloaded executable: Ue7cHNm.exe – MD5: a7772183d2650d9d4f26ffa02fd41d64 – detected by 33 out of 44 antivirus scanners as Trojan-Spy.Win32.Zbot.gfrt
It drops the following files on the affected host:
vaimhi.exe – MD5: 185F9F098069FE0C77DF524E7495CBFF
urliz.jew – MD5: C05DB33DA1109C86787C3AB314D14BE6
tmp291a82a0.bat – MD5: FF2E914D76BDA16724875294B1EE7327
Samples with the following MD5s are also known to have been downloaded by affected hosts in a similar fashion:
MD5: 25098F408CFA013FA246B94622D1044A – detected by 32 out of 44 antivirus scanners as Trojan-Spy.Win32.Zbot.gazz
MD5: 79090DE7377E7CCB06DC26634EA914A6 – detected by 34 out of 43 antivirus scanners as Trojan-Spy.Win32.Zbot.gawd
A sample with the following MD5, also downloaded in the campaign, is known to have phoned back to the following C&C server:
MD5: 2FC39B95A36BDD61C44BAAD205BCC2EC – detected by 30 out of 44 antivirus scanners as VirTool:Win32/CeeInject
Phone back URL:
hxxp://oftechnologies.co.in/update/777/img.php?gimmeImg – 130.185.73.102, AS48434 – Email: melody_mccarroll38@indyracers.com
Name Server: NS1.INVITEDNS.COM
Name Server: NS2.INVITEDNS.COM
The following malicious domain resolves to the same IP:
updateswindowspc.net
The following malicious domains are also known to have resolved to the same IP (130.185.73.102) in the past:
warrantynetwork.co.in – a sample with MD5: c80c3e16b17309fbcabdd402649faab5 is known to have phoned back there – detected by 33 out of 44 antivirus scanners as Trojan:Win32/Grymegat.B
amendenhancements.net.in – a sample with MD5: B1206CB15B85DDBF6FC411FE9C1FB808 is known to have phoned back there – detected by 17 out of 44 antivirus scanners as Trojan:Win32/Grymegat.B
homedrakx.net.in
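The indicators above (the hosts the dropper contacts, the payload and phone-back URLs, and the file MD5s) are most useful when turned into something that can be run over existing logs. The following Python script is an added example, not code from the write-up or from Webroot: it refangs the hxxp:// URLs, derives a host blocklist, and checks a few constructed proxy-log lines and a constructed file-hash inventory against the listed indicators. The proxy-log format, the sample log lines and the file paths are assumptions made for the example; only the indicator values come from the write-up.

```python
"""IoC matcher for the fax-themed campaign described above.

Added example (not Webroot's or the author's code): refangs the defanged URLs
from the write-up, builds a host blocklist, and scans constructed proxy-log
lines and a constructed file-hash inventory for matches.
"""
import re
from urllib.parse import urlsplit

# Indicators copied from the write-up: payload URLs plus the C&C phone-back URL.
DEFANGED_URLS = [
    "hxxp://dechotheband.gr/5Wjm3iV2.exe",
    "hxxp://barisdogalurunler.com/9BMu2.exe",
    "hxxp://alpertarimurunleri.com/rRq.exe",
    "hxxp://oneglobalexchange.com/19J.exe",
    "hxxp://rumanas.org/1vAWoxz3.exe",
    "hxxp://www.10130138.wavelearn.de/4pxp.exe",
    "hxxp://visiosofttechnologies.com/iDm9vs.exe",
    "hxxp://sgisolution.com.br/jq5.exe",
    "hxxp://plusloinart.be/Ue7cHNm.exe",
    "hxxp://marengoit.pl/ZBrBpBh2.exe",
    "hxxp://oftechnologies.co.in/update/777/img.php?gimmeImg",
]
# Hosts from the write-up that appear without a full URL (dropper contacts,
# the C&C IP and the domains that resolved to it).
EXTRA_HOSTS = [
    "192.5.5.241", "ser.foryourcatonly.com", "ser.luckypetspetsitting.com",
    "130.185.73.102", "updateswindowspc.net", "warrantynetwork.co.in",
    "amendenhancements.net.in", "homedrakx.net.in",
]
# File MD5s from the write-up, normalised to lowercase for comparison.
KNOWN_MD5S = {h.lower() for h in [
    "16625f5ee30ba33945b807fb0b8b2f9e", "1dc5c0ee228354b2e11aefbd119ef852",
    "69A45269B0A43F4FE65B81C1833A2B3B", "c9f5d0ba1caa54d0537d60eead26534e",
    "a7772183d2650d9d4f26ffa02fd41d64", "185F9F098069FE0C77DF524E7495CBFF",
    "25098F408CFA013FA246B94622D1044A", "79090DE7377E7CCB06DC26634EA914A6",
    "2FC39B95A36BDD61C44BAAD205BCC2EC", "c80c3e16b17309fbcabdd402649faab5",
    "B1206CB15B85DDBF6FC411FE9C1FB808",
]}


def refang(url: str) -> str:
    """Turn a defanged 'hxxp(s)://' URL back into a real scheme so it parses."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.IGNORECASE)


def ioc_hosts(defanged_urls, extra_hosts) -> set:
    """Lowercased hostnames/IPs to alert on. 'www.' prefixes are kept as listed,
    because the blocklist should match what the log actually records."""
    hosts = {urlsplit(refang(u)).hostname for u in defanged_urls}
    hosts.update(h.lower() for h in extra_hosts)
    return {h for h in hosts if h}


def ioc_urls(defanged_urls) -> set:
    """Full refanged URLs (path and query kept) for exact-URL matches."""
    return {refang(u) for u in defanged_urls}


# Assumed proxy-log format: "<timestamp> <client-ip> <method> <url> <status>".
PROXY_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)


def scan_proxy_log(lines, defanged_urls=DEFANGED_URLS, extra_hosts=EXTRA_HOSTS):
    """Return (client, url, reason) tuples for log lines that hit an indicator.

    A host-only match is still reported because the payload file names rotate
    between campaigns; an exact URL match gets a stronger reason string."""
    hosts, urls = ioc_hosts(defanged_urls, extra_hosts), ioc_urls(defanged_urls)
    hits = []
    for line in lines:
        m = PROXY_LINE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of mis-parsing them
        url = m.group("url")
        host = (urlsplit(url).hostname or "").lower()
        if url in urls:
            hits.append((m.group("client"), url, "known payload/C&C URL"))
        elif host in hosts:
            hits.append((m.group("client"), url, "known campaign host"))
    return hits


def scan_hash_inventory(inventory, known=KNOWN_MD5S):
    """inventory: iterable of (path, md5). Returns the paths whose MD5 is listed."""
    return [path for path, md5 in inventory if md5.lower() in known]


if __name__ == "__main__":
    # Constructed sample log lines (not taken from the write-up).
    sample_log = [
        "2013-01-10T09:12:01Z 10.0.0.15 GET http://oneglobalexchange.com/19J.exe 200",
        "2013-01-10T09:12:05Z 10.0.0.15 GET http://www.10130138.wavelearn.de/other.exe 404",
        "2013-01-10T09:13:44Z 10.0.0.22 GET http://example.org/index.html 200",
        "2013-01-10T09:15:00Z 10.0.0.15 GET http://oftechnologies.co.in/update/777/img.php?gimmeImg 200",
        "garbage line that does not parse",
    ]
    for hit in scan_proxy_log(sample_log):
        print("proxy hit:", hit)
    # Constructed file inventory; the paths are hypothetical placeholders.
    sample_inventory = [
        ("C:\\path\\to\\tykiy.exe", "69a45269b0a43f4fe65b81c1833a2b3b"),
        ("C:\\path\\to\\benign.exe", "00000000000000000000000000000000"),
    ]
    print("hash hits:", scan_hash_inventory(sample_inventory))
```

Host-level matching deliberately fires on any request to a listed host, not only on the exact payload paths, since the randomised file names (5Wjm3iV2.exe, 9BMu2.exe, ...) are the part of these indicators most likely to change first; the exact-URL reason is kept separately so an analyst can prioritise confirmed downloads over mere contact with a compromised host.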
Webroot SecureAnywhere users are proactively protected from these threats.
You can find more about Dancho Danchev at his LinkedIn Profile. You can also follow him on Twitter.