Cybercriminals are mass mailing malicious emails about a meeting you wouldn’t want to attend – unless you want to compromise the integrity of your computer.
Once executed, the malicious attachment opens a backdoor on the affected host, allowing the cybercriminals behind the campaign to gain complete access to the affected host. Naturally, we’ve been monitoring their operations for quite some time, and are easily able to identify multiple connections between their previously launched campaigns.
More details:
Sample screenshot of the spamvertised email:
Sample detection rate for the malicious executable: MD5: a684feff699bb7e3b8814c32c1da8277 – detected by 38 out of 44 antivirus scanners as Worm:Win32/Cridex.E.
PEiD Signature of the sample: PureBasic 4.x -> Neil Hodgson
It also creates the following registry keys:
HKEY_CURRENT_USERSoftwareMicrosoftWindows NTCFBDC89D4
HKEY_CURRENT_USERSoftwareMicrosoftWindows NTS25BC2D7B
The newly created Registry Value is:
[HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun]
KB00121600.exe = “”%AppData%KB00121600.exe” so that KB00121600.exe runs every time Windows starts.
Upon execution, the sample phones back to 64.150.187.72:8080/AJw/UCygrDAA/Ud+asDAA (AS10316).
We’ve seen the same pseudo-random characters used in command and control communications profiled in several campaigns – “‘American Express Alert: Your Transaction is Aborted’ themed emails serve client-side exploits and malware“; “Bogus IRS ‘Your tax return appeal is declined’ themed emails lead to malware“; “Cybercriminals spamvertise bogus ‘Microsoft License Orders’ serve client-side exploits and malware“.
We’ve also seen the same IP (64.150.187.72) used as name server in a previously profiled malicious campaign (ns37.ceredinopl.ru – 64.150.187.72) – “Bogus Facebook ‘pending notifications’ themed emails serve client-side exploits and malware“, indicating that these campaigns are also connected.
More MD5s are known to have phoned back to the same IP in the past:
MD5: 87a22699e0e6dfc89c57d7ad3483f264 – detected by 12 out of 42 antivirus scanners as VirTool:Win32/Obfuscator.ACP
MD5: 8229f69bc416cdca7f314f19fe7b4e18 – detected by 28 out of 44 antivirus scanners as Worm:Win32/Cridex.E
MD5: f739f99f978290f5fc9a812f2a559bbb – detected by 23 out of 43 antivirus scanners as VirTool:Win32/CeeInject.EW
MD5: cb69622f8188ae1b2a2b67e9153aaed4
Webroot SecureAnywhere users are proactively protected from these threats.
You can find more about Dancho Danchev at his LinkedIn Profile. You can also follow him on Twitter.