Fake ‘Export License/Payment Invoice’ themed emails lead to malware

Fake ‘Export License/Payment Invoice’ themed emails lead to malware

by | May 23, 2013 | Industry Intel, Threat Lab

Reading Time: ~ 2 min.

By Dancho Danchev

We have just intercepted yet another currently ongoing malicious spam campaign, enticing users into executing a fake Export License/Payment Invoice. Once gullible and socially engineering users do so, their PCs automatically join the botnet operated by the cybercriminals.

More details:

Detection rate for the malicious executable: MD5: 4e7dc191117a6f30dd429cc619041552 – detected by 33 out of 47 antivirus scanners as Trojan.Win32.Inject.foiq; Trojan.Zbot.

Once executed, the sample starts listening on port 28723.

It then creates the following files on the affected hosts:
%AppData%Wyifdylo.exe

The following Registry Keys:
HKEY_CURRENT_USERSoftwareMicrosoftUfoda

The following Registry Values:
[HKEY_CURRENT_USERIdentities] -> Identity Login = 0x00098053
[HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun] -> {3DFA1AE4-115C-AD7B-A6BA-A75086AF8442} = “”%AppData%Wyifdylo.exe””
[HKEY_CURRENT_USERSoftwareMicrosoftUfoda] -> 298j5icj = 19 F6 D3 3E 87 FA CB 0A F4 B2; 25cdfb7h = 25 F6 B2 3E; 6hj5ac9 = CB C5 B2 3E D7 A1 F9 0A C4 B2 7D 39

The following Mutexes:
Global{CB561546-E774-D5EA-8F92-61FCBA8C42EE}
Local{744F300D-C23F-6AF3-8F92-61FCBA8C42EE}
Global{FD2CEE5F-1C6D-E390-0508-B06D3016937F}
Global{FD2CEE5F-1C6D-E390-7109-B06D4417937F}
Global{FD2CEE5F-1C6D-E390-490A-B06D7C14937F}
Global{FD2CEE5F-1C6D-E390-610A-B06D5414937F}
Global{FD2CEE5F-1C6D-E390-8D0A-B06DB814937F}
Global{FD2CEE5F-1C6D-E390-990A-B06DAC14937F}
Global{FD2CEE5F-1C6D-E390-350B-B06D0015937F}
Global{FD2CEE5F-1C6D-E390-610B-B06D5415937F}
Global{FD2CEE5F-1C6D-E390-B90B-B06D8C15937F}
Global{FD2CEE5F-1C6D-E390-190C-B06D2C12937F}
Global{FD2CEE5F-1C6D-E390-4D0C-B06D7812937F}
Global{FD2CEE5F-1C6D-E390-650C-B06D5012937F}
Global{FD2CEE5F-1C6D-E390-B50D-B06D8013937F}
Global{FD2CEE5F-1C6D-E390-310E-B06D0410937F}
Global{FD2CEE5F-1C6D-E390-610E-B06D5410937F}
Global{FD2CEE5F-1C6D-E390-E90F-B06DDC11937F}
Global{FD2CEE5F-1C6D-E390-ED0B-B06DD815937F}
Global{FD2CEE5F-1C6D-E390-ED0C-B06DD812937F}
Global{FD2CEE5F-1C6D-E390-B10E-B06D8410937F}
Global{FD2CEE5F-1C6D-E390-6D0F-B06D5811937F}
Global{5E370004-F236-408B-8F92-61FCBA8C42EE}
Local{55E9553C-A70E-4B55-8F92-61FCBA8C42EE}
Local{55E9553D-A70F-4B55-8F92-61FCBA8C42EE}
Global{FD2CEE5F-1C6D-E390-D10F-B06DE411937F}
Global{EEE5022F-F01D-F059-8F92-61FCBA8C42EE}
Global{38E3341C-C62E-265F-8F92-61FCBA8C42EE}
Global{340FE32E-111C-2AB3-8F92-61FCBA8C42EE}
Global{340FE329-111B-2AB3-8F92-61FCBA8C42EE}
MidiMapper_modLongMessage_RefCnt
MidiMapper_Configure
MPSWabDataAccessMutex
MPSWABOlkStoreNotifyMutex
MSIdent Logon

It then phones back to the following C&C servers:
213.230.101.174:11137
87.203.65.0:12721
180.241.97.79:16114
83.7.104.50:13647
84.59.222.81:10378
194.94.127.98:25549
98.201.143.22:19595
78.139.187.6:14384
180.183.178.134:20898

We’ve also seen the following C&C server IP (194.94.127.98) in previously profiled malicious campaigns:

As well as 78.139.187.6, in the following previously profiled malicious campaign:

We’re aware of more MD5s that phoned back to the same IPs over the last couple of days. For instance:
MD5: f55412ecb47cd64528dc1942d46331bf
MD5: 9d96157b5ae4e0546b7f510bcc1ac174
MD5: 9ea0a3efe62e175046048ca812c87158
MD5: 2b1657cee8dfec489b7fd00113b9bb4c
MD5: 28b8ad5e84f8541c716abbdb8f575c7d
MD5: 03ce491d25b68597d06cdcfe316431c6
MD5: 70768ea3273f360781f2e1d5f00eb715
MD5: ccabfea47b6d2bddf8a2090a641e5b75
MD5: 94ca03ab7c414ed347be34618804dc25
MD5: 3eaecc4bac464708d64c621b62b707e2
MD5: 3fbcd1bd6452877d883245d09b7768ea
MD5: 9f027af381bf757ba9d506e82a770bff
MD5: 8f7bfa8f1b7652d0f4f1fab93a7c63b0
MD5: a6815e3d2e53117c738f7a5370daafcc
MD5: cc2eaf9df2608e07aa2ba39fa1c2912e
MD5: fb1e76fbc43753912a4937f32d5f9c58
MD5: 4e7dc191117a6f30dd429cc619041552
MD5: d1c4179ea3b9af795e5169c244ff8c31
MD5: 694a6783866f5d43b85e93e70caaa37c
MD5: 73f85a49c2a7f1b71a087018307146c1
MD5: 8f9599e3989cc19e19fa4971b1386520
MD5: c012f6646b801a916c0b1a5235688a7a
MD5: 379ee5b9d022b13d3c919d11999b7dff
MD5: e2c18303bfca70692f85181d4a86a954
MD5: 289049f65a85cbe02d3ed6fa7e0008f6
MD5: ee3f8e7d94b801d635cbc2575ff3b3dc
MD5: 42b4d077ff3e7a9077b14f762cd2063f
MD5: a9e2f26d5e4456710f608b1f37ad2c0d
MD5: 7d7307d32e8711a2c6a261e5870a77bc
MD5: a36c2fd0a1e9d572ba030b6cc9b949b6
MD5: 27e9f62fed24ad0b93f3576f480e2644
MD5: 474d8729340789ba1722d9b82e646d8c
MD5: 1d369383ea55d81b4bcd3169bebb2772
MD5: 2fdeaa5ae2559f62a65d928d175da2c9
MD5: 496fb7da08a09c2f1d7b460bb7a24c01
MD5: 90114fd9fef19d0fc2c84bb1ee5d9bb9
MD5: 7e98cd68a4622c54f7fcb575c75cf79b
MD5: 1429ce41f54265d426c067a86e47f35a
MD5: 7c6c7c207a968bbf34f47213d91e618d
MD5: dee3f33ca9ece80871b6ab0591051c24
MD5: 91be7a17cb07c50afdf551a3e76d35c6
MD5: b6ed1bd88f36d80bf68d338620ed25c3
MD5: ef501d09c80be9aff5158c52b5986239
MD5: 5eac6806950b4fa497cfd0aab5e8ea43
MD5: e3e41e242998097b2f448990a951b467
MD5: 003167511de5d42626c665fadc7d9e32

Webroot SecureAnywhere users are proactively protected from these threats.

You can find more about Dancho Danchev at his LinkedIn Profile. You can also follow him on Twitter.

Blog Staff

About the Author

Blog Staff

The Webroot blog offers expert insights and analysis into the latest cybersecurity trends. Whether you’re a home or business user, we’re dedicated to giving you the awareness and knowledge needed to stay ahead of today’s cyber threats.

Share This