By Dancho Danchev
The gang of cybercriminals behind the ‘Magic Malware’ has launched yet another malicious spam campaign, attempting to trick U.K. users into thinking they’ve received a notification for a “New MMS” message. In reality, once users execute the malicious attachment, it downloads and drops additional malware on the affected host, giving the cybercriminals behind the campaign complete access to it.
More details:
Detection rate for the spamvertised archive: MD5: d55f732cc41eaadca1c58b4c3d07e431 – detected by 8 out of 46 antivirus scanners as UDS:DangerousObject.Multi.Generic.
Once executed, it phones back to:
hxxp://asdacbxn34.us/area/la.php – (178.208.91.5) – Email: iavorscaia@gmail.com
hxxp://178.208.82.164/_load.exe
We are aware of two more registered malicious domains using the same email (iavorscaia@gmail.com), dating back to 2010:
secretshoper.info/ujd/upit.php – back then used to respond to 91.206.201.222
vertelitt.com/faw/pit.php – back then used to respond to 91.206.201.200
The domain ttnetbilglendirme.info also resolves to the same IP (178.208.91.5).
Detection rate for the dropped _load.exe – MD5: bcadffb2117751fb89a4bb8768681030 – detected by 10 out of 46 antivirus scanners as Trojan.Win32.Generic!BT. It’s interesting to point out that the malware’s PE signature block refers to our colleagues at Mandiant.
Once executed, the dropped sample phones back to the following C&C servers:
94.23.234.36
94.23.203.74
94.23.219.182:10080
Another sample, MD5: 80b3735863cc59d3edc6e7331a231c88, is known to have phoned back to the same IP (94.23.234.36).
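To turn the indicators above into a repeatable check, here is an added Python example (not part of the original post and not Webroot tooling) that matches proxy-log destinations and file hashes against the hosts, IPs and MD5s listed on this page; the log line format and the sample lines are constructed assumptions.

```python
import hashlib
import re
from urllib.parse import urlparse

# Indicators taken from the post above (the hxxp:// defanging is removed).
BAD_HASHES = {
    "d55f732cc41eaadca1c58b4c3d07e431",  # spamvertised archive
    "bcadffb2117751fb89a4bb8768681030",  # dropped _load.exe
    "80b3735863cc59d3edc6e7331a231c88",  # related sample, same C&C IP
}
BAD_HOSTS = {"asdacbxn34.us", "secretshoper.info", "vertelitt.com",
             "ttnetbilglendirme.info"}
BAD_IPS = {"178.208.91.5", "178.208.82.164", "94.23.234.36",
           "94.23.203.74", "94.23.219.182"}

def refang(url: str) -> str:
    """Turn the post's defanged 'hxxp://' form back into a parsable URL."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.I)

def url_indicator(url: str):
    """Return the matching host or IP indicator for a URL, or None."""
    host = (urlparse(refang(url)).hostname or "").lower()
    return host if host in BAD_HOSTS or host in BAD_IPS else None

def scan_proxy_log(lines):
    """Flag log lines whose destination matches a campaign indicator.
    Assumed (constructed) line shape, space-separated:
    <timestamp> <client_ip> <method> <url> <status>"""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 5:
            continue  # malformed line, skip rather than crash
        ind = url_indicator(parts[3])
        if ind:
            hits.append((parts[1], ind, parts[3]))
    return hits

def file_is_known_bad(data: bytes) -> bool:
    """MD5 the file contents and compare with the post's sample hashes."""
    return hashlib.md5(data).hexdigest() in BAD_HASHES

# Constructed sample log: three indicator hits and one benign request.
SAMPLE_LOG = [
    "2013-05-14T10:01:02 10.0.0.7 GET http://asdacbxn34.us/area/la.php 200",
    "2013-05-14T10:01:05 10.0.0.7 GET http://178.208.82.164/_load.exe 200",
    "2013-05-14T10:02:00 10.0.0.9 GET http://example.com/index.html 200",
    "2013-05-14T10:03:11 10.0.0.7 CONNECT http://94.23.219.182:10080/ 200",
]
```

Each hit returns the internal client address, so the output doubles as a list of hosts to pull for the dropped _load.exe.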
Webroot SecureAnywhere users are proactively protected from these threats.
So – how to rid my PC of this crap?