Over the past week, the cybercriminals behind the recently profiled 'Citibank Merchant Billing Statement' themed campaign resumed operations and launched yet another massive spam campaign impersonating Citibank, in an attempt to trick its customers into executing the malicious attachment found in the fake emails.
More details:
Sample screenshot of the spamvertised email:
Detection rate for the malicious executable – MD5: 0bbf809dc46ed5d6c9f1774b13521e72 – detected by 16 out of 47 antivirus scanners as Trojan-Spy.Win32.Zbot.lvpo.
Once executed, the sample starts listening on port 12674. It then drops the following files (listed by MD5) on the affected host:
MD5: 6044cc337b5dbf82f8746251a13f0bb2
MD5: d20d915dbdcb0cca634810744b668c70
MD5: 758498d6b275e58e3c83494ad6080ac2
Creates the following Registry Keys:
HKEY_CURRENT_USER\Software\Microsoft\Evfyfarya
Sets the following Registry Values:
[HKEY_CURRENT_USER\Identities] -> Identity Login = 0x00098053
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] -> Hiij = "%AppData%Ytcuhiij.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Evfyfarya] -> 29690939 = "VehcOWjxJHg7yg=="; 25f59e7f = 69 E8 3D 39; 70e963j = "BN09OTauFngMyvWP"
It also creates the following mutexes:
Global{CB561546-E774-D5EA-8F92-61FCBA8C42EE}
Local{744F300D-C23F-6AF3-8F92-61FCBA8C42EE}
Global{5D2DDFD7-2DE5-4391-0508-B06D3016937F}
Global{5D2DDFD7-2DE5-4391-7109-B06D4417937F}
Global{5D2DDFD7-2DE5-4391-490A-B06D7C14937F}
Global{5D2DDFD7-2DE5-4391-610A-B06D5414937F}
Global{5D2DDFD7-2DE5-4391-8D0A-B06DB814937F}
Global{5D2DDFD7-2DE5-4391-990A-B06DAC14937F}
Global{5D2DDFD7-2DE5-4391-350B-B06D0015937F}
Global{5D2DDFD7-2DE5-4391-610B-B06D5415937F}
Global{5D2DDFD7-2DE5-4391-B90B-B06D8C15937F}
Global{5D2DDFD7-2DE5-4391-190C-B06D2C12937F}
Global{5D2DDFD7-2DE5-4391-450C-B06D7012937F}
Global{5D2DDFD7-2DE5-4391-650C-B06D5012937F}
Global{5D2DDFD7-2DE5-4391-B50D-B06D8013937F}
Global{5D2DDFD7-2DE5-4391-290E-B06D1C10937F}
Global{5D2DDFD7-2DE5-4391-650E-B06D5010937F}
Global{5D2DDFD7-2DE5-4391-E508-B06DD016937F}
Global{5D2DDFD7-2DE5-4391-E90B-B06DDC15937F}
Global{5D2DDFD7-2DE5-4391-E90C-B06DDC12937F}
Global{5D2DDFD7-2DE5-4391-A50E-B06D9010937F}
Global{5D2DDFD7-2DE5-4391-1D0E-B06D2810937F}
Global{5D2DDFD7-2DE5-4391-490F-B06D7C11937F}
Global{EEE5022F-F01D-F059-8F92-61FCBA8C42EE}
Global{38E3341C-C62E-265F-8F92-61FCBA8C42EE}
Global{340FE32E-111C-2AB3-8F92-61FCBA8C42EE}
Global{340FE329-111B-2AB3-8F92-61FCBA8C42EE}
Local{55E9553D-A70F-4B55-8F92-61FCBA8C42EE}
Local{55E9553C-A70E-4B55-8F92-61FCBA8C42EE}
Global{5E370004-F236-408B-8F92-61FCBA8C42EE}
MidiMapper_modLongMessage_RefCnt
MidiMapper_Configure
MPSWabDataAccessMutex
MPSWABOlkStoreNotifyMutex
MSIdent Logon
It then phones back to the following C&C servers:
78.161.154.194:25633
186.29.77.250:18647
190.37.115.43:29609
187.131.8.1:13957
181.67.50.91:27916
8.161.154.194
186.29.77.250
190.37.115.43
187.131.8.1
181.67.50.91
84.59.222.81
211.209.241.213
108.215.44.142
122.163.41.96
99.231.187.238
89.122.155.200
79.31.232.136
142.136.161.103
63.85.81.254
98.201.143.22
110.164.140.144
195.169.125.228
190.83.222.173
96.29.242.234
178.251.75.50
199.21.164.167
180.92.159.2
213.43.242.145
94.240.224.115
2.187.51.145
208.101.114.115
50.97.98.134
41.99.119.243
197.187.33.59
79.106.11.64
178.89.68.255
190.62.162.200
165.98.119.94
94.94.211.18
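The host artifacts above (the listener on port 12674, the Run-key entry launching from %AppData%, the Evfyfarya configuration key) and the C&C list are only useful to a defender once they become checks. The script below is an added example, not part of the original post or of Webroot's tooling: it loads the published indicators and runs them over two constructed log formats, a firewall-style flow log and a registry-audit log. The log lines, the internal host 10.0.0.5, the timestamps and the `%AppData%\Example\hiij.exe` path in the sample are all constructed for the example; the IP:port pairs, the port 12674 and the registry key names come from the write-up, and only a subset of the published IP list is loaded to keep the block short.

```python
"""Match the Zbot indicators published above against offline log samples.

Check 1 (network): destination equals a listed C&C IP:port, or a listed
C&C IP on any port, or an inbound connection to an internal host on the
port the sample listens on (12674).
Check 2 (host): a Run-key value whose data launches from %AppData%, or any
write to the HKCU\Software\Microsoft\Evfyfarya configuration key.
All sample log lines are constructed for this example.
"""
import ipaddress
import re
from typing import Iterable, Optional

# Indicators from the write-up (IP list deliberately truncated to a subset).
C2_IP_PORTS = {
    ("78.161.154.194", 25633),
    ("186.29.77.250", 18647),
    ("190.37.115.43", 29609),
    ("187.131.8.1", 13957),
    ("181.67.50.91", 27916),
}
C2_IPS = {ip for ip, _ in C2_IP_PORTS} | {
    "84.59.222.81", "211.209.241.213", "108.215.44.142", "122.163.41.96",
}
LISTEN_PORT = 12674
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
CONFIG_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Evfyfarya"

# Constructed flow-log shape: "<ts> <action> <proto> <src>:<sport> -> <dst>:<dport>"
FLOW_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>\w+)\s+(?P<proto>\w+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)"
)
# Constructed registry-audit shape: "[<key>] -> <name> = <data>"
REG_RE = re.compile(r"^\[(?P<key>[^\]]+)\]\s+->\s+(?P<name>[^=]+?)\s*=\s*(?P<data>.*)$")


def check_flow(line: str) -> Optional[str]:
    """Return a reason if the flow line matches a network indicator, else None."""
    m = FLOW_RE.match(line)
    if not m:
        return None
    dst, dport = m["dst"], int(m["dport"])
    if (dst, dport) in C2_IP_PORTS:
        return f"C&C endpoint {dst}:{dport}"
    if dst in C2_IPS:
        return f"C&C address {dst} (port {dport} not in the published list)"
    # Inbound traffic to the backdoor port on an internal (RFC 1918) host.
    if dport == LISTEN_PORT and ipaddress.ip_address(dst).is_private:
        return f"inbound connection to Zbot listener port {LISTEN_PORT} on {dst}"
    return None


def check_registry(line: str) -> Optional[str]:
    """Return a reason if the registry line matches a host indicator, else None."""
    m = REG_RE.match(line)
    if not m:
        return None
    key, name, data = m["key"], m["name"], m["data"].strip().strip('"')
    if key.lower() == CONFIG_KEY.lower():
        return f"write to Zbot configuration key ({name})"
    if key.lower() == RUN_KEY.lower() and "%appdata%" in data.lower() and data.lower().endswith(".exe"):
        return f"Run-key persistence '{name}' launching from %AppData%: {data}"
    return None


def scan(lines: Iterable[str]) -> list:
    """Run both checks over every line; return (line_number, reason) pairs."""
    hits = []
    for n, line in enumerate(lines, 1):
        reason = check_flow(line) or check_registry(line)
        if reason:
            hits.append((n, reason))
    return hits


# Constructed sample log (mixed flow and registry-audit lines).
SAMPLE_LOG = r"""2013-01-15T10:01:02Z ALLOW TCP 10.0.0.5:49152 -> 186.29.77.250:18647
2013-01-15T10:01:03Z ALLOW TCP 10.0.0.5:49153 -> 93.184.216.34:443
2013-01-15T10:01:04Z ALLOW TCP 10.0.0.5:49154 -> 84.59.222.81:80
2013-01-15T10:02:00Z ALLOW TCP 203.0.113.9:51000 -> 10.0.0.5:12674
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] -> Hiij = "%AppData%\Example\hiij.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] -> Updater = "C:\Program Files\Vendor\updater.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Evfyfarya] -> 29690939 = "VehcOWjxJHg7yg=="
"""

if __name__ == "__main__":
    for n, reason in scan(SAMPLE_LOG.splitlines()):
        print(f"line {n}: {reason}")
```

The IP-only fallback matters because the post lists most C&C addresses without a port; matching on address alone trades a few false positives for coverage of whichever port the bot uses next, and the `.is_private` check keeps the port-12674 rule from firing on unrelated outbound traffic.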
We’re also aware of the following malicious MD5s that have phoned back to the same IPs during the past 24 hours:
MD5: 6c8f072883f0e3c3f8fa261bf24a0ec9
MD5: 8ad3541e65ed51048b45e65d940e6ad3
MD5: 1c638cf28e81bcbb0ca4bb99edb4f74c
MD5: 421525b68a36ed8b625eb10d2ed53f7f
MD5: 1af1eaafa527021e57bbb88dd933a735
MD5: 7d7200158b4a729b6cfbcab7ec45eb01
MD5: ba6770e4829ffa67a3aad02ede1ba8d4
MD5: 91637932d31d81831c5c5e64ca49006b
MD5: 3f66cbad92d657a153e71450169700c1
MD5: e565d69db2b89537bdc4e62143cdd514
MD5: abe82de6954f95844bdf490d60e59a68
MD5: 07776aa4ddc7a34f784a494212094df2
MD5: e0f021d263f09fde99fc38c0fd175596
MD5: 7a4c6833ebcdbcac2f30b665fe25d3fb
MD5: 812e20c6426da8719cde03149b1d5362
MD5: ea9ee50983add39ab074266833bac6a6
MD5: 0fcb22dbe998ec450c9d121f652bb140
MD5: 73feaf39239924526cf32b0e0019e96b
MD5: 8877031ba7c3ab29826416e37b638352
MD5: 341bb3e70dc494320f905ec1b0e915d8
MD5: 1b43a9ca4c5372aeeebc27d49c21fa42
MD5: 597a06a161ca6d4c28a13a0f9a71ed8e
MD5: 3cf217b4f1a1e12c7e9563f721673539
MD5: d2f94d18d1791001ef9629ebd61b0fe1
MD5: 6bb731725e8d4d003b5ee591a19e9b9e
MD5: 83665c792d859b4169f526075dafc558
MD5: 875901d90d3a0dba34a7393c90c30f18
MD5: 9de4c103dd1db1bbd8e8909082f87572
MD5: 65066de0a3ab632ef2ffbf3f4073d13e
MD5: 095a4c7d9da23b3fc22397f0af786426
MD5: d33bb85eedd51e26ca8c9307a03efaa6
MD5: 9f603e2f4be70ced836bcbaf466b71b4
MD5: 9fe16118aa907995547909e8534da3c6
MD5: 37b284ec76f95a5aedfebde17b449a81
MD5: 0ba620595833a41bbaec1bd5fcefc490
MD5: aa1a866bf6b20c24dca45d7d3a9f19e1
MD5: 92fbde3b15b80d8f867d9d4475984aa3
MD5: a873b55196ed1c961427bed9cf444125
MD5: 1d22200cd9761e72943936b79262113d
MD5: c2b3cf2a8141945c08bb4fc15bbdd03c
MD5: bb27f129ca4cc3fd1d516693307d6672
MD5: 958d2dc57222cd30b273c3c70b76f70b
MD5: 8727f70ce3eb0464c1214679e73a1cf8
MD5: e1504be723fd2b10bf92d28d0d7fdd64
MD5: 0c6affccc2274b29342c9e65fe74a5d5
MD5: bd986371abd214998c8b337f1ca5cf4a
MD5: fc77f429308076cf392433f3c57be180
MD5: 23a671ffad912a1e8871ba530a10b58d
MD5: 82329fbeb221c18dc44b04c7a8784c64
MD5: 54dcefc141af0de7612f2115ce28daee
MD5: 16502ca7ddfdd84dff5cbccdb7b45954
MD5: b88acd28fde42d648c36bbf48f7c3e24
MD5: 49b387c62d25124eef121c982220da12
MD5: 99dd803d52c32b650c0fdeb9bd42c15e
MD5: 11f97f038d32dad3a7287d6b6f3ece41
MD5: aa6b6f4ab1f3d3c0f4585767600eaaa7
MD5: 42b7209cdfc7ff5211acd2ed573b1e3c
MD5: 43fe7962f6609261c0fd340991923971
MD5: 62d7a8aa94cbccf25fb79675bf28cffe
MD5: df2ddb974ebc39843bf6f8b7e289c61b
MD5: affb6a5cbae325f5e8479eca751636ad
MD5: 955f60c49aeaf2676a8f02aed4506a8e
MD5: 512c7e96009ee16c221183218c29aa87
MD5: 03223110f778da979b7c4cd943d0df4b
MD5: 6f550a64bbbce49c2fb1eca39d1e278d
MD5: 2b98b338e5d52eee9f31a084a78062e0
MD5: ff791b1264feb8570e1ece8413c56aad
MD5: eb7ed2e9f29f6d36a8ee74f6b80e0cc4
MD5: c44612d97b271a3a520a81385042ab32
MD5: f596994858c3930a5d3b3b69e69205d6
MD5: 5cf3af041bbcf743cb7e7b8fd62800f3
MD5: 0a246f226b94315f340b88445ae2888e
MD5: 692a9f8bfd43a7861a5498f00480cb3f
MD5: bafd9764e04014f2b291f235e2450801
MD5: a95735cdf7b33af081dda2863846a328
MD5: a6c95c0812f7a27cce565036b1d9fb1f
MD5: dc1f018dd42ea8db092741254cb78040
MD5: 934eaeea66a26b97d91d7728dc41249a
MD5: 30b1c21bcc29d8697912403fa19f7691
MD5: 23c0a9ffcaa199f593d54bea0c72d440
MD5: 599221781c68f49777a039ee7d5106c7
MD5: 1766268cf787b80e487d3da0de7d42d9
MD5: 3e8aa532b9d060bd127724775ee6da37
MD5: 630ae63b8a3a331cd08fd46606cfb20a
MD5: 564d7ad55dbc3b7d276729625683cbfd
MD5: e397b34d21f8b3c0540c376c7f85a4a5
MD5: 97d7c4f53e5498a3dbacecf682e9a3ec
MD5: c79160293a591a5e4b8a922d5974a8b1
MD5: 791dc0ca3fee7b6dc84b57bc5a5f1485
MD5: d57b886c8853b7199ae738c79aed2f65
MD5: 9263460a8384564ff8e7e3024aaaa906
MD5: 89c7c7adcac550aa99ccbaf9e6d74c43
MD5: 8c13f48585ee220c4c35f74bab47899f
MD5: ce4cebf34dde67b70574bdf438620350
Webroot SecureAnywhere users are proactively protected from these threats.
You can find more about Dancho Danchev at his LinkedIn Profile. You can also follow him on Twitter.