The cybercriminals behind last week's profiled fake T-Mobile themed email campaign have resumed operations and have just spamvertised another round of tens of thousands of malicious emails impersonating the company. The lure is once again a supposedly legitimate MMS notification message, and the goal is to trick T-Mobile customers into executing the malicious attachment.
Detection rate for the spamvertised attachment: MD5: 8a9abe065d473da9527fdf08fb55cb9e – detected by 26 out of 48 antivirus scanners, e.g. as Trojan.DownLoader9.22851 and UDS:DangerousObject.Multi.Generic.
Once executed, the sample creates the following mutexes on the affected host. Note that the first two are also created by ordinary Windows components and will be present on clean machines, so only the last one is a usable indicator on its own:
CTF.TimListCache.FMPDefaultS-1-5-21-1547161642-507921405-839522115-1004MUTEX.DefaultS-1-5-21-1547161642-507921405-839522115-1004
ShimCacheMutex
85485515
It then (once again) phones back to networksecurityx.hopto.org. The most recent sample (MD5: 014543ee64491bac496fabda3f1c8932) that has phoned back to the same C&C server is also known to have phoned back to dahaka.no-ip.biz (89.136.186.200). Both C&C hostnames are dynamic DNS names, so the IP behind them can change at any time; block and hunt on the hostnames as well as the IP.
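To turn the indicators above into a detection, the following is an added example (not Webroot's code or tooling) that scans a sandbox report for the MD5 hashes, the distinctive mutex, the C&C hostnames and the IP listed in this post. The report format (one `<event> <value>` line per observation) and the sample reports are constructed for this example; the generic Windows mutexes are reported only as context so that they alone never produce a verdict.

```python
import re
from dataclasses import dataclass, field

# Indicators taken from the post above.
IOC_MD5 = {
    "8a9abe065d473da9527fdf08fb55cb9e",
    "014543ee64491bac496fabda3f1c8932",
}
IOC_DOMAINS = {"networksecurityx.hopto.org", "dahaka.no-ip.biz"}
IOC_IPS = {"89.136.186.200"}
IOC_MUTEXES = {"85485515"}

# Mutexes that stock Windows components create on any host; matching them
# alone would flag clean machines, so they are reported as context only.
GENERIC_MUTEXES = {"ShimCacheMutex"}
GENERIC_MUTEX_PREFIXES = ("CTF.TimListCache.",)

# Hypothetical sandbox report format, constructed for this example:
# "<event> <value>" with event in {md5, mutex, dns, connect}.
LINE_RE = re.compile(r"^(md5|mutex|dns|connect)\s+(\S+)$")


@dataclass
class ScanResult:
    hits: list = field(default_factory=list)     # strong indicators
    context: list = field(default_factory=list)  # generic Windows mutexes

    @property
    def malicious(self) -> bool:
        # Verdict is driven by strong indicators only.
        return bool(self.hits)


def classify(kind: str, value: str):
    """Return 'hit', 'context' or None for one observation."""
    if kind == "md5":
        return "hit" if value.lower() in IOC_MD5 else None
    if kind == "mutex":
        if value in IOC_MUTEXES:
            return "hit"
        if value in GENERIC_MUTEXES or value.startswith(GENERIC_MUTEX_PREFIXES):
            return "context"
        return None
    if kind == "dns":
        # Normalise trailing dot and case before comparing hostnames.
        return "hit" if value.lower().rstrip(".") in IOC_DOMAINS else None
    if kind == "connect":
        # Values look like "ip:port"; only the IP is matched.
        return "hit" if value.split(":")[0] in IOC_IPS else None
    return None


def scan_report(text: str) -> ScanResult:
    """Scan a report and collect (kind, value) pairs per category."""
    result = ScanResult()
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore lines that are not observations
        kind, value = m.groups()
        verdict = classify(kind, value)
        if verdict == "hit":
            result.hits.append((kind, value))
        elif verdict == "context":
            result.context.append((kind, value))
    return result


# Constructed report mirroring the behaviour described in the post.
SAMPLE_REPORT = """\
md5 8a9abe065d473da9527fdf08fb55cb9e
mutex CTF.TimListCache.FMPDefaultS-1-5-21-1547161642-507921405-839522115-1004MUTEX.DefaultS-1-5-21-1547161642-507921405-839522115-1004
mutex ShimCacheMutex
mutex 85485515
dns networksecurityx.hopto.org
connect 89.136.186.200:80
"""

# Constructed report of a clean host: generic mutexes only, no C&C traffic.
CLEAN_REPORT = """\
md5 0123456789abcdef0123456789abcdef
mutex CTF.TimListCache.FMPDefaultS-1-5-21-1547161642-507921405-839522115-1004MUTEX.DefaultS-1-5-21-1547161642-507921405-839522115-1004
mutex ShimCacheMutex
dns update.example
"""

if __name__ == "__main__":
    for name, report in (("sample", SAMPLE_REPORT), ("clean", CLEAN_REPORT)):
        r = scan_report(report)
        print(f"{name}: malicious={r.malicious} hits={r.hits} context={r.context}")
```

The same scanner can be pointed at real sandbox output by adapting `LINE_RE` to that tool's format; the split between `hits` and `context` is what keeps the two stock Windows mutexes from generating false positives.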
Webroot SecureAnywhere users are proactively protected from these threats.