British users, watch what you execute on your PCs! Over the last week, cybercriminals have launched several consecutive malicious spam campaigns targeting users of Sky, as well as owners of Samsung Galaxy devices, into thinking that they’ve received a legitimate MMS notification to their email address. In reality though, these campaigns ‘phone back’ to the same command and control botnet server, indicating that they’re related.
Sample screenshot of the spamvertised attachment:
Detection rate for the Sky themed sample: MD5: d880cd5e3fe803c17f4208552ec22698 – detected by 27 out of 48 antivirus scanners as Trojan.Win32.Sharik.qgi
Detection rate for the Samsung Galaxy themed fake MMS sample: MD5: d08c957a004becd0a2404db99d334484 – detected by 24 out of 47 antivirus scanners as Trojan.Win32.Sharik.qgd; VirTool:Win32/CeeInject.gen!KK
Once executed, both samples phone back to a known C&C – networksecurityx.hopto.org.
Related malicious MD5s known to have phoned back to the same C&C server (networksecurityx.hopto.org) since the beginning of the month:
MD5: fa6ad32857e52496893d855e4c87fdc4
MD5: 0754bc0afadf12dcc16185552940a7a2
MD5: c18820db216be9dd45dd71bf4af12221
MD5: c6fc5304b1bc736d26b8d30291d7c233
MD5: 47789cd37bb80db557df461193230864
MD5: c738137d1c3092db0c7f07c829d08c62
MD5: edc52b2493ff148eb595a8931d177b52
MD5: 4d5745981507951a002900509a429295
MD5: af72bac81d90baf692022a2d3bd8cec3
MD5: 0220a490bdaa10c41318f86bb768bc74
MD5: 56dbfb5c1056a9c1c2f37be65d7f2832
MD5: 3d2263abc97d4297c0952c77a41c5db3
MD5: 54c33ecd97185aee6376e1a6aed610f2
MD5: d9c76155f76c4d3d42883ad7c1ca7544
MD5: 207cb51b0777793d0834afdaca41e415
MD5: e4be05e0ec44699f6a7be546e717acb3
MD5: ccd83b51f9733b81bfe556a6315c1a12
MD5: 380a79055e5de4f5f9b4aa5d82e482d5
MD5: a1e6fa2128ed6e0245c86e2d903dfe73
Related C&C server domains from malicious MD5s also known to have phoned back to networksecurityx.hopto.org:
1micro-update.no-ip.org
ahfgluqmcovghpmum.com
aqazrrwmzrvrvoshpi.com
arnvmiypge.com
bhlnvwlfbtre.com
bitvaisemrvzcjbrxpxq.com
brcpaqtlpwq.com
bunzvlesey.com
cdqvfoezutpworgjg.com
chbqrhunxg.com
daobcnqwefamhdfcs.com
eefifitiwwrvd.com
ejpcazebx.com
ezqjymdipjt.com
fdedkrmamntcyaine.com
fidqorildzpt.com
fktihyjhkomdxqkucg.com
fwlxulxb.com
giaddkbzcyaoim.com
gqfpcgbklmmskixc.com
hbrtrminyxb.com
idsuyvhdboaybaprf.com
ioxjbplzwgrinyike.com
iqhbyacfnea.com
jfzgufuwikakyza.com
jhkkssojlwnyjgnsslm.com
kbvmxwjxtvncddaiyb.com
kiovxfffze.com
ktlwxakbho.com
kydtaywfsfrsppvb.com
legcljdgpczw.com
lgsfbhyyrrnalpcbqkob.com
lldpoyrzfi.com
lxynmytvhgyiv.com
micro-update.no-ip.org
obhmbdjxkgmzw.com
oynrnyhmikxd.com
pjgwxsqwbdqh.com
psxfoalsn.com
qcoupmtycgogwblu.com
qtermfciofx.com
raxlendajlubxdhq.com
tccboqhpciznru.com
thnebevjzumnwfkyqwsa.com
upijkzzgohsviiufgwj.com
vdlkjuqdauwcpdxaybqm.com
vltnftcjrzrxnhfwgf.com
wchdbyuteue.com
xaftdwovbbtvt.com
xbmqunsmgty.com
ykvmiyfbbaqgryd.com
yqmodbxjxgczajstz.com
ytnxvxnlumzvtdelo.com
yyuihmtl.com
zbtgaqubvmmvvcx.com
zjwceimakuvaieqxzdi.com
zlndqawvrrbjhavidol.com
zlohhvqhqgyvbhbhe.com
zmfcmghjbpbxwn.com
zoyvmgsykc.com
zpqwczqatnmmb.com
ztvqcrxbvqd.com
Webroot SecureAnywhere users are proactively protected from these threats.
I wonder why malware researchers still use MD-5 hash functions. For more information why this is a really bad idea, check http://www.stopusingmd5now.com