Cybercriminals are mass mailing tens of thousands of emails, impersonating Booking.com, in an attempt to trick its users into thinking that their credit card was not accepted. Users are then urged to click on a fake “Print Booking Details” link, which leads them to the malware used in the campaign.

More details:

Sample screenshot of the spamvertised email:

Fake_Booking_Credit_Card_Not_Accepted_Hotel_Reservation_Email_Spam_Malware

Sample spamvertised URLs:
hxxp://www.tularat.ru/misc/teasers.php
hxxp://www.kotmart.com.ua/misc/teasers.php
hxxp://www.paraguay.org.eg/misc/teasers.php
hxxp://www.kotmart.com.ua/misc/teasers.php
hxxp://www.tebau.at/misc/teasers.php
hxxp://www.fullservice.co.nz/misc/teasers.php
hxxp://www.teachforlebanon.org/misc/teasers.php

Sample detection rate for the malicious executable: MD5: 75db84cfb0e1932282433cdb113fb689 – detected by 26 out of 46 antivirus scanners as TrojanDownloader:Win32/Kuluoz.B.

Once executed, the sample phones back to the following command and control (C&C) servers:
hxxp://66.232.145.174:6667/7983F8E17E0ADB06900CC3E4F4C4E9648753CB9E678CF5026D2394065EF041FFA32B1B6BCDE33A8C6F393565B6B18529AB300B817F78805342F2FF8D170C7266C374C52E23BA
8A478966890EFD9445
hxxp://175.45.142.15:8080/7983F8E17E0ADB06900CC3E4F4C4E9648753CB9E678CF5026D2394065EF041FFA32B1B6BCDE33A8C6F393565B6B18529AB300B817F78805342F2FF8D170C7266C374C52E23BA8
A478966890EFD9445
hxxp://66.84.10.68:8080/7983F8E17E0ADB06900CC3E4F4C4E9648753CB9E678CF5026D2394065EF041FFA32B1B6BCDE33A8C6F393565B6B18529AB300B817F78805342F2FF8D170C7266C374C52E23BA8A4
78966890EFD9445
hxxp://202.169.224.202:8080/7983F8E17E0ADB06900CC3E4F4C4E9648753CB9E678CF5026D2394065EF041FFA32B1B6BCDE33A8C6F393565B6B18529AB300B817F78805342F2FF8D170C7266C374C52E23B
A8A478966890EFD9445
hxxp://89.19.20.202:8080/7983F8E17E0ADB06900CC3E4F4C4E9648753CB9E678CF5026D2394065EF041FFA32B1B6BCDE33A8C6F393565B6B18529AB300B817F78805342F2FF8D170C7266C374C52E23BA8A
478966890EFD9445
hxxp://74.208.111.15:8080/7983F8E17E0ADB06900CC3E4F4C4E9648753CB9E678CF5026D2394065EF041FFA32B1B6BCDE33A8C6F393565B6B18529AB300B817F78805342F2FF8D170C7266C374C52E23BA8
A478966890EFD9445
hxxp://85.214.50.161:8080/7983F8E17E0ADB06900CC3E4F4C4E9648753CB9E678CF5026D2394065EF041FFA32B1B6BCDE33A8C6F393565B6B18529AB300B817F78805342F2FF8D170C7266C374C52E23BA8
A478966890EFD9445
hxxp://184.106.214.159:8080/7983F8E17E0ADB06900CC3E4F4C4E9648753CB9E678CF5026D2394065EF041FFA32B1B6BCDE33A8C6F393565B6B18529AB300B817F78805342F2FF8D170C7266C374C52E23B
A8A478966890EFD9445
hxxp://46.4.178.174:8080/7983F8E17E0ADB06900CC3E4F4C4E9648753CB9E678CF5026D2394065EF041FFA32B1B6BCDE33A8C6F393565B6B18529AB300B817F78805342F2FF8D170C7266C374C52E23BA8A
478966890EFD9445
hxxp://217.11.63.194:8080/7983F8E17E0ADB06900CC3E4F4C4E9648753CB9E678CF5026D2394065EF041FFA32B1B6BCDE33A8C6F393565B6B18529AB300B817F78805342F2FF8D170C7266C374C52E23BA8
A478966890EFD9445
hxxp://82.113.204.228:8080/7983F8E17E0ADB06900CC3E4F4C4E9648753CB9E678CF5026D2394065EF041FFA32B1B6BCDE33A8C6F393565B6B18529AB300B817F78805342F2FF8D170C7266C374C52E23BA
8A478966890EFD9445
hxxp://85.214.22.38:8080/7983F8E17E0ADB06900CC3E4F4C4E9648753CB9E678CF5026D2394065EF041FFA32B1B6BCDE33A8C6F393565B6B18529AB300B817F78805342F2FF8D170C7266C374C52E23BA8A
478966890EFD9445
hxxp://202.153.132.24:8080/7983F8E17E0ADB06900CC3E4F4C4E9648753CB9E678CF5026D2394065EF041FFA32B1B6BCDE33A8C6F393565B6B18529AB300B817F78805342F2FF8D170C7266C374C52E23BA
8A478966890EFD9445
hxxp://85.186.22.146:8080/7983F8E17E0ADB06900CC3E4F4C4E9648753CB9E678CF5026D2394065EF041FFA32B1B6BCDE33A8C6F393565B6B18529AB300B817F78805342F2FF8D170C7266C374C52E23BA8
A478966890EFD9445
hxxp://77.79.81.166:8080/7983F8E17E0ADB06900CC3E4F4C4E9648753CB9E678CF5026D2394065EF041FFA32B1B6BCDE33A8C6F393565B6B18529AB300B817F78805342F2FF8D170C7266C374C52E23BA8A
478966890EFD9445
hxxp://84.38.159.166:8080/7983F8E17E0ADB06900CC3E4F4C4E9648753CB9E678CF5026D2394065EF041FFA32B1B6BCDE33A8C6F393565B6B18529AB300B817F78805342F2FF8D170C7266C374C52E23BA8
A478966890EFD9445
hxxp://81.93.248.152:8080/7983F8E17E0ADB06900CC3E4F4C4E9648753CB9E678CF5026D2394065EF041FFA32B1B6BCDE33A8C6F393565B6B18529AB300B817F78805342F2FF8D170C7266C374C52E23BA8
A478966890EFD9445
hxxp://118.97.15.13:8080/7983F8E17E0ADB06900CC3E4F4C4E9648753CB9E678CF5026D2394065EF041FFA32B1B6BCDE33A8C6F393565B6B18529AB300B817F78805342F2FF8D170C7266C374C52E23BA8A
478966890EFD9445

More malware variantst are known to have phoned back to the same IPs. Associated MD5s:
MD5: FECEF95FBAB0E3520237F1FDE8784BC8
MD5: CAE28258E82EEC4ABFB76A910802E714
MD5: E2E021E1A6988B260F52916524448B41
MD5: C8089794207717290BD1DB680A20102C
MD5: E97CFB8D93B0BF5F9BBCA54847874379
MD5: 09C7E70F8DAFD97DE6AB7843FD2C40BE
MD5: F8F37893AF48137658BA1CD0CF0FB858
MD5: D6B7CF92F5A1DF9C8C445D0D9173020B
MD5: A1C66557C08DF58B8602FB5DA12FCA6B
MD5: AB70A1764D29CC403904B17BF501B11A
MD5: 8E8D0B99BDC661F184066530FD350458
MD5: D6B7CF92F5A1DF9C8C445D0D9173020B
MD5: A1C66557C08DF58B8602FB5DA12FCA6B
MD5: 1CF48849C3DA1F2E413B1B26F210C6B6
MD5: CA80A88EA5EF6ABF44227A50F0047041
MD5: D6C47208CDA112EB73BB22D46E306261
MD5: 9BB705500C8BB982D047AD83E841D1E3
MD5: 819314E69A49C6F9656CBA5F5C4074C4
MD5: EDCD8D82D14A76715992880F25ECAA2E
MD5: 88A99AAFEACAC0E9DF3BAB2CD6C853BB
MD5: 70EE66B9AE2DEDFCD539F479FAA01439
MD5: 2AEEE19ABBEE78014C70E57F6DC22328
MD5: 9251611A38D4411916CC5FC060F1C19C
MD5: 0309081A65BC7697BE24B66EAE490F48
MD5: A6DCD7FC08C9AC6A4760A25FB9A48143
MD5: EA1E19ADEC8FB5E540E06E10AC540D1F
MD5: F3E90DD3148D3DDF6938DB67B03DCF82
MD5: C8089794207717290BD1DB680A20102C
MD5: 176823F3C9822F31072265DFC6CABD1F
MD5: F41D533E371040B85FC87D7E28B41C45

Webroot SecureAnywhere users are proactively protected from these threats.

You can find more about Dancho Danchev at his LinkedIn Profile. You can also follow him on  Twitter.

Blog Staff

About the Author

Blog Staff

The Webroot blog offers expert insights and analysis into the latest cybersecurity trends. Whether you’re a home or business user, we’re dedicated to giving you the awareness and knowledge needed to stay ahead of today’s cyber threats.

Share This