Spamvertised “Hallmark ecard” campaign leads to malware

Cybercriminals are currently spamvertising a “You just received a e-card form somebody” themed malware campaign, impersonating Hallmark.

More details:

Subject: You just received a e-card form somebody

Message:
Hello,
You have just received a Hallmark E-Card!
There’s something special about that E-Card feeling.
If you want to see your e-greeting-card, click the link below:
http://www.hallmark.com/e-greetings
Hope to see you soon,
Your friends at Hallmark
Your privacy is our priority. Click the “Privacy and Security” link at the bottom of this E-mail to view our policy.

Malware link: hxxp://e-card.serveusers.com/e-greetings.exe

After clicking the link, the end user has to manually download and execute the malicious executable.

Details on e-greetings.exe

Detection rate: 17 out of 43 signature-based antivirus scanners detect this as malware

MD5: 1cd3a366d926ecc90a5ef9a8de9f3be2

SHA256: 4028fffd6e4b7296564ee86c799b221ada0f97824469c0133102654b11a6b024

Detected as: Backdoor.IrcBot.ADIT; Backdoor.IRC.Zapchast.zwrc; IRC/Cloner.CA

Upon execution the sample phones back to the following IRC servers, where the infected host awaits further commands from the botnet masters:

  • 194.109.20.90:6667
  • 208.83.20.130:6667
  • 211.75.246.205:6667
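
One way to sweep proxy and firewall logs for the indicators listed above, separating hosts that only fetched the file from hosts that reached an IRC server. This is an added example, not part of the original post; the log layout, the `triage` and `likely_infected` helper names, the timestamps and the 10.0.0.x hosts are assumptions constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Indicators as published in this post (URL kept defanged at rest).
DOWNLOAD_URL = "hxxp://e-card.serveusers.com/e-greetings.exe"
C2_ENDPOINTS = {("194.109.20.90", 6667), ("208.83.20.130", 6667),
                ("211.75.246.205", 6667)}

def refang(url):
    """Turn a defanged hxxp:// URL back into one urlsplit can parse."""
    return re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE)

DOWNLOAD_HOST = urlsplit(refang(DOWNLOAD_URL)).hostname

# Assumed log layout, one event per line (constructed for this example):
#   <time> <src_ip> HTTP <url>            proxy request
#   <time> <src_ip> CONN <dst_ip>:<port>  outbound TCP connection
LINE_RE = re.compile(r"^(\S+) (\S+) (HTTP|CONN) (\S+)$")

def triage(lines):
    """Map each internal source IP to the campaign stages it was seen in."""
    hits = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # blank or malformed line
        _, src, kind, target = m.groups()
        if kind == "HTTP":
            host = (urlsplit(target).hostname or "").rstrip(".")
            if host == DOWNLOAD_HOST:
                hits.setdefault(src, set()).add("download")
        else:
            dst, _, port = target.rpartition(":")
            try:
                endpoint = (str(ipaddress.ip_address(dst)), int(port))
            except ValueError:
                continue  # destination is not an IP literal with a numeric port
            if endpoint in C2_ENDPOINTS:
                hits.setdefault(src, set()).add("irc_c2")
    return hits

def likely_infected(hits):
    """Hosts that reached an IRC server; a download alone is not execution."""
    return sorted(src for src, stages in hits.items() if "irc_c2" in stages)

# Constructed sample events; the 10.0.0.x hosts are hypothetical.
SAMPLE_LOG = [
    f"09:00:01 10.0.0.5 HTTP {refang(DOWNLOAD_URL)}",
    "09:00:40 10.0.0.5 CONN 208.83.20.130:6667",
    f"09:02:10 10.0.0.8 HTTP {refang(DOWNLOAD_URL)}",
    "09:03:00 10.0.0.7 CONN 211.75.246.205:6667",
    "09:04:00 10.0.0.9 CONN 194.109.20.90:443",   # listed IP, different port
    "09:05:00 10.0.0.9 CONN 192.0.2.10:6667",     # IRC port, unlisted server
]
```

Hosts returned by `likely_infected` are the ones to isolate first, since the sample only contacts the IRC servers after it has been executed.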

Webroot SecureAnywhere customers are protected from this threat.

You can find more about Dancho Danchev at his LinkedIn Profile. You can also follow him on Twitter.