November 16, 2012 By Dancho Danchev

Cybercriminals spamvertise bogus eFax Corporate delivery messages, serve multiple malware variants

Cybercriminals are currently mass mailing millions of emails trying to trick recipients into executing malicious attachments pitched as recently arrived fax messages. Upon running the malicious executables, users are exposed to a variety of dropped malware variants in a clear attempt by the cybercriminals to add additional layers of monetization to the campaign.

More details:

Sample screenshot of the spamvertised email:

Detection rate for the malicious executable: MD5: 16625f5ee30ba33945b807fb0b8b2f9e – detected by 37 out of 43 antivirus scanners as Trojan-PSW.Win32.Tepfer.blbl

Upon execution, it attempts to connect to the following domains:
192.5.5.241
ser.foryourcatonly.com
ser.luckypetspetsitting.com
dechotheband.gr
barisdogalurunler.com
alpertarimurunleri.com
oneglobalexchange.com
rumanas.org
www.10130138.wavelearn.de
visiosofttechnologies.com
sgisolution.com.br
plusloinart.be
marengoit.pl

It then downloads additional malicious payload from the following URLs:
hxxp://dechotheband.gr/5Wjm3iV2.exe
hxxp://barisdogalurunler.com/9BMu2.exe
hxxp://alpertarimurunleri.com/rRq.exe
hxxp://oneglobalexchange.com/19J.exe – ACTIVE
hxxp://rumanas.org/1vAWoxz3.exe
hxxp://www.10130138.wavelearn.de/4pxp.exe
hxxp://visiosofttechnologies.com/iDm9vs.exe
hxxp://sgisolution.com.br/jq5.exe - ACTIVE
hxxp://plusloinart.be/Ue7cHNm.exe - ACTIVE
hxxp://marengoit.pl/ZBrBpBh2.exe

Detection rate for a sample downloaded executable: 19J.exe – MD5: 1dc5c0ee228354b2e11aefbd119ef852 – detected by 36 out of 44 antivirus scanners as Trojan-Spy.Win32.Zbot.ggfs

This sample creates the following MD5s on the affected host:
tykiy.exe – MD5: 69A45269B0A43F4FE65B81C1833A2B3B
cafaha.yja – MD5: 507A43E36DB0F1A918C674874D72C9F3
tmp61346667.bat – MD5: 8F7B621E6AEB966B9C2005940498A404

Detection rate for the second downloaded executable: jq5.exe – MD5: c9f5d0ba1caa54d0537d60eead26534e – detected by 36 out of 43 antivirus scanners as Trojan-Spy.Win32.Zbot.gbga

Detection rate for the third downloaded executable: Ue7cHNm.exe – MD5: a7772183d2650d9d4f26ffa02fd41d64 – detected by 33 out of 44 antivirus scanners as Trojan-Spy.Win32.Zbot.gfrt

It creates the following MD5s on the affected host:
vaimhi.exe – MD5: 185F9F098069FE0C77DF524E7495CBFF
urliz.jew – MD5: C05DB33DA1109C86787C3AB314D14BE6
tmp291a82a0.bat – MD5: FF2E914D76BDA16724875294B1EE7327

The following MD5s are also known to have been downloaded by an affected host in a similar fashion:
MD5: 25098F408CFA013FA246B94622D1044A – detected by 32 out of 44 antivirus scanners as Trojan-Spy.Win32.Zbot.gazz
MD5: 79090DE7377E7CCB06DC26634EA914A6 – detected by 34 out of 43 antivirus scanners as Trojan-Spy.Win32.Zbot.gawd

The following MD5 also downloaded in the campaign is known to have phoned back to the following C&C server:
MD5: 2FC39B95A36BDD61C44BAAD205BCC2EC – detected by 30 out of 44 antivirus scanners as VirTool:Win32/CeeInject

Phone back URL:
hxxp://oftechnologies.co.in/update/777/img.php?gimmeImg – 130.185.73.102, AS48434 – Email: melody_mccarroll38@indyracers.com
Name Server:NS1.INVITEDNS.COM
Name Server:NS2.INVITEDNS.COM

The following malicious domain responds to the same IP:
updateswindowspc.net

The following malicious domains are also known to have responded to the same IP (130.185.73.102) in the past:
warrantynetwork.co.inMD5: c80c3e16b17309fbcabdd402649faab5 is known to have phoned back there – detected by 33 out of 44 antivirus scanners as Trojan:Win32/Grymegat.B
amendenhancements.net.inMD5: B1206CB15B85DDBF6FC411FE9C1FB808 is known to have phoned back there – detected by 17 out of 44 antivirus scanners as Trojan:Win32/Grymegat.B
homedrakx.net.in

Webroot SecureAnywhere users are proactively protected from these threats.

You can find more about Dancho Danchev at his LinkedIn Profile. You can also follow him on  Twitter.

Share Button
0 comments
true