Madi/Mahdi/Flashback OS X connected malware spreading through Skype

Over the past few days, we intercepted a malware campaign that spreads through Skype messages, exclusively coming from already-infected friends or colleagues. Once users click on the shortened link, they're presented with a plain file-download dialog, since the cybercriminals behind the campaign link directly to the malicious executable.

More details:

Sample screenshot of the campaign in action: [Screenshot: Skype message spreading the malware through social engineering]

Sample redirection chain: hxxp://www.goo.gl/aMrTD?image=IMG0540250-JPG -> hxxp://94.242.198.67/images.php -> MD5: f29b78be1cd29b55db94e286d48cddef – detected by 20 out of 46 antivirus scanners as Gen:Variant.Symmi.17255.

More malware is known to have been rotated on the same IP, for instance:
hxxp://94.242.198.67/sg0.exe – MD5: cfaf9e3345bb6dc7204d6ad1a266a4c0 – detected by 9 out of 46 antivirus scanners as Trojan.FakeSky
hxxp://94.242.198.67/ef.exe – MD5: d85639f3e067c2b3eda5aa3a36979b56 – detected by 7 out of 46 antivirus scanners as PWS-Zbot-FARH!D85639F3E067
hxxp://94.242.198.67/stp.exe – MD5: d848763fc366f3ecb45146279b44f16a – detected by 28 out of 46 antivirus scanners as Backdoor.Win32.ZAccess.bsle
hxxp://94.242.198.67/4.exe – MD5: 8c005816a75d63853bcff5c815c638d7 – detected by 11 out of 46 antivirus scanners as Mal/VBCheMan-B
hxxp://94.242.198.67/fbsp.exe – MD5: 09fe80eccb798f33f32792fc303504de – detected by 5 out of 46 antivirus scanners as PWS-Zbot-FARH!09FE80ECCB79
hxxp://94.242.198.67/IMG0540250-JPG.scr – MD5: f29b78be1cd29b55db94e286d48cddef – detected by 20 out of 46 antivirus scanners as Gen:Variant.Symmi.17255

Upon execution, the sample with MD5 d848763fc366f3ecb45146279b44f16a phones back to hxxp://xlotxdxtorwfmvuzfuvtspel.com/RQQgW6RRMZKWdj0xLjImaWQ9MjQ3NzA0MzA5MiZhaWQ9MzAyODcmc2lkPTQmb3M9NS4xLTMyluYwGI8j – 50.62.12.103

What's so special about this IP (50.62.12.103) anyway? It's known to have been used as a C&C for the Madi/Mahdi malware campaign, as well as a C&C for the Flashback Mac OS X malware, proving that someone's definitely multi-tasking.
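The indicators above are only useful once they can be matched against what a network actually saw. The following script is an added example (not part of the original post or of Webroot's tooling): it parses the post's own indicator lines, including the ones where the URL and the "MD5:" label are run together, refangs the hxxp:// URLs, and then runs three checks over constructed proxy and DNS log lines in a made-up key=value layout: a downloaded file's hash against the known samples, the exact URL against the shortened link and the payload URLs, and any contact with 94.242.198.67, the callback domain, or the shared C&C IP 50.62.12.103. The DNS check goes a step beyond the post's domain list: it flags any name that resolves to the C&C IP, which is how a defender catches the next domain rotated onto that infrastructure before it appears on anyone's list. The timestamps, usernames and client addresses in the sample logs are constructed.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Indicator lines copied from the post. The post prints the URL and the "MD5:"
# label run together ("sg0.exeMD5:"), so the parser accepts both layouts.
IOC_TEXT = """
hxxp://94.242.198.67/images.php -> MD5: f29b78be1cd29b55db94e286d48cddef – detected by 20 out of 46 antivirus scanners as Gen:Variant.Symmi.17255
hxxp://94.242.198.67/sg0.exeMD5: cfaf9e3345bb6dc7204d6ad1a266a4c0 – detected by 9 out of 46 antivirus scanners as Trojan.FakeSky
hxxp://94.242.198.67/ef.exeMD5: d85639f3e067c2b3eda5aa3a36979b56 – detected by 7 out of 46 antivirus scanners as PWS-Zbot-FARH!D85639F3E067
hxxp://94.242.198.67/stp.exeMD5: d848763fc366f3ecb45146279b44f16a – detected by 28 out of 46 antivirus scanners as Backdoor.Win32.ZAccess.bsle
hxxp://94.242.198.67/4.exeMD5: 8c005816a75d63853bcff5c815c638d7 – detected by 11 out of 46 antivirus scanners as Mal/VBCheMan-B
hxxp://94.242.198.67/fbsp.exeMD5: 09fe80eccb798f33f32792fc303504de – detected by 5 out of 46 antivirus scanners as PWS-Zbot-FARH!09FE80ECCB79
hxxp://94.242.198.67/IMG0540250-JPG.scrMD5: f29b78be1cd29b55db94e286d48cddef – detected by 20 out of 46 antivirus scanners as Gen:Variant.Symmi.17255
"""
# Infrastructure named in the post: callback domain, shared Madi/Flashback C&C IP,
# and the shortened link that starts the redirection chain.
C2_DOMAINS = {"xlotxdxtorwfmvuzfuvtspel.com"}
C2_IPS = {"50.62.12.103"}
SHORTLINKS = {"http://www.goo.gl/aMrTD?image=IMG0540250-JPG"}

IOC_LINE = re.compile(
    r"(?P<url>hxxps?://\S+?)\s*(?:->\s*)?MD5:\s*(?P<md5>[0-9a-fA-F]{32})"
    r"\s*[–-]\s*detected by (?P<hits>\d+) out of (?P<total>\d+) .* as (?P<name>\S+)"
)


@dataclass(frozen=True)
class Ioc:
    url: str
    md5: str
    hits: int
    total: int
    name: str


def refang(url: str) -> str:
    """Restore the real scheme from the defanged hxxp:// form for comparison with logs."""
    return re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE)


def parse_iocs(text: str = IOC_TEXT) -> list[Ioc]:
    out = []
    for line in text.splitlines():
        m = IOC_LINE.search(line)
        if m:
            out.append(Ioc(refang(m["url"]), m["md5"].lower(),
                           int(m["hits"]), int(m["total"]), m["name"]))
    return out


def _kv(line: str) -> tuple[str, dict]:
    """Constructed log layout: '<timestamp> key=value key=value ...'."""
    ts, *fields = line.split()
    return ts, dict(f.split("=", 1) for f in fields if "=" in f)


def scan_proxy_log(lines, iocs) -> list[tuple[str, str, str]]:
    """Return (timestamp, user, reason) for each proxy record that touches an indicator."""
    urls = {i.url for i in iocs} | SHORTLINKS
    hosts = {urlparse(i.url).hostname for i in iocs} | C2_DOMAINS  # not the shortener host
    hashes = {i.md5 for i in iocs}
    hits = []
    for line in filter(str.strip, lines):
        ts, f = _kv(line)
        url = f.get("url", "")
        if f.get("md5", "").lower() in hashes:
            reason = "downloaded file hash matches a known sample"
        elif url in urls:
            reason = "exact malicious URL (including the shortened link)"
        elif urlparse(url).hostname in hosts or f.get("dst") in C2_IPS:
            reason = "contact with the malware host or C&C"
        else:
            continue
        hits.append((ts, f.get("user", "?"), reason))
    return hits


def scan_dns_log(lines) -> list[tuple[str, str, str]]:
    """Flag every answer that points at the C&C IP, whether the name is listed or not."""
    hits = []
    for line in filter(str.strip, lines):
        ts, f = _kv(line)
        if f.get("answer") in C2_IPS:
            tag = "listed" if f.get("q") in C2_DOMAINS else "unlisted, resolves to C&C IP"
            hits.append((ts, f.get("q", "?"), tag))
    return hits


# Constructed sample logs (not from the post) that follow the redirection chain it describes.
SAMPLE_PROXY_LOG = """\
2013-01-15T10:02:11Z user=alice dst=www.goo.gl url=http://www.goo.gl/aMrTD?image=IMG0540250-JPG status=301
2013-01-15T10:02:12Z user=alice dst=94.242.198.67 url=http://94.242.198.67/images.php status=200 md5=F29B78BE1CD29B55DB94E286D48CDDEF
2013-01-15T10:04:40Z user=alice dst=xlotxdxtorwfmvuzfuvtspel.com url=http://xlotxdxtorwfmvuzfuvtspel.com/RQQgW6RRMZKWdj0xLjImaWQ9MjQ3NzA0MzA5MiZhaWQ9MzAyODcmc2lkPTQmb3M9NS4xLTMyluYwGI8j status=200
2013-01-15T10:05:00Z user=bob dst=example.org url=http://example.org/index.html status=200
2013-01-15T10:06:30Z user=carol dst=94.242.198.67 url=http://94.242.198.67/not-yet-listed.exe status=200
"""
SAMPLE_DNS_LOG = """\
2013-01-15T10:04:39Z client=10.0.0.5 q=xlotxdxtorwfmvuzfuvtspel.com type=A answer=50.62.12.103
2013-01-15T10:07:02Z client=10.0.0.9 q=not-yet-listed.example type=A answer=50.62.12.103
2013-01-15T10:07:10Z client=10.0.0.9 q=example.org type=A answer=198.51.100.7
"""

if __name__ == "__main__":
    iocs = parse_iocs()
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG.splitlines(), iocs):
        print("proxy", *hit)
    for hit in scan_dns_log(SAMPLE_DNS_LOG.splitlines()):
        print("dns", *hit)
```

Two design points matter in practice. The shortener host (goo.gl) is deliberately kept out of the host set and matched only as the exact URL, because blocking the shortener itself would break legitimate traffic; the payload IP, by contrast, is matched at host level, which is what catches carol's download of a file that is not on the list yet. Likewise the DNS check keys on the answer, not the query, so a fresh domain pointed at 50.62.12.103 is flagged the first time a client resolves it.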

The following malicious domains are also known to have resolved to the same IP (50.62.12.103):
026ac50bb7a03a66.net
12eriujdjdjjdunog.info
advantcedmtleaps.com
advdomain2.com
advisitormetrics.com
aefixclfrsdjfvxeasjzbortwvg.info
aeorclucdlhzdzdmdqhyppn.info
airbusnotemountain.com
aivlmxgiwe.com
alnvggqlpfcnirw.info
amnsreiuojy.biz
aofligawxeoadyndns.info
aoflkpshxeoadyndns.info
apenhaimcanadaupdate4.com
appnetgroucom.com
asduihdqkbnbmzcvhgasd.info
asjdiweur87wsdcnb.info
aspnet5ulalalala-lux-premium.info
auumhjwopdlunno.info
avilantup.com
awbjrtehedel.com
b08e6870b2a1ef9e.com
b18h34h34l68duezgsm29luorgybsdrlvcrdr.info
betikpshxeoadyndns.info
betiyfadxeoadyndns.info
bgdqfddrqwpfou.info
blogsmoneyok.info
bniwedsafe.com
bol3eraxermitser27erty.com
bpfq02.info
buglethilliam.com
bwincdwtyxsorh.info
bxnet-nt.com
bxrsnconnect.com
byfihmfadedaguozhihiditcibpqg.info
camareserqw2.info
camnetfbvoor5.info
camnetfdfoor4.info
camnetqwfoor4.info
carambmaining.net
carambmaining56.net
carambmainings.net
caravelaoroltd.com
cfcdgvwxnbwcs.info
cfirjgkgirkxkh.info
cfqwmwlmyuvln.info
citroncomutroner.com
cleansales-agent9.info
collach.com
commonftsformbs.com
compactwinse.net
cqtssgpduscfuaikjeagmozljnrylzt.info
cydzctpxd10crf12aukueqgwo31lunyivjz.info
cyuxrqripzalpspqkoldwlabx.com
data-forumziforsexxi01.info
defeatswirly1.net
dfgpoidpoitertert.com
dggubvhxorb.com
dihhcezdkzdipcijbtskzeuvsh.info
dikixy.info
ditwkukaylebyxhmmzjqoj.info
diulbrcwogazxrukkbqdikzhmlyh.info
djnokpshxeoadyndns.info
dkjphajyjkfpxxa.info
dljtigawxeoadyndns.info
dljtkpshxeoadyndns.info
dmpzmzxkrofibgytnfuuw.info
dnayapontis.com
dodofofo.com
dofipsdfkjfifps.com
doubtcatch.net
dririgawxeoadyndns.info
dsmfwjivipeysga.info
dspuigawxeoadyndns.info
dspukpshxeoadyndns.info
dwveuejf.com
dxfetecs.biz
dzp52mrlrjunzo11a17pzj16nzcspzhqpzhw.info
dzsmahpcki.info
e41jqd40argtp22owfrjrg13kudqareqbxe11.info
e51lzlvfsg23htf12hrlzb38p12i55orhxoxcy.info
earthwithoutmee1.com
eeejudpyefmsnd.info
eigauvlvljonlnhxpnh.info
elementarimagine.net
emphasissmartlists.org
emvshokudjpxoxqfa.com
erthgeneraleboss.com
etlfexgfuxctbypvidxopcq.info
eudbmmrxdmthyqwlhltkro.info
euolaulmala.com
evuhdwnkmrljqx.info
ezcnigawxeoadyndns.info
f5ds1jkkk4d.info
fghgng44fgjl82509dfg83df.com
fhnqskxxwloxl.info
freelife4ever.com
froyoexplainss.com
fsdrpxvgmmvfiq.info
fshopadobes.com
fssjpikqkysxx.info
fuaihaughbdgmp.info
fzbtf32ozmto61kqktowd10cyo31gvitiqgw.info
g1ikdcvns3sdsal.info
galwayupdate6.com
gebhesroater.com
generalseoptimization1.com
ghgng43fgjl82309dfg99df4.com
gmtkkhmnbudlbobaepnhyhiyh.info
googlesafebrowsing-ads.com
goopywilsp92.net
gqnjdudibuphikjsdcuhl.info
grayhorse-love1.info
greatsummerplaya.com
gsvlynnaafkef.info
gvbvgreve45by4dd33.com
gwbybehycpxpshd.info
h44d40pxhqevnwh54gwb58n40kwozpsdxd40c29.info
h8x79bn8x798vnvddddxcv87o8xb9x7b7cv9c.com
he3ns1k.info
heskrklvtvokzdvyuwhagizor.info
hgng43fgjl82309dfg8df4.com
hivqwbnkasisil.info
hjdfhjpqhf4vzskdjui123123.org
hjdfhjpqhf5vzskdjui123123.org
hqasf52jyowhzpvoqn20l28l68mycyoza57f42.info
huheramantukisloktusos.com
hunlwtjaag.com
hwpdigawxeoadyndns.info
hyqopmvtwrgdagyaqbutwprcwc.info
ibmzuwqsugnvpjuotkgfmnrdezl.info
ibpvgmxyphtsgaydtsgtwqwkvmr.info
idontworkanymooree.com
ieoverobots.com
ieujje239cm.com
iffqqrgvkdlbtsofrfipbdiwcytpj.info
igawigawxeoadyndns.biz
igawigawxeoadyndns.info
igpcuvalgvbfaf.info
iqkydbxjfodro.net
ivpdakfaifyhihnvjftdaikn.info
iwuyrvtylnojde.info
ixcmzbffyie.com
jckhbgjj.com
jeceryn.info
jegh34kjhwe8889321.com
jewuqyjywyv.eu
jghidxcalkrrw.info
jgsowwnlbieyv.info
jifyhsqkbyykzamdeuceakjf.info
jimsterdark3746.com
jknceldiknaxgmnfgedd.info
jks49sdgrled9.com
jkuniversepoolz4356.net
jrttuuemjk.biz
jumperbartons54.net
justiceforpeople.net
keywordkr.com
kfbavaqqwrnjlmkrl.com
kgqzirish.com
kinstelertiong.com
kjuhhwiusatt.org
kkagkpshxeoadyndns.info
kkdydy.com
koreasys2.com
koteroselvo.com
kpshigawxeoadyndns.info
kpshkpshxeoadyndns.info
krexjdsamdx.com
ktiijejk.biz
kuddkpshxeoadyndns.info
kulnd.com
kvukggykrrchguormgmjbyroce.info
lbaviecejxft.info
lenexiusdeotime.net
lequkvmlratgsm.info
lettheimmoralityrule2.org
ljsomjonmvushavkgaqwtpzjf.info
lnprpshztsceyoblrzrowcfiauae.info
look4profits1.net
lordoftheworld20.com
louqwesas.com
lowdonfon-you2.com
lpjwscxnwpqkaq.com
lpnzrseayswdydwcivzprfqs.info
lruwxvqgruwswrwifhymzmnyleu.info
lshsjokjjgtmm.net
lutsvwgyuwhvkganrvofmwk.info
lvhsspkwyevfca.info
lxpznvbqewh14k47pqc19i35g13fzjrnri45av.info
lye21h44f62atb68e21c29b28ish34m39mwp62ive11.info
majakil.in
mamo-counter777.net
mathekrundesma.com
mbpffaxalpzvvfdbqditomrbe.info
megatraff.org
merchantinhouse3.info
micapredelpport.com
micorsslow-tool1.com
microcaroinos3.com
microsoft-db-tool-new2.com
microupdate14.info
miecjlosmoliu.info
miraclegroupscom.com
mkkuei4kdsz.com
mkvrpknidkurcrftiqsfjqdxbn.com
moneybase55.biz
mopiiueus.com
mswqfsqgtcsluvy.info
mtfsf42e11oxmrfwd20fvg53o41aupvexmyjv.info
mtjugjbwwldfl.info
mxfhfg.info
mydataqwedds.info
myvokpshxeoadyndns.info
n8l9l7u5.info
nahuyaverov6091.info
navegadordelcaribe.com
nblraumbahittwwglzxeawgztaqlv.info
nkbfpywlvglrb.info
ns2275ab.com
nsiykpshxeoadyndns.info
nvauuoeqwpbqcmrltskrlrrsrwqg.info
nvprtvwozqkdrspnxsifjvpdi.info
nxoqhmpbjzhdqxwqbysgugzhmfa.info
oaifpapl.com
obmfvijftylgjpf.com
obnyi-pesxbeg.net
oeurkpshxeoadyndns.info
oiicmtkpkaocnm.info
ok-money-blogs.info
ovjxnjrowtuu.info
pepbigawxeoadyndns.info
pgiqlkbgdooiypl.info
phgxesbwepuic.info
phsrednog.com
piltfjdxqxjkflb.info
prbktcowpvjmr.net
prgeuzydfucylrqspgigiyl.info
pricheshueisherstkugladko.com
protectionadaptss.com
proton-tm9999999.org
proxy-freedoservice.com
ptlbaemhupbcuizguvszddyqk.info
pxvlcs.info
qedoluv.info
qekyqop.com
qetyfuv.com
qllrpq.com
quitfsasaf144new.net
recorduntil.net
redqtdidmcrxbnd.com
reuirbgeuihrweiufheeey.com
rgelkpshxeoadyndns.info
rnwpigawxeoadyndns.info
rnwpkpshxeoadyndns.info
rqqyfomgpnqqfrnn.info
rytepyv.net
s87g7g81ffsdb.com
satriavision.net
savetimeforyooooulife2013.net
sewjdnmm93.com
sfunnywb.net
sibirturizm-extrim2015.info
singleshotscreen.info
skwkpfaqacfdyvv.info
smspex201.com
soddddfdddda.com
soldhvzyqa.com
stainlessnetcombizzer.com
stebqigidqbnaqu.info
stxeapbewbblp.net
styerw45ork9.net
submit-moonlight-pictures.info
tiktak10.com
tillcollpsextreme.com
tnyshuxmiax.com
tpgbtomvader.com
tpstneuknash.com
trucolorcfgdeo.net
tspddtovautjvtcethathm.info
ttncvthmewyexig.info
ubibictj.biz
ufvgtnnmukdmjb.info
uislggelds.com
ukiixagdbdkd.com
ultimaresources.com
uonbydpfalnaufmjylpfjvrdmb.info
uopobqtyhorogupjdcigl.info
uredasqopjerl.net
uwidierihon.com
vapu.info
vasjokmoz65etvssat123.com
vd93mkkj9d87g9d.com
verifyservicenetwebs.com
vieajzkg.info
vijthukg.com
vipreclod.com
viqtkpshxeoadyndns.info
vjlvchretllifcsgynuq.com
vjseqysltlteksy.info
voloerdpsoeudjl.com
vpcwmobama.com
vperedzaddos.com
vrvtgirixixepis.info
vvvjecojmbju.info
vwqoxobapgehxseufamwgrs.info
wamuv.com
werbadvsrvpoints.net
whycclrtpekoidf.info
windnetsteels.com
winsoft3.com
wiovtvolveras.com
wjcfvktlefqhigp.info
wnvshbuoil.net
womancasdorinosvictor.com
wvwuihci.biz
xlotxdxtorwfmvuzfuvtspel.com
xsqgafytwjygwl.info
xunwrhxtwgwylr.info
yfadigawxeoadyndns.biz
yfadigawxeoadyndns.info
yjaqgsmksfcd.info
ymjgdminmont.com
yoillzlag.net
yrfaimwtpkelc.info
yvknkdqeouqqpbo.info
zjdgrkry.com
zlxlkpshxeoadyndns.info

Webroot SecureAnywhere users are proactively protected from these threats.

You can find more about Dancho Danchev at his LinkedIn Profile. You can also follow him on Twitter.
