FedWire ‘Your Wire Transfer’ themed emails lead to malware


Over the last day, cybercriminals have launched yet another massive email campaign impersonating FedWire, attempting to trick users into believing that their wire transfer was processed incorrectly. Once a user executes the malicious attachment, their PC automatically becomes part of a botnet operated by the cybercriminals behind the campaign.

More details:

Sample screenshot of the spamvertised email:


Detection rate for the malicious executable:
MD5: 0a3723483e06dcf7e51073972b9d1ef3 – detected by 10 out of 46 antivirus scanners as Trojan-Spy:W32/Zbot.BBHU.

Once executed, the sample creates the following files on the affected hosts:
C:\Documents and Settings\<USER>\Application Data\Ivtycifi.exe
C:\DOCUME~1\<USER>~1\LOCALS~1\Temp\tmp0a13035e.bat

Sets the following Registry Keys/Values:
KEY: HKEY_CURRENT_USER\Software\Microsoft\Espao5eeged2
VALUE: JIDkwp5v1/Oe5S3T8Ma6FeO0Qdc=

Creates the following Mutexes:

It then phones back to the following C&C servers:
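As an added example (not part of the original post), a small triage script that scores host events against the artifacts described above. The two C&C endpoints and the registry key are taken from this post; the event format, the constructed sample events and the generic Zbot-style heuristics (randomly named .exe dropped directly into Application Data, a tmp*.bat in Temp, a random key under HKCU\Software\Microsoft, outbound connections to high non-standard ports) are assumptions of mine, not the sample's confirmed behaviour beyond what is listed here.

```python
import re

# Indicators quoted in the post (the post's full C&C list is much longer).
KNOWN_CC = {("78.139.187.6", 19644), ("123.237.234.67", 17231)}
KNOWN_REG_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Espao5eeged2"

# Behavioural heuristics (assumption, generalising the artifacts above): a
# random-named .exe directly in Application Data, a tmp<8 hex>.bat in Temp,
# and a random-named key directly under HKCU\Software\Microsoft.
APPDATA_EXE = re.compile(r"\\Application Data\\[A-Za-z]{6,12}\.exe$", re.I)
TEMP_BAT = re.compile(r"\\Temp\\tmp[0-9a-f]{8}\.bat$", re.I)
HKCU_MS_KEY = re.compile(r"^HKEY_CURRENT_USER\\Software\\Microsoft\\[A-Za-z0-9]{8,16}$")

def score_events(events):
    """Return (score, reasons) for the events observed on one host."""
    score, reasons = 0, []
    def hit(points, reason):
        nonlocal score
        score += points
        reasons.append(reason)
    for ev in events:
        if ev["type"] == "file_create":
            if APPDATA_EXE.search(ev["path"]):
                hit(2, "random exe in Application Data: " + ev["path"])
            elif TEMP_BAT.search(ev["path"]):
                hit(1, "batch file in Temp: " + ev["path"])
        elif ev["type"] == "reg_set":
            if ev["key"] == KNOWN_REG_KEY:
                hit(3, "known Zbot registry key: " + ev["key"])
            elif HKCU_MS_KEY.match(ev["key"]):
                hit(1, "random key under HKCU\\Software\\Microsoft: " + ev["key"])
        elif ev["type"] == "net_connect":
            dst = (ev["dst_ip"], ev["dst_port"])
            if dst in KNOWN_CC:
                hit(3, "known C&C endpoint: %s:%d" % dst)
            elif ev["dst_port"] >= 10000:  # assumption: high ephemeral-looking ports
                hit(1, "outbound to high non-standard port: %s:%d" % dst)
    return score, reasons

# Constructed sample events (Sysmon-like shape) mirroring the behaviour above.
SAMPLE_EVENTS = [
    {"type": "file_create", "path": r"C:\Documents and Settings\alice\Application Data\Ivtycifi.exe"},
    {"type": "file_create", "path": r"C:\DOCUME~1\alice~1\LOCALS~1\Temp\tmp0a13035e.bat"},
    {"type": "reg_set", "key": r"HKEY_CURRENT_USER\Software\Microsoft\Espao5eeged2"},
    {"type": "net_connect", "dst_ip": "78.139.187.6", "dst_port": 19644},
    {"type": "net_connect", "dst_ip": "192.0.2.10", "dst_port": 443},  # benign, ignored
]

if __name__ == "__main__":
    total, why = score_events(SAMPLE_EVENTS)
    print(total, "\n".join(why), sep="\n")
```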

More malware (SHA256 hashes) samples are known to have phoned back to the same IPs over the last couple of days, for instance:

Webroot SecureAnywhere users are proactively protected from these threats.

You can find more about Dancho Danchev at his LinkedIn Profile. You can also follow him on Twitter.
