By Dancho Danchev

Cybercriminals are currently spamvertising tens of thousands of bogus emails impersonating New York State’s Department of Motor Vehicles (DMV) in an attempt to trick users into thinking they’ve received a uniform traffic ticket that they should open, print and send to their town’s court.

In reality, once users open and execute the malicious attachment, their PCs automatically join the botnet operated by the cybercriminal(s) behind the campaign.

More details:

Sample screenshot of the spamvertised email:

[Screenshot: fake New York State DMV uniform traffic ticket email]

Detection rate for the malicious executable: MD5: 247c67cb99922fd4d0e2ca5d6976fc29 – detected by 23 out of 46 antivirus scanners as Trojan-Spy.Win32.Zbot.lhim.

Once executed, the sample creates the following files on the affected hosts:
%AppData%\Xayfyksyi.exe – MD5: 3173A9539F42364205093BB5112F0350
%AppData%\oqucxa.awe – MD5: B7C26E50553C33AA87C8A4215A7FCC72
%Temp%\tmp3bf1628f.bat – MD5: 639D147E3E1DD618D1E773BB7CFC98F2

The following Registry Keys:
HKEY_CURRENT_USER\Software\Microsoft\Biqol

As well as the following Registry Values:
[HKEY_CURRENT_USER\Identities] -> Identity Login = 0x00098053
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] -> {3DFA1AE4-115C-AD7B-A6BA-A75086AF8442} = "%AppData%\Xayfyksyi.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Biqol] -> eigbe47 = "BGr6IhOgjQY="; b1ee1d5 = 18 6A 9B 22; 218d92bh = E6 29 9B 22 06 CA BA 06 39 CE D7 3B
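The Run value above has two traits a defender can hunt for on any host, not just this sample: a value name that is nothing but a GUID, and a command that launches an executable from the roaming profile (%AppData%). The following Python script is an added example, not code from the original post or from Webroot; it parses a small Run-key export in the .reg text format (an assumption about the input format) and flags values showing either trait. The export is constructed for the example: it contains the value listed in the post beside two benign entries invented for contrast.

```python
import re

# Constructed .reg-style export of the Run key. The GUID-named value is the
# one listed in the post; "OneDrive" and "Updater" are benign entries
# invented for contrast.
SAMPLE_REG_EXPORT = r'''
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"{3DFA1AE4-115C-AD7B-A6BA-A75086AF8442}"="\"%AppData%\\Xayfyksyi.exe\""
"Updater"="C:\\Program Files\\Vendor\\updater.exe"
'''

RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"

# A value name that is nothing but a {GUID}.
GUID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")
# "name"="data" lines; both sides may contain backslash-escaped quotes and backslashes.
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
# Commands that launch from the roaming profile (%AppData%).
APPDATA_RE = re.compile(r"%appdata%|\\appdata\\roaming\\", re.IGNORECASE)


def _unescape(s):
    # Undo .reg escaping: a backslash followed by any character yields that character.
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text):
    """Return (key, value_name, data) triples for the string values in a .reg export."""
    key, entries = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            entries.append((key, _unescape(m.group(1)), _unescape(m.group(2))))
    return entries


def triage_run_entries(text):
    """Flag Run-key values showing the traits of the persistence entry in the post."""
    findings = []
    for key, name, data in parse_reg_export(text):
        if key.lower() != RUN_KEY.lower():
            continue
        reasons = []
        if GUID_RE.match(name):
            reasons.append("value name is a bare GUID")
        if APPDATA_RE.search(data):
            reasons.append("command launches from %AppData%")
        if reasons:
            findings.append({"name": name, "command": data, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage_run_entries(SAMPLE_REG_EXPORT):
        print(f["name"], "->", f["command"], ";", "; ".join(f["reasons"]))
```

Only the GUID-named value is reported; the OneDrive entry lives under AppData\Local rather than the roaming profile and is left alone, which is why the check looks for %AppData% or \AppData\Roaming\ specifically rather than the word AppData anywhere in the path.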

The following Mutexes:
Global\{CB561546-E774-D5EA-8F92-61FCBA8C42EE}
Global\{644DF5F7-07C5-7AF1-0508-B06D3016937F}
Global\{644DF5F7-07C5-7AF1-7109-B06D4417937F}
Global\{644DF5F7-07C5-7AF1-490A-B06D7C14937F}
Global\{644DF5F7-07C5-7AF1-610A-B06D5414937F}
Global\{644DF5F7-07C5-7AF1-8D0A-B06DB814937F}
Global\{644DF5F7-07C5-7AF1-990A-B06DAC14937F}
Global\{644DF5F7-07C5-7AF1-350B-B06D0015937F}
Global\{644DF5F7-07C5-7AF1-610B-B06D5415937F}
Global\{644DF5F7-07C5-7AF1-BD0B-B06D8815937F}
Global\{644DF5F7-07C5-7AF1-190C-B06D2C12937F}
Global\{644DF5F7-07C5-7AF1-4D0C-B06D7812937F}
Global\{644DF5F7-07C5-7AF1-750C-B06D4012937F}
Global\{644DF5F7-07C5-7AF1-B50D-B06D8013937F}
Global\{644DF5F7-07C5-7AF1-290E-B06D1C10937F}
Global\{644DF5F7-07C5-7AF1-610E-B06D5410937F}
Global\{644DF5F7-07C5-7AF1-E508-B06DD016937F}
Global\{644DF5F7-07C5-7AF1-FD0B-B06DC815937F}
Global\{644DF5F7-07C5-7AF1-190D-B06D2C13937F}
Global\{644DF5F7-07C5-7AF1-150D-B06D2013937F}
Global\{644DF5F7-07C5-7AF1-D109-B06DE417937F}
Global\{340FE32E-111C-2AB3-8F92-61FCBA8C42EE}
Global\{38E3341C-C62E-265F-8F92-61FCBA8C42EE}
Global\{EEE5022F-F01D-F059-8F92-61FCBA8C42EE}
Global\{340FE329-111B-2AB3-8F92-61FCBA8C42EE}
Global\{5E370004-F236-408B-8F92-61FCBA8C42EE}
Global\{644DF5F7-07C5-7AF1-790B-B06D4C15937F}
Local\{55E9553D-A70F-4B55-8F92-61FCBA8C42EE}
Local\{55E9553C-A70E-4B55-8F92-61FCBA8C42EE}
Local\{744F300D-C23F-6AF3-8F92-61FCBA8C42EE}

It then phones back to the following C&C servers:
109.133.89.74:12851
180.248.91.99:23798
186.134.187.62:13338
187.172.45.5:11680
2.96.42.157:22487
37.232.27.130:11815
64.231.249.250:27667
69.77.132.197:13027
94.240.224.115:27794
168.150.243.11
173.225.242.27
176.73.238.72
190.15.128.210
195.169.125.228
199.59.157.124
2.96.42.157
70.140.36.61
75.131.19.253
75.64.131.25
76.245.44.216
79.50.36.133
90.156.118.144
95.239.225.8
95.86.104.231
99.251.147.34
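The list mixes two indicator forms: "ip:port" pairs, which should only match traffic to that exact port, and bare IPs, which should match any port (note that 2.96.42.157 appears in both forms, so any port on it is of interest). The following Python script is an added example, not code from the original post or from Webroot: it loads the list as published, then runs it over a handful of connection-log lines constructed for the example (the key=value log format, the timestamps and the internal addresses are all invented) and reports the records whose destination hits a listed C&C endpoint.

```python
import ipaddress
import re

# C&C indicators exactly as listed in the post: "ip:port" entries and bare IPs.
CNC_INDICATORS = """
109.133.89.74:12851
180.248.91.99:23798
186.134.187.62:13338
187.172.45.5:11680
2.96.42.157:22487
37.232.27.130:11815
64.231.249.250:27667
69.77.132.197:13027
94.240.224.115:27794
168.150.243.11
173.225.242.27
176.73.238.72
190.15.128.210
195.169.125.228
199.59.157.124
2.96.42.157
70.140.36.61
75.131.19.253
75.64.131.25
76.245.44.216
79.50.36.133
90.156.118.144
95.239.225.8
95.86.104.231
99.251.147.34
"""

# Constructed connection-log lines (key=value style); timestamps, internal
# addresses and the log format itself are invented for the example.
SAMPLE_LOG = [
    "2012-09-14T10:22:03Z src=10.0.0.5:49211 dst=109.133.89.74:12851 proto=tcp",
    "2012-09-14T10:22:09Z src=10.0.0.5:49212 dst=109.133.89.74:443 proto=tcp",
    "2012-09-14T10:23:41Z src=10.0.0.7:51002 dst=2.96.42.157:8080 proto=tcp",
    "2012-09-14T10:24:00Z src=10.0.0.7:51003 dst=198.51.100.10:443 proto=tcp",
    "this line is not a connection record",
]

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+src=(?P<src>[\d.]+):(?P<sport>\d+)\s+dst=(?P<dst>[\d.]+):(?P<dport>\d+)"
)

ANY_PORT = None  # marker stored for a bare-IP indicator


def load_indicators(text):
    """Build {ip: set of ports}; ANY_PORT in the set means the bare IP was listed."""
    table = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        ip, _, port = line.partition(":")
        ipaddress.ip_address(ip)  # raises ValueError on a malformed indicator
        table.setdefault(ip, set()).add(int(port) if port else ANY_PORT)
    return table


def match_connections(log_lines, table):
    """Return the records whose destination matches a listed C&C endpoint."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip anything that is not a connection record
        dst, dport = m.group("dst"), int(m.group("dport"))
        ports = table.get(dst)
        if ports is None:
            continue
        if ANY_PORT in ports or dport in ports:
            hits.append({
                "ts": m.group("ts"), "src": m.group("src"),
                "dst": dst, "dport": dport, "any_port": ANY_PORT in ports,
            })
    return hits


if __name__ == "__main__":
    table = load_indicators(CNC_INDICATORS)
    for hit in match_connections(SAMPLE_LOG, table):
        print(hit)
```

Of the four well-formed records, two are reported: the connection to 109.133.89.74 on its listed port, and the one to 2.96.42.157 on an unlisted port, which still matches because that address is also listed bare. The connection to 109.133.89.74:443 is not reported, since only port 12851 is listed for that address; whether to treat any traffic to an "ip:port" indicator's address as suspicious is a tuning decision for the analyst.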

More malware samples are known to have phoned back to the same IPs. For instance:
MD5: 247c67cb99922fd4d0e2ca5d6976fc29
MD5: e9017fcf0e2416043cb7a5a7996e72f6
MD5: ed6cf29f0a48d8eafebfa0f51a2abe9e
MD5: 543ef490d269a61b128964f8176d299e
MD5: 3c70d82bc49668c5367fc8792371fec6
MD5: 917e3cbb690e233d4f20fd7e8b4afaf3
MD5: 7c993d383a1165957541eb2d289eea85
MD5: cdad47cb2d1db132daf21da73145aa18
MD5: 1977f4861cf67c1012c6e92c2e39283e
MD5: fdbfdb6c5b5796e32298f2e53cb1cb90
MD5: cf88b3f3b40a9a268d5f5c1b261acc33
MD5: 7ec06721bc935fcbfb319265b8b8cff8
MD5: 7c17d897aef6e526dadf2b4699323488
MD5: c8168b0a88f90014c451a4770213c9a7
MD5: 346efdfb527e5c602aaf55835c9671e7
MD5: 3495df769588f3f5f40ee25841aecaed
MD5: 50d5441a4c0dc1742ab0b5a05a6f4e4b
MD5: e58cfb3f79b565de3fa61c2235377e0f
MD5: a4bf232cdbebc90b9b3d74cc8c1f9d2a
MD5: 259660c9323f1f0f132cdb9c4789f915
MD5: 2fa2e3281be7e45488ce64b6cb6581bb
MD5: 82ce8e9521d72c4951430a34864493d3
MD5: d444dc8dfe7fbce52429c62af1dc5b16
MD5: 805f125fb367dccec1551b881695b1d6
MD5: 9d61ff0d27188b129d5fc97ba45aa599
MD5: 59251b43d35702f5cd197e452a44ea7b
MD5: 1a86caab899ca5ddf663c8467235ff01
MD5: b072dbf799a590bbe7b80238542fa2af
MD5: 8f54130a4b7407dbea864449f6908804
MD5: 2060eb24b10d436e5294960672677ce8
MD5: 46c606fe5dbc061f0be6cc6866705c9f
MD5: 00cd81d1d0fc916ab0b304600dad2058
MD5: 367bbef986b336c1bb9335b9e61fcf24
MD5: 72d96fbd89fac18832a040d7d9cbcd8c
MD5: 329e5b0bc4e75e879f1cc393ca043288
MD5: 518352a7be3a343fd9b431652b4293dc
MD5: 5b9637cbc07f32cd30e320899304cb7f
MD5: f24f1b1f59fb82328aa59d43b12eabd3
MD5: 70e4efbe6f4e09f6c3bb2407c693e057
MD5: 5f9d4fef21708fd4e10d6e80bb8a733c
MD5: 87f3b9e991b9830caf7841e414ea88fe
MD5: 893ccedad0c1f6b01e3868f66b4744f8
MD5: d4ee3105ae4c44d2985e8faae7f1044b
MD5: 1adf7905418cfcb51a95ca34cecf6c05
MD5: 03b6f974e7115cf5f13644bf81caac04
MD5: 42d9ec294e32c4df6e2ebdddd35c7fd8
MD5: d952792a2a46aafb38b6129df44b1079
MD5: bb67064fa8cb28de34d56bb76d935cf0
MD5: 77d3bd676cad6c8b186297a84dafc48d
MD5: 3b67c763a7a317238e788c54d09b8de0
MD5: 88b4905975113b4d544d49665d16e821
MD5: f27de781f9b844e177177e128a203ef1
MD5: 6de4ea5063f204186e26a3ad35336d01
MD5: 1b2223a8e0f4b29a68496c40741d1c7a
MD5: 85f261b22746e5e63948d8afe3f1e129
MD5: 7abbcd050c8f2ad5c9ef720f653137df
MD5: b053b4dc84de1a85ee626ea86eba8052
MD5: 9d6ec02156c3f67f14867efbc1af59c0
MD5: f099871c4d8c1c0c934c3775e375d795
MD5: ae79af10ce52db3c162d65f0cbabd062
MD5: ec968e27f8647310485870477816276d
MD5: 5b91f61a83f2549ceba4e03cf6f84a84
MD5: 7c5dff882e56d4e372661fb951fe061b
MD5: 294cd29658de52e01f392fc03bf80f9f
MD5: 6a5a717a1f9e2d4f201b0f32ff2ff859
MD5: 69eb93af2d176497bd95081d223eab39
MD5: 661baa1231158ba77e9a8b5c62f08ec3
MD5: 64180426af81153b2375308ea4529327
MD5: 44442f6a1e8c3e0bc573bebd40ca06b8
MD5: 8b09db751a82994adb70fd01211c9983
MD5: 160ee078326901832bcd8402cec42811
MD5: 54282d7d67ccdb2357ae4bd6cec050fc
MD5: febc26304b45fe1ca3bd01cdda1a5916
MD5: 4b98dd5c4cebaaa024d0448df0c2926c
MD5: 65afe0d5a6601a55224f37893eb7a12d
MD5: c73b6fb824845d3c037dc610dc75d551
MD5: 476a16169ba2f4b49738883dcaa4142f
MD5: 5e6e7926f9ea856e82a8d5d641486776
MD5: 32fafadece23b75661a6c189cbb6804e
MD5: 9eef1a1ce5c3b5d7ba7feec91290fa22
MD5: 337f370b4660cc164a64d12566672b70
MD5: d6e3fe2a9d7af6f8d35ee70b0d354ce2
MD5: a9c753ad53f465def07bdd3f37becccc
MD5: aa3a3e8da07b301960bfb27b57676fab
MD5: 87ae40f0e5ce4fd5f249a7b550b88a2c
MD5: 7381bbece8166e37a6125625d29c99ea

Webroot SecureAnywhere users are proactively protected from these threats.

You can find more about Dancho Danchev at his LinkedIn Profile. You can also follow him on Twitter.
