By Dancho Danchev
The gang of cybercriminals behind the ‘Magic Malware‘ has launched yet another malicious spam campaign, attempting to trick U.K users into thinking they’ve received a notification for a “New MMS” message. In reality, once users execute the malicious attachment, it will download and drop additional malware on the affected hosts, giving the cybercriminals behind the campaign complete access to the affected host.
Detection rate for the spamvertised archive: MD5: d55f732cc41eaadca1c58b4c3d07e431 – detected by 8 out of 46 antivirus scanners as UDS:DangerousObject.Multi.Generic.
Once executed it phones back to:
hxxp://asdacbxn34.us/area/la.php – (126.96.36.199) – Email: firstname.lastname@example.org
We are aware of two more registered malicious domains using the same email (email@example.com), dating back to 2010:
secretshoper.info/ujd/upit.php – back then used to respond to 188.8.131.52
vertelitt.com/faw/pit.php – back then used to respond to 184.108.40.206
Responding to the same IP (220.127.116.11) is also the following domain ttnetbilglendirme.info.
Detection rate for the dropped _load.exe – MD5: bcadffb2117751fb89a4bb8768681030 – detected by 10 out of 46 antivirus scanners as Trojan.Win32.Generic!BT. It’s interesting to point out that the malware’s PE signature block refers to our colleagues at Mandiant.
Once executed the dropped sample phones back to the following C&C servers:
Another MD5 is known to have phoned back to the same IP (18.104.22.168) MD5: 80b3735863cc59d3edc6e7331a231c88.
Webroot SecureAnywhere users are proactively protected from these threats.