Newly launched ‘Magic Malware’ spam campaign relies on bogus ‘New MMS’ messages


By Dancho Danchev

The gang of cybercriminals behind the ‘Magic Malware’ has launched yet another malicious spam campaign, attempting to trick U.K. users into thinking they’ve received a notification for a “New MMS” message. In reality, once users execute the malicious attachment, it downloads and drops additional malware on the affected host, giving the cybercriminals behind the campaign complete access to it.

More details:

Detection rate for the spamvertised archive: MD5: d55f732cc41eaadca1c58b4c3d07e431 - detected by 8 out of 46 antivirus scanners as UDS:DangerousObject.Multi.Generic.

Once executed, it phones back to:
hxxp://asdacbxn34.us/area/la.php – (178.208.91.5) – registrant email: iavorscaia@gmail.com
hxxp://178.208.82.164/_load.exe

We are aware of two more registered malicious domains using the same email (iavorscaia@gmail.com), dating back to 2010:
secretshoper.info/ujd/upit.php – back then used to respond to 91.206.201.222
vertelitt.com/faw/pit.php – back then used to respond to 91.206.201.200

The domain ttnetbilglendirme.info also responds to the same IP (178.208.91.5).

Detection rate for the dropped _load.exe: MD5: bcadffb2117751fb89a4bb8768681030 - detected by 10 out of 46 antivirus scanners as Trojan.Win32.Generic!BT. It’s interesting to point out that the malware’s PE signature block refers to our colleagues at Mandiant.

Once executed, the dropped sample phones back to the following C&C servers:
94.23.234.36
94.23.203.74
94.23.219.182:10080

Another sample, MD5: 80b3735863cc59d3edc6e7331a231c88, is known to have phoned back to the same IP (94.23.234.36).

Webroot SecureAnywhere users are proactively protected from these threats.

You can find more about Dancho Danchev at his LinkedIn Profile. You can also follow him on Twitter.
