Fake ‘Export License/Payment Invoice’ themed emails lead to malware

By Dancho Danchev

We have just intercepted yet another currently ongoing malicious spam campaign, enticing users into executing a fake Export License/Payment Invoice attachment. Once gullible and socially engineered users do so, their PCs automatically join the botnet operated by the cybercriminals.

More details:

Detection rate for the malicious executable: MD5: 4e7dc191117a6f30dd429cc619041552 – detected by 33 out of 47 antivirus scanners as Trojan.Win32.Inject.foiq; Trojan.Zbot.

Once executed, the sample starts listening on port 28723.

It then creates the following file on the affected hosts:
%AppData%\Wyifdylo.exe

The following Registry Key:
HKEY_CURRENT_USER\Software\Microsoft\Ufoda

The following Registry Values:
[HKEY_CURRENT_USER\Identities] -> Identity Login = 0x00098053
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] -> {3DFA1AE4-115C-AD7B-A6BA-A75086AF8442} = "%AppData%\Wyifdylo.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Ufoda] -> 298j5icj = 19 F6 D3 3E 87 FA CB 0A F4 B2; 25cdfb7h = 25 F6 B2 3E; 6hj5ac9 = CB C5 B2 3E D7 A1 F9 0A C4 B2 7D 39
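The host artifacts above (the listener on port 28723, the dropped executable, the HKCU Run key entry and the Ufoda configuration key) translate directly into a read-only triage check. The script below is an added example, not part of the original post or of Webroot's tooling; it assumes the listener is TCP (the post does not say), that Get-NetTCPConnection is available (Windows 8 / Server 2012 or later), and it also looks for connections to the two C&C addresses the post ties to earlier campaigns. Note that Zbot builds typically randomize the file and registry names per infection, so these names identify this sample rather than the family.

```powershell
# Added triage script (not from the original post). Read-only: it reports, never removes.
$findings = @()

# 1. Persistence: HKCU Run key value pointing at %AppData%\Wyifdylo.exe
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
if (Test-Path $runKey) {
    foreach ($p in (Get-ItemProperty -Path $runKey).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip the registry provider's metadata properties
        if ($p.Name -eq '{3DFA1AE4-115C-AD7B-A6BA-A75086AF8442}' -or "$($p.Value)" -match 'Wyifdylo\.exe') {
            $findings += "Run key entry: $($p.Name) = $($p.Value)"
        }
    }
}

# 2. Dropped binary in the user's roaming AppData; hash it for comparison with the report's MD5
$dropped = Join-Path $env:APPDATA 'Wyifdylo.exe'
if (Test-Path -LiteralPath $dropped) {
    $md5 = (Get-FileHash -LiteralPath $dropped -Algorithm MD5).Hash.ToLower()
    $findings += "Dropped file: $dropped (MD5 $md5)"
}

# 3. Configuration key the sample creates
if (Test-Path 'HKCU:\Software\Microsoft\Ufoda') {
    $findings += 'Registry key present: HKCU\Software\Microsoft\Ufoda'
}

# 4. Listening socket on port 28723 (assumed TCP), with the owning process
foreach ($conn in @(Get-NetTCPConnection -LocalPort 28723 -State Listen -ErrorAction SilentlyContinue)) {
    $owner = Get-Process -Id $conn.OwningProcess -ErrorAction SilentlyContinue
    $findings += "TCP listener on 28723 owned by PID $($conn.OwningProcess) ($($owner.ProcessName))"
}

# 5. Connections to the two C&C addresses the post links to previously profiled campaigns
$knownC2 = @('194.94.127.98', '78.139.187.6')
foreach ($conn in @(Get-NetTCPConnection -ErrorAction SilentlyContinue | Where-Object { $knownC2 -contains $_.RemoteAddress })) {
    $findings += "Connection to known C&C $($conn.RemoteAddress):$($conn.RemotePort) from PID $($conn.OwningProcess)"
}

if ($findings.Count -eq 0) {
    Write-Output 'No indicators from this campaign found on this host.'
} else {
    Write-Output 'Indicators found (isolate the host and capture memory before remediating):'
    $findings | ForEach-Object { Write-Output "  $_" }
}
```

Run it from an elevated prompt in the context of the affected user, since the artifacts live under HKCU and that user's %AppData%.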

The following Mutexes:

It then phones back to the following C&C servers:

We’ve also seen the following C&C server IP (194.94.127.98) in previously profiled malicious campaigns:

As well as 78.139.187.6, in the following previously profiled malicious campaign:

We’re aware of more MD5s that phoned back to the same IPs over the last couple of days. For instance:

Webroot SecureAnywhere users are proactively protected from these threats.

You can find more about Dancho Danchev at his LinkedIn Profile. You can also follow him on Twitter.