Fake ‘iPhone Picture Snapshot Message’ themed emails lead to malware

by

Share this news now.

We’ve just intercepted a currently circulating malicious spam campaign that’s attempting to trick iPhone owners into thinking that they’ve received a ‘picture snapshot message’. Once users execute the malicious attachment, their PCs automatically join the botnet operated by the cybercriminal/gang of cybercriminals, whose activities we’ve been closely monitoring over the last couple of months.

More details:

Detection rate for the malicious attachment – MD5: b7fa4173cf694f53a2597e9eca21ab4c – detected by 10 out of 46 antivirus scanners as Trojan-PSW.Win32.Tepfer.orbb; Troj/Agent-ADAU.

Once executed it starts listening on port 5179.

The sample then creates the following Mutexes:
Groove:PathMutex:[LUt+jL/YbxUWwjk7hRky++rqRco=]
Local{B0B9FAFD-CA9C-4B54-DBC9-BE58FA349D4A}
Local{B0B9FAFC-CA9D-4B54-DBC9-BE58FA349D4A}
Local{D15F4CEE-7C8F-2AB2-DBC9-BE58FA349D4A}
Local{D15F4CE9-7C88-2AB2-DBC9-BE58FA349D4A}
Local{0BB5ADEF-9D8E-F058-DBC9-BE58FA349D4A}
Local{911F9FCD-AFAC-6AF2-DBC9-BE58FA349D4A}
Global{2E06BA86-8AE7-D5EB-DBC9-BE58FA349D4A}
Global{B0B9FAFD-CA9C-4B54-DBC9-BE58FA349D4A}
Global{B0B9FAFC-CA9D-4B54-DBC9-BE58FA349D4A}
Global{D15F4CEE-7C8F-2AB2-DBC9-BE58FA349D4A}
Global{D15F4CE9-7C88-2AB2-DBC9-BE58FA349D4A}
Global{0BB5ADEF-9D8E-F058-DBC9-BE58FA349D4A}
Global{BB67AFC4-9FA5-408A-DBC9-BE58FA349D4A}
Global{3158EDA2-DDC3-CAB5-11EB-B06D3016937F}
Global{3158EDA2-DDC3-CAB5-75EA-B06D5417937F}
Global{3158EDA2-DDC3-CAB5-4DE9-B06D6C14937F}
Global{3158EDA2-DDC3-CAB5-65E9-B06D4414937F}
Global{3158EDA2-DDC3-CAB5-89E9-B06DA814937F}
Global{3158EDA2-DDC3-CAB5-BDE9-B06D9C14937F}
Global{3158EDA2-DDC3-CAB5-51E8-B06D7015937F}
Global{3158EDA2-DDC3-CAB5-81E8-B06DA015937F}
Global{3158EDA2-DDC3-CAB5-FDE8-B06DDC15937F}
Global{3158EDA2-DDC3-CAB5-0DEF-B06D2C12937F}
Global{3158EDA2-DDC3-CAB5-5DEF-B06D7C12937F}
Global{3158EDA2-DDC3-CAB5-95EE-B06DB413937F}
Global{3158EDA2-DDC3-CAB5-F1EE-B06DD013937F}
Global{3158EDA2-DDC3-CAB5-89EB-B06DA816937F}
Global{3158EDA2-DDC3-CAB5-F9EF-B06DD812937F}
Global{3158EDA2-DDC3-CAB5-E5EF-B06DC412937F}
Global{3158EDA2-DDC3-CAB5-0DEE-B06D2C13937F}
Global{3158EDA2-DDC3-CAB5-09ED-B06D2810937F}
Global{3158EDA2-DDC3-CAB5-51EF-B06D7012937F}
Global{3158EDA2-DDC3-CAB5-35EC-B06D1411937F}
Global{3158EDA2-DDC3-CAB5-D5EB-B06DF416937F}
Global{DDB39BDC-ABBD-265E-DBC9-BE58FA349D4A}
Global{2E1C200D-106C-D5F1-DBC9-BE58FA349D4A}

It then phones back to the following C&C servers+downloads additional malware:
hxxp://62.76.187.113/inop/ge.php (62-76-187-113.clodo.ru, AS57010)
hxxp://62.76.187.113/par/2.exe
68.22.158.150
75.1.200.201
203.45.203.83
99.26.122.34
108.74.172.39
68.117.10.58
71.90.134.19
174.96.27.128
68.76.122.163
108.60.184.54
67.77.13.23
108.202.187.155
90.156.118.144
203.81.192.36
123.238.64.66
78.8.206.100
108.197.50.249
66.63.204.26
189.253.90.151
108.215.5.249
27.87.30.242
94.240.232.143
95.104.30.151
50.77.206.10
78.139.149.134
77.21.184.219
95.247.117.146
41.222.248.145
42.98.129.251
64.180.81.249
83.228.0.230
69.156.49.21
71.194.139.192
79.37.7.109

We’ve already seen some of the C&C IPs (108.74.172.39; 90.156.118.144; 66.63.204.26; 94.240.232.143) in the following previous profiled campaigns, launched by the same cybercriminal/gang of cybercriminals:

Detection rate for the additionally downloaded malware – 2.exe – MD5: 8c8d43c8cfacf6d5c04e6f6ac7d4ff54 – detected by 2 out of 46 antivirus scanners as UDS:DangerousObject.Multi.Generic.

Once executed it starts listening on port 5288.

Creates the following Mutexes:
Local{B0B9FAFD-CA9C-4B54-DBC9-BE58FA349D4A}
Local{B0B9FAFC-CA9D-4B54-DBC9-BE58FA349D4A}
Local{D15F4CEE-7C8F-2AB2-DBC9-BE58FA349D4A}
Local{D15F4CE9-7C88-2AB2-DBC9-BE58FA349D4A}
Local{0BB5ADEF-9D8E-F058-DBC9-BE58FA349D4A}
Local{911F9FCD-AFAC-6AF2-DBC9-BE58FA349D4A}
Global{2E06BA86-8AE7-D5EB-DBC9-BE58FA349D4A}
Global{B0B9FAFD-CA9C-4B54-DBC9-BE58FA349D4A}
Global{B0B9FAFC-CA9D-4B54-DBC9-BE58FA349D4A}
Global{D15F4CEE-7C8F-2AB2-DBC9-BE58FA349D4A}
Global{D15F4CE9-7C88-2AB2-DBC9-BE58FA349D4A}
Global{0BB5ADEF-9D8E-F058-DBC9-BE58FA349D4A}
Global{BB67AFC4-9FA5-408A-DBC9-BE58FA349D4A}
Global{36C6EA7F-DA1E-CD2B-11EB-B06D3016937F}
Global{36C6EA7F-DA1E-CD2B-75EA-B06D5417937F}
Global{36C6EA7F-DA1E-CD2B-4DE9-B06D6C14937F}
Global{36C6EA7F-DA1E-CD2B-65E9-B06D4414937F}
Global{36C6EA7F-DA1E-CD2B-89E9-B06DA814937F}
Global{36C6EA7F-DA1E-CD2B-BDE9-B06D9C14937F}
Global{36C6EA7F-DA1E-CD2B-51E8-B06D7015937F}
Global{36C6EA7F-DA1E-CD2B-81E8-B06DA015937F}
Global{36C6EA7F-DA1E-CD2B-FDE8-B06DDC15937F}
Global{36C6EA7F-DA1E-CD2B-0DEF-B06D2C12937F}
Global{36C6EA7F-DA1E-CD2B-5DEF-B06D7C12937F}
Global{36C6EA7F-DA1E-CD2B-95EE-B06DB413937F}
Global{36C6EA7F-DA1E-CD2B-F1EE-B06DD013937F}
Global{36C6EA7F-DA1E-CD2B-89EB-B06DA816937F}
Global{36C6EA7F-DA1E-CD2B-F9EF-B06DD812937F}
Global{36C6EA7F-DA1E-CD2B-E5EF-B06DC412937F}
Global{36C6EA7F-DA1E-CD2B-0DEE-B06D2C13937F}
Global{36C6EA7F-DA1E-CD2B-09ED-B06D2810937F}
Global{36C6EA7F-DA1E-CD2B-51EF-B06D7012937F}
Global{36C6EA7F-DA1E-CD2B-35EC-B06D1411937F}
Global{36C6EA7F-DA1E-CD2B-55EF-B06D7412937F}
Global{DDB39BDC-ABBD-265E-DBC9-BE58FA349D4A}
Global{2E1C200D-106C-D5F1-DBC9-BE58FA349D4A}

It then phones back to the following C&C servers:
68.22.158.150
75.1.200.201
203.45.203.83
99.26.122.34
108.74.172.39
68.117.10.58
71.90.134.19
174.96.27.128
68.76.122.163
108.60.184.54
67.77.13.23
108.202.187.155
90.156.118.144
203.81.192.36
123.238.64.66
78.8.206.100
108.197.50.249
66.63.204.26
189.253.90.151
108.215.5.249
27.87.30.242
50.77.206.10
94.240.232.143
95.104.30.151
78.139.149.134
77.21.184.219
95.247.117.146
41.222.248.145
42.98.129.251
64.180.81.249
83.228.0.230
69.156.49.21
71.194.139.192
79.37.7.109
95.224.106.243
96.10.227.54
157.157.224.14

Webroot SecureAnywhere users are proactively protected from these threats.

You can find more about Dancho Danchev at his LinkedIn Profile. You can also follow him on Twitter.


Share this news now.
Fake 'iPhone Picture Snapshot Message' themed emails lead to malware by

Trackbacks

  1. […] transforms the machine into a zombie in a botnet operated by a cybercriminal gang, according to a blog post by Dancho […]