August 7, 2013 By Dancho Danchev

Cybercriminals spamvertise fake ‘O2 U.K MMS’ themed emails, serve malware

British users, watch what you execute on your PCs!

An ongoing malicious spam campaign is impersonating the U.K.'s O2 mobile carrier in an attempt to trick its customers into executing a fake ‘MMS message’ attachment found in the emails. Once socially engineered users do so, their PCs automatically join the botnet operated by the cybercriminal/gang of cybercriminals whose activities we continue to monitor.

More details:

Detection rate for the malicious attachment: MD5: 898101c6689522c336f6d2c6aabd6c8c – detected by 9 out of 46 antivirus scanners as Heuristic.BehavesLike.Win32.Suspicious-BAY.K; Win32/TrojanDownloader.Zurgop.AW.

Once executed, the sample starts listening on port 6501.

It then creates the following Mutexes:
3161B74B4743E1643757A7220636106970144646
Global{BB67AFC4-9FA5-408A-DBC9-BE58FA349D4A}
CTF.TimListCache.FMPDefaultS-1-5-21-1547161642-507921405-839522115-1004MUTEX.DefaultS-1-5-21-1547161642-507921405-839522115-1004
Local{B0B9FAFD-CA9C-4B54-DBC9-BE58FA349D4A}
Local{B0B9FAFC-CA9D-4B54-DBC9-BE58FA349D4A}
Local{D15F4CEE-7C8F-2AB2-DBC9-BE58FA349D4A}
Local{D15F4CE9-7C88-2AB2-DBC9-BE58FA349D4A}
Local{0BB5ADEF-9D8E-F058-DBC9-BE58FA349D4A}
Local{911F9FCD-AFAC-6AF2-DBC9-BE58FA349D4A}
Global{2E06BA86-8AE7-D5EB-DBC9-BE58FA349D4A}
Global{B0B9FAFD-CA9C-4B54-DBC9-BE58FA349D4A}
Global{B0B9FAFC-CA9D-4B54-DBC9-BE58FA349D4A}
Global{D15F4CEE-7C8F-2AB2-DBC9-BE58FA349D4A}
Global{D15F4CE9-7C88-2AB2-DBC9-BE58FA349D4A}
Global{0BB5ADEF-9D8E-F058-DBC9-BE58FA349D4A}
Global{5C56C404-F465-A7BB-11EB-B06D3016937F}
Global{5C56C404-F465-A7BB-75EA-B06D5417937F}
Global{5C56C404-F465-A7BB-4DE9-B06D6C14937F}
Global{5C56C404-F465-A7BB-65E9-B06D4414937F}
Global{5C56C404-F465-A7BB-89E9-B06DA814937F}
Global{5C56C404-F465-A7BB-BDE9-B06D9C14937F}
Global{5C56C404-F465-A7BB-51E8-B06D7015937F}
Global{5C56C404-F465-A7BB-81E8-B06DA015937F}
Global{5C56C404-F465-A7BB-FDE8-B06DDC15937F}
Global{5C56C404-F465-A7BB-0DEF-B06D2C12937F}
Global{5C56C404-F465-A7BB-5DEF-B06D7C12937F}
Global{5C56C404-F465-A7BB-95EE-B06DB413937F}
Global{5C56C404-F465-A7BB-F1EE-B06DD013937F}
Global{5C56C404-F465-A7BB-89EB-B06DA816937F}
Global{5C56C404-F465-A7BB-F9EF-B06DD812937F}
Global{5C56C404-F465-A7BB-E5EF-B06DC412937F}
Global{5C56C404-F465-A7BB-0DEE-B06D2C13937F}
Global{5C56C404-F465-A7BB-09ED-B06D2810937F}
Global{5C56C404-F465-A7BB-51EF-B06D7012937F}
Global{5C56C404-F465-A7BB-35EC-B06D1411937F}
Global{5C56C404-F465-A7BB-85EC-B06DA411937F}
Global{5C56C404-F465-A7BB-FDEF-B06DDC12937F}
Global{DDB39BDC-ABBD-265E-DBC9-BE58FA349D4A}
MPSWabDataAccessMutex
MPSWABOlkStoreNotifyMutex

And phones back to the following C&C servers:
hxxp://62.76.187.147/nsmp/og/index.php
hxxp://62.76.187.113/par/22.exe
62.76.187.147
62.76.187.113
88.68.122.74
70.169.168.37
50.65.158.6
99.146.98.160
189.242.35.122
108.74.172.39
108.210.219.218
99.0.126.100
90.156.118.144
178.238.233.29
68.22.158.150
184.39.153.172
66.63.204.26
217.114.113.148
76.226.134.206
203.45.203.83
130.251.186.103
213.123.186.173
69.115.119.227
75.1.200.201
77.53.215.241
108.245.72.131
71.85.110.76
217.41.24.37
68.45.158.241
182.52.92.50
81.130.84.78
88.242.132.171
188.129.147.67
31.192.45.65
68.117.10.58

Related malicious MD5s known to have phoned back to the same C&C IP (62.76.187.113):
MD5: 27da5e0800d937f03c5fbdff8aeb52c3
MD5: 83ab87dba8600e5f6eabad30c6c83a89
MD5: 8c8d43c8cfacf6d5c04e6f6ac7d4ff54

Related malicious MD5s known to have phoned back to the rest of the C&C IPs:
MD5: b3ea4bff1b0d1ddd938edcc1993098fe
MD5: 0e6128900197d4ddc03579925878df9b
MD5: b87646a8903ae9b96ec03c626d966487
MD5: 22989829fbec90ed6e6b2ffb4d9e05f0
MD5: 4108733a631f090b1678dfaf628827e0
MD5: 40e652cb3f16036f0ec5ff420c6fe32d
MD5: 40df940b645b858a5f18434530083c9d
MD5: 458b7b551270d27ddda4d453d6e01a37
MD5: 42fbb3a1262fe6765dd5b088dda68c17
MD5: 45a0fbc793b29d24db0d9b46c68fc43d
MD5: 4353b1fa1f82917dd785c50fc462f6e1
MD5: 45eebb5b36d5484cd86a4346e291d3f5
MD5: 3f2a82b23cfa41009c8bf1aa17dd9596
MD5: 450c2cf0dd49e402544b6371aac794d7
MD5: 2f2520d1c93a679021c5a00ab6f66c2f
MD5: 3a71b1886c45a94dea2812c016c98591
MD5: 37c5dbaac8e18324ed448f2db7bfc161
MD5: 33075ffd7aed4835b0b682200c3f04ac
MD5: 2a176b72e6ab78139bfa4e180baf64eb
MD5: 81225759067aef4201c99f2ffe2f4b7b
MD5: 32e60c4f951b9dd7eac4b59c133fb7a0
MD5: 30e90438022ab99154290fbca4f886d7
MD5: 253943239f595a0104fc5eb986875f10
MD5: 2289fbcb158e2eec17a659264b957225
MD5: 1f5b02fd972d51140a6a5ef835e91b54
MD5: 250c6b131c6a3958f4d533f9b206ef41
MD5: 1e7ccdbc40e911b99fed29d5c8c4954b
MD5: 20a1a83437535c0cb8d9c1b89f8e52ac
MD5: 1c4d94ee49acf4de708ffbf389c7e3d6
MD5: 1838365520495ef13c7cb04b8c9f16be
MD5: 178e4c2335e6aad1b2512f84ad7f5c48
MD5: 1f96b6582238263b9bc572dba8cdca2d
MD5: 18d2945660a11009c10ed1827287c45a
MD5: 1d9b592b424fdb11d8b53392c6840c89
MD5: 173843e9d668a5ec25b5efb186dc68ec
MD5: 14ef08883becccbaebe72ffda5dde77c
MD5: 1464af0b8c22df305ca7c9b13c2736e4
MD5: 11b4adc82be692ecdb2fa72e5394c83e
MD5: 103eaf337190472e4ec4e956c4fe2bcf
MD5: 09eaf3edb1b57fed6412ee5604583905
MD5: 0b08c71d47321000973e78f85c07e98c
MD5: 0555039e122f36e94225414a895124a0
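The indicators above (the attachment hash and related MD5s, the C&C URLs and IPs, the mutex names and the listening port) are the kind of data a defender loads into a matcher and runs over endpoint and proxy telemetry. The following is an added example of such a matcher, not code from the original post or from Webroot; the indicator values are copied from the post (a representative subset of the IP and MD5 lists), the generic key=value log format and the sample log lines are constructed for the example, and the function names are this example's own.

```python
"""IoC matcher for the O2-themed MMS spam campaign described above.

Added example (not part of the original post). Indicator values come from the
post; the key=value log format and SAMPLE_LOG below are constructed samples,
not real telemetry.
"""
import re

# C&C URLs (defanged as in the post) and a representative subset of the C&C IPs.
C2_URLS_DEFANGED = {
    "hxxp://62.76.187.147/nsmp/og/index.php",
    "hxxp://62.76.187.113/par/22.exe",
}
C2_IPS = {
    "62.76.187.147", "62.76.187.113", "88.68.122.74", "70.169.168.37",
    "108.74.172.39", "90.156.118.144", "178.238.233.29", "68.117.10.58",
}
# The attachment hash plus the related samples tied to 62.76.187.113.
MALICIOUS_MD5S = {
    "898101c6689522c336f6d2c6aabd6c8c",
    "27da5e0800d937f03c5fbdff8aeb52c3",
    "83ab87dba8600e5f6eabad30c6c83a89",
    "8c8d43c8cfacf6d5c04e6f6ac7d4ff54",
}
# Two of the mutexes the sample creates (the post lists many more).
MUTEXES = {
    "3161B74B4743E1643757A7220636106970144646",
    "Global{BB67AFC4-9FA5-408A-DBC9-BE58FA349D4A}",
}
LISTEN_PORT = 6501  # the sample starts listening here once executed


def refang(url: str) -> str:
    """Turn a defanged 'hxxp://' indicator back into a URL that matches logs."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.IGNORECASE)


C2_URLS = {refang(u) for u in C2_URLS_DEFANGED}

# key=value pairs; values may be double-quoted to allow spaces (constructed format).
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line: str) -> dict:
    """Parse one key=value log line into a dict, stripping value quotes."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def match_event(event: dict) -> list[str]:
    """Return the indicator types that fire for one parsed event."""
    hits = []
    if event.get("url") in C2_URLS:
        hits.append("c2_url")
    if event.get("dst_ip") in C2_IPS:
        hits.append("c2_ip")
    if event.get("md5", "").lower() in MALICIOUS_MD5S:  # hashes compared case-insensitively
        hits.append("malicious_md5")
    if event.get("mutex") in MUTEXES:
        hits.append("mutex")
    if event.get("event") == "listen" and event.get("port") == str(LISTEN_PORT):
        hits.append("listen_port")
    return hits


def scan(lines) -> list[tuple[int, list[str]]]:
    """Scan log lines; return (line_number, hits) for every line with a hit."""
    results = []
    for n, line in enumerate(lines, 1):
        hits = match_event(parse_line(line))
        if hits:
            results.append((n, hits))
    return results


# Constructed sample telemetry (not from the post); lines 5 and 6 are benign.
SAMPLE_LOG = [
    'ts=2013-08-07T10:01:02Z event=http_request src_ip=10.0.0.5 dst_ip=62.76.187.113 url=http://62.76.187.113/par/22.exe',
    'ts=2013-08-07T10:01:03Z event=file_write md5=898101C6689522C336F6D2C6AABD6C8C path="C:\\Users\\u\\MMS message.exe"',
    'ts=2013-08-07T10:01:04Z event=mutex_create mutex=Global{BB67AFC4-9FA5-408A-DBC9-BE58FA349D4A}',
    'ts=2013-08-07T10:01:05Z event=listen port=6501 proto=tcp',
    'ts=2013-08-07T10:01:06Z event=http_request src_ip=10.0.0.6 dst_ip=93.184.216.34 url=http://example.com/',
    'ts=2013-08-07T10:01:07Z event=listen port=8080 proto=tcp',
]

if __name__ == "__main__":
    for n, hits in scan(SAMPLE_LOG):
        print(f"line {n}: {', '.join(hits)}")
```

The URL match is exact on purpose: the two C&C URLs in the post are specific paths, so an exact comparison avoids false positives on unrelated hosts, while the IP set catches connections to the same servers over other paths. Hashes are lowercased before lookup because endpoint agents differ in the case they emit.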

We’ve also seen these C&C IPs (108.74.172.39; 90.156.118.144) in the following already profiled malicious campaigns:

Webroot SecureAnywhere users are proactively protected from these threats.

You can find more about Dancho Danchev at his LinkedIn Profile. You can also follow him on Twitter.
