The cybercriminals behind last week’s profiled fake T-Mobile themed email campaign have resumed operations and have just spamvertised another round of tens of thousands of malicious emails impersonating the company. The emails once again pose as a legitimate MMS notification in order to trick T-Mobile customers into executing the malicious attachment.

Detection rate for the spamvertised attachment: MD5: 8a9abe065d473da9527fdf08fb55cb9e – detected by 26 out of 48 antivirus scanners as Trojan.DownLoader9.22851; UDS:DangerousObject.Multi.Generic

Once executed, the sample creates the following Mutexes on the affected hosts:
CTF.TimListCache.FMPDefaultS-1-5-21-1547161642-507921405-839522115-1004
MUTEX.DefaultS-1-5-21-1547161642-507921405-839522115-1004
ShimCacheMutex
85485515

It then (once again) phones back to networksecurityx.hopto.org. The most recent sample (MD5: 014543ee64491bac496fabda3f1c8932) that has phoned back to the same C&C server (networksecurityx.hopto.org) is also known to have phoned back to dahaka.no-ip.biz (89.136.186.200).
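As an added example (not code from the post or from Webroot), the following Python snippet applies the indicators listed above to constructed endpoint telemetry. The first two mutex names embed the logged-on user's SID, which differs on every machine, so the matcher replaces the SID with a placeholder before comparing; the event format, host names and sample values are assumptions made for the example.

```python
import re

# Indicators taken from the post above.
IOC_MD5 = {"8a9abe065d473da9527fdf08fb55cb9e", "014543ee64491bac496fabda3f1c8932"}
IOC_C2_HOSTS = {"networksecurityx.hopto.org", "dahaka.no-ip.biz"}
IOC_C2_IPS = {"89.136.186.200"}
# The SID-suffixed mutexes are stored with the SID replaced by a placeholder,
# since the SID part is unique to each user account / host.
IOC_MUTEXES = {
    "CTF.TimListCache.FMPDefault<SID>",
    "MUTEX.Default<SID>",
    "ShimCacheMutex",
    "85485515",
}
SID_RE = re.compile(r"S-1-5-21(?:-\d+){4}")  # domain/local account SID shape


def normalize_mutex(name):
    """Replace an embedded account SID so the same mutex matches on any host."""
    return SID_RE.sub("<SID>", name)


def match_event(event):
    """Return (indicator type, value) hits for one telemetry event (assumed format)."""
    hits = []
    kind = event["type"]
    if kind == "file" and event["md5"].lower() in IOC_MD5:
        hits.append(("md5", event["md5"].lower()))
    elif kind == "mutex":
        name = normalize_mutex(event["name"])
        if name in IOC_MUTEXES:
            hits.append(("mutex", name))
    elif kind == "dns":
        query = event["query"].lower().rstrip(".")  # strip trailing root dot
        if query in IOC_C2_HOSTS:
            hits.append(("c2_host", query))
        if event.get("answer") in IOC_C2_IPS:
            hits.append(("c2_ip", event["answer"]))
    return hits


def scan(events):
    """Run every event through match_event; returns (host, hit) pairs."""
    return [(e["host"], hit) for e in events for hit in match_event(e)]


# Constructed sample telemetry: ws01 mimics the post's behaviour under a different SID.
SAMPLE_EVENTS = [
    {"host": "ws01", "type": "file", "md5": "8A9ABE065D473DA9527FDF08FB55CB9E"},
    {"host": "ws01", "type": "mutex", "name": "MUTEX.DefaultS-1-5-21-11-22-33-1001"},
    {"host": "ws01", "type": "mutex", "name": "ShimCacheMutex"},
    {"host": "ws01", "type": "dns", "query": "networksecurityx.hopto.org.", "answer": "198.51.100.7"},
    {"host": "ws02", "type": "dns", "query": "www.example.com", "answer": "93.184.216.34"},
    {"host": "ws02", "type": "mutex", "name": "MyAppSingleInstance"},
]
```

Mutex names of this form are also created by ordinary Windows components, so treat mutex hits as corroborating evidence and rely on the hash and C&C lookups as the primary signals.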

Webroot SecureAnywhere users are proactively protected from these threats.

About the Author

Blog Staff

The Webroot blog offers expert insights and analysis into the latest cybersecurity trends. Whether you’re a home or business user, we’re dedicated to giving you the awareness and knowledge needed to stay ahead of today’s cyber threats.