Malicious ‘FW: File’ themed emails lead to malware



Think someone forwarded you an important attachment? Think twice. Cybercriminals are currently mass mailing tens of thousands of malicious emails that attempt to trick the recipient into believing someone has forwarded a file to them. Once a socially engineered user executes the malicious attachment, the PC automatically becomes part of the botnet operated by the cybercriminals behind the campaign, giving them complete control over the affected host and letting them abuse that access for further fraud.

Detection rate for the spamvertised attachment: MD5: fca250f3239fc3ea70c33dc884dd7418 – detected by 2 out of 47 antivirus scanners as Trojan-Downloader.

Once executed, it starts listening on ports 3512 and 7379. It also drops MD5: 190be2abce620c30ade2b4ce06b216f3 and MD5: ea5911eb532e2b24f8765f592426a3a0 on the affected hosts.

It then creates the following mutexes on the affected host:
Local\{B0B9FAFD-CA9C-4B54-DBC9-BE58FA349D4A}
Local\{B0B9FAFC-CA9D-4B54-DBC9-BE58FA349D4A}
Local\{D15F4CEE-7C8F-2AB2-DBC9-BE58FA349D4A}
Local\{D15F4CE9-7C88-2AB2-DBC9-BE58FA349D4A}
Local\{0BB5ADEF-9D8E-F058-DBC9-BE58FA349D4A}
Local\{911F9FCD-AFAC-6AF2-DBC9-BE58FA349D4A}
Global\{2E06BA86-8AE7-D5EB-DBC9-BE58FA349D4A}
Global\{B0B9FAFD-CA9C-4B54-DBC9-BE58FA349D4A}
Global\{B0B9FAFC-CA9D-4B54-DBC9-BE58FA349D4A}
Global\{D15F4CEE-7C8F-2AB2-DBC9-BE58FA349D4A}
Global\{D15F4CE9-7C88-2AB2-DBC9-BE58FA349D4A}
Global\{0BB5ADEF-9D8E-F058-DBC9-BE58FA349D4A}
Global\{BB67AFC4-9FA5-408A-DBC9-BE58FA349D4A}
Global\{63502D77-1D16-98BD-11EB-B06D3016937F}
Global\{63502D77-1D16-98BD-75EA-B06D5417937F}
Global\{63502D77-1D16-98BD-4DE9-B06D6C14937F}
Global\{63502D77-1D16-98BD-65E9-B06D4414937F}
Global\{63502D77-1D16-98BD-89E9-B06DA814937F}
Global\{63502D77-1D16-98BD-BDE9-B06D9C14937F}
Global\{63502D77-1D16-98BD-51E8-B06D7015937F}
Global\{63502D77-1D16-98BD-81E8-B06DA015937F}
Global\{63502D77-1D16-98BD-FDE8-B06DDC15937F}
Global\{63502D77-1D16-98BD-0DEF-B06D2C12937F}
Global\{63502D77-1D16-98BD-5DEF-B06D7C12937F}
Global\{63502D77-1D16-98BD-95EE-B06DB413937F}
Global\{63502D77-1D16-98BD-F1EE-B06DD013937F}
Global\{63502D77-1D16-98BD-89EB-B06DA816937F}
Global\{63502D77-1D16-98BD-F9EF-B06DD812937F}
Global\{63502D77-1D16-98BD-E5EF-B06DC412937F}
Global\{63502D77-1D16-98BD-0DEE-B06D2C13937F}
Global\{63502D77-1D16-98BD-09ED-B06D2810937F}
Global\{63502D77-1D16-98BD-51EF-B06D7012937F}
Global\{63502D77-1D16-98BD-35EC-B06D1411937F}
Global\{63502D77-1D16-98BD-71E8-B06D5015937F}
Global\{DDB39BDC-ABBD-265E-DBC9-BE58FA349D4A}
Global\{2E1C200D-106C-D5F1-DBC9-BE58FA349D4A}

And phones back to:
cocinarpara2.com – 174.36.228.121

We’re also aware of another malicious MD5 that is known to have been directly downloaded from the same IP:
MD5: 45a6d8e0f26562753eab19eb279cc15a – detected by 25 out of 48 antivirus scanners as UDS:DangerousObject.Multi.Generic.

As well as the following MD5s known to have directly phoned back to the same IP:
MD5: 7da3f3c5db43e924487ffc29d894af5d – detected by 2 out of 48 antivirus scanners as Trojan-Downloader
MD5: 3631737139bb2090cefdb50c6f7d646b – detected by 3 out of 48 antivirus scanners as UDS:DangerousObject.Multi.Generic

Moreover, all of the samples attempt to establish UDP-based communication channels with the following IPs, using the following ports:
68.125.255.234:6568
128.208.19.110:3009
64.229.35.241:2402
88.153.221.37:3544
107.193.222.108:3981

We’re also aware of the following malicious MD5s that are known to have communicated with the same IP (107.193.222.108), over the last couple of days:
MD5: 7da3f3c5db43e924487ffc29d894af5d
MD5: 4d95c01f1b0918e5cbce34f3be169d6f
MD5: 696615ee3959b9cbfb6d11f908b98e74
MD5: 63c69169949c49c869b593c4ee5a60c6
MD5: 00d2bddad9d5dd4f66e88334a235ffb0
MD5: 9cb63b015bf77186854e74992d3f5462
MD5: 0cb5a7eab6111250b4a24ea3cd644dcb
MD5: e5d594f6330c209df28b546da06e4c1d
MD5: 30916a1258f45295e02a9adfa6f7e2b7
MD5: f1328033365c1b273e08eb2efa87add0
MD5: 3631737139bb2090cefdb50c6f7d646b
MD5: b51b5afaf4503c5a93b03f1d0a468a39
MD5: 61d9851259f41d5b656c7a2d6ce476f2
MD5: a9b67d19e459fbc6a330b14f3b7709c9
MD5: aa315ae459e4aa91998f87b4bb234316
MD5: 65bad289cd2cb110d29f20cf6b7153e9
MD5: 7f64e75b459bc3e592f274b2a8de74fb
MD5: 58bc8250931e8184967298265b1650e1
MD5: ae4d8d378fa128d5fd0acb5393019731
MD5: 089b3fa08ecc070764a447fbf449789b
MD5: 87b5b1806feeacb145be3b9fb73c97c7
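The hashes, domain, IPs, ports and mutex names above are only useful once they are turned into something that can be run over host and network telemetry. The script below is an added example (not Webroot's tooling and not part of the original post): it loads the indicators listed in this post, runs them over a handful of constructed key=value log lines, and reports which host matched what. The log format and the sample lines are assumptions made for the example; the two mutex regexes generalise from the shared GUID tail and prefix visible in the list above, which is a hunting assumption rather than something the post states.

```python
"""IOC matcher for the 'FW: File' campaign, run over constructed sample telemetry.

Added example, not the post's or Webroot's own code. Indicator values are copied
from the post; the log format and log lines are constructed for illustration.
"""
import re
from collections import defaultdict

# Hashes from the post, normalised to lowercase hex.
HASHES = {
    "fca250f3239fc3ea70c33dc884dd7418": "spamvertised attachment",
    "190be2abce620c30ade2b4ce06b216f3": "dropped file",
    "ea5911eb532e2b24f8765f592426a3a0": "dropped file",
    "45a6d8e0f26562753eab19eb279cc15a": "downloaded from 174.36.228.121",
    "7da3f3c5db43e924487ffc29d894af5d": "phoned back to 174.36.228.121",
    "3631737139bb2090cefdb50c6f7d646b": "phoned back to 174.36.228.121",
}
DOMAINS = {"cocinarpara2.com"}
C2_IPS = {"174.36.228.121"}
# UDP peers are matched as exact (ip, port) pairs, as listed in the post.
UDP_PEERS = {
    ("68.125.255.234", 6568),
    ("128.208.19.110", 3009),
    ("64.229.35.241", 2402),
    ("88.153.221.37", 3544),
    ("107.193.222.108", 3981),
}
LISTEN_PORTS = {3512, 7379}
# ASSUMPTION: most listed mutexes share the tail -DBC9-BE58FA349D4A}, the rest share
# the prefix {63502D77-1D16-98BD-. Matching on those patterns instead of the exact
# names is a hunting choice, not something the post asserts.
MUTEX_PATTERNS = (
    re.compile(r"^(Local|Global)\\\{[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-DBC9-BE58FA349D4A\}$"),
    re.compile(r"^Global\\\{63502D77-1D16-98BD-[0-9A-F]{4}-[0-9A-F]{12}\}$"),
)

KV = re.compile(r"(\w+)=(\S+)")  # constructed key=value log format


def parse(line):
    """Turn one 'k=v k=v ...' line into a dict (assumed log format)."""
    return dict(KV.findall(line))


def check(rec):
    """Return the list of reasons one parsed record matches; empty means clean."""
    hits = []
    ev = rec.get("event")
    if ev == "file_create":
        md5 = rec.get("md5", "").lower()
        if md5 in HASHES:
            hits.append(f"known hash {md5} ({HASHES[md5]})")
    elif ev == "dns":
        if rec.get("query", "").lower().rstrip(".") in DOMAINS:
            hits.append(f"C2 domain lookup {rec['query']}")
        if rec.get("answer") in C2_IPS:
            hits.append(f"resolved to C2 IP {rec['answer']}")
    elif ev == "net":
        dst, dport = rec.get("dst"), rec.get("dport", "")
        if dst in C2_IPS:
            hits.append(f"connection to C2 IP {dst}")
        if rec.get("proto") == "udp" and dport.isdigit() and (dst, int(dport)) in UDP_PEERS:
            hits.append(f"UDP peer {dst}:{dport}")
    elif ev == "listen":
        lport = rec.get("lport", "")
        if lport.isdigit() and int(lport) in LISTEN_PORTS:
            hits.append(f"listening on port {lport}")
    elif ev == "mutex":
        name = rec.get("name", "")
        if any(p.match(name) for p in MUTEX_PATTERNS):
            hits.append(f"mutex {name}")
    return hits


def scan(lines):
    """Map host -> list of reasons. Hosts with no hits are absent from the result."""
    findings = defaultdict(list)
    for line in lines:
        rec = parse(line)
        for reason in check(rec):
            findings[rec.get("host", "?")].append(reason)
    return dict(findings)


# Constructed sample telemetry: WS01 shows the full infection chain, WS02 is clean.
SAMPLE_LOG = r"""
t=1 host=WS01 event=file_create md5=FCA250F3239FC3EA70C33DC884DD7418 path=C:\Temp\File.exe
t=2 host=WS01 event=dns query=cocinarpara2.com answer=174.36.228.121
t=3 host=WS01 event=net proto=tcp dst=174.36.228.121 dport=80
t=4 host=WS01 event=net proto=udp dst=107.193.222.108 dport=3981
t=5 host=WS01 event=listen proto=tcp lport=3512
t=6 host=WS01 event=mutex name=Global\{2E06BA86-8AE7-D5EB-DBC9-BE58FA349D4A}
t=7 host=WS02 event=net proto=udp dst=8.8.8.8 dport=53
t=8 host=WS02 event=dns query=example.com answer=93.184.216.34
t=9 host=WS02 event=mutex name=Global\{MyApp-Singleton}
""".strip().splitlines()

if __name__ == "__main__":
    for host, reasons in scan(SAMPLE_LOG).items():
        print(host)
        for r in reasons:
            print("  -", r)
```

Hashes are compared case-insensitively and the UDP peers as exact address/port pairs, since a bare IP from that list on another port proves little on its own. The listening ports and mutex names are host-side artefacts, so in practice they come from an EDR or a logon script rather than from network logs; the script only assumes they arrive in the same key=value shape.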

Webroot SecureAnywhere users are proactively protected from these threats.
