We’ve intercepted a currently circulating malicious spam campaign, tricking users into thinking that they’ve received a scanned document sent from a Xerox WorkCentre Pro device. In reality, once users execute the malicious attachment, the cybercriminal(s) behind the campaign gain complete control over the now infected host.

Sample screenshots of the spamvertised malicious email:

Email_Spam_Malicious_Fake_Social_Engineering_Malware_Malicious_Software_Xerox_WorkCentre_Pro

Detection rate for the malicious attachment: MD5: 1a339ecfac8d2446e2f9c7e7ff639c56 – detected by 17 out of 48 antivirus scanners as TROJ_UPATRE.AX; Heuristic.LooksLike.Win32.SuspiciousPE.J!89.

Once executed, the sample starts listening on ports 2544 and 7718.

It then creates the following Mutexes on the affected hosts:
Local\{B0B9FAFD-CA9C-4B54-DBC9-BE58FA349D4A}
Local\{B0B9FAFC-CA9D-4B54-DBC9-BE58FA349D4A}
Global\{0BB5ADEF-9D8E-F058-DBC9-BE58FA349D4A}
Global\{D15F4CE9-7C88-2AB2-DBC9-BE58FA349D4A}
Global\{D15F4CEE-7C8F-2AB2-DBC9-BE58FA349D4A}
Global\{DDB39BDC-ABBD-265E-DBC9-BE58FA349D4A}
Global\{BB67AFC4-9FA5-408A-DBC9-BE58FA349D4A}
Global\{5492A9EF-998E-AF7F-11EB-B06D3016937F}
Global\{5492A9EF-998E-AF7F-75EA-B06D5417937F}
Global\{5492A9EF-998E-AF7F-4DE9-B06D6C14937F}
Global\{5492A9EF-998E-AF7F-65E9-B06D4414937F}
Global\{5492A9EF-998E-AF7F-89E9-B06DA814937F}
Global\{5492A9EF-998E-AF7F-BDE9-B06D9C14937F}
Global\{5492A9EF-998E-AF7F-51E8-B06D7015937F}
Global\{5492A9EF-998E-AF7F-81E8-B06DA015937F}
Global\{5492A9EF-998E-AF7F-FDE8-B06DDC15937F}
Global\{5492A9EF-998E-AF7F-0DEF-B06D2C12937F}
Global\{5492A9EF-998E-AF7F-5DEF-B06D7C12937F}
Global\{5492A9EF-998E-AF7F-F1EE-B06DD013937F}
Global\{5492A9EF-998E-AF7F-89EB-B06DA816937F}
Global\{5492A9EF-998E-AF7F-F9EF-B06DD812937F}
Global\{5492A9EF-998E-AF7F-E5EF-B06DC412937F}
Global\{5492A9EF-998E-AF7F-0DEE-B06D2C13937F}
Global\{5492A9EF-998E-AF7F-09ED-B06D2810937F}
Global\{5492A9EF-998E-AF7F-51EF-B06D7012937F}
Global\{5492A9EF-998E-AF7F-35EC-B06D1411937F}
Global\{2E1C200D-106C-D5F1-DBC9-BE58FA349D4A}

Drops the following MD5s:
MD5: 1a339ecfac8d2446e2f9c7e7ff639c56
MD5: 17c78eb30d31161e9aed1ea25889e423
MD5: 09bbe8cd0cfe7770a62faa68723c8804
MD5: d1a55715c1360daab7882bf45e820b31

And phones back to:
smclan.com – 209.236.71.58

The following malicious domains are also currently responding to the same IP:
beebled.com
coffeeofgold.com
learnpkpd.com
smclan.com
wordpressonwindows.com
adgnow.com
eddietobey.com
kestrel.aero

And the following malicious domains are known to have responded to the same IP:
atrocitycomplex.com
getdailypaymentsnow.com
giltnetwork.com
heartlessbastardseo.com
juanherreraplaza.com
landings.romancesdiscretos.com
mydecay.com
revoluza-coupon.com
team4048.org
careerfortune.com
justsaylovemovie.com
kassysgroup.com
stagewrightfilms.com
zachary-scott.com

Webroot SecureAnywhere users are proactively protected from these threats.

Blog Staff

About the Author

Blog Staff

The Webroot blog offers expert insights and analysis into the latest cybersecurity trends. Whether you’re a home or business user, we’re dedicated to giving you the awareness and knowledge needed to stay ahead of today’s cyber threats.

Share This