Over the last two months, we’ve been closely monitoring — and proactively protecting from — the malicious campaigns launched by cybercriminals who are no strangers to the concept of social engineering topic rotation. Their purpose is to extend a campaign’s life cycle, or to generally increase a botnet’s infected population by spamming out tens of thousands of fake emails, exposing users to malicious software. The most recent campaign launched by the same cybercriminal(s), is once again impersonating T-Mobile U.K in an attempt to trick mobile users into thinking that they’ve received a legitimate MMS Gallery notification. In reality though, once the attachment is executed, the victim’s PC will automatically join the botnet operated by the cybercriminal(s) behind the campaign, ultimately undermining the confidentiality and integrity of the host.
Sample screenshot of the spamvertised email:
Detection rate for the spamvertised attachment: MD5: bff8af7432ced6e574e85d9241794f80 – detected by 8 out of 47 antivirus scanners as Trojan.Zbot; W32/Trojan2.OADJ.
Once executed, the sample phones back to networksecurityx.hopto.org. Go through related assessments of campaigns known to have been launched by the same cybercriminal(s), also phoning back to the same C&C server:
- ‘T-Mobile MMS message has arrived’ themed emails lead to malware
- Spamvertised T-Mobile ‘Picture ID Type:MMS” themed emails lead to malware
- U.K users targeted with fake ‘Confirming your Sky offer’ malware serving emails
- Cybercriminals spamvertise tens of thousands of fake ‘Sent from my iPhone’ themed emails, expose users to malware
- Fake WhatsApp ‘Voice Message Notification/1 New Voicemail’ themed emails lead to malware
Related malicious MD5s that are known to have phoned back to the same C&C server over the last 24 hours:
We’ve also observed two newly introduced C&C servers within these samples, namely, dnshosting1.ws – 18.104.22.168 and 22.214.171.124.
Webroot SecureAnywhere users are proactively protected from these threats.