Cybercriminals continue spamvertising tens of thousands of malicious emails on their way to socially engineer gullible end users, ultimately increasing their botnet’s infected population through the systematic and persistent rotation of popular brands.

We’ve recently intercepted a currently circulating malicious campaign enticing users into executing the fake attachment.

More details:

Detection rate for a sampled malware: MD5: 8b54dedf5acc19a4e9060f0be384c74d – detected by 43 out of 54 antivirus scanners as Backdoor.Win32.Androm.elwa

Once executed, the sample starts listening on port 30073.

It then creates the following Mutexes on the affected hosts:
Local\{6FC54A61-D264-7CF8-D58B-19468FF29DE4}
Local\{21D28140-1945-32EF-D58B-19468FF29DE4}
Local\{3C2F38F1-A0F4-2F12-D58B-19468FF29DE4}
Global\{29B0195A-815F-3A8D-D58B-19468FF29DE4}
Global\{1D55DC30-4435-0E68-D58B-19468FF29DE4}
Global\{B9D945F4-DDF1-AAE4-1BA9-177341D093D1}
Global\{B9D945F4-DDF1-AAE4-1FA9-177345D093D1}
Global\{B9D945F4-DDF1-AAE4-7BA8-177321D193D1}
Global\{B9D945F4-DDF1-AAE4-43AB-177319D293D1}
Global\{B9D945F4-DDF1-AAE4-6BAB-177331D293D1}
Global\{B9D945F4-DDF1-AAE4-87AB-1773DDD293D1}
Global\{B9D945F4-DDF1-AAE4-B3AB-1773E9D293D1}
Global\{B9D945F4-DDF1-AAE4-5FAA-177305D393D1}
Global\{B9D945F4-DDF1-AAE4-8FAA-1773D5D393D1}
Global\{B9D945F4-DDF1-AAE4-F7AA-1773ADD393D1}
Global\{B9D945F4-DDF1-AAE4-3BAD-177361D493D1}
Global\{B9D945F4-DDF1-AAE4-5FAD-177305D493D1}
Global\{B9D945F4-DDF1-AAE4-9FAC-1773C5D593D1}
Global\{B9D945F4-DDF1-AAE4-F3AC-1773A9D593D1}
Global\{B9D945F4-DDF1-AAE4-D3A9-177389D093D1}
Global\{B9D945F4-DDF1-AAE4-FFAD-1773A5D493D1}
Global\{B9D945F4-DDF1-AAE4-03AC-177359D593D1}
Global\{B9D945F4-DDF1-AAE4-1BAC-177341D593D1}
Global\{B9D945F4-DDF1-AAE4-E7AD-1773BDD493D1}
Global\{5E86DCC0-44C5-4DBB-D58B-19468FF29DE4}
Global\{32526B1B-F31E-216F-D58B-19468FF29DE4}
Global\{68DA68FA-F0FF-7BE7-D58B-19468FF29DE4}
Global\{24816566-FD63-37BC-D58B-19468FF29DE4}
Global\{B9D945F4-DDF1-AAE4-5BAB-177301D293D1}
Global\{4E6EC1F5-59F0-5D53-D58B-19468FF29DE4}

Once executed MD5: 8b54dedf5acc19a4e9060f0be384c74d also drops the following malicious MD5 on the affected hosts – MD5: 59916e7de4064548c9901e8fdf83b283

It then phones back to the following C&C servers:
hxxp://62.76.189.58:8080/dron/ge.php
hxxp://62.76.41.73:8080/tst/b_cr.exe
62.76.41.73
62.76.185.30
95.101.0.115

Spamvertised_Malware_Malicious_Software_Social_Engineering_Invoice

Detection rate for the dropped sample: MD5: 596ba17393b18b8432cd14a127d7c6e2 – detected by 36 out of 54 antivirus scanners as Trojan-Spy.Win32.Zbot.tfdc

Related malicious MD5s known to have phoned back to the same C&C server (62.76.41.73):
MD5: 0993f88c5d0c8b0a16100165b897525b
MD5: f9da502e4780be34b9ec0fcc359926f2
MD5: 90e92050ab83f1cf2dd99cc26e793d96
MD5: b33bc727daca6c91c172e121adaecd92

Related malicious MD5s known to have phoned back to the same C&C server (95.101.0.115):
MD5: afbc1eb2875f7dc386553eaf80f63b99
MD5: 50aa21c411f3e661a938cd7896b8218b
MD5: aceed785393c5e4bcebe40326c21acee
MD5: 0161b531593d5201e17b5883c658035c
MD5: 9e1d9d0244eca8cb954eab4165ed666b
MD5: f0a0f7c19b515bd68f5e897d6d34a880

Webroot SecureAnywhere users are proactively protected from these threats.

Blog Staff

About the Author

Blog Staff

The Webroot blog offers expert insights and analysis into the latest cybersecurity trends. Whether you’re a home or business user, we’re dedicated to giving you the awareness and knowledge needed to stay ahead of today’s cyber threats.

Share This