By Dancho Danchev
Over the past 24 hours, we intercepted tens of thousands of malicious emails attempting to socially engineer BofA’s CashPro users into downloading and executing a bogus online digital certificate attached to the fake emails.
Sample screenshot of the spamvertised email:
Detection rate for the malicious executable: MD5: bfe7c4846823174cbcbb10de9daf426b – detected by 34 out of 46 antivirus scanners as Password-Stealer.
The attachment uses the following naming convention:
Once extracted, the malicious executable masks its name with the following convention:
Once executed, the sample creates the following Registry Key:
And sets the following Registry Value:
HWID = 7B 39 35 39 37 36 32 38 46 2D 37 38 37 38 2D 34 33 41 31 2D 38 43 45 41 2D 32 41 43 43 32 33 44 39 36 32 39 45 7D
It then attempts to connect to 22.214.171.124; 17.optimaxmagnetics.us, and successfully establishes a connection with the C&C server at 126.96.36.199:8080/forum/viewtopic.php
More MD5s are known to have phoned back to the same IP:
MD5: 4C46DC410268C19DD561DB92BD52D02D – 188.8.131.52:8080/ponyb/gate.php
MD5: 5F0084494777BC4F76F6919E284C6AA9 – 184.108.40.206:8080/forum/viewtopic.php
MD5: 6E360ACA1BE5569A681832DF8B16F320 – 220.127.116.11:8080/forum/viewtopic.php
18.104.22.168 responds to host.elenskids.com. What’s particularly interesting about this host is that it’s the official Web site of Elen’s Kids Modeling & Talent Management (operated by LANFusion LLC), who appear to be running an advance fee type of fraudulent scheme, according to several complaints about their activities.