We have recently intercepted a malicious spam campaign, that’s attempting to trick users into thinking that they’ve received a non-existent “changelog.” Once gullible and socially engineered users execute the malicious attachment, their PCs automatically become part of the botnet operated by the cybercriminal/gang of cybercriminals.
Sample screenshot of the spamvertised email:
Detection rate for the malicious attachment:
MD5: e01ea945b8d055c5c115ab58749ac502 – detected by 23 out of 46 antivirus scanners as Worm:Win32/Cridex.E.
Upon execution, the sample creates the following processess on the affected hosts:
C:WINDOWSsystem32cmd.exe” /c “C:DOCUME~1<USER>~1LOCALS~1Tempexp1.tmp.bat
C:Documents and Settings<USER>Application DataKB00927107.exe
The following Registry Keys:
The following Registry Values:
[HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun] -> KB00121600.exe = “”%AppData%KB00121600.exe””
As well as the following Mutexes:
It then phones back to hxxp://188.8.131.52:8080/DPNilBA/ue1elBAAAA/tlSHAAAAA/ and to hxxp://184.108.40.206:8080/AJtw/UCyqrDAA/Ud+asDAA/
We’ve already seen the same C&C (220.127.116.11) used in a previously profiled malicious campaign:
- ‘Terminated Wire Transfer Notification/ACH File ID” themed malicious campaigns lead to Black Hole Exploit Kit
Users are advised to avoid interacting with these emails, and to be extra vigilant for similar social engineering driven malicious campaigns.
Webroot SecureAnywhere users are proactively protected from this threat.
You can find more about Dancho Danchev at his LinkedIn Profile. You can also follow him on Twitter.