We’ve just intercepted a currently circulating malicious spam campaign that attempts to trick iPhone owners into thinking they’ve received a ‘picture snapshot message’. The lure targets iPhone owners, but the attachment is a Windows executable: once users execute it, their PCs automatically join the botnet operated by the cybercriminal/gang of cybercriminals whose activities we’ve been closely monitoring over the last couple of months.

More details:

Detection rate for the malicious attachment – MD5: b7fa4173cf694f53a2597e9eca21ab4c – detected by 10 out of 46 antivirus scanners, for example as Trojan-PSW.Win32.Tepfer.orbb and Troj/Agent-ADAU.

Once executed, it starts listening on port 5179.

The sample then creates the following mutexes:
Groove:PathMutex:[LUt+jL/YbxUWwjk7hRky++rqRco=]
Local{B0B9FAFD-CA9C-4B54-DBC9-BE58FA349D4A}
Local{B0B9FAFC-CA9D-4B54-DBC9-BE58FA349D4A}
Local{D15F4CEE-7C8F-2AB2-DBC9-BE58FA349D4A}
Local{D15F4CE9-7C88-2AB2-DBC9-BE58FA349D4A}
Local{0BB5ADEF-9D8E-F058-DBC9-BE58FA349D4A}
Local{911F9FCD-AFAC-6AF2-DBC9-BE58FA349D4A}
Global{2E06BA86-8AE7-D5EB-DBC9-BE58FA349D4A}
Global{B0B9FAFD-CA9C-4B54-DBC9-BE58FA349D4A}
Global{B0B9FAFC-CA9D-4B54-DBC9-BE58FA349D4A}
Global{D15F4CEE-7C8F-2AB2-DBC9-BE58FA349D4A}
Global{D15F4CE9-7C88-2AB2-DBC9-BE58FA349D4A}
Global{0BB5ADEF-9D8E-F058-DBC9-BE58FA349D4A}
Global{BB67AFC4-9FA5-408A-DBC9-BE58FA349D4A}
Global{3158EDA2-DDC3-CAB5-11EB-B06D3016937F}
Global{3158EDA2-DDC3-CAB5-75EA-B06D5417937F}
Global{3158EDA2-DDC3-CAB5-4DE9-B06D6C14937F}
Global{3158EDA2-DDC3-CAB5-65E9-B06D4414937F}
Global{3158EDA2-DDC3-CAB5-89E9-B06DA814937F}
Global{3158EDA2-DDC3-CAB5-BDE9-B06D9C14937F}
Global{3158EDA2-DDC3-CAB5-51E8-B06D7015937F}
Global{3158EDA2-DDC3-CAB5-81E8-B06DA015937F}
Global{3158EDA2-DDC3-CAB5-FDE8-B06DDC15937F}
Global{3158EDA2-DDC3-CAB5-0DEF-B06D2C12937F}
Global{3158EDA2-DDC3-CAB5-5DEF-B06D7C12937F}
Global{3158EDA2-DDC3-CAB5-95EE-B06DB413937F}
Global{3158EDA2-DDC3-CAB5-F1EE-B06DD013937F}
Global{3158EDA2-DDC3-CAB5-89EB-B06DA816937F}
Global{3158EDA2-DDC3-CAB5-F9EF-B06DD812937F}
Global{3158EDA2-DDC3-CAB5-E5EF-B06DC412937F}
Global{3158EDA2-DDC3-CAB5-0DEE-B06D2C13937F}
Global{3158EDA2-DDC3-CAB5-09ED-B06D2810937F}
Global{3158EDA2-DDC3-CAB5-51EF-B06D7012937F}
Global{3158EDA2-DDC3-CAB5-35EC-B06D1411937F}
Global{3158EDA2-DDC3-CAB5-D5EB-B06DF416937F}
Global{DDB39BDC-ABBD-265E-DBC9-BE58FA349D4A}
Global{2E1C200D-106C-D5F1-DBC9-BE58FA349D4A}

It then phones back to the following URL, downloads additional malware (2.exe) from the same host, and contacts the following C&C servers:
hxxp://62.76.187.113/inop/ge.php (62-76-187-113.clodo.ru, AS57010)
hxxp://62.76.187.113/par/2.exe
68.22.158.150
75.1.200.201
203.45.203.83
99.26.122.34
108.74.172.39
68.117.10.58
71.90.134.19
174.96.27.128
68.76.122.163
108.60.184.54
67.77.13.23
108.202.187.155
90.156.118.144
203.81.192.36
123.238.64.66
78.8.206.100
108.197.50.249
66.63.204.26
189.253.90.151
108.215.5.249
27.87.30.242
94.240.232.143
95.104.30.151
50.77.206.10
78.139.149.134
77.21.184.219
95.247.117.146
41.222.248.145
42.98.129.251
64.180.81.249
83.228.0.230
69.156.49.21
71.194.139.192
79.37.7.109

We’ve already seen some of the C&C IPs (108.74.172.39; 90.156.118.144; 66.63.204.26; 94.240.232.143) in the following previously profiled campaigns, launched by the same cybercriminal/gang of cybercriminals:

Detection rate for the additionally downloaded malware – 2.exe – MD5: 8c8d43c8cfacf6d5c04e6f6ac7d4ff54 – detected by 2 out of 46 antivirus scanners as UDS:DangerousObject.Multi.Generic.

Once executed, it starts listening on port 5288.

It creates the following mutexes:
Local{B0B9FAFD-CA9C-4B54-DBC9-BE58FA349D4A}
Local{B0B9FAFC-CA9D-4B54-DBC9-BE58FA349D4A}
Local{D15F4CEE-7C8F-2AB2-DBC9-BE58FA349D4A}
Local{D15F4CE9-7C88-2AB2-DBC9-BE58FA349D4A}
Local{0BB5ADEF-9D8E-F058-DBC9-BE58FA349D4A}
Local{911F9FCD-AFAC-6AF2-DBC9-BE58FA349D4A}
Global{2E06BA86-8AE7-D5EB-DBC9-BE58FA349D4A}
Global{B0B9FAFD-CA9C-4B54-DBC9-BE58FA349D4A}
Global{B0B9FAFC-CA9D-4B54-DBC9-BE58FA349D4A}
Global{D15F4CEE-7C8F-2AB2-DBC9-BE58FA349D4A}
Global{D15F4CE9-7C88-2AB2-DBC9-BE58FA349D4A}
Global{0BB5ADEF-9D8E-F058-DBC9-BE58FA349D4A}
Global{BB67AFC4-9FA5-408A-DBC9-BE58FA349D4A}
Global{36C6EA7F-DA1E-CD2B-11EB-B06D3016937F}
Global{36C6EA7F-DA1E-CD2B-75EA-B06D5417937F}
Global{36C6EA7F-DA1E-CD2B-4DE9-B06D6C14937F}
Global{36C6EA7F-DA1E-CD2B-65E9-B06D4414937F}
Global{36C6EA7F-DA1E-CD2B-89E9-B06DA814937F}
Global{36C6EA7F-DA1E-CD2B-BDE9-B06D9C14937F}
Global{36C6EA7F-DA1E-CD2B-51E8-B06D7015937F}
Global{36C6EA7F-DA1E-CD2B-81E8-B06DA015937F}
Global{36C6EA7F-DA1E-CD2B-FDE8-B06DDC15937F}
Global{36C6EA7F-DA1E-CD2B-0DEF-B06D2C12937F}
Global{36C6EA7F-DA1E-CD2B-5DEF-B06D7C12937F}
Global{36C6EA7F-DA1E-CD2B-95EE-B06DB413937F}
Global{36C6EA7F-DA1E-CD2B-F1EE-B06DD013937F}
Global{36C6EA7F-DA1E-CD2B-89EB-B06DA816937F}
Global{36C6EA7F-DA1E-CD2B-F9EF-B06DD812937F}
Global{36C6EA7F-DA1E-CD2B-E5EF-B06DC412937F}
Global{36C6EA7F-DA1E-CD2B-0DEE-B06D2C13937F}
Global{36C6EA7F-DA1E-CD2B-09ED-B06D2810937F}
Global{36C6EA7F-DA1E-CD2B-51EF-B06D7012937F}
Global{36C6EA7F-DA1E-CD2B-35EC-B06D1411937F}
Global{36C6EA7F-DA1E-CD2B-55EF-B06D7412937F}
Global{DDB39BDC-ABBD-265E-DBC9-BE58FA349D4A}
Global{2E1C200D-106C-D5F1-DBC9-BE58FA349D4A}

It then phones back to the following C&C servers:
68.22.158.150
75.1.200.201
203.45.203.83
99.26.122.34
108.74.172.39
68.117.10.58
71.90.134.19
174.96.27.128
68.76.122.163
108.60.184.54
67.77.13.23
108.202.187.155
90.156.118.144
203.81.192.36
123.238.64.66
78.8.206.100
108.197.50.249
66.63.204.26
189.253.90.151
108.215.5.249
27.87.30.242
50.77.206.10
94.240.232.143
95.104.30.151
78.139.149.134
77.21.184.219
95.247.117.146
41.222.248.145
42.98.129.251
64.180.81.249
83.228.0.230
69.156.49.21
71.194.139.192
79.37.7.109
95.224.106.243
96.10.227.54
157.157.224.14
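The indicators above are only useful once they are matched against telemetry. The following Python script is an added example, not code from this post or from Webroot: it transcribes the MD5s, listening ports, download URLs and both C&C lists given above, compares the two C&C lists stage by stage, groups mutex names by their scope and leading GUID groups (each sample’s long run of Global{…} mutexes shares one prefix and differs only in the trailing groups, so a prefix match covers the run instead of 21 exact strings), and runs the result over a few log lines. The log lines, their format and the internal host addresses in them are constructed for the example; only the indicator values come from the post.

```python
"""Hunt for the indicators in this post across constructed sample telemetry.

IOC values are transcribed from the post; every log line below is constructed
for the example and does not come from a real incident.
"""
import re

# Indicators transcribed from the post (MD5 -> what the post calls the file).
FILE_HASHES = {
    "b7fa4173cf694f53a2597e9eca21ab4c": "malicious attachment",
    "8c8d43c8cfacf6d5c04e6f6ac7d4ff54": "2.exe (second stage)",
}
LISTEN_PORTS = {5179: "malicious attachment", 5288: "2.exe (second stage)"}
DOWNLOAD_URLS = {
    "http://62.76.187.113/inop/ge.php": "check-in",
    "http://62.76.187.113/par/2.exe": "second-stage download",
}
C2_ATTACHMENT = set("""
68.22.158.150 75.1.200.201 203.45.203.83 99.26.122.34 108.74.172.39
68.117.10.58 71.90.134.19 174.96.27.128 68.76.122.163 108.60.184.54
67.77.13.23 108.202.187.155 90.156.118.144 203.81.192.36 123.238.64.66
78.8.206.100 108.197.50.249 66.63.204.26 189.253.90.151 108.215.5.249
27.87.30.242 94.240.232.143 95.104.30.151 50.77.206.10 78.139.149.134
77.21.184.219 95.247.117.146 41.222.248.145 42.98.129.251 64.180.81.249
83.228.0.230 69.156.49.21 71.194.139.192 79.37.7.109
""".split())
C2_SECOND_STAGE = set("""
68.22.158.150 75.1.200.201 203.45.203.83 99.26.122.34 108.74.172.39
68.117.10.58 71.90.134.19 174.96.27.128 68.76.122.163 108.60.184.54
67.77.13.23 108.202.187.155 90.156.118.144 203.81.192.36 123.238.64.66
78.8.206.100 108.197.50.249 66.63.204.26 189.253.90.151 108.215.5.249
27.87.30.242 50.77.206.10 94.240.232.143 95.104.30.151 78.139.149.134
77.21.184.219 95.247.117.146 41.222.248.145 42.98.129.251 64.180.81.249
83.228.0.230 69.156.49.21 71.194.139.192 79.37.7.109 95.224.106.243
96.10.227.54 157.157.224.14
""".split())
# IPs the post says were already seen in earlier campaigns by the same group.
C2_SEEN_BEFORE = {"108.74.172.39", "90.156.118.144", "66.63.204.26", "94.240.232.143"}


def c2_delta(first, second):
    """Return (shared, only_in_second): what the second stage adds to the first."""
    return sorted(first & second), sorted(second - first)


# Scope plus the first three GUID groups, e.g. "Global{3158EDA2-DDC3-CAB5".
MUTEX_PREFIX_RE = re.compile(r"^(Global|Local)\{([0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4})-")


def mutex_prefix_counts(mutexes):
    """Count mutex names per scope+GUID prefix; a large count marks a sample's own run."""
    counts = {}
    for name in mutexes:
        m = MUTEX_PREFIX_RE.match(name)
        if m:  # names without a GUID (e.g. Groove:PathMutex:...) are skipped
            key = f"{m.group(1)}{{{m.group(2)}"
            counts[key] = counts.get(key, 0) + 1
    return counts


IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
URL_RE = re.compile(r"https?://\S+")
MD5_RE = re.compile(r"\b[0-9a-f]{32}\b")
LISTEN_RE = re.compile(r"listen(?:ing)?\D+(\d{1,5})", re.IGNORECASE)


def scan_line(line, c2=C2_SECOND_STAGE):
    """Return (kind, value, note) tuples for every indicator found in one log line."""
    hits = []
    for url in URL_RE.findall(line):
        url = url.rstrip(",;\"'")
        if url in DOWNLOAD_URLS:
            hits.append(("url", url, DOWNLOAD_URLS[url]))
    for ip in IPV4_RE.findall(line):
        if ip in c2:
            note = "c2, seen in earlier campaigns" if ip in C2_SEEN_BEFORE else "c2"
            hits.append(("ip", ip, note))
    for digest in MD5_RE.findall(line.lower()):
        if digest in FILE_HASHES:
            hits.append(("md5", digest, FILE_HASHES[digest]))
    m = LISTEN_RE.search(line)
    if m and int(m.group(1)) in LISTEN_PORTS:
        hits.append(("listen_port", m.group(1), LISTEN_PORTS[int(m.group(1))]))
    return hits


def scan_log(lines, c2=C2_SECOND_STAGE):
    """Return [(line_index, hits)] for lines that matched at least one indicator."""
    return [(i, scan_line(line, c2)) for i, line in enumerate(lines) if scan_line(line, c2)]


# Constructed lines (proxy, firewall, endpoint agent); 10.0.0.x hosts are made up.
SAMPLE_LOG = [
    "proxy 10.0.0.7 GET http://62.76.187.113/inop/ge.php 200",
    "proxy 10.0.0.7 GET http://62.76.187.113/par/2.exe 200",
    "firewall 10.0.0.7 -> 108.74.172.39:80 allowed",
    "firewall 10.0.0.7 -> 157.157.224.14:80 allowed",
    "edr 10.0.0.7 2.exe md5=8c8d43c8cfacf6d5c04e6f6ac7d4ff54 listening on port 5288",
    "proxy 10.0.0.9 GET http://www.example.com/ 200",
    "firewall 10.0.0.9 -> 203.0.113.5:443 allowed",
]
# A subset of the attachment's mutex names, transcribed from the list above.
MUTEXES_ATTACHMENT = [
    "Groove:PathMutex:[LUt+jL/YbxUWwjk7hRky++rqRco=]",
    "Local{B0B9FAFD-CA9C-4B54-DBC9-BE58FA349D4A}",
    "Global{B0B9FAFD-CA9C-4B54-DBC9-BE58FA349D4A}",
    "Global{3158EDA2-DDC3-CAB5-11EB-B06D3016937F}",
    "Global{3158EDA2-DDC3-CAB5-75EA-B06D5417937F}",
    "Global{3158EDA2-DDC3-CAB5-4DE9-B06D6C14937F}",
]

if __name__ == "__main__":
    shared, added = c2_delta(C2_ATTACHMENT, C2_SECOND_STAGE)
    print(f"{len(shared)} C&C IPs shared by both stages; 2.exe adds {added}")
    print(mutex_prefix_counts(MUTEXES_ATTACHMENT))
    for idx, hits in scan_log(SAMPLE_LOG):
        print(idx, SAMPLE_LOG[idx], hits)
```

Note the third firewall line: 157.157.224.14 only appears in the 2.exe list, so scanning with `c2=C2_ATTACHMENT` misses it; use the second-stage list (a superset of the first) for hunting. Mutexes that both samples create, such as the Local{B0B9FAFD-…} and Global{…-DBC9-BE58FA349D4A} names, are weak as family-specific indicators precisely because they are not specific to one sample; the per-sample GUID prefix runs are the better choice.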

Webroot SecureAnywhere users are proactively protected from these threats.

You can find more about Dancho Danchev at his LinkedIn Profile. You can also follow him on Twitter.
