A currently ongoing malicious spam campaign is attempting to trick users into thinking that they’ve received a legitimate Excel ‘Company Reports’ themed file. In reality, though, once socially engineered users execute the malicious attachment on their PCs, it automatically opens a backdoor that gives the cybercriminals behind the campaign complete access to the host, which they can then abuse in a variety of fraudulent ways.

Sample screenshots of the spamvertised email:


Detection rate for the spamvertised attachment: MD5: 5138b3b410a1da4cbc3fcc2d9c223584 – detected by 23 out of 48 antivirus scanners as Trojan.Win32.Agent.aclil; TSPY_ZBOT.EH

Once executed, the sample starts listening on ports 3188 and 4964.

It then creates the following mutexes:

It also drops the following files (identified by MD5) on the affected hosts:
MD5: 9319669e8561f184e9377153f763437c
MD5: 396eba6eaf5452072c2d09c1b74bee1e
MD5: adb551e9081900756f8794fef5e4794b

The sample then phones back to det0nator.com – 38.102.226.14 on port 443, as well as to the following C&C servers:
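As an added example that is not part of the original post, the following Python checker turns the behaviour described above (the beacon to det0nator.com / 38.102.226.14 on port 443 and the backdoor listeners on TCP 3188 and 4964) into detection logic run over log lines. The firewall and netstat-style log formats and the sample records are constructed assumptions; the full C&C address list from the post would be loaded into C2_IPS in a real deployment.

```python
import re

# Indicators from the write-up above; extend C2_IPS with the post's full C&C list.
C2_HOSTS = {"det0nator.com"}
C2_IPS = {"38.102.226.14"}
C2_PORT = 443
BACKDOOR_PORTS = {3188, 4964}

# Assumed log formats: key=value firewall records (optional TLS SNI) and netstat-style listener lines.
FW_RE = re.compile(r"^\S+\s+host=(?P<host>\S+)\s+dst=(?P<dst>[\d.]+):(?P<dport>\d+)(?:\s+sni=(?P<sni>\S+))?")
LISTEN_RE = re.compile(r"^(?P<host>\S+)\s+TCP\s+[\d.]+:(?P<lport>\d+)\s+\S+\s+LISTENING")

def check_firewall_line(line):
    """Return (host, reason) if the record is a beacon to the known C&C, else None."""
    m = FW_RE.match(line)
    if not m:
        return None
    dst, dport, sni = m["dst"], int(m["dport"]), m["sni"]
    if dst in C2_IPS and dport == C2_PORT:
        return (m["host"], f"connection to C&C {dst}:{dport}")
    if sni and sni.lower() in C2_HOSTS:  # catches the domain resolving elsewhere
        return (m["host"], f"TLS SNI for C&C domain {sni}")
    return None

def check_listener_line(line):
    """Return (host, reason) if an endpoint listens on a backdoor port, else None."""
    m = LISTEN_RE.match(line)
    if m and int(m["lport"]) in BACKDOOR_PORTS:
        return (m["host"], f"backdoor listener on TCP {m['lport']}")
    return None

def scan(lines):
    """Run both checks over mixed log lines; return reasons grouped per host."""
    hits = {}
    for line in lines:
        hit = check_firewall_line(line) or check_listener_line(line)
        if hit:
            hits.setdefault(hit[0], []).append(hit[1])
    return hits

# Constructed sample data (not taken from the original post).
SAMPLE_LOGS = [
    "2013-06-11T09:41:02Z host=WS-017 dst=38.102.226.14:443 sni=det0nator.com",
    "2013-06-11T09:41:05Z host=WS-017 dst=10.20.30.40:443 sni=intranet.example",
    "2013-06-11T09:41:09Z host=WS-022 dst=38.102.226.14:443",
    "2013-06-11T09:42:30Z host=WS-040 dst=10.9.8.7:443 sni=det0nator.com",
    "WS-017 TCP 0.0.0.0:3188 0.0.0.0:0 LISTENING",
    "WS-017 TCP 0.0.0.0:445 0.0.0.0:0 LISTENING",
    "WS-031 TCP 0.0.0.0:4964 0.0.0.0:0 LISTENING",
]
```

Running `scan(SAMPLE_LOGS)` flags WS-017 on both the beacon and the listener, WS-022 on the beacon alone, WS-040 on the SNI match only, and WS-031 on the listener only.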

Known to have been downloaded from the same IP (38.102.226.14) are also the following malicious MD5s:
MD5: 623a3730c773871779b4d768e58904d7
MD5: f71d67cb677f567990992225446a07a3

The following MD5s are known to have phoned back to the same IP (38.102.226.14):
MD5: 0495c0ed5b53572fd271ba6ad1e3bdbe
MD5: 618381de2f1b41a0e82d0da777eb5f26

Sample malicious MD5s known to have phoned back to the same C&C servers over the last couple of days:

Webroot SecureAnywhere users are proactively protected from these threats.

Blog Staff
