Reading Time: ~2 min.

Cybercriminals are currently mass mailing tens of thousands of malicious emails, supposedly including a photo attachment that’s been “Sent from an iPhone”. The social engineering driven spam campaign is, however, the latest attempt by a cybercriminal/group of cybercriminals that we’ve been monitor for a while, to attempt to trick gullible users into unknowingly joining the botnet operated by the malicious actor(s) behind the campaign.

Detection rate for the spamvertised attachment: MD5: 46e077f058f5a6eddee3c851f8e56838 – detected by 36 out of 47 antivirus scanners as Trojan.Win32.Neurevt.jl; Trojan:Win32/Neurevt.A.

Once executed, the sample creates the following Registry Keys on the affected hosts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ijiujsnjb.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe
HKEY_CURRENT_USER\Software\Classes\CLSID\{1619728A-151F-0C46-98D4-171F5E70A2E0}
HKEY_CURRENT_USER\Software\Win7zip

Once executed, the sample attempts to contact the following C&C servers:
91.109.14.224
31.7.35.112
49.50.8.93
173.0.131.15
209.50.251.101
88.198.7.211
64.120.153.69
219.94.206.70
173.231.139.57

next to the well known by now, networksecurityx.hopto.org, a C&C host that we’ve already profiled in several analyses.

Moreover, the following malicious MD5s are also known to have phoned back to these C&C hosts:
MD5: b0dbfd7e359d4830d7ff4a5f40a78204
MD5: 5b904359d9f8922e209141fbccbacf4f
MD5: 4c6baee04409f0fe04a616946f2c2230
MD5: a64eceab34bf8eaa4615bc0f477f8279
MD5: 71c2d1d1c46f0c458ab88127b020fd02
MD5: 58282fd31e84be35d8e904542e96b1ba
MD5: 6fefcd92fb6758f77b1ef0b6fccc9870
MD5: 04492fd5c0e82e45f00a8e125728e15b
MD5: 9244e8799ffd75f2d0666a441b5bc84e
MD5: 9591c937c6da209b21ebbdf8a37e2ddd
MD5: d966aa83c96c81faf118dde9836636e2
MD5: 8e59c5683fe56e3c1576ae360776dad5
MD5: 3d75e483f9fad44d9cae483628652a8e
MD5: ed97aa41539ca162479534fd9ace2bc0
MD5: b20cc2ad04b4fffaffcf6fa17c5f22ce
MD5: 5640dfbfe84321811c3374c2453c96b7
MD5: a416fa920ef2219bcd33ef2682ee2308
MD5: ebe9d1ea6a41d4e7c402ece7ecca398b
MD5: 231aef609786d8076b33d475ac7a9702
MD5: c965119e445379db79308011cec6b967

Webroot SecureAnywhere users are proactively protected from these threats.

Blog Staff

About the Author

Blog Staff

Facebook Comments
Share This