Reading Time: ~ 1 min.

Cybercriminals are currently mass mailing tens of thousands of malicious emails, supposedly including a photo attachment that’s been “Sent from an iPhone”. The social engineering driven spam campaign is, however, the latest attempt by a cybercriminal/group of cybercriminals that we’ve been monitor for a while, to attempt to trick gullible users into unknowingly joining the botnet operated by the malicious actor(s) behind the campaign.

Detection rate for the spamvertised attachment: MD5: 46e077f058f5a6eddee3c851f8e56838 – detected by 36 out of 47 antivirus scanners as Trojan.Win32.Neurevt.jl; Trojan:Win32/Neurevt.A.

Once executed, the sample creates the following Registry Keys on the affected hosts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ijiujsnjb.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe
HKEY_CURRENT_USER\Software\Classes\CLSID\{1619728A-151F-0C46-98D4-171F5E70A2E0}
HKEY_CURRENT_USER\Software\Win7zip

Once executed, the sample attempts to contact the following C&C servers:
91.109.14.224
31.7.35.112
49.50.8.93
173.0.131.15
209.50.251.101
88.198.7.211
64.120.153.69
219.94.206.70
173.231.139.57

next to the well known by now, networksecurityx.hopto.org, a C&C host that we’ve already profiled in several analyses.

Moreover, the following malicious MD5s are also known to have phoned back to these C&C hosts:
MD5: b0dbfd7e359d4830d7ff4a5f40a78204
MD5: 5b904359d9f8922e209141fbccbacf4f
MD5: 4c6baee04409f0fe04a616946f2c2230
MD5: a64eceab34bf8eaa4615bc0f477f8279
MD5: 71c2d1d1c46f0c458ab88127b020fd02
MD5: 58282fd31e84be35d8e904542e96b1ba
MD5: 6fefcd92fb6758f77b1ef0b6fccc9870
MD5: 04492fd5c0e82e45f00a8e125728e15b
MD5: 9244e8799ffd75f2d0666a441b5bc84e
MD5: 9591c937c6da209b21ebbdf8a37e2ddd
MD5: d966aa83c96c81faf118dde9836636e2
MD5: 8e59c5683fe56e3c1576ae360776dad5
MD5: 3d75e483f9fad44d9cae483628652a8e
MD5: ed97aa41539ca162479534fd9ace2bc0
MD5: b20cc2ad04b4fffaffcf6fa17c5f22ce
MD5: 5640dfbfe84321811c3374c2453c96b7
MD5: a416fa920ef2219bcd33ef2682ee2308
MD5: ebe9d1ea6a41d4e7c402ece7ecca398b
MD5: 231aef609786d8076b33d475ac7a9702
MD5: c965119e445379db79308011cec6b967

Webroot SecureAnywhere users are proactively protected from these threats.

Blog Staff

About the Author

Blog Staff

The Webroot blog offers expert insights and analysis into the latest cybersecurity trends. Whether you’re a home or business user, we’re dedicated to giving you the awareness and knowledge needed to stay ahead of today’s cyber threats.

Share This