Cybercriminals are currently mass mailing tens of thousands of malicious emails, supposedly including a photo attachment that’s been “Sent from an iPhone”. The social engineering driven spam campaign is, however, the latest attempt by a cybercriminal/group of cybercriminals that we’ve been monitor for a while, to attempt to trick gullible users into unknowingly joining the botnet operated by the malicious actor(s) behind the campaign.
Detection rate for the spamvertised attachment: MD5: 46e077f058f5a6eddee3c851f8e56838 – detected by 36 out of 47 antivirus scanners as Trojan.Win32.Neurevt.jl; Trojan:Win32/Neurevt.A.
Once executed, the sample creates the following Registry Keys on the affected hosts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ijiujsnjb.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe
Once executed, the sample attempts to contact the following C&C servers:
next to the well known by now, networksecurityx.hopto.org, a C&C host that we’ve already profiled in several analyses.
Moreover, the following malicious MD5s are also known to have phoned back to these C&C hosts:
Webroot SecureAnywhere users are proactively protected from these threats.