Fake ‘Annual Form (STD-261) – Authorization to Use Privately Owned Vehicle on State Business’ themed emails lead to malware

Want to file for mileage reimbursement through a STD-261 form? You may want to skip the tens of thousands of malicious emails currently in circulation, attempting to trick users into executing the malicious attachment. Once downloaded, your PC automatically joins the botnet operated by the cybercriminal(s) behind the campaign, undermining the confidentiality and integrity of the host.

Sample screenshot of the spamvertised email:

Detection rate for the spamvertised attachment: MD5: 3aaa04b0762d8336379b8adedad5846b – detected by 21 out of 47 antivirus scanners as Trojan.Win32.Bublik.bkri; TrojanDownloader:Win32/Upatre.A.

Once executed, the sample starts listening on ports 8412 and 3495.

It also creates the following Mutexes:
Local\{B0B9FAFD-CA9C-4B54-DBC9-BE58FA349D4A}
Local\{B0B9FAFC-CA9D-4B54-DBC9-BE58FA349D4A}
Local\{D15F4CEE-7C8F-2AB2-DBC9-BE58FA349D4A}
Local\{D15F4CE9-7C88-2AB2-DBC9-BE58FA349D4A}
Local\{0BB5ADEF-9D8E-F058-DBC9-BE58FA349D4A}
Local\{911F9FCD-AFAC-6AF2-DBC9-BE58FA349D4A}
Global\{2E06BA86-8AE7-D5EB-DBC9-BE58FA349D4A}
Global\{B0B9FAFD-CA9C-4B54-DBC9-BE58FA349D4A}
Global\{B0B9FAFC-CA9D-4B54-DBC9-BE58FA349D4A}
Global\{D15F4CEE-7C8F-2AB2-DBC9-BE58FA349D4A}
Global\{D15F4CE9-7C88-2AB2-DBC9-BE58FA349D4A}
Global\{0BB5ADEF-9D8E-F058-DBC9-BE58FA349D4A}
Global\{BB67AFC4-9FA5-408A-DBC9-BE58FA349D4A}
Global\{896D5E41-6E20-7280-11EB-B06D3016937F}
Global\{896D5E41-6E20-7280-75EA-B06D5417937F}
Global\{896D5E41-6E20-7280-4DE9-B06D6C14937F}
Global\{896D5E41-6E20-7280-65E9-B06D4414937F}
Global\{896D5E41-6E20-7280-89E9-B06DA814937F}
Global\{896D5E41-6E20-7280-BDE9-B06D9C14937F}
Global\{896D5E41-6E20-7280-51E8-B06D7015937F}
Global\{896D5E41-6E20-7280-81E8-B06DA015937F}
Global\{896D5E41-6E20-7280-FDE8-B06DDC15937F}
Global\{896D5E41-6E20-7280-0DEF-B06D2C12937F}
Global\{896D5E41-6E20-7280-5DEF-B06D7C12937F}
Global\{896D5E41-6E20-7280-95EE-B06DB413937F}
Global\{896D5E41-6E20-7280-F1EE-B06DD013937F}
Global\{896D5E41-6E20-7280-89EB-B06DA816937F}
Global\{896D5E41-6E20-7280-F9EF-B06DD812937F}
Global\{896D5E41-6E20-7280-E5EF-B06DC412937F}
Global\{896D5E41-6E20-7280-0DEE-B06D2C13937F}
Global\{896D5E41-6E20-7280-09ED-B06D2810937F}
Global\{896D5E41-6E20-7280-51EF-B06D7012937F}
Global\{896D5E41-6E20-7280-35EC-B06D1411937F}
Global\{896D5E41-6E20-7280-61EC-B06D4011937F}
Global\{DDB39BDC-ABBD-265E-DBC9-BE58FA349D4A}

Drops the following files on the affected hosts:
MD5: 3659e0dc0323e769aabfeb668a7d1ecb
MD5: 617973f2d58f541913678f4d15e61d60
MD5: 1c23c5bdfd8f8f80ff2654208833ebdf

It then attempts to phone back to the following C&C servers:
122.201.103.88
122.201.103.86
46.49.119.78
85.100.41.9
79.187.164.155
74.243.130.50
86.180.70.185
176.205.29.45
58.252.57.193
93.177.184.173
108.65.194.40
86.147.226.12
217.35.80.36
84.58.47.98
85.34.231.122
61.250.167.140
75.99.113.250
190.204.248.56
86.160.8.233
46.48.251.37
68.162.220.34
82.211.142.218
31.192.48.109
46.49.93.88
60.44.176.185
23.24.39.197

Naturally, we’re also aware of related malicous MD5s that are known to have phoned back to the same C&C servers as well:
MD5: 75c4209771d322d1b2c404fe3f3a9b95
MD5: 96b7b1f503be8b361c95389d0370cb2d
MD5: 9236cdff457e2ff07a05c11ba71e7332
MD5: d3e6175dd54eb537636142f3dd74bfd3
MD5: 6a2905e94eabff2d7793614d0b9f05bb
MD5: 9f63177a6c30b081e2216e438729cda4
MD5: d281140c890b06d76692f6fed8ed5e7e
MD5: 258f5c7bdee9f063dd163c35c5ef0b12
MD5: c8cb617b8318fab2e1fee0f838e14841
MD5: def02766def420e49dbf3ce0af2f60b9
MD5: 9d07184f4375671623a7f442230d8745
MD5: cf1f61ad29dc56a7689f6fa0c1c5bf2e
MD5: 20cb4b66d2a1d35ef635d66bc7e8ad20
MD5: c30d4650897da4735eb756863a30fc95
MD5: da514188b7c911d2a5c8568f2807a68c
MD5: c8032899076e28c4edf83e59aeeeb981
MD5: ee7ecadfc3a7d879d72537ddcb815253
MD5: edbdf3a3086430d96f57f85d15bbe8f1
MD5: e226dcf34a0c71a6f552d61ee9789932
MD5: 860701c889c40f17d5811f58c3c29877
MD5: d3bac5410920def9594b3170dbcdc711
MD5: f192f19de1b6fa3b0b10efd1343eb63c
MD5: eddc590c10a9cb482a1eba8596094dee
MD5: 8af455cf950ee44db2b67bab23a62f82

Webroot SecureAnywhere users are proactively protected from these threats.

About the Author

Blog Staff

The Webroot blog offers expert insights and analysis into the latest cybersecurity trends. Whether you’re a home or business user, we’re dedicated to giving you the awareness and knowledge needed to stay ahead of today’s cyber threats.