Spamvertised ‘Notification of payment received’ themed emails lead to malware

PayPal users, watch what you click on!

We’ve recently intercepted a currently circulating malicious spamvertised campaign which is impersonating PayPal in an attempt to trick socially engineered end users into clicking on the malware-serving links found in the emails.

More details:

Sample screenshot of the spamvertised email:

Malicious URL redirection chain: hxxp://hoodflixxx.com/PP_det.html -> hxxp://62.76.43.78/p2p/PP_detalis_726716942049.pdf.exe

Detection rate for a sample malware MD5: aa1762e9ba4b552421971ef2e4de9208 – detected by 2 out of 51 antivirus scanners as Spyware.Zbot.ED.

Once executed, the sample starts listening on ports 9296, and 3198. It also drops the following malicious MD5: e8007be046dcc5b6f8e29d4d8233fd78 on the affected hosts.

It then phones back to the following C&C servers:
81.157.189.166
81.149.93.141
81.130.195.125
143.225.154.3
76.22.162.44
99.73.173.219
174.89.110.91
23.97.72.192
168.63.211.182
75.1.220.146
77.239.59.243
94.88.99.85
37.57.41.161
46.171.141.202
23.98.64.182
221.193.254.122
191.234.52.206
138.91.18.14
23.98.42.224
168.61.87.1
137.117.69.203
72.190.57.143
109.158.32.240
88.61.116.225
94.98.191.169
105.236.47.68
173.200.116.226
137.117.196.168
221.214.141.155
83.110.198.24
222.14.178.194

Related malicious MD5s known to have phoned back to the following C&C (81.149.93.141) server:
MD5: 108a74d39c3bce71ba5686b55658358e
MD5: a2bde0d1389b3bdbcd9f612ae683edd8
MD5: c9ec831991c4962ba5c984f78e13bef5
MD5: 4ee923a7769430785dd1f309aad0a12b

Once executed MD5: 108a74d39c3bce71ba5686b55658358e phones back to the following C&C servers:
81.149.93.141:7325
81.130.195.125:2607
130.37.198.100:2430
213.120.146.245:6585
143.225.154.3:7621

Once executed MD5: a2bde0d1389b3bdbcd9f612ae683edd8 phones back to the following C&C servers:
hxxp://81.149.93.141:7325
hxxp://81.130.195.125:2607
hxxp://130.37.198.100:2430
hxxp://13.120.146.245:6585
hxxp://143.225.154.3:7621

Known to have phoned back to the following C&C server (81.130.195.125) are also the following malicious MD5s:
MD5: ffb9cad511d90734a0d6151086994fb6
MD5: 108a74d39c3bce71ba5686b55658358e
MD5: a2bde0d1389b3bdbcd9f612ae683edd8
MD5: 4ee923a7769430785dd1f309aad0a12b
MD5: 188df9486ab259d5a1340f842c4f3e78
MD5: e49e7b907499c8b4e31447eaffd112b1

Once executed, MD5: e49e7b907499c8b4e31447eaffd112b1 phones back to the following C&C servers:
hxxp://94.88.99.85:8596
hxxp://81.130.195.125:2607
hxxp://130.37.198.100:2430
hxxp://109.153.212.95:4808

Webroot SecureAnywhere users are proactively protected from these threats.

About the Author

Blog Staff

The Webroot blog offers expert insights and analysis into the latest cybersecurity trends. Whether you’re a home or business user, we’re dedicated to giving you the awareness and knowledge needed to stay ahead of today’s cyber threats.