{"id":10056,"date":"2013-03-12T00:00:47","date_gmt":"2013-03-12T07:00:47","guid":{"rendered":"http:\/\/blog.webroot.com\/?p=10056"},"modified":"2018-05-29T10:25:18","modified_gmt":"2018-05-29T16:25:18","slug":"fake-bofa-cashpro-online-digital-certificate-themed-emails-lead-to-malware","status":"publish","type":"post","link":"https://www.webroot.com/blog/2013\/03\/12\/fake-bofa-cashpro-online-digital-certificate-themed-emails-lead-to-malware\/","title":{"rendered":"Fake BofA CashPro ‘Online Digital Certificate” themed emails lead to malware"},"content":{"rendered":"

By Dancho\u00a0Danchev<\/strong><\/p>\n

Over the past 24 hours, we intercepted tens of thousands of malicious emails attempting to socially engineer BofA’s\u00a0CashPro<\/strong><\/a> users into downloading\u00a0and executing a bogus online digital certificate attached to the fake emails.<\/p>\n

More details:<\/p>\n

<\/p>\n

Sample screenshot of \u00a0the spamvertised email:<\/strong><\/p>\n

\"Email_Spam_Malware_CashPro_Social_Engineering\"<\/a><\/p>\n

Detection rate for the malicious executable:\u00a0MD5: bfe7c4846823174cbcbb10de9daf426b<\/strong><\/a> – detected by 34 out of 46 antivirus scanners as Password-Stealer.<\/p>\n

The attachment uses the following naming convention:<\/strong>
\ncashpro_cert_7585cc6726.zip<\/em>
\ncashpro_cert_cc1d4a119071.zip<\/em><\/p>\n

Once extracted, the malicious executable masks its name with the following convention:<\/strong>
\nCASHPRO_CERT_ID_5764578926487346283945238645298374628937894273648528523905625-23652659235-235-235-235235237562372463478238452835482354823482346287548.CRT.EXE<\/em><\/p>\n

Once executed, the sample creates the following Registry Key:<\/strong>
\nHKEY_CURRENT_USERSoftwareWinRAR<\/em><\/p>\n

And sets the following Registry Value:<\/strong>
\nHWID\u00a0= 7B\u00a039 35 39 37 36 32 38 46 2D 37 38 37 38 2D 34 33 41 31 2D 38 43 45 41 2D 32 41 43 43 32 33 44 39 36 32 39 45 7D<\/em><\/p>\n

It then attempts to connect to 74.207.227.67<\/strong>; 17.optimaxmagnetics.us<\/strong>, and successfully establishes a connection with the C&C server at\u00a050.28.90.36:8080\/forum\/viewtopic.php<\/strong><\/p>\n

More MD5s are known to have phoned back to the same IP:
\nMD5: 4C46DC410268C19DD561DB92BD52D02D<\/strong><\/a> – 50.28.90.36:8080\/ponyb\/gate.php<\/em>
\nMD5: 5F0084494777BC4F76F6919E284C6AA9<\/strong><\/a> – 50.28.90.36:8080\/forum\/viewtopic.php<\/em>
\nMD5: 6E360ACA1BE5569A681832DF8B16F320<\/strong><\/a> – 50.28.90.36:8080\/forum\/viewtopic.php<\/em><\/p>\n

50.28.90.36<\/strong> responds to host.elenskids.com<\/strong>. What’s particularly interesting about this host is that it’s the official Web site of Elen’s Kids Modeling & Talent Management<\/strong><\/a> (operated by LANFusion LLC<\/strong><\/a>), who appear to be running an advance fee type of fraudulent scheme<\/strong><\/a>, according to several complaints about their activities.<\/p>\n

You can find more about Dancho\u00a0Danchev at his\u00a0LinkedIn Profile<\/strong><\/a>. You can also\u00a0follow him on \u00a0Twitter<\/strong><\/a>.<\/em><\/p>\n","protected":false},"excerpt":{"rendered":"

By Dancho\u00a0Danchev Over the past 24 hours, we intercepted tens of thousands of malicious emails attempting to socially engineer BofA’s\u00a0CashPro users into downloading\u00a0and executing a bogus online digital certificate attached to the fake emails. More details:<\/p>\n","protected":false},"author":65,"featured_media":17052,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[3005],"tags":[],"yst_prominent_words":[13469,13463,13481,13459,13471,13461,13465,13467,13473,13475,7607,13477,22375,6173,5735,3561,4065,5717,4501,3875],"acf":[],"_links":{"self":[{"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/posts\/10056"}],"collection":[{"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/users\/65"}],"replies":[{"embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/comments?post=10056"}],"version-history":[{"count":3,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/posts\/10056\/revisions"}],"predecessor-version":[{"id":24557,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/posts\/10056\/revisions\/24557"}],"wp:featuredmedia":[{"embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/media\/17052"}],"wp:attachment":[{"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/media?parent=10056"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/categories?post=10056"},{"taxonomy":"post_tag","embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/tags?post=10056"},{"taxonomy":"yst_prominent_words","embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/yst_prominent_words?post=10056"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}