{"id":14489,"date":"2013-10-02T00:00:55","date_gmt":"2013-10-02T06:00:55","guid":{"rendered":"https://www.webroot.com/blog/?p=14489"},"modified":"2018-10-05T12:53:59","modified_gmt":"2018-10-05T18:53:59","slug":"t-mobile-mms-message-arrived-themed-emails-lead-malware","status":"publish","type":"post","link":"https://www.webroot.com/blog/2013\/10\/02\/t-mobile-mms-message-arrived-themed-emails-lead-malware\/","title":{"rendered":"&#8216;T-Mobile MMS message has arrived&#8217; themed emails lead to malware"},"content":{"rendered":"<p>A circulating malicious spam campaign attempts to trick <a href=\"https:\/\/www.webroot.com\/blog\/2012\/11\/29\/cybercriminals-impersonate-t-mobile-u-k-serve-malware\/\"><strong>T-Mobile<\/strong><\/a> customers into thinking that they&#8217;ve received a password-protected MMS. However, once gullible and socially engineered users execute the malicious attachment, they automatically compromise the confidentiality and integrity of their PCs, allowing the cybercriminals behind the campaign to gain complete control of their PCs.<\/p>\n<p>Detection rate for the spamvertised sample &#8211; <a href=\"https:\/\/www.virustotal.com\/en\/file\/a9e3c6ff238cd1e4a5a2d3312bfad59091c25698e6c072623af279a58ebbe254\/analysis\/1379599644\/\"><strong>MD5: 5d69a364ffa8d641237baf4ec7bd641f<\/strong><\/a> &#8211; detected by 11 out of 48 antivirus scanners as W32\/Trojan.XTWU-6193; TR\/Sharik.B; Trojan.DownLoader9.22851<\/p>\n<p>Once executed, the sample phones back to <strong>networksecurityx.hopto.org<\/strong> &#8211; 69.65.19.117<\/p>\n<p><strong>The following subdomains are also known to have phoned back to the same IP in the past:<\/strong><\/p>\n<p><strong>The following malicious MD5s are also known to have phoned back to the same domain\/IP in the past:<\/strong><\/p>\n<p><strong><a href=\"https:\/\/www.webroot.com\/us\/en\/home\/products\/complete\">Webroot\u00a0SecureAnywhere<\/a><\/strong>\u00a0users are proactively protected from these threats.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>A circulating malicious spam campaign attempts to trick T-Mobile customers into thinking that they&#8217;ve received a password-protected MMS. 
However, once gullible and socially engineered users execute the malicious attachment, they automatically compromise the confidentiality and integrity of their PCs, allowing the cybercriminals behind the campaign to gain complete control of their PCs.<\/p>\n","protected":false},"author":65,"featured_media":17052,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[3005],"tags":[],"yst_prominent_words":[3881,4047,4065,5717,4323,16233,3875,3529],"acf":[],"_links":{"self":[{"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/posts\/14489"}],"collection":[{"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/users\/65"}],"replies":[{"embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/comments?post=14489"}],"version-history":[{"count":7,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/posts\/14489\/revisions"}],"predecessor-version":[{"id":25723,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/posts\/14489\/revisions\/25723"}],"wp:featuredmedia":[{"embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/media\/17052"}],"wp:attachment":[{"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/media?parent=14489"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/categories?post=14489"},{"taxonomy":"post_tag","embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/tags?post=14489"},{"taxonomy":"yst_prominent_words","embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/yst_prominent_words?post=14489"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}