{"id":15152,"date":"2013-11-27T12:00:55","date_gmt":"2013-11-27T19:00:55","guid":{"rendered":"https://www.webroot.com/blog/?p=15152"},"modified":"2018-10-05T13:09:12","modified_gmt":"2018-10-05T19:09:12","slug":"fake-octobers-billing-address-code-bac-form-themed-spam-campaign-leads-malware","status":"publish","type":"post","link":"https://www.webroot.com/blog/2013\/11\/27\/fake-octobers-billing-address-code-bac-form-themed-spam-campaign-leads-malware\/","title":{"rendered":"Fake ‘October’s Billing Address Code’ (BAC) form themed spam campaign leads to malware"},"content":{"rendered":"

Have you received a casual-sounding email enticing you into signing a Billing Address Code (BAC) form for October, in order for the Payroll Manager to proceed with the transaction? Based on our statistics, tens of thousands of users received these malicious spam emails over the last 24 hours, with the cybercriminal(s) behind them clearly interested in expanding the size of their botnet through good old fashioned ‘casual social engineering’ campaigns.<\/p>\n

<\/p>\n

Sample screenshot of the spamvertised email:<\/strong><\/p>\n

\"BAC_Billing_Address_Code_Form_Fake_Rogue_Malicious_Email_Social_Engineering_Malware_Malicious_Software_Botnet_Botnets\"<\/a><\/p>\n

Detection rate for the spamvertised malicious attachment<\/strong>: MD5: 36a685cf1436530686d1967b4a9d6680<\/a><\/strong> – detected by 20 out of 46 antivirus scanners as Win32\/TrojanDownloader.Waski.A.<\/p>\n

Once executed, the sample starts listening on ports 7442 and 1666.<\/p>\n

It then creates the following Mutexes on the affected hosts:<\/strong>
\nLocal\\{B0B9FAFD-CA9C-4B54-DBC9-BE58FA349D4A}
\nLocal\\{B0B9FAFC-CA9D-4B54-DBC9-BE58FA349D4A}
\nLocal\\{D15F4CEE-7C8F-2AB2-DBC9-BE58FA349D4A}
\nLocal\\{D15F4CE9-7C88-2AB2-DBC9-BE58FA349D4A}
\nLocal\\{0BB5ADEF-9D8E-F058-DBC9-BE58FA349D4A}
\nLocal\\{911F9FCD-AFAC-6AF2-DBC9-BE58FA349D4A}
\nGlobal\\{2E06BA86-8AE7-D5EB-DBC9-BE58FA349D4A}
\nGlobal\\{B0B9FAFD-CA9C-4B54-DBC9-BE58FA349D4A}
\nGlobal\\{B0B9FAFC-CA9D-4B54-DBC9-BE58FA349D4A}
\nGlobal\\{D15F4CEE-7C8F-2AB2-DBC9-BE58FA349D4A}
\nGlobal\\{D15F4CE9-7C88-2AB2-DBC9-BE58FA349D4A}
\nGlobal\\{0BB5ADEF-9D8E-F058-DBC9-BE58FA349D4A}
\nGlobal\\{BB67AFC4-9FA5-408A-DBC9-BE58FA349D4A}
\nGlobal\\{9D48A1E2-9183-66A5-11EB-B06D3016937F}
\nGlobal\\{9D48A1E2-9183-66A5-75EA-B06D5417937F}
\nGlobal\\{9D48A1E2-9183-66A5-4DE9-B06D6C14937F}
\nGlobal\\{9D48A1E2-9183-66A5-65E9-B06D4414937F}
\nGlobal\\{9D48A1E2-9183-66A5-89E9-B06DA814937F}
\nGlobal\\{9D48A1E2-9183-66A5-BDE9-B06D9C14937F}
\nGlobal\\{9D48A1E2-9183-66A5-51E8-B06D7015937F}
\nGlobal\\{9D48A1E2-9183-66A5-81E8-B06DA015937F}
\nGlobal\\{9D48A1E2-9183-66A5-FDE8-B06DDC15937F}
\nGlobal\\{9D48A1E2-9183-66A5-0DEF-B06D2C12937F}
\nGlobal\\{9D48A1E2-9183-66A5-5DEF-B06D7C12937F}
\nGlobal\\{9D48A1E2-9183-66A5-95EE-B06DB413937F}
\nGlobal\\{9D48A1E2-9183-66A5-F1EE-B06DD013937F}
\nGlobal\\{9D48A1E2-9183-66A5-89EB-B06DA816937F}
\nGlobal\\{9D48A1E2-9183-66A5-F9EF-B06DD812937F}
\nGlobal\\{9D48A1E2-9183-66A5-E5EF-B06DC412937F}
\nGlobal\\{9D48A1E2-9183-66A5-0DEE-B06D2C13937F}
\nGlobal\\{9D48A1E2-9183-66A5-09ED-B06D2810937F}
\nGlobal\\{9D48A1E2-9183-66A5-51EF-B06D7012937F}
\nGlobal\\{9D48A1E2-9183-66A5-35EC-B06D1411937F}
\nGlobal\\{9D48A1E2-9183-66A5-A9E8-B06D8815937F}
\nGlobal\\{DDB39BDC-ABBD-265E-DBC9-BE58FA349D4A}
\nGlobal\\{2E1C200D-106C-D5F1-DBC9-BE58FA349D4A}<\/p>\n

Drops the following MD5s: MD5: cf8ab39c0a2561eb9df2c22496d20b3b<\/strong>; MD5: 75fe668007e66601724af592f8ca8985<\/strong>; MD5: 6abdc5f7f9599e3971af4202cf4ed4da<\/strong>.<\/p>\n

And phones back to the following C&C servers:<\/strong>
\noffensivejokescolin.com – 38.102.226.253
\n85.100.41.9
\n113.161.95.98
\n172.245.217.122
\n93.177.152.17
\n114.24.192.181
\n63.227.34.28
\n76.70.9.123
\n206.190.252.6
\n60.244.87.31
\n70.27.195.251
\n217.36.122.144
\n173.239.143.42
\n86.135.144.6
\n69.95.46.22
\n85.24.208.124
\n86.147.226.12
\n79.129.27.234
\n94.64.239.197
\n58.252.57.193
\n194.250.81.234
\n62.23.247.20
\n75.99.113.250
\n82.91.203.169
\n178.23.32.115
\n85.206.22.117
\n31.192.48.109
\n187.188.136.31
\n178.192.71.93
\n213.96.69.3<\/p>\n

The following malicious MD5s are also known to have phoned back to the same C&C servers:<\/strong>
\nMD5: 3752b2f92671cd051a77b04fd2fed383
\nMD5: 6bafe2fc65cf34ae6f103121d9325416
\nMD5: 4ae6a46a228da040fe25db0f419ae727
\nMD5: ed52d9f9fcc60d12166905e359c99020
\nMD5: 74e5acef47b9c57c7756cf130e8d4805
\nMD5: 1888be386f701199b282840cc0c5354f
\nMD5: 1b2590ee13cf6bda134a162708f8270a
\nMD5: adb1e09a26a6b22090b23432f0547ba3
\nMD5: 9b57ac8d44cede55be2079a4b400fffd
\nMD5: b1e332efb4e83189c7f5e84bc93e205b
\nMD5: 6c67f2add5a6eacb4c69f9efdbbb8cde
\nMD5: e65c0fd804992ea7e246f2385e32a0e1
\nMD5: bba80e9fabb476830d5216f1fa264489
\nMD5: 4dfa5221aae9945989fd815342d19c12
\nMD5: 49969b7e553ee03707f1e3ef333c2406
\nMD5: 86680fde2ef1ab2681262d39369999e8
\nMD5: 8b45bf7f9f4104c1e15cca8eb7f80581
\nMD5: c7d1a47b80f7910a03db8fa9791d2aec
\nMD5: b899ba5037db4babda49603603912bb9
\nMD5: d3cd3c07a4f82ed30bbc0af597f5391a
\nMD5: a6cb214dc74fb7aadb22e732720daff0
\nMD5: 7b821616bf2a78472286d61c19e03bd1
\nMD5: 9f257f99a479d2f7b19c21255719a995
\nMD5: bc89a2185ab2f317a5a58e7a7c35daa8
\nMD5: 916c95e50ec4d6010a2818de50a94ff5
\nMD5: 32cfae63aa9be58e32829fe6c4f89a85
\nMD5: e40b6d4953b7923d52b0315429d16c10<\/p>\n

Webroot\u00a0SecureAnywhere<\/a><\/strong>\u00a0users are proactively protected from these threats.<\/p>\n","protected":false},"excerpt":{"rendered":"

Have you received a casual-sounding email enticing you into signing a Billing Address Code (BAC) form for October, in order for the Payroll Manager to proceed with the transaction? Based on our statistics, tens of thousands of users received these malicious spam emails over the last 24 hours, with the cybercriminal(s) behind them clearly interested […]<\/p>\n","protected":false},"author":65,"featured_media":17052,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[3005],"tags":[],"yst_prominent_words":[22369,22367,3493,4065,16541,4603,3875,4417,5883,3529],"acf":[],"_links":{"self":[{"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/posts\/15152"}],"collection":[{"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/users\/65"}],"replies":[{"embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/comments?post=15152"}],"version-history":[{"count":9,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/posts\/15152\/revisions"}],"predecessor-version":[{"id":25777,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/posts\/15152\/revisions\/25777"}],"wp:featuredmedia":[{"embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/media\/17052"}],"wp:attachment":[{"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/media?parent=15152"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/categories?post=15152"},{"taxonomy":"post_tag","embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/tags?post=15152"},{"taxonomy":"yst_prominent_words","embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/yst_prominent_words?post=15152"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}