{"id":16562,"date":"2014-05-13T13:53:31","date_gmt":"2014-05-13T19:53:31","guid":{"rendered":"https://www.webroot.com/blog/?p=16562"},"modified":"2023-11-02T12:12:46","modified_gmt":"2023-11-02T18:12:46","slug":"spamvertised-notification-payment-received-themed-emails-lead-malware","status":"publish","type":"post","link":"https://www.webroot.com/blog/2014\/05\/13\/spamvertised-notification-payment-received-themed-emails-lead-malware\/","title":{"rendered":"Spamvertised ‘Notification of payment received’ themed emails lead to malware"},"content":{"rendered":"

PayPal users, watch what you click on!<\/p>\n

We’ve recently intercepted a currently circulating malicious spamvertised campaign which is impersonating PayPal\u00a0in an attempt to trick socially engineered end users into clicking on the malware-serving links found in the emails.<\/p>\n

More details:<\/p>\n

Sample screenshot of the spamvertised email:<\/strong><\/p>\n

\"Spamvertised_PayPal_Malware_Malicious_Software_Social_Engineering\"<\/a><\/p>\n

Malicious URL redirection chain:<\/strong> hxxp:\/\/hoodflixxx.com\/PP_det.html<\/em> -> hxxp:\/\/62.76.43.78\/p2p\/PP_detalis_726716942049.pdf.exe<\/em><\/p>\n

Detection rate for a sample malware MD5: aa1762e9ba4b552421971ef2e4de9208<\/strong><\/a> – detected by 2 out of 51 antivirus scanners as Spyware.Zbot.ED.<\/p>\n

Once executed, the sample starts listening on ports 9296, and 3198. It also\u00a0drops the following malicious MD5: e8007be046dcc5b6f8e29d4d8233fd78 on the affected hosts.<\/p>\n

It then phones back to the following C&C servers:<\/strong>
\n81.157.189.166
\n81.149.93.141
\n81.130.195.125
\n143.225.154.3
\n76.22.162.44
\n99.73.173.219
\n174.89.110.91
\n23.97.72.192
\n168.63.211.182
\n75.1.220.146
\n77.239.59.243
\n94.88.99.85
\n37.57.41.161
\n46.171.141.202
\n23.98.64.182
\n221.193.254.122
\n191.234.52.206
\n138.91.18.14
\n23.98.42.224
\n168.61.87.1
\n137.117.69.203
\n72.190.57.143
\n109.158.32.240
\n88.61.116.225
\n94.98.191.169
\n105.236.47.68
\n173.200.116.226
\n137.117.196.168
\n221.214.141.155
\n83.110.198.24
\n222.14.178.194<\/p>\n

Related malicious MD5s known to have phoned back to the following C&C (81.149.93.141) server:<\/strong>
\nMD5: 108a74d39c3bce71ba5686b55658358e
\nMD5: a2bde0d1389b3bdbcd9f612ae683edd8
\nMD5: c9ec831991c4962ba5c984f78e13bef5
\nMD5: 4ee923a7769430785dd1f309aad0a12b<\/p>\n

Once executed MD5: 108a74d39c3bce71ba5686b55658358e phones back to the following C&C servers:<\/strong>
\n81.149.93.141:7325
\n81.130.195.125:2607
\n130.37.198.100:2430
\n213.120.146.245:6585
\n143.225.154.3:7621<\/p>\n

Once executed MD5: a2bde0d1389b3bdbcd9f612ae683edd8 phones back to the following C&C servers:<\/strong>
\nhxxp:\/\/81.149.93.141:7325
\nhxxp:\/\/81.130.195.125:2607
\nhxxp:\/\/130.37.198.100:2430
\nhxxp:\/\/13.120.146.245:6585
\nhxxp:\/\/143.225.154.3:7621<\/p>\n

Known to have phoned back to the following C&C server (81.130.195.125) are also the following malicious MD5s:<\/strong>
\nMD5: ffb9cad511d90734a0d6151086994fb6
\nMD5: 108a74d39c3bce71ba5686b55658358e
\nMD5: a2bde0d1389b3bdbcd9f612ae683edd8
\nMD5: 4ee923a7769430785dd1f309aad0a12b
\nMD5: 188df9486ab259d5a1340f842c4f3e78
\nMD5: e49e7b907499c8b4e31447eaffd112b1<\/p>\n

Once executed, MD5: e49e7b907499c8b4e31447eaffd112b1 phones back to the following C&C servers:<\/strong>
\nhxxp:\/\/94.88.99.85:8596
\nhxxp:\/\/81.130.195.125:2607
\nhxxp:\/\/130.37.198.100:2430
\nhxxp:\/\/109.153.212.95:4808<\/p>\n

Webroot\u00a0SecureAnywhere<\/a><\/strong>\u00a0users are proactively protected from these threats.<\/p>\n","protected":false},"excerpt":{"rendered":"

PayPal users, watch what you click on! We’ve recently intercepted a currently circulating malicious spamvertised campaign which is impersonating PayPal\u00a0in an attempt to trick socially engineered end users into clicking on the malware-serving links found in the emails. More details: Sample screenshot of the spamvertised email:<\/p>\n","protected":false},"author":65,"featured_media":17052,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[3005],"tags":[],"yst_prominent_words":[17727,17729,22369,22367,13139,14055,4065,15475,17719,17723,17721,17725,11489,8933,3875,4417,5883,3529],"acf":[],"_links":{"self":[{"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/posts\/16562"}],"collection":[{"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/users\/65"}],"replies":[{"embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/comments?post=16562"}],"version-history":[{"count":15,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/posts\/16562\/revisions"}],"predecessor-version":[{"id":32291,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/posts\/16562\/revisions\/32291"}],"wp:featuredmedia":[{"embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/media\/17052"}],"wp:attachment":[{"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/media?parent=16562"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/categories?post=16562"},{"taxonomy":"post_tag","embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/tags?post=16562"},{"taxonomy":"yst_prominent_words","embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/yst_prominent_words?post=16562"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}