{"id":16680,"date":"2014-06-17T11:38:04","date_gmt":"2014-06-17T17:38:04","guid":{"rendered":"https://www.webroot.com/blog/?p=16680"},"modified":"2023-11-02T12:28:38","modified_gmt":"2023-11-02T18:28:38","slug":"spamvertised-inovice-june-themed-emails-lead-malware","status":"publish","type":"post","link":"https://www.webroot.com/blog/2014\/06\/17\/spamvertised-inovice-june-themed-emails-lead-malware\/","title":{"rendered":"Spamvertised &#8216;June invoice&#8217; themed emails lead to malware"},"content":{"rendered":"<p>Cybercriminals continue spamvertising tens of thousands of malicious emails in an attempt to socially engineer end users, ultimately increasing their botnet&#8217;s infected population through the systematic and persistent rotation of popular brands.<\/p>\n<p>We&#8217;ve recently intercepted a currently circulating malicious campaign enticing users into executing the fake attachment.<\/p>\n<p>More details:<\/p>\n<p><!--more--><\/p>\n<p><strong>Detection rate for the sampled malware:<\/strong> <a href=\"https:\/\/www.virustotal.com\/en\/file\/1f96459c0ead337cf13478236d13c76a5f7606bbf912e3963abc3b24180b1640\/analysis\/1403011569\/\"><strong>MD5: 8b54dedf5acc19a4e9060f0be384c74d<\/strong><\/a> &#8211; detected by 43 out of 54 antivirus scanners as Backdoor.Win32.Androm.elwa<\/p>\n<p>Once executed, the sample starts listening on port 30073.<\/p>\n<p><strong>It then creates the following mutexes on the affected hosts:<\/strong><br \/>\nLocal\\{6FC54A61-D264-7CF8-D58B-19468FF29DE4}<br \/>\nLocal\\{21D28140-1945-32EF-D58B-19468FF29DE4}<br \/>\nLocal\\{3C2F38F1-A0F4-2F12-D58B-19468FF29DE4}<br \/>\nGlobal\\{29B0195A-815F-3A8D-D58B-19468FF29DE4}<br \/>\nGlobal\\{1D55DC30-4435-0E68-D58B-19468FF29DE4}<br \/>\nGlobal\\{B9D945F4-DDF1-AAE4-1BA9-177341D093D1}<br \/>\nGlobal\\{B9D945F4-DDF1-AAE4-1FA9-177345D093D1}<br \/>\nGlobal\\{B9D945F4-DDF1-AAE4-7BA8-177321D193D1}<br \/>\nGlobal\\{B9D945F4-DDF1-AAE4-43AB-177319D293D1}<br 
\/>\nGlobal\\{B9D945F4-DDF1-AAE4-6BAB-177331D293D1}<br \/>\nGlobal\\{B9D945F4-DDF1-AAE4-87AB-1773DDD293D1}<br \/>\nGlobal\\{B9D945F4-DDF1-AAE4-B3AB-1773E9D293D1}<br \/>\nGlobal\\{B9D945F4-DDF1-AAE4-5FAA-177305D393D1}<br \/>\nGlobal\\{B9D945F4-DDF1-AAE4-8FAA-1773D5D393D1}<br \/>\nGlobal\\{B9D945F4-DDF1-AAE4-F7AA-1773ADD393D1}<br \/>\nGlobal\\{B9D945F4-DDF1-AAE4-3BAD-177361D493D1}<br \/>\nGlobal\\{B9D945F4-DDF1-AAE4-5FAD-177305D493D1}<br \/>\nGlobal\\{B9D945F4-DDF1-AAE4-9FAC-1773C5D593D1}<br \/>\nGlobal\\{B9D945F4-DDF1-AAE4-F3AC-1773A9D593D1}<br \/>\nGlobal\\{B9D945F4-DDF1-AAE4-D3A9-177389D093D1}<br \/>\nGlobal\\{B9D945F4-DDF1-AAE4-FFAD-1773A5D493D1}<br \/>\nGlobal\\{B9D945F4-DDF1-AAE4-03AC-177359D593D1}<br \/>\nGlobal\\{B9D945F4-DDF1-AAE4-1BAC-177341D593D1}<br \/>\nGlobal\\{B9D945F4-DDF1-AAE4-E7AD-1773BDD493D1}<br \/>\nGlobal\\{5E86DCC0-44C5-4DBB-D58B-19468FF29DE4}<br \/>\nGlobal\\{32526B1B-F31E-216F-D58B-19468FF29DE4}<br \/>\nGlobal\\{68DA68FA-F0FF-7BE7-D58B-19468FF29DE4}<br \/>\nGlobal\\{24816566-FD63-37BC-D58B-19468FF29DE4}<br \/>\nGlobal\\{B9D945F4-DDF1-AAE4-5BAB-177301D293D1}<br \/>\nGlobal\\{4E6EC1F5-59F0-5D53-D58B-19468FF29DE4}<\/p>\n<p>Once executed <a href=\"https:\/\/www.virustotal.com\/en\/file\/587ef476ccf538621243959d727f475adc2b6b4903cb71a4a40afa111cd1908d\/analysis\/\"><strong>MD5: 8b54dedf5acc19a4e9060f0be384c74d<\/strong><\/a> also drops the following malicious MD5 on the affected hosts &#8211; <a href=\"https:\/\/www.virustotal.com\/en\/file\/587ef476ccf538621243959d727f475adc2b6b4903cb71a4a40afa111cd1908d\/analysis\/\"><strong>MD5: 59916e7de4064548c9901e8fdf83b283<\/strong><\/a><\/p>\n<p><strong>It then phones back to the following C&amp;C servers:<\/strong><br \/>\nhxxp:\/\/62.76.189.58:8080\/dron\/ge.php<br \/>\nhxxp:\/\/62.76.41.73:8080\/tst\/b_cr.exe<br \/>\n62.76.41.73<br \/>\n62.76.185.30<br \/>\n95.101.0.115<\/p>\n<p><img decoding=\"async\" loading=\"lazy\" width=\"715\" height=\"779\" class=\"size-full wp-image-16685 alignnone\" 
src=\"https:\/\/blog-en.webroot.com\/wp-content\/uploads\/2014\/06\/Spamvertised_Malware_Malicious_Software_Social_Engineering_Invoice.png\" alt=\"Spamvertised_Malware_Malicious_Software_Social_Engineering_Invoice\" srcset=\"https:\/\/blog-en.webroot.com\/wp-content\/uploads\/2014\/06\/Spamvertised_Malware_Malicious_Software_Social_Engineering_Invoice.png 715w, https:\/\/blog-en.webroot.com\/wp-content\/uploads\/2014\/06\/Spamvertised_Malware_Malicious_Software_Social_Engineering_Invoice-275x300.png 275w\" sizes=\"(max-width: 715px) 100vw, 715px\" \/><\/p>\n<p>Detection rate for the dropped sample: <a href=\"https:\/\/www.virustotal.com\/en\/file\/8d0c7f67057f063f27f8abdf9c6a4050e47f96f7d7f425be70a79008eb4f68a2\/analysis\/\"><strong>MD5: 596ba17393b18b8432cd14a127d7c6e2<\/strong><\/a> &#8211; detected by 36 out of 54 antivirus scanners as Trojan-Spy.Win32.Zbot.tfdc<\/p>\n<p><strong>Related malicious MD5s known to have phoned back to the same C&amp;C server (62.76.41.73):<\/strong><br \/>\nMD5: 0993f88c5d0c8b0a16100165b897525b<br \/>\nMD5: f9da502e4780be34b9ec0fcc359926f2<br \/>\nMD5: 90e92050ab83f1cf2dd99cc26e793d96<br \/>\nMD5: b33bc727daca6c91c172e121adaecd92<\/p>\n<p><strong>Related malicious MD5s known to have phoned back to the same C&amp;C server (95.101.0.115):<\/strong><br \/>\nMD5: afbc1eb2875f7dc386553eaf80f63b99<br \/>\nMD5: 50aa21c411f3e661a938cd7896b8218b<br \/>\nMD5: aceed785393c5e4bcebe40326c21acee<br \/>\nMD5: 0161b531593d5201e17b5883c658035c<br \/>\nMD5: 9e1d9d0244eca8cb954eab4165ed666b<br \/>\nMD5: f0a0f7c19b515bd68f5e897d6d34a880<\/p>\n<p><strong><a href=\"https:\/\/www.webroot.com\/us\/en\/home\/products\/complete\">Webroot\u00a0SecureAnywhere<\/a><\/strong>\u00a0users are proactively protected from these threats.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Cybercriminals continue spamvertising tens of thousands of malicious emails on their way to socially engineer gullible end users, ultimately increasing their botnet&#8217;s infected 
population through the systematic and persistent rotation of popular brands. We&#8217;ve recently intercepted a currently circulating malicious campaign enticing users into executing the fake attachment. More details:<\/p>\n","protected":false},"author":65,"featured_media":17052,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[3005],"tags":[],"yst_prominent_words":[17963,17961,17957,3863,3871,22369,22453,11067,11021,4065,15475,15471,17959,14979,15473,15469,15467,23205,23127,3529],"acf":[],"_links":{"self":[{"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/posts\/16680"}],"collection":[{"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/users\/65"}],"replies":[{"embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/comments?post=16680"}],"version-history":[{"count":10,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/posts\/16680\/revisions"}],"predecessor-version":[{"id":32307,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/posts\/16680\/revisions\/32307"}],"wp:featuredmedia":[{"embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/media\/17052"}],"wp:attachment":[{"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/media?parent=16680"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/categories?post=16680"},{"taxonomy":"post_tag","embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/tags?post=16680"},{"taxonomy":"yst_prominent_words","embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/yst_prominent_words?post=16680"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
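The post above gives four kinds of host and network indicators for this campaign (a listener on port 30073, a set of mutex names, C&C URLs and IPs, and sample MD5s) but no way to apply them. The script below is an added example, not Webroot's code: it copies those indicators from the post and runs them over constructed sample input (a squid-style proxy log, `netstat -ano` output, a sandbox mutex listing and a file-hash inventory). The two mutex regexes are derived from the 31 names the post lists; every listed name matches one of them, and treating the varying positions as wildcards for other builds is an assumption. The post gives two different MD5s for the dropped file, so both are included as written.

```python
"""IOC matcher for the 'June invoice' Androm/Zbot campaign (added example, not Webroot's code).

Indicators are copied from the post; all log, netstat, mutex and file data below is
constructed sample input. Wildcarded mutex positions are an assumption, not from the post.
"""
import re


def refang(ioc: str) -> str:
    """Turn a defanged indicator (hxxp://, 1[.]2[.]3[.]4) into a matchable form."""
    return ioc.replace("hxxp", "http").replace("[.]", ".").replace("[:]", ":")


# --- indicators from the post -------------------------------------------------
C2_URLS = {refang(u) for u in ("hxxp://62.76.189.58:8080/dron/ge.php",
                               "hxxp://62.76.41.73:8080/tst/b_cr.exe")}
C2_IPS = {"62.76.189.58", "62.76.41.73", "62.76.185.30", "95.101.0.115"}
LISTEN_PORT = 30073                      # backdoor listener opened after execution
KNOWN_MD5S = {
    "8b54dedf5acc19a4e9060f0be384c74d",  # spamvertised attachment (Androm)
    "59916e7de4064548c9901e8fdf83b283", "596ba17393b18b8432cd14a127d7c6e2",  # dropped file, both MD5s as given
    "0993f88c5d0c8b0a16100165b897525b", "f9da502e4780be34b9ec0fcc359926f2",  # callers of 62.76.41.73
    "90e92050ab83f1cf2dd99cc26e793d96", "b33bc727daca6c91c172e121adaecd92",
    "afbc1eb2875f7dc386553eaf80f63b99", "50aa21c411f3e661a938cd7896b8218b",  # callers of 95.101.0.115
    "aceed785393c5e4bcebe40326c21acee", "0161b531593d5201e17b5883c658035c",
    "9e1d9d0244eca8cb954eab4165ed666b", "f0a0f7c19b515bd68f5e897d6d34a880",
}
# Every mutex in the post matches one of these two shapes; the constant parts are verbatim,
# the [0-9A-F] positions are where the listed names differ (assumed variable in other builds).
MUTEX_FAMILIES = {
    "androm-D58B": re.compile(r"^(?:Local|Global)\\\{[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-D58B-19468FF29DE4\}$"),
    "androm-B9D945F4": re.compile(r"^Global\\\{B9D945F4-DDF1-AAE4-[0-9A-F]{4}-1773[0-9A-F]{2}D[0-9]93D1\}$"),
}
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def scan_proxy_log(lines):
    """Flag lines that fetched a C&C URL, or otherwise touched a C&C IP (one hit per line)."""
    hits = []
    for line in lines:
        urls = [u for u in C2_URLS if u in line]
        if urls:
            hits.append(("c2_url", urls[0]))
        else:
            hits.extend(("c2_ip", ip) for ip in set(IPV4.findall(line)) if ip in C2_IPS)
    return hits


def scan_netstat(lines):
    """Flag a listener on the backdoor port and sessions to C&C IPs in `netstat -ano` output."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue
        proto, local, remote = parts[0], parts[1], parts[2]
        state = parts[3] if proto == "TCP" else ""      # UDP rows carry no state column
        if state == "LISTENING" and local.rsplit(":", 1)[1] == str(LISTEN_PORT):
            hits.append(("listener", local))
        if remote.rsplit(":", 1)[0] in C2_IPS:
            hits.append(("c2_session", remote))
    return hits


def scan_mutexes(names):
    """Match mutex names (sandbox report, handle listing) against the two families."""
    return [(fam, n) for n in names for fam, rx in MUTEX_FAMILIES.items() if rx.match(n)]


def scan_hashes(inventory):
    """inventory: {path: md5}. Return files whose MD5 is one of the campaign samples."""
    return [("known_md5", p) for p, md5 in inventory.items() if md5.lower() in KNOWN_MD5S]


def scan_host(proxy_log, netstat, mutexes, inventory):
    """Run all four checks; any non-empty bucket is worth an analyst's look."""
    return {"proxy": scan_proxy_log(proxy_log), "netstat": scan_netstat(netstat),
            "mutex": scan_mutexes(mutexes), "files": scan_hashes(inventory)}


# --- constructed sample input (not captured data) -----------------------------
SAMPLE_PROXY_LOG = [
    "1403011569.123 200 10.0.0.5 TCP_MISS/200 52736 GET http://62.76.41.73:8080/tst/b_cr.exe - DIRECT/62.76.41.73 application/octet-stream",
    "1403011570.456 200 10.0.0.5 TCP_MISS/200 1180 GET http://www.example.com/ - DIRECT/93.184.216.34 text/html",
    "1403011601.789 200 10.0.0.5 TCP_MISS/200 210 POST http://95.101.0.115/ - DIRECT/95.101.0.115 text/plain",
]
SAMPLE_NETSTAT = [
    "  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4",
    "  TCP    0.0.0.0:30073          0.0.0.0:0              LISTENING       2312",
    "  TCP    10.0.0.5:49213         62.76.189.58:8080      ESTABLISHED     2312",
    "  UDP    0.0.0.0:123            *:*                                    1056",
]
SAMPLE_MUTEXES = [
    r"Global\{B9D945F4-DDF1-AAE4-1BA9-177341D093D1}",   # listed in the post
    r"Local\{6FC54A61-D264-7CF8-D58B-19468FF29DE4}",    # listed in the post
    r"Global\{B9D945F4-DDF1-AAE4-0000-17730AD793D1}",   # invented name: family match only
    r"Local\{MSCTF.Asm.MutexDefault1}",                 # benign Windows mutex
]
SAMPLE_INVENTORY = {
    r"C:\Users\user\Downloads\Invoice_June.exe": "8B54DEDF5ACC19A4E9060F0BE384C74D",
    r"C:\Windows\notepad.exe": "d41d8cd98f00b204e9800998ecf8427e",  # MD5 of empty input, placeholder
}

if __name__ == "__main__":
    for bucket, hits in scan_host(SAMPLE_PROXY_LOG, SAMPLE_NETSTAT, SAMPLE_MUTEXES, SAMPLE_INVENTORY).items():
        print(f"{bucket}: {hits}")
```

Exact-name mutex hits and the port 30073 listener are the strongest signals; a family-only mutex match (the third sample name) and a bare IP hit on a shared hosting address such as 95.101.0.115 should be treated as leads to confirm, not as verdicts.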