By Dancho Danchev
The Electronic Frontier Foundation (EFF) is reporting on a recently intercepted malicious document distributed over Skype, apparently targeting Syrian activists.
When the document is viewed, it drops additional files on the infected host and opens a backdoor that gives the cyber spies behind the campaign access to the infected PC.
Webroot has obtained a copy of the malware and analyzed its malicious payload.
Screenshot of the spamvertised malicious document:
The malicious document has an MD5 of bc403bef3c2372cb4c76428d42e8d188 and is currently detected by 11 out of 42 antivirus scanners as Backdoor:Win32/Fynloski.A; TROJ_GEN.R47B5F1.
When viewed, it displays the document shown above and drops the following files on the infected host:
- Aleppo plan.pdf – MD5: 6B0711F56086BAD87D214B6BDC94EAC8
- explorer.exe – MD5: EC99A9BA6FD95B806FCE0FE51538910E
- Firefox.dll – MD5: 646F3831C9988021DC292173DBC75B06
- Startup\(empty).lnk – MD5: 78C7F53D4098D9AB4141D7636CAC443E
- Firefox.dll – MD5: D41D8CD98F00B204E9800998ECF8427E
Once the infection takes place, the affected host will attempt to connect to 220.127.116.11 on port 880. Another sample is known to have used this C&C IP before:
MD5: AF77B9BBA26100EA133C55385C50AFE9 attempts to obtain hxxp://18.104.22.168/Update/Update.bin – detected by 31 out of 42 antivirus scanners as Trojan-Dropper.Win32.Injector.avvq; Trojan:Win32/Meroweq.A
The same C&C was previously used in February 2012, again in an attempt by cyber spies to target Syrian activists.
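A host sweep for the dropped-file MD5s listed above, as an added example that is not part of the original post or Webroot's tooling. It treats the second Firefox.dll hash, which is the MD5 of a zero-byte file, as a weak indicator that counts only when the file name also matches; the function names and the sample tree are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

# Dropped-file MD5s exactly as listed on this page.
IOCS = [
    ("Aleppo plan.pdf", "6B0711F56086BAD87D214B6BDC94EAC8"),
    ("explorer.exe", "EC99A9BA6FD95B806FCE0FE51538910E"),
    ("Firefox.dll", "646F3831C9988021DC292173DBC75B06"),
    ("(empty).lnk", "78C7F53D4098D9AB4141D7636CAC443E"),
    ("Firefox.dll", "D41D8CD98F00B204E9800998ECF8427E"),
]
# MD5 of zero bytes; equals the last Firefox.dll hash, so any empty file matches it.
EMPTY_MD5 = hashlib.md5(b"").hexdigest().upper()

def md5_of(path, chunk=1 << 20):
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest().upper()

def sweep(root):
    """Return (path, ioc_name, confidence) for files under root that match an IoC."""
    by_hash = {}
    for name, digest in IOCS:
        by_hash.setdefault(digest, []).append(name)
    hits = []
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        try:
            digest = md5_of(path)
        except OSError:
            continue  # locked or unreadable file: skip, do not abort the sweep
        names = by_hash.get(digest, [])
        if digest == EMPTY_MD5:
            # Zero-byte hash is only meaningful when the file name also matches.
            if path.name.lower() in (n.lower() for n in names):
                hits.append((path, path.name, "weak"))
        elif names:
            hits.append((path, names[0], "strong"))
    return hits

def demo():
    # Constructed sample tree: two empty files and one unrelated file.
    with tempfile.TemporaryDirectory() as d:
        for fn, data in [("Firefox.dll", b""), ("notes.txt", b""), ("a.bin", b"x")]:
            Path(d, fn).write_bytes(data)
        return [(p.name, n, c) for p, n, c in sweep(d)]
```

A "weak" hit needs corroboration, such as one of the other dropped files in the same directory or the outbound connection on port 880 described above.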
Webroot SecureAnywhere users are proactively protected from this threat.