By Dancho Danchev
Cybercriminals are mass mailing malicious emails about a meeting you wouldn’t want to attend – unless you want to compromise the integrity of your computer.
Once executed, the malicious attachment opens a backdoor on the affected host, giving the cybercriminals behind the campaign complete access to it. Naturally, we’ve been monitoring their operations for quite some time, and are easily able to identify multiple connections between their previously launched campaigns.
Sample screenshot of the spamvertised email:
Sample detection rate for the malicious executable: MD5: a684feff699bb7e3b8814c32c1da8277 – detected by 38 out of 44 antivirus scanners as Worm:Win32/Cridex.E.
PEiD Signature of the sample: PureBasic 4.x -> Neil Hodgson
It also creates the following registry keys:
The newly created registry value is KB00121600.exe = “%AppData%\KB00121600.exe”, so that KB00121600.exe runs every time Windows starts.
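The Run-key persistence described above, as an added example that is not part of the original post: the check below flags autostart values whose program resolves into %AppData%, run here against constructed sample entries (only the KB00121600.exe value comes from the post; the environment map and the other two entries are assumed).

```python
import re
from typing import Dict, List

# Registry Run entries (value name -> command data), constructed to mirror what
# `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run` would list on an
# infected host. Only the KB00121600.exe entry comes from the post; the other
# two are made-up benign entries.
SAMPLE_RUN_ENTRIES = {
    "KB00121600.exe": '"%AppData%\\KB00121600.exe"',
    "OneDrive": '"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe" /background',
    "SecurityHealth": "%windir%\\system32\\SecurityHealthSystray.exe",
}

# Constructed environment; on a live host pass os.environ instead.
SAMPLE_ENV = {
    "APPDATA": "C:\\Users\\alice\\AppData\\Roaming",
    "WINDIR": "C:\\Windows",
}

_VAR = re.compile(r"%([^%]+)%")

def expand_windows_vars(text: str, env: Dict[str, str]) -> str:
    """Expand %VAR% references case-insensitively (os.path.expandvars only does this on Windows)."""
    upper = {k.upper(): v for k, v in env.items()}
    return _VAR.sub(lambda m: upper.get(m.group(1).upper(), m.group(0)), text)

def executable_path(command: str, env: Dict[str, str]) -> str:
    """Return the program path from a Run value: the quoted token if present, else the first token."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        program = command[1:end] if end > 0 else command[1:]
    else:
        program = command.split()[0] if command else ""
    return expand_windows_vars(program, env)

def find_appdata_autostarts(entries: Dict[str, str], env: Dict[str, str]) -> List[str]:
    """Names of Run values whose program lives under %AppData%, as the Cridex sample's does."""
    appdata = expand_windows_vars("%APPDATA%", env).lower().rstrip("\\")
    if appdata == "%appdata%":  # variable not known in this environment
        return []
    return [name for name, cmd in entries.items()
            if executable_path(cmd, env).lower().startswith(appdata + "\\")]

if __name__ == "__main__":
    for name in find_appdata_autostarts(SAMPLE_RUN_ENTRIES, SAMPLE_ENV):
        print("suspicious autostart from %AppData%:", name)
```

On a live Windows host the same function can be fed the values enumerated with winreg.EnumValue from HKCU\Software\Microsoft\Windows\CurrentVersion\Run (and the HKLM equivalent).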
Upon execution, the sample phones back to 220.127.116.11:8080/AJw/UCygrDAA/Ud+asDAA (AS10316).
We’ve seen the same pseudo-random characters used in command and control communications profiled in several campaigns – “‘American Express Alert: Your Transaction is Aborted’ themed emails serve client-side exploits and malware”; “Bogus IRS ‘Your tax return appeal is declined’ themed emails lead to malware”; “Cybercriminals spamvertise bogus ‘Microsoft License Orders’ serve client-side exploits and malware”.
We’ve also seen the same IP (18.104.22.168) used as a name server in a previously profiled malicious campaign (ns37.ceredinopl.ru – 22.214.171.124) – “Bogus Facebook ‘pending notifications’ themed emails serve client-side exploits and malware”, indicating that these campaigns are also connected.
Other samples (by MD5) are known to have phoned back to the same IP in the past:
MD5: 87a22699e0e6dfc89c57d7ad3483f264 – detected by 12 out of 42 antivirus scanners as VirTool:Win32/Obfuscator.ACP
MD5: 8229f69bc416cdca7f314f19fe7b4e18 – detected by 28 out of 44 antivirus scanners as Worm:Win32/Cridex.E
MD5: f739f99f978290f5fc9a812f2a559bbb – detected by 23 out of 43 antivirus scanners as VirTool:Win32/CeeInject.EW
Webroot SecureAnywhere users are proactively protected from these threats.