Bogus ‘Meeting Reminder’ themed emails serve malware


By Dancho Danchev

Cybercriminals are mass mailing malicious emails about a meeting you wouldn’t want to attend – unless you want to compromise the integrity of your computer.

Once executed, the malicious attachment opens a backdoor on the infected host, giving the cybercriminals behind the campaign complete access to it. Naturally, we’ve been monitoring their operations for quite some time, and can easily identify multiple connections between their previously launched campaigns.

More details:

Sample screenshot of the spamvertised email:

Sample detection rate for the malicious executable: MD5: a684feff699bb7e3b8814c32c1da8277 – detected by 38 out of 44 antivirus scanners as Worm:Win32/Cridex.E.

PEiD Signature of the sample: PureBasic 4.x -> Neil Hodgson

It also creates the following registry keys:
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CFBDC89D4
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\S25BC2D7B

The newly created Registry Value is:
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
KB00121600.exe = “%AppData%\KB00121600.exe” so that KB00121600.exe runs every time Windows starts.
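The persistence described above (a Run value that launches an executable from %AppData%, plus stray subkeys under HKEY_CURRENT_USER\Software\Microsoft\Windows NT) can be checked offline against a `reg export` dump. The following Python is an added example, not code from this post or from Webroot: it parses a constructed .reg dump containing the indicators reported above and flags them. It assumes that on a clean profile the only direct subkey of HKEY_CURRENT_USER\Software\Microsoft\Windows NT is CurrentVersion, and it only decodes REG_SZ values (other value types are kept as raw text).

```python
import re

# Constructed sample of a `reg export` dump (not from the post); it contains the
# indicators reported above plus one benign Run entry to show what is not flagged.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion]

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CFBDC89D4]

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\S25BC2D7B]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Program Files\\OneDrive\\OneDrive.exe\" /background"
"KB00121600.exe"="\"%AppData%\\KB00121600.exe\""
"""

RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
WINNT_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT"
# Assumption: the only direct subkey of HKCU\...\Windows NT on a clean profile.
EXPECTED_WINNT_SUBKEYS = {"CurrentVersion"}


def _unescape(s):
    # .reg files escape backslashes and double quotes with a backslash.
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text):
    """Return {key_path: {value_name: data}} for the values in a .reg dump."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and line.startswith('"'):
            m = re.match(r'"((?:[^"\\]|\\.)*)"=(.*)$', line)
            if not m:
                continue
            name, data = _unescape(m.group(1)), m.group(2)
            if data.startswith('"') and data.endswith('"'):
                data = _unescape(data[1:-1])  # REG_SZ; other types are kept raw
            keys[current][name] = data
    return keys


def find_persistence_indicators(keys):
    """Flag Run values launched from %AppData% and stray subkeys under Windows NT."""
    findings = []
    for name, data in keys.get(RUN_KEY, {}).items():
        lowered = data.lower()
        if "%appdata%" in lowered or "\\appdata\\roaming\\" in lowered:
            findings.append(("run_value_in_appdata", name, data))
    prefix = WINNT_KEY.lower() + "\\"
    for key in keys:
        if key.lower().startswith(prefix):
            sub = key[len(prefix):]
            if "\\" not in sub and sub not in EXPECTED_WINNT_SUBKEYS:
                findings.append(("unexpected_windows_nt_subkey", sub, key))
    return findings


if __name__ == "__main__":
    for kind, item, detail in find_persistence_indicators(parse_reg_export(SAMPLE_REG_EXPORT)):
        print(f"{kind}: {item} -> {detail}")
```

Run it against a real dump with `reg export HKCU\Software\Microsoft\Windows NT` and `reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Run` from the suspect host; anything launched from the roaming profile deserves a look even when the value name looks like a Windows update.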

Upon execution, the sample phones back to 64.150.187.72:8080/AJw/UCygrDAA/Ud+asDAA (AS10316).

We’ve seen the same pseudo-random characters used in command and control communications profiled in several campaigns – “‘American Express Alert: Your Transaction is Aborted’ themed emails serve client-side exploits and malware”; “Bogus IRS ‘Your tax return appeal is declined’ themed emails lead to malware”; “Cybercriminals spamvertise bogus ‘Microsoft License Orders’ serve client-side exploits and malware”.

We’ve also seen the same IP (64.150.187.72) used as a name server in a previously profiled malicious campaign (ns37.ceredinopl.ru – 64.150.187.72) – “Bogus Facebook ‘pending notifications’ themed emails serve client-side exploits and malware”, indicating that these campaigns are also connected.

More MD5s are known to have phoned back to the same IP in the past:
MD5: 87a22699e0e6dfc89c57d7ad3483f264 – detected by 12 out of 42 antivirus scanners as VirTool:Win32/Obfuscator.ACP
MD5: 8229f69bc416cdca7f314f19fe7b4e18 – detected by 28 out of 44 antivirus scanners as Worm:Win32/Cridex.E
MD5: f739f99f978290f5fc9a812f2a559bbb – detected by 23 out of 43 antivirus scanners as VirTool:Win32/CeeInject.EW
MD5: cb69622f8188ae1b2a2b67e9153aaed4
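To hunt for the phone-home traffic described above in proxy logs, and to triage files against the MD5s listed in this post, here is an added Python example (not code from this post or from Webroot). The log format (epoch timestamp, client IP, method, URL, status) and the sample log lines are constructed. The "beacon-like" heuristic, an HTTP POST to a bare IPv4 host on port 8080 whose path is three pseudo-random segments of the shape the post reports across related campaigns, is an assumption that generalises beyond the single URL above, so its hits are leads to investigate rather than confirmed infections; only the exact host and port from the post count as a known endpoint.

```python
import hashlib
import re
from urllib.parse import urlsplit

# Indicators taken from the post.
C2_HOST = "64.150.187.72"
C2_PORT = 8080
KNOWN_MD5 = {
    "a684feff699bb7e3b8814c32c1da8277",  # Worm:Win32/Cridex.E (this campaign)
    "87a22699e0e6dfc89c57d7ad3483f264",  # VirTool:Win32/Obfuscator.ACP
    "8229f69bc416cdca7f314f19fe7b4e18",  # Worm:Win32/Cridex.E
    "f739f99f978290f5fc9a812f2a559bbb",  # VirTool:Win32/CeeInject.EW
    "cb69622f8188ae1b2a2b67e9153aaed4",
}

# Assumed heuristic: POST to a bare IPv4 host on 8080 with a path of three
# pseudo-random alphanumeric segments, like /AJw/UCygrDAA/Ud+asDAA above.
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
BEACON_PATH_RE = re.compile(r"^(?:/[A-Za-z0-9+]{3,}){3}$")

# Constructed proxy log lines: "<epoch> <client> <method> <url> <status>".
SAMPLE_PROXY_LOG = """\
1340100001.123 10.0.0.15 GET http://www.example.com/index.html 200
1340100002.456 10.0.0.15 POST http://64.150.187.72:8080/AJw/UCygrDAA/Ud+asDAA 200
1340100003.789 10.0.0.22 POST http://203.0.113.9:8080/zQ1/kLpQweRtA/Xy+zAbCdE 200
1340100004.012 10.0.0.22 GET http://www.example.com/favicon.ico 200
"""
LINE_RE = re.compile(r"^(\S+) (\S+) ([A-Z]+) (\S+) (\d{3})$")


def classify_request(method, url):
    """Return a reason string if the request looks like Cridex-style C2, else None."""
    parts = urlsplit(url)
    host, port, path = parts.hostname or "", parts.port, parts.path
    if host == C2_HOST and port == C2_PORT:
        return "known_c2_endpoint"
    if method == "POST" and port == 8080 and IPV4_RE.match(host) and BEACON_PATH_RE.match(path):
        return "c2_like_beacon"
    return None


def find_c2_hits(log_text):
    """Scan log lines and return (client, url, reason) for each suspicious request."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # tolerate malformed lines rather than abort the scan
        _ts, client, method, url, _status = m.groups()
        reason = classify_request(method, url)
        if reason:
            hits.append((client, url, reason))
    return hits


def is_known_sample(md5_hex):
    """Case-insensitive check of an MD5 against the hashes listed in the post."""
    return md5_hex.strip().lower() in KNOWN_MD5


def triage_bytes(data):
    """Hash file contents (e.g. an extracted attachment) and check the list."""
    return is_known_sample(hashlib.md5(data).hexdigest())


if __name__ == "__main__":
    for client, url, reason in find_c2_hits(SAMPLE_PROXY_LOG):
        print(f"{client} {reason}: {url}")
```

The client IPs returned by `find_c2_hits` are the hosts to pull the registry and %AppData% checks from; a `c2_like_beacon` hit on an unrelated IP is worth correlating with the same persistence indicators before calling it an infection.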

Webroot SecureAnywhere users are proactively protected from these threats.

You can find more about Dancho Danchev at his LinkedIn Profile. You can also follow him on Twitter.
