By Dancho Danchev
Cybercriminals are currently mass mailing tens of thousands of emails, impersonating Chase in an attempt to trick its customers into executing the malicious attachment found in the fake email. Upon execution, the sample downloads additional malware on the affected hosts, and opens a backdoor allowing the cybercriminals behind the campaign complete access to the host.
Sample screenshot of the spamvertised email:
We managed to intercept two separate campaigns launched by the same malicious party. What’s particularly interesting about the first is that, the cybercriminal/cybercriminals behind it applied low QA (Quality Assurance) since the actual filename found in the malicious archive exceeds 260 characters, resulting in a failed extraction process on Windows hosts.
“C:\Users\Workstation\Desktop\Statement_random_number.pdf.zip: Cannot create Statement_ID_random_number.pdf.exe
Total path and file name length must not exceed 260 characters. The system cannot find the path specified.“
Sample detection rate for the spamvertised attachment: MD5: 676c1a01739b855425f9492126b34d23 – detected by 42 out of 46 antivirus scanners as Trojan-PSW.Win32.Tepfer.cbrv.
The same MD5 is known to have downloaded two additional MD5s:
MD5: ED3C1D1EFC3789FABEDD630E3995F24B – detected by 35 out of 46 antivirus scanners as Trojan.Win32.Agent2.fjti
MD5: 6C7B44F2BC4FCF175C3CA5C0634E127C – detected by 30 out of 40 antivirus scanners as VirTool:Win32/Obfuscator.ACV
Upon execution, the sample attempts to download the following malicious executables:
All of these files have an identical MD5 - MD5: 77d94b9d2fa0569ef5aecf1b93985d81 – detected by 34 out of 45 antivirus scanners as W32/Kryptik.ALRY!tr.
Upon execution, it creates the following files on the affected host:
%AppData%\Labugu\imuffo.exe – MD5: 567C27851F534F624279B6B97E8D6B44
%AppData%\jianp.odq – MD5: C2327617D125D6612AF63D182C05F23B
%Temp%\tmp06c81ac7.bat – MD5: FBE24DEE826D245D60EDC053B9A86B31
As well as the following process:
C:\Documents and Settings\<USER>\Application Data\Idukah\owit.exe
To mark its presence on the system, the malware also creates the following Mutexes:
Makes DNS request to 3.soundfactor.org, then it establishes a TCP connection with 22.214.171.124:14511, as well as UDP connections to the following IPs:
Webroot SecureAnywhere users are proactively protected from these threats.