By Dancho Danchev

Over the past 24 hours, we intercepted tens of thousands of malicious emails attempting to socially engineer BofA’s CashPro users into downloading and executing a bogus online digital certificate attached to the fake emails.

More details:

Sample screenshot of  the spamvertised email:

Email_Spam_Malware_CashPro_Social_Engineering

Detection rate for the malicious executable: MD5: bfe7c4846823174cbcbb10de9daf426b – detected by 34 out of 46 antivirus scanners as Password-Stealer.

The attachment uses the following naming convention:
cashpro_cert_7585cc6726.zip
cashpro_cert_cc1d4a119071.zip

Once extracted, the malicious executable masks its name with the following convention:
CASHPRO_CERT_ID_5764578926487346283945238645298374628937894273648528523905625-23652659235-235-235-235235237562372463478238452835482354823482346287548.CRT.EXE

Once executed, the sample creates the following Registry Key:
HKEY_CURRENT_USERSoftwareWinRAR

And sets the following Registry Value:
HWID = 7B 39 35 39 37 36 32 38 46 2D 37 38 37 38 2D 34 33 41 31 2D 38 43 45 41 2D 32 41 43 43 32 33 44 39 36 32 39 45 7D

It then attempts to connect to 74.207.227.67; 17.optimaxmagnetics.us, and successfully establishes a connection with the C&C server at 50.28.90.36:8080/forum/viewtopic.php

More MD5s are known to have phoned back to the same IP:
MD5: 4C46DC410268C19DD561DB92BD52D02D50.28.90.36:8080/ponyb/gate.php
MD5: 5F0084494777BC4F76F6919E284C6AA950.28.90.36:8080/forum/viewtopic.php
MD5: 6E360ACA1BE5569A681832DF8B16F32050.28.90.36:8080/forum/viewtopic.php

50.28.90.36 responds to host.elenskids.com. What’s particularly interesting about this host is that it’s the official Web site of Elen’s Kids Modeling & Talent Management (operated by LANFusion LLC), who appear to be running an advance fee type of fraudulent scheme, according to several complaints about their activities.

You can find more about Dancho Danchev at his LinkedIn Profile. You can also follow him on  Twitter.

Blog Staff

About the Author

Blog Staff

The Webroot blog offers expert insights and analysis into the latest cybersecurity trends. Whether you’re a home or business user, we’re dedicated to giving you the awareness and knowledge needed to stay ahead of today’s cyber threats.

Share This