Cybercriminals impersonate Vodafone U.K, spread malicious MMS notifications


By Dancho Danchev

Over the past couple of days, cybercriminals have launched yet another massive spam campaign, once again targeting U.K users. This time, they are impersonating Vodafone U.K, in an attempt to trick its customers into executing a bogus MMS attachment found in the malicious emails. Upon execution, the sample opens a backdoor on the affected hosts, allowing the cybercriminals behind the campaign complete access to the affected PC.

More details:

Sample screenshot from the spamvertised email:

Sample detection rate for the malicious attachment: MD5: 3ce2b9522a476515737d07b877dae06e – detected by 36 out of 44 antivirus scanners as Trojan-Downloader.Win32.Andromeda.coh.

Upon execution, the sample creates %AllUsersProfile%\svchost.exe on the host. It also creates a Registry value, [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] -> SunJavaUpdateSched = “%AllUsersProfile%\svchost.exe”, so that svchost.exe starts every time Windows starts.
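The persistence described above can be hunted by auditing the Run key for values that launch a system-named binary from outside the Windows system directories. The Python below is an added example, not part of the original post; it generalizes from the single svchost.exe entry, and the sample `reg query` output, the function names, and the directory and process-name lists are constructed assumptions.

```python
import ntpath
import re

# Constructed `reg query` output for the HKLM Run key; only SunJavaUpdateSched comes from the post.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    ExampleUpdater    REG_SZ    "C:\Program Files\Example\updater.exe" /background
    SunJavaUpdateSched    REG_SZ    "%AllUsersProfile%\svchost.exe"
"""

VALUE_LINE = re.compile(r"^\s{4}(?P<name>.+?)\s{4}(?P<type>REG_\w+)\s{4}(?P<data>.*)$")
# Assumption: Windows lives in C:\Windows; extend for other install roots.
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64",
               r"%windir%\system32", r"%systemroot%\system32"}
# Names of Windows system binaries that malware commonly borrows (assumed short list).
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "services.exe", "csrss.exe"}


def parse_run_values(text):
    """Yield (value_name, command) pairs from reg query output."""
    for line in text.splitlines():
        m = VALUE_LINE.match(line)
        if m and m.group("type") in ("REG_SZ", "REG_EXPAND_SZ"):
            yield m.group("name"), m.group("data").strip()


def image_path(command):
    """Return the executable path from an autorun command line, lowercased."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0].lower()
    m = re.match(r"(.+?\.exe)\b", command, re.IGNORECASE)
    return (m.group(1) if m else command.split(" ", 1)[0]).lower()


def suspicious_autoruns(text):
    """Flag Run values whose image borrows a system name outside the system dirs."""
    hits = []
    for name, command in parse_run_values(text):
        path = image_path(command)
        if ntpath.basename(path) in SYSTEM_NAMES and ntpath.dirname(path) not in SYSTEM_DIRS:
            hits.append((name, path))
    return hits


if __name__ == "__main__":
    for name, path in suspicious_autoruns(SAMPLE):
        print(f"suspicious Run value {name!r} -> {path}")
```

Paths are compared unexpanded, so an environment variable such as %AllUsersProfile% is treated as a non-system location without needing to resolve it on the analysis host.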

Webroot SecureAnywhere users are proactively protected from this threat.

You can find more about Dancho Danchev at his LinkedIn Profile. You can also follow him on Twitter.
