Fake BofA CashPro ‘Online Digital Certificate’ themed emails lead to malware

By Dancho Danchev

Over the past 24 hours, we intercepted tens of thousands of malicious emails attempting to socially engineer BofA’s CashPro users into downloading and executing a bogus online digital certificate attached to the fake emails.

More details:

Sample screenshot of the spamvertised email:


Detection rate for the malicious executable: MD5: bfe7c4846823174cbcbb10de9daf426b – detected by 34 out of 46 antivirus scanners as Password-Stealer.

The attachment uses the following naming convention:

Once extracted, the malicious executable masks its name with the following convention:

Once executed, the sample creates the following Registry Key:

And sets the following Registry Value:
HWID = 7B 39 35 39 37 36 32 38 46 2D 37 38 37 38 2D 34 33 41 31 2D 38 43 45 41 2D 32 41 43 43 32 33 44 39 36 32 39 45 7D

It then attempts to connect to 17.optimaxmagnetics.us and successfully establishes a connection with the C&C server at

More MD5s are known to have phoned back to the same IP:
MD5: 4C46DC410268C19DD561DB92BD52D02D phoning back to 50.28.90.36:8080/ponyb/gate.php
MD5: 5F0084494777BC4F76F6919E284C6AA9 phoning back to 50.28.90.36:8080/forum/viewtopic.php
MD5: 6E360ACA1BE5569A681832DF8B16F320 phoning back to 50.28.90.36:8080/forum/viewtopic.php

50.28.90.36 responds to host.elenskids.com. What’s particularly interesting about this host is that it’s the official Web site of Elen’s Kids Modeling & Talent Management (operated by LANFusion LLC), who appear to be running an advance-fee type of fraudulent scheme, according to several complaints about their activities.
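As an added example (not part of the original post), the script below turns the indicators above into two defender-side checks: it decodes the REG_BINARY HWID hex dump into the ASCII string you would search for in registry exports, and it hunts sample proxy logs for requests to the C&C hostname or IP, flagging a request as a strong hit only when it also uses the C&C port and one of the gate paths. The proxy log format and the log lines are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# Indicators quoted in the post: C&C host, C&C IP and port, gate paths, HWID bytes.
C2_HOST = "17.optimaxmagnetics.us"
C2_IP = "50.28.90.36"
C2_PORT = 8080
GATE_PATHS = {"/ponyb/gate.php", "/forum/viewtopic.php"}
HWID_HEX = ("7B 39 35 39 37 36 32 38 46 2D 37 38 37 38 2D 34 33 41 31 2D 38 43 45 41 "
            "2D 32 41 43 43 32 33 44 39 36 32 39 45 7D")

# Hypothetical proxy log format: "<timestamp> <client> <method> <url> <status>".
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def decode_reg_binary(hex_dump: str) -> str:
    """Decode a space-separated REG_BINARY hex dump into its ASCII contents.
    For the HWID value this gives the GUID-style string to search for in
    registry exports or endpoint telemetry."""
    return bytes.fromhex(hex_dump.replace(" ", "")).decode("ascii")


def find_beacons(lines):
    """Return (client, url, strong) for each request to the C&C host or IP.
    strong is True when the request also uses the C&C port and a gate path.
    Paths are never matched alone: /forum/viewtopic.php is an ordinary phpBB
    URL and would bury real hits in false positives."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the assumed format
        _ts, client, _method, url, _status = m.groups()
        parts = urlsplit(url)
        if parts.hostname not in (C2_HOST, C2_IP):
            continue
        strong = parts.port == C2_PORT and parts.path in GATE_PATHS
        hits.append((client, url, strong))
    return hits


# Constructed sample log lines, not captured traffic.
SAMPLE_LOG = [
    "2012-03-14T10:01:22Z 10.0.0.5 POST http://50.28.90.36:8080/ponyb/gate.php 200",
    "2012-03-14T10:01:25Z 10.0.0.7 GET http://17.optimaxmagnetics.us/ 200",
    "2012-03-14T10:02:03Z 10.0.0.9 GET http://forum.example.invalid/forum/viewtopic.php 200",
    "2012-03-14T10:02:40Z 10.0.0.5 GET http://www.example.invalid/index.html 200",
]

if __name__ == "__main__":
    print("HWID decodes to", decode_reg_binary(HWID_HEX))
    for client, url, strong in find_beacons(SAMPLE_LOG):
        print("beacon" if strong else "contact", client, url)
```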

You can find more about Dancho Danchev at his LinkedIn Profile. You can also follow him on Twitter.
