‘ADP Payroll Invoice’ themed emails lead to malware


By Dancho Danchev

Over the past week, we intercepted a massive ‘ADP Payroll Invoice’ themed malicious spam campaign, enticing users into executing a malicious file attachment. Once users execute the sample, it downloads additional pieces of malware onto the affected host, compromising the integrity and violating the confidentiality of the affected PC.

More details:

Sample screenshot of the spamvertised email:

[Screenshot: spamvertised ‘ADP Payroll Invoice’ email carrying the malicious attachment]

Detection rate for the malicious attachment:
MD5: 54e9a0495fbd5c952af7507d15ebab90 – detected by 24 out of 46 antivirus scanners as Trojan.Win32.FakeAV.qqdm

Once executed, the sample creates the following files on the affected hosts:
C:\DOCUME~1\<USER>~1\LOCALS~1\Temp\109086.exe
C:\DOCUME~1\<USER>~1\LOCALS~1\Temp\132059.exe
C:\DOCUME~1\<USER>~1\LOCALS~1\Temp\132981.exe
C:\DOCUME~1\<USER>~1\LOCALS~1\Temp\135214.exe
C:\Documents and Settings\<USER>\Application Data\Orihgy\ikegfa.exe
"C:\WINDOWS\system32\cmd.exe" /c "C:\DOCUME~1\<USER>~1\LOCALS~1\Temp\tmp659bfaec.bat"
C:\Documents and Settings\<USER>\Application Data\Upweg\ingo.exe
"C:\WINDOWS\system32\cmd.exe" /c "C:\DOCUME~1\<USER>~1\LOCALS~1\Temp\tmp2f8a78b4.bat"
C:\Documents and Settings\<USER>\Application Data\Ycecn\hiocty.exe
"C:\WINDOWS\system32\cmd.exe" /c "C:\DOCUME~1\<USER>~1\LOCALS~1\Temp\tmp0ffe0049.bat"
C:\Documents and Settings\<USER>\Application Data\Inizlo\kezy.exe
"C:\WINDOWS\system32\cmd.exe" /c "C:\DOCUME~1\<USER>~1\LOCALS~1\Temp\tmp97858d3e.bat"

Deletes the following files:
C:\Documents and Settings\<USER>\Application Data\Orihgy\ikegfa.exe
C:\Documents and Settings\<USER>\Application Data\Upweg\ingo.exe
C:\Documents and Settings\<USER>\Application Data\Ycecn\hiocty.exe
C:\Documents and Settings\<USER>\Application Data\Inizlo\kezy.exe

Creates the following Registry Key:
HKEY_CURRENT_USER\Software\WinRAR

And sets the following Registry Value:
[HKEY_CURRENT_USER\Software\WinRAR] -> HWID = 7B 46 45 46 34 31 34 39 38 2D 39 32 38 39 2D 34 45 44 32 2D 41 36 31 46 2D 45 35 46 32 30 33 34 46 34 38 45 30 7D

It also creates the following Mutex:
Global\{CB561546-E774-D5EA-8F92-61FCBA8C42EE}

It then phones back to hxxp://www.rpc-ea.com:8080/forum/viewtopic.php and downloads additional malware samples from the following locations:
hxxp://axelditter.de/w91qZ5.exe
hxxp://infoshore.biz/cx5oMi.exe
hxxp://www.makefacebook.com/LxB8.exe
hxxp://www.qualitymachineinc.com/QabtyY.exe

It initiates the following TCP connections:
213.186.47.54:8080
195.93.201.42:80
216.55.186.239:80
77.92.151.6:80
66.118.64.208:80

Detection rates for the downloaded malware samples:
hxxp://infoshore.biz/cx5oMi.exe
MD5: 13eeca375585322c676812cf9e2e9789 – detected by 3 out of 46 antivirus scanners as Heuristic.LooksLike.Win32.Suspicious.B
hxxp://axelditter.de/w91qZ5.exe
MD5: 87c658970958bb5794354a91f8cc5a7d – detected by 18 out of 46 antivirus scanners as PWS:Win32/Zbot.gen!AM

Upon execution, MD5: 87c658970958bb5794354a91f8cc5a7d creates the following processes on the affected hosts:
"C:\Documents and Settings\<USER>\Application Data\Axujpi\woovaw.exe"
"C:\WINDOWS\system32\cmd.exe" /c "C:\DOCUME~1\<USER>~1\LOCALS~1\Temp\tmp541b0e3b.bat"

Creates the following Registry Key:
HKEY_CURRENT_USER\Software\Microsoft\Hior

Sets the following Registry Values:
[HKEY_CURRENT_USER\Identities] -> Identity Login = 0x00098053
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] -> {3DFA1AE4-115C-AD7B-A6BA-A75086AF8442} = "%AppData%\Apasav\iqpil.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Hior] -> 21ae50c4 = “gQDD+nAQQMo=”; 1gi1fji2 = “owCu+g==”; eg614da = 86 6A AE FA 97 7B 71 CA 0B 18 89 8E

As well as the following Mutexes:
Global\{CB561546-E774-D5EA-8F92-61FCBA8C42EE}
Local\{FA4803F7-084F-6AC9-A6BA-A75086AF8442}

Upon execution, MD5: 13eeca375585322c676812cf9e2e9789 creates the following processes on the affected hosts:
"C:\Documents and Settings\<USER>\Application Data\Naarqu\nayhi.exe" (successful)
"C:\WINDOWS\system32\cmd.exe" /c "C:\DOCUME~1\<USER>~1\LOCALS~1\Temp\tmp677a8160.bat" (successful)

Creates the following Registry Key:
HKEY_CURRENT_USER\Software\Microsoft\Icuruq

Sets the following Registry Values:
[HKEY_CURRENT_USER\Identities] -> Identity Login = 0x00098053
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] -> {3DFA1AE4-115C-AD7B-A6BA-A75086AF8442} = "%AppData%\Cyviex\ylawq.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Icuruq] -> 1f7edeb4 = 73 78 91 BC 8C 7E 3C 48; 1ih8g5e6 = 51 78 FC BC; 880c122 = 3B 2C FC BC 73 0F 0E 48 FB 16 69 C9

As well as the following Mutexes:
Global\{D43DCFB8-3D8A-CA81-0508-B06D3016937F}
Global\{D43DCFB8-3D8A-CA81-7109-B06D4417937F}
Global\{D43DCFB8-3D8A-CA81-490A-B06D7C14937F}
Global\{D43DCFB8-3D8A-CA81-610A-B06D5414937F}
Global\{D43DCFB8-3D8A-CA81-8D0A-B06DB814937F}
Global\{D43DCFB8-3D8A-CA81-990A-B06DAC14937F}
Global\{D43DCFB8-3D8A-CA81-350B-B06D0015937F}
Global\{D43DCFB8-3D8A-CA81-610B-B06D5415937F}
Global\{D43DCFB8-3D8A-CA81-B90B-B06D8C15937F}
Global\{D43DCFB8-3D8A-CA81-190C-B06D2C12937F}
Global\{D43DCFB8-3D8A-CA81-4D0C-B06D7812937F}
Global\{D43DCFB8-3D8A-CA81-650C-B06D5012937F}
Global\{D43DCFB8-3D8A-CA81-C10D-B06DF413937F}
Global\{D43DCFB8-3D8A-CA81-310E-B06D0410937F}
Global\{D43DCFB8-3D8A-CA81-610E-B06D5410937F}
Global\{D43DCFB8-3D8A-CA81-E50F-B06DD011937F}
Global\{D43DCFB8-3D8A-CA81-E90B-B06DDC15937F}
Global\{D43DCFB8-3D8A-CA81-DD0C-B06DE812937F}
Global\{D43DCFB8-3D8A-CA81-A10E-B06D9410937F}
Global\{D43DCFB8-3D8A-CA81-1D0E-B06D2810937F}
Global\{EEE5022F-F01D-F059-8F92-61FCBA8C42EE}
Global\{38E3341C-C62E-265F-8F92-61FCBA8C42EE}
Global\{340FE32E-111C-2AB3-8F92-61FCBA8C42EE}
Global\{340FE329-111B-2AB3-8F92-61FCBA8C42EE}
Global\{5E370004-F236-408B-8F92-61FCBA8C42EE}
Global\{D43DCFB8-3D8A-CA81-2D0D-B06D1813937F}
Global\{CB561546-E774-D5EA-8F92-61FCBA8C42EE}
Local\{55E9553D-A70F-4B55-8F92-61FCBA8C42EE}
Local\{744F300D-C23F-6AF3-8F92-61FCBA8C42EE}
Local\{55E9553C-A70E-4B55-8F92-61FCBA8C42EE}
MPSWabDataAccessMutex
MPSWABOlkStoreNotifyMutex
MSIdent Logon
MidiMapper_modLongMessage_RefCnt
MidiMapper_Configure

It then makes multiple UDP connection attempts to the following IPs, part of the botnet’s infrastructure:
109.162.153.126:25603
81.149.242.235:28768
88.241.148.26:19376
78.166.167.62:26509
88.232.36.188:11389
80.6.67.158:11016
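The indicators above are written in the usual write-up notation: defanged `hxxp://` URLs, `IP:port` endpoints, hashes with a detection ratio, and registry values as `[key] -> name = data`. As an added example that is not part of the original post or of Webroot's tooling, the Python script below parses lines in that notation into structured IoCs, refangs the URLs, derives a host/IP denylist for a proxy or firewall, and applies a heuristic for the persistence pattern both droppers show: a Run value named by a GUID that launches an executable from a short, randomly named folder directly under `%AppData%`. The sample lines are copied from this report; the function names, the `Iocs` container and the heuristic's thresholds are the example's own assumptions.

```python
"""Parse defanged IoCs from a malware write-up and flag Run-key persistence.

Added example; not code from the original post. Sample lines below are
copied from the report, the heuristic thresholds are assumptions.
"""
import re
from dataclasses import dataclass, field

# Constructed sample input in the report's own notation (raw string so the
# single backslashes in registry keys and mutex names survive).
SAMPLE_REPORT = r"""
MD5: 54e9a0495fbd5c952af7507d15ebab90 – detected by 24 out of 46 antivirus scanners as Trojan.Win32.FakeAV.qqdm
hxxp://axelditter.de/w91qZ5.exe
hxxp://infoshore.biz/cx5oMi.exe
213.186.47.54:8080
109.162.153.126:25603
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] -> {3DFA1AE4-115C-AD7B-A6BA-A75086AF8442} = "%AppData%\Apasav\iqpil.exe"
[HKEY_CURRENT_USER\Identities] -> Identity Login = 0x00098053
Global\{CB561546-E774-D5EA-8F92-61FCBA8C42EE}
"""

GUID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")
HASH_RE = re.compile(r"MD5:\s*([0-9a-fA-F]{32})\s*[-–]\s*detected by (\d+) out of (\d+)")
URL_RE = re.compile(r"^(hxxps?://\S+)$")
ENDPOINT_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})$")
REG_RE = re.compile(r"^\[(?P<key>[^\]]+)\]\s*->\s*(?P<name>.+?)\s*=\s*(?P<data>.+)$")
MUTEX_RE = re.compile(r"^(?:Global|Local)\\\{[0-9A-Fa-f-]+\}$")


@dataclass
class Iocs:
    """Assumed container for the parsed indicators."""
    hashes: dict = field(default_factory=dict)        # md5 -> (detections, scanners)
    urls: list = field(default_factory=list)          # refanged download URLs
    endpoints: list = field(default_factory=list)     # (ip, port) tuples
    run_entries: list = field(default_factory=list)   # (key, value name, data) under ...\Run
    mutexes: list = field(default_factory=list)


def refang(url: str) -> str:
    """Turn the write-up's defanged notation back into a real URL for log matching."""
    return re.sub(r"^hxxp", "http", url).replace("[.]", ".")


def parse_iocs(text: str) -> Iocs:
    """Classify each line of the report by its shape; unrecognised lines are skipped."""
    iocs = Iocs()
    for raw in text.splitlines():
        line = raw.strip()
        if m := HASH_RE.search(line):
            iocs.hashes[m.group(1).lower()] = (int(m.group(2)), int(m.group(3)))
        elif m := URL_RE.match(line):
            iocs.urls.append(refang(m.group(1)))
        elif m := ENDPOINT_RE.match(line):
            iocs.endpoints.append((m.group(1), int(m.group(2))))
        elif m := REG_RE.match(line):
            # Only autostart entries are kept; the other values are sample-specific config.
            if m.group("key").lower().endswith(r"\currentversion\run"):
                iocs.run_entries.append((m.group("key"), m.group("name"), m.group("data").strip('"')))
        elif MUTEX_RE.match(line):
            iocs.mutexes.append(line)
    return iocs


def run_entry_findings(name: str, data: str) -> list:
    """Heuristic for the persistence pattern in the report: GUID-named Run value
    pointing at <short folder>\<exe> directly under %AppData%. Thresholds are assumptions."""
    findings = []
    if GUID_RE.match(name):
        findings.append("run value named by GUID")
    path = data.strip('"')
    lowered = path.lower()
    if lowered.startswith("%appdata%\\") or "\\application data\\" in lowered:
        findings.append("launches from per-user AppData")
        parts = path.replace("/", "\\").split("\\")
        # Exactly %AppData%\<folder>\<name>.exe with a short alphabetic folder name
        if len(parts) == 3 and parts[2].lower().endswith(".exe") \
                and parts[1].isalpha() and len(parts[1]) <= 8:
            findings.append("single short alphabetic folder under AppData")
    return findings


def blocklist(iocs: Iocs) -> set:
    """Hosts and IPs from the report, ready for a proxy or firewall denylist."""
    hosts = {re.sub(r"^https?://", "", u).split("/", 1)[0] for u in iocs.urls}
    hosts |= {ip for ip, _ in iocs.endpoints}
    return hosts


if __name__ == "__main__":
    parsed = parse_iocs(SAMPLE_REPORT)
    print("denylist:", sorted(blocklist(parsed)))
    for key, name, data in parsed.run_entries:
        print(name, "->", data, run_entry_findings(name, data))
```

Feeding the parser the full indicator list from the report, rather than the shortened sample, yields the same structure; the mutex names and `(ip, port)` tuples are what a host-based or network detection would match on, while `run_entry_findings` is the check worth running against a live host's `HKCU\...\Run` values, since the GUID-plus-AppData pattern recurs across both second-stage samples here.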

If you catch an ADP impersonating email in the wild, please forward it to abuse@adp.com to notify ADP of the attack.

Webroot SecureAnywhere users are proactively protected from this threat.

You can find more about Dancho Danchev at his LinkedIn Profile. You can also follow him on Twitter.
