Spamvertised ‘Re: Changelog as promised’ themed emails lead to malware


By Dancho Danchev

We have recently intercepted a malicious spam campaign that attempts to trick users into thinking they have received a non-existent “changelog.” Once gullible, socially engineered users execute the malicious attachment, their PCs automatically become part of the botnet operated by the cybercriminal or gang of cybercriminals behind the campaign.

More details:

Sample screenshot of the spamvertised email:

[Image: screenshot of the spamvertised “Re: Changelog as promised” email]

Detection rate for the malicious attachment:
MD5: e01ea945b8d055c5c115ab58749ac502 – detected by 23 out of 46 antivirus scanners as Worm:Win32/Cridex.E.

Upon execution, the sample creates the following processes on the affected host:
"C:\WINDOWS\system32\cmd.exe" /c "C:\DOCUME~1\<USER>~1\LOCALS~1\Temp\exp1.tmp.bat"
C:\Documents and Settings\<USER>\Application Data\KB00927107.exe

The following Registry Keys:
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CFBDC89D4
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\S25BC2D7B

The following Registry Values:
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] -> KB00121600.exe = "%AppData%\KB00121600.exe"

As well as the following Mutexes:

It then phones back to hxxp://85.214.143.90:8080/DPNilBA/ue1elBAAAA/tlSHAAAAA/ and to hxxp://91.121.90.92:8080/AJtw/UCyqrDAA/Ud+asDAA/
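As an added example, not code from the original post, the following Python script turns the two host- and network-side indicators above (the HKCU Run value launching a KB<8 digits>.exe from %AppData%, and the beacons to the two C&C hosts on port 8080) into a simple detection check. The Run-key export as a dict and the simplified proxy log format are assumptions; the sample inputs are constructed.

```python
import re

# Indicators taken from the analysis above: C&C hosts contacted on port 8080.
C2_HOSTS = {"85.214.143.90", "91.121.90.92"}
C2_PORT = 8080
# The sample drops KB<8 digits>.exe under %AppData% and autostarts it via HKCU\...\Run.
RUN_NAME_RE = re.compile(r"^KB\d{8}\.exe$", re.IGNORECASE)
APPDATA_RE = re.compile(r"%AppData%\\KB\d{8}\.exe", re.IGNORECASE)

def suspicious_run_entries(run_values):
    """Return names of HKCU Run values matching the Cridex persistence pattern.

    run_values: dict of value name -> command string (assumed export of the Run key).
    """
    hits = []
    for name, command in run_values.items():
        if RUN_NAME_RE.match(name) and APPDATA_RE.search(command.strip('"')):
            hits.append(name)
    return hits

# Assumed proxy log layout (constructed): TIMESTAMP CLIENT HOST:PORT PATH
PROXY_LINE_RE = re.compile(
    r"^\S+\s+(?P<client>\S+)\s+(?P<host>[\d.]+):(?P<port>\d+)\s+(?P<path>\S+)"
)

def c2_beacons(log_lines):
    """Return (client, host, path) for lines that contact a known C&C host on 8080."""
    beacons = []
    for line in log_lines:
        m = PROXY_LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed layout
        if m.group("host") in C2_HOSTS and int(m.group("port")) == C2_PORT:
            beacons.append((m.group("client"), m.group("host"), m.group("path")))
    return beacons

# Constructed sample inputs: one infected-looking Run value, one benign one.
SAMPLE_RUN_VALUES = {
    "KB00121600.exe": '"%AppData%\\KB00121600.exe"',
    "Updater": '"C:\\Program Files\\Example\\updater.exe" /background',
}
SAMPLE_PROXY_LOG = [
    "2012-06-05T10:01:12Z 10.0.0.15 85.214.143.90:8080 /DPNilBA/ue1elBAAAA/tlSHAAAAA/",
    "2012-06-05T10:01:40Z 10.0.0.15 93.184.216.34:80 /index.html",
    "2012-06-05T10:02:03Z 10.0.0.22 91.121.90.92:8080 /AJtw/UCyqrDAA/Ud+asDAA/",
]

if __name__ == "__main__":
    print("Run-key hits:", suspicious_run_entries(SAMPLE_RUN_VALUES))
    print("C&C beacons:", c2_beacons(SAMPLE_PROXY_LOG))
```

On a real host, feed `suspicious_run_entries` the values of HKCU\Software\Microsoft\Windows\CurrentVersion\Run and `c2_beacons` the proxy or firewall log after adapting the line regex to its actual format.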

We’ve already seen the same C&C (85.214.143.90) used in a previously profiled malicious campaign:

Users are advised to avoid interacting with these emails, and to be extra vigilant for similar social engineering driven malicious campaigns.

Webroot SecureAnywhere users are proactively protected from this threat.

You can find more about Dancho Danchev at his LinkedIn profile. You can also follow him on Twitter.
