By Dancho Danchev
Cybercriminals are currently mass mailing tens of thousands of fake emails impersonating the Westminster Hotel, in an attempt to trick users into thinking that they’ve received a legitimate booking confirmation. In reality through, once the socially engineered users execute the malicious attachments, their PCs automatically join the botnet operated by the cybercriminals behind the campaign.
Sample screenshot of the spamvertised email:
Detection rate for the malicious attachment – MD5: 7eed403cfd09ea301c4e10ba5ed5148a – detected by 6 out of 47 antivirus scanners as Trojan-PSW.Win32.Tepfer.nprd.
The UPX compressed executable creates an Alternate Data Stream (ADS), starts at Windows startup, and creates the following Mutexes:
It then phones back to the following C&C server:
We’ve already seen the same C&C directory structure in the previous profiled ‘Fake ‘Vodafone U.K Images’ themed malware serving spam campaign circulating in the wild‘ campaign.
We’re also aware of the following MD5s that are known to have phoned back to C&C servers with the same directory structure:
While we were investigating this campaign, we also found out that, apparently, the Westerminster Hotel in Rhyl, Denbighshire, did not renew their primarily domain name (westminster-rhyl.com – 22.214.171.124), allowing opportunistic ‘domainers’ to quickly snatch it. Not surprisingly, we also detected malicious activity with multiple malicious software phoning back to the current hosting IP of the Web site of the Westerminster Hotel in Rhyl, Denbighshire.
Sample MD5s known to have phoned back to the same IP (126.96.36.199):
Webroot SecureAnywhere users are proactively protected from these threats.