Fake ‘iPhone Picture Snapshot Message’ themed emails lead to malware


By Dancho Danchev

We’ve just intercepted a currently circulating malicious spam campaign that’s attempting to trick iPhone owners into thinking that they’ve received a ‘picture snapshot message’. Once users execute the malicious attachment, their PCs automatically join the botnet operated by the cybercriminal/gang of cybercriminals, whose activities we’ve been closely monitoring over the last couple of months.

More details:

Detection rate for the malicious attachment – MD5: b7fa4173cf694f53a2597e9eca21ab4c – detected by 10 out of 46 antivirus scanners as Trojan-PSW.Win32.Tepfer.orbb; Troj/Agent-ADAU.

Once executed, it starts listening on port 5179.

The sample then creates the following Mutexes:

It then phones back to the following C&C servers and downloads additional malware:
hxxp://62.76.187.113/inop/ge.php (62-76-187-113.clodo.ru, AS57010)
hxxp://62.76.187.113/par/2.exe

We’ve already seen some of the C&C IPs (108.74.172.39; 90.156.118.144; 66.63.204.26; 94.240.232.143) in the following previously profiled campaigns, launched by the same cybercriminal/gang of cybercriminals:

Detection rate for the additionally downloaded malware – 2.exe – MD5: 8c8d43c8cfacf6d5c04e6f6ac7d4ff54 – detected by 2 out of 46 antivirus scanners as UDS:DangerousObject.Multi.Generic.

Once executed, it starts listening on port 5288.

It creates the following Mutexes:

It then phones back to the following C&C servers:
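As an added detection example (not part of the original post), the following Python checks host telemetry against the indicators the write-up gives: the two listening ports (5179 and 5288), the primary C&C host, and the four IPs the post notes as shared with the operators' earlier campaigns. The firewall log lines, the netstat-style listener table and their formats are constructed for the example.

```python
import re

# Indicators taken from the write-up above: the two listening ports, the
# primary C&C host and the IPs shared with the operators' earlier campaigns.
IOC_LISTEN_PORTS = {5179: "attachment (Tepfer) listener", 5288: "2.exe listener"}
IOC_C2_IPS = {"62.76.187.113", "108.74.172.39", "90.156.118.144",
              "66.63.204.26", "94.240.232.143"}

# Constructed sample telemetry (not from the post): outbound firewall log
# lines and a netstat-style listener table from one workstation.
FIREWALL_LOG = """\
2013-01-10 10:12:01 allow src=10.0.0.15:49233 dst=62.76.187.113:80 proto=tcp
2013-01-10 10:12:03 allow src=10.0.0.15:49234 dst=198.51.100.7:443 proto=tcp
2013-01-10 10:15:40 allow src=10.0.0.15:49301 dst=108.74.172.39:5179 proto=tcp
"""
LISTENERS = """\
tcp 0.0.0.0:135 LISTENING 812
tcp 0.0.0.0:5179 LISTENING 2096
tcp 0.0.0.0:5288 LISTENING 2140
"""

FW_RE = re.compile(r"dst=(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)")
LISTEN_RE = re.compile(r"^tcp\s+\S+:(?P<port>\d+)\s+LISTENING\s+(?P<pid>\d+)")

def match_firewall(log):
    """Return (line_no, dst_ip, dst_port) for outbound hits on known C&C IPs."""
    hits = []
    for n, line in enumerate(log.splitlines(), 1):
        m = FW_RE.search(line)
        if m and m.group("ip") in IOC_C2_IPS:
            hits.append((n, m.group("ip"), int(m.group("port"))))
    return hits

def match_listeners(table):
    """Return (port, pid, label) for local listeners on the samples' ports."""
    hits = []
    for line in table.splitlines():
        m = LISTEN_RE.match(line)
        if m and int(m.group("port")) in IOC_LISTEN_PORTS:
            port, pid = int(m.group("port")), int(m.group("pid"))
            hits.append((port, pid, IOC_LISTEN_PORTS[port]))
    return hits

def triage(log, table):
    """A host that both contacts the C&C and opens a backdoor port is
    'confirmed'; either signal alone is 'suspect'; otherwise 'clean'."""
    fw, ls = match_firewall(log), match_listeners(table)
    verdict = "confirmed" if fw and ls else ("suspect" if fw or ls else "clean")
    return {"verdict": verdict, "c2_hits": fw, "listener_hits": ls}
```

The listener check matters because the C&C addresses rotate between campaigns while both samples open a fixed local port; a host that shows either signal is worth pulling for a hash check against the MD5s above.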

Webroot SecureAnywhere users are proactively protected from these threats.

You can find more about Dancho Danchev at his LinkedIn Profile. You can also follow him on Twitter.
