"We’ve intercepted a currently circulating malicious spam campaign,
tricking users into thinking that they’ve received a scanned document
sent from a Xerox WorkCentre Pro device.
In reality, once users execute the malicious attachment, the
cybercriminal(s) behind the campaign gain complete control over the now
infected host." Webroot
Sample screenshots of the spamvertised malicious email:
Detection rate for the malicious attachment: MD5: 1a339ecfac8d2446e2f9c7e7ff639c56 – detected by 17 out of 48 antivirus scanners as TROJ_UPATRE.AX; Heuristic.LooksLike.Win32.SuspiciousPE.J!89.
Once executed, the sample starts listening on ports 2544 and 7718.
It then creates the following Mutexes on the affected hosts:
Local\{B0B9FAFD-CA9C-4B54-DBC9-BE58FA349D4A}
Local\{B0B9FAFC-CA9D-4B54-DBC9-BE58FA349D4A}
Global\{0BB5ADEF-9D8E-F058-DBC9-BE58FA349D4A}
Global\{D15F4CE9-7C88-2AB2-DBC9-BE58FA349D4A}
Global\{D15F4CEE-7C8F-2AB2-DBC9-BE58FA349D4A}
Global\{DDB39BDC-ABBD-265E-DBC9-BE58FA349D4A}
Global\{BB67AFC4-9FA5-408A-DBC9-BE58FA349D4A}
Global\{5492A9EF-998E-AF7F-11EB-B06D3016937F}
Global\{5492A9EF-998E-AF7F-75EA-B06D5417937F}
Global\{5492A9EF-998E-AF7F-4DE9-B06D6C14937F}
Global\{5492A9EF-998E-AF7F-65E9-B06D4414937F}
Global\{5492A9EF-998E-AF7F-89E9-B06DA814937F}
Global\{5492A9EF-998E-AF7F-BDE9-B06D9C14937F}
Global\{5492A9EF-998E-AF7F-51E8-B06D7015937F}
Global\{5492A9EF-998E-AF7F-81E8-B06DA015937F}
Global\{5492A9EF-998E-AF7F-FDE8-B06DDC15937F}
Global\{5492A9EF-998E-AF7F-0DEF-B06D2C12937F}
Global\{5492A9EF-998E-AF7F-5DEF-B06D7C12937F}
Global\{5492A9EF-998E-AF7F-F1EE-B06DD013937F}
Global\{5492A9EF-998E-AF7F-89EB-B06DA816937F}
Global\{5492A9EF-998E-AF7F-F9EF-B06DD812937F}
Global\{5492A9EF-998E-AF7F-E5EF-B06DC412937F}
Global\{5492A9EF-998E-AF7F-0DEE-B06D2C13937F}
Global\{5492A9EF-998E-AF7F-09ED-B06D2810937F}
Global\{5492A9EF-998E-AF7F-51EF-B06D7012937F}
Global\{5492A9EF-998E-AF7F-35EC-B06D1411937F}
Global\{2E1C200D-106C-D5F1-DBC9-BE58FA349D4A}
Drops the following MD5s:
MD5: 1a339ecfac8d2446e2f9c7e7ff639c56
MD5: 17c78eb30d31161e9aed1ea25889e423
MD5: 09bbe8cd0cfe7770a62faa68723c8804
MD5: d1a55715c1360daab7882bf45e820b31
And phones back to:
smclan.com – 209.236.71.58
The following malicious domains are also currently responding to the same IP:
beebled.com
coffeeofgold.com
learnpkpd.com
smclan.com
wordpressonwindows.com
adgnow.com
eddietobey.com
kestrel.aero
And the following malicious domains are known to have responded to the same IP:
atrocitycomplex.com
getdailypaymentsnow.com
giltnetwork.com
heartlessbastardseo.com
juanherreraplaza.com
landings.romancesdiscretos.com
mydecay.com
revoluza-coupon.com
team4048.org
careerfortune.com
justsaylovemovie.com
kassysgroup.com
stagewrightfilms.com
zachary-scott.com
No comments:
Post a Comment