We’re seeing a significant “spam attached malware” campaign in the past 48 hours with different attachment MD5s.
3305f83abf31fc66fa8f588b35be8eb2
8e3331b64a5884e1ef4f4c8a3d09bc7a
The username portion of the email sender is random, using a classic mis-spelling that has been consistent. Usernames are a single word, followed by a “.”, “_”, or “-”, followed by a two or three digit number. The most popular words (by far) are “manager” and “support”, but we’ve also seen admin, adminnistration, alerts, cunsumer, delivery, e-file, finance, frboard-webannouncements, govdelivery, information, inspector, news, news-alerts, no-reply, protection, public, report, service, stats, subscriber, subscriptions, usttb, and webannouncements.
The attached file is actually named as a “.com”, using a random-seeming filename in the format “id” followed by a 5-7 digit number (such as id918538.com).
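To make the sender and attachment fingerprint above concrete, here is an added Python example (not code from the original post or from Quick Heal) that applies the two described patterns to constructed sample messages; the `classify` function, its verdict labels and the sample addresses are assumptions.

```python
import re
from typing import Optional

# Sender local-part as described in the post: one word, then ".", "_" or "-",
# then a two- or three-digit number (e.g. manager.23, support_107).
LOCAL_PART_RE = re.compile(r"^(?P<word>[a-z][a-z-]*)[._-](?P<num>\d{2,3})$", re.IGNORECASE)

# Attachment name as described: "id" followed by 5-7 digits and a .com extension.
ATTACHMENT_RE = re.compile(r"^id\d{5,7}\.com$", re.IGNORECASE)

# Words listed in the post; the misspellings are kept on purpose, they are part of the fingerprint.
CAMPAIGN_WORDS = {
    "manager", "support", "admin", "adminnistration", "alerts", "cunsumer", "delivery",
    "e-file", "finance", "frboard-webannouncements", "govdelivery", "information",
    "inspector", "news", "news-alerts", "no-reply", "protection", "public", "report",
    "service", "stats", "subscriber", "subscriptions", "usttb", "webannouncements",
}


def classify(sender: str, attachment: Optional[str]) -> str:
    """Return 'campaign', 'suspicious' or 'clean' for one message (labels are assumptions)."""
    local_part = sender.split("@", 1)[0].lower()
    m = LOCAL_PART_RE.match(local_part)
    sender_shape = m is not None                      # word + separator + 2-3 digits
    sender_word = sender_shape and m.group("word") in CAMPAIGN_WORDS
    attach_hit = bool(attachment and ATTACHMENT_RE.match(attachment))
    if attach_hit and sender_shape:
        return "campaign"        # both halves of the fingerprint present
    if attach_hit or sender_word:
        return "suspicious"      # one strong indicator on its own
    return "clean"


def scan(messages):
    """Classify a list of (sender, attachment) pairs; returns [(sender, verdict), ...]."""
    return [(sender, classify(sender, attachment)) for sender, attachment in messages]


# Constructed sample messages for demonstration (addresses are assumptions).
SAMPLE_MESSAGES = [
    ("manager.23@example.com", "id918538.com"),
    ("cunsumer_107@example.net", "id12345.com"),
    ("support.99@example.org", None),
    ("alice@example.com", "invoice.pdf"),
    ("manager.1234@example.com", "report.docx"),
]

if __name__ == "__main__":
    for sender, verdict in scan(SAMPLE_MESSAGES):
        print(f"{verdict:10s} {sender}")
```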
When the file is launched, it attempts to connect to a long list of domains that are probably generated by a “DGA”, or “Domain Generation Algorithm”, so at different times or on different days this list would likely be different. The purpose of the malware? It seems to be just another fake anti-virus product. Here’s the scan that kicked off:
After the scan, I was of course constantly reminded of the grave danger I was in:
With Quick Heal Total Security, such fraudulent mails get tagged as spam and users are protected.
Quick Heal also detects the malicious attachments and the installed rogueware files.