Sample subject: "Successfull Order 977132"
Sample message: "Thank you for ordering from Bobijou Inc.This message is to inform you that your order has been received and is currently being processed.
Your order reference is 901802. You will need this in all correspondence. This receipt is NOT proof of purchase. We will send a printed invoice by mail to your billing address.
You have chosen to pay by credit card. Your card will be charged for the amount of 262.00 USD and “Bobijou Inc.” will appear next to the charge on your statement.You will receive a separate email confirming your order has been despatched.Your purchase and delivery information appears below in attached file.
Thanks again for shopping at Bobijou Inc."
Sample attachments: Order_details.zip
Detection rates:
Order details.exe - Trojan.FakeAV - Result: 24/40 (60.0%)
MD5 : 7c810cbb47c9f937b5f663b51ab7ee50
SHA1 : b4faf8c724727381abb11c44b71605ff6e65cbbf
SHA256: 0bda3bdcffdda0fee31fe35cfea2fb644ff8e549a0a83632faa19cd43e02b904
Upon execution phones back to :
kkojjors.net/f/g.php - 95.64.9.15 - Email: admin@firtryt.biz
variantov.com/pusk.exe - 94.63.149.26 - Email: admin@variantov.com
Detection rate for the scareware variant pusk.exe
pusk.exe - Suspicious.Cloud.5 - Result: 4/41 (9.8%)
MD5 : bbd466a67586003776e295eaf3d2976c
SHA1 : 6a8e1d84157c76b4c9238fc23d28686244f6650f
SHA256: ee008f9039534f062bd277860060461064e760bdaa90a36595b9780be54a5a05
Upon execution phones back to:
jyluzovunevu.com - 209.160.45.33 - Email: gray@fxmail.net
sesokiqufikeg.com - 209.160.45.34 - Email: gray@fxmail.net
qyqinisope.com - 64.46.38.207 - Email: gray@fxmail.net
hijocyragap.com - 64.46.38.81 - Email: robin@cutemail.org
puhigygapyhi.com - 64.46.38.81 - Email: gray@fxmail.net
zavewuzykubo.com - 64.46.38.80 - Email: robin@cutemail.org
fepigixypo.com - 64.46.38.29 - Email: pyre@cutemail.org
tozibapah.com - 76.73.16.182 - Email: lays@fxmail.net
qebinehuh.com - 76.73.14.182 - Email: lays@fxmail.net
gygipikalyn.com - 76.73.17.242 - Email: ss@cutemail.org
xygorinazecit.com - 76.73.17.70 - Email: ss@cutemail.org
walireqoxyxyt.com - 64.46.39.185 - Email: orbit@fxmail.net
moririnejuf.com - 64.46.39.184 - Email: purse@mail13.com
jydosucin.com - 64.46.39.200 - Email: arm@fxmail.net
libynozegokido.com - 64.46.39.186 - Email: orbit@fxmail.net
zidacofodafur.com - 64.46.39.212 - Email: gown@cutemail.org
fequxukovo.com - 67.196.15.136 - Email: arm@fxmail.net
gyxyqimacik.com - 67.196.15.138 - Email: purse@mail13.com
wizyvopyla.com - 67.196.15.137 - Email: arm@fxmail.net
gyricehagupy.com - 67.196.15.139 - Email: purse@mail13.com
punemipaqatyc.com - 67.196.15.141 - Email: ulcer@mailae.com
gehotigyry.com - 67.196.15.140 - Email: hp@mail13.com
vufekihoto.com - 67.196.15.105 - Email: arm@fxmail.net
huzomohidid.com - 67.196.15.104 - Email: arm@fxmail.net
posufejez.com - 67.196.15.107 - Email: purse@mail13.com
gewexyvunokyk.com - 67.196.15.106 - Email: purse@mail13.com
fowyqypacytucy.com - 209.160.45.32 - Email: soup@fastermail.ru
koduzuwobow.com - 209.160.45.130 - Email: pyre@cutemail.org
ciluvekypomow.com - 78.46.105.205 - Email: hips@cutemail.org
7hitaxodupi.com - 64.46.38.30
Monitoring of the campaign is ongoing.
Related posts:
Spamvertised "Reqest Rejected" Campaign Serving Scareware
Spamvertised DHL Notifications Scareware Campaign
Spamvertised Post Office Express Mail (USPS) Emails Serving Malware
Spamvertised United Parcel Service notifications serve malware
Spamvertised FedEx Notifications Spread Malware
Spamvertised DHL Notification Malware Campaign
More Spamvertised DHL Notifications Spread Malware
This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter.
No comments:
Post a Comment