Over the past 48 hours we have been seeing a significant spam campaign carrying malware attachments. The attachment MD5s observed so far are:
3305f83abf31fc66fa8f588b35be8eb2
8e3331b64a5884e1ef4f4c8a3d09bc7a
The username (local part) of the sender address varies from message to message, but it follows one consistent pattern: a single word, followed by a “.”, “_” or “-”, followed by a two or three digit number. The most common words by far are “manager” and “support”, but we have also seen “admin”, “administration”, “alerts”, “cunsumer”, “delivery”, “e-file”, “finance”, “frboard-webannouncements”, “govdelivery”, “information”, “inspector”, “news”, “news-alerts”, “no-reply”, “protection”, “public”, “report”, “service”, “stats”, “subscriber”, “subscriptions”, “usttb” and “webannouncements”. The misspelling “cunsumer” has stayed consistent across the campaign.
The attachment is a “.com” file (an executable extension on Windows, not a web domain) with a random-looking name in the format “id” followed by a 5-7 digit number, such as id918538.com.
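The sender and attachment patterns above are regular enough to turn into a mail-gateway check. The following is an added example written for this post, not Quick Heal's own detection logic: it matches the sender local part and attachment name against the patterns described, and compares attachment hashes with the two MD5s listed above. The sample messages, the `example.invalid` domain and the attachment bytes are constructed for the demonstration.

```python
import hashlib
import re

# Sender local part: one word (hyphens allowed, e.g. "news-alerts", "e-file"),
# then one of . _ -, then a two- or three-digit number, e.g. "manager.42".
SENDER_LOCALPART = re.compile(r"^[a-z][a-z-]*[._-]\d{2,3}$", re.IGNORECASE)

# Attachment name: "id" followed by 5-7 digits and a ".com" extension.
ATTACHMENT_NAME = re.compile(r"^id\d{5,7}\.com$", re.IGNORECASE)

# The two attachment MD5s reported in the post.
KNOWN_MD5 = {
    "3305f83abf31fc66fa8f588b35be8eb2",
    "8e3331b64a5884e1ef4f4c8a3d09bc7a",
}


def sender_matches(address):
    """True if the address has a local part in the campaign's word.NN form."""
    local, sep, _domain = address.partition("@")
    return bool(sep) and SENDER_LOCALPART.match(local) is not None


def attachment_matches(filename):
    """True if the attachment name has the id<5-7 digits>.com form."""
    return ATTACHMENT_NAME.match(filename) is not None


def md5_hex(data):
    """MD5 used only to match known samples; a repacked variant will not match,
    which is why the name/sender pattern checks run alongside it."""
    return hashlib.md5(data).hexdigest()


def classify(message):
    """Return the list of reasons a message looks like part of this campaign.
    message = {"from": str, "attachments": [(filename, bytes), ...]}"""
    reasons = []
    if sender_matches(message["from"]):
        reasons.append("sender local part matches word.NN pattern")
    for name, data in message.get("attachments", []):
        if attachment_matches(name):
            reasons.append(f"attachment name {name} matches id<digits>.com pattern")
        if md5_hex(data) in KNOWN_MD5:
            reasons.append(f"attachment {name} MD5 matches a known sample")
    return reasons


# Constructed sample messages (hypothetical sender domain and attachment bytes).
SAMPLE_MESSAGES = [
    {"from": "manager.42@example.invalid",
     "attachments": [("id918538.com", b"MZ\x90\x00constructed-sample")]},
    {"from": "alice@example.invalid",
     "attachments": [("report.pdf", b"%PDF-1.4 constructed-sample")]},
    {"from": "news-alerts_123@example.invalid", "attachments": []},
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(msg["from"], "->", classify(msg) or ["clean"])
```

The pattern checks will also flag legitimate senders that happen to use a word.NN local part, so in production they are better used to raise a spam score or quarantine for review than to reject outright; the hash match is the high-confidence signal, but it only catches the exact samples already seen.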
When the file is launched, it attempts to connect to any of a long list of domains that are probably produced by a DGA (Domain Generation Algorithm). The list is likely to differ at other times or on other days, so blocking the domains seen today is not a durable control. The payload appears to be just another fake anti-virus product. Here’s the scan that kicked off:
After the scan, as expected, I was constantly reminded of the grave danger I was in:
With Quick Heal Total Security, such fraudulent emails are tagged as spam and users stay protected.
Quick Heal also detects malicious attachments and the installed rogueware files.