![\"\"](\"https:\/\/blogs.quickheal.com\/wp-content\/uploads\/archive\/new-jul23.mastercardSmallWinCE.PNG\")
<\/p>\nWe’re seeing a significant “spam attached malware” campaign in the past 48 hours with different attachment MD5s.<\/p>\n
3305f83abf31fc66fa8f588b35be8eb2
\n8e3331b64a5884e1ef4f4c8a3d09bc7a<\/p>\n
<\/p>\n
The username portion of the email sender is random, using a classic misspelling that has been consistent. Usernames are a single word, followed by a “.”, “_” or “-“, followed by a two or three digit number. The most popular words (by far) are “manager” and “support”, but we’ve also seen “admin”, “administration”, “alerts”, “cunsumer”, “delivery”, “e-file”, “finance”, “frboard-webannouncements”, “govdelivery”, “information”, “inspector”, “news”, “news-alerts”, “no-reply”, “protection”, “public”, “report”, “service”, “stats”, “subscriber”, “subscriptions”, “usttb” and “webannouncements”.<\/p>\n
The attached file is actually named as a “.com” using a random seeming filename in the format “id” followed by a 5-7 digit number (such as id918538.com).<\/p>\n
When the file is launched, it attempts to make a connection with any of a long list of domains that are probably made by a “DGA” or “Domain Generation Algorithm”. It’s likely that at different times or days this list would be different. The purpose of the malware seems to be just another fake anti-virus product. Here’s the scan that kicked off:<\/p>\n
![\"\"](\"https:\/\/blogs.quickheal.com\/wp-content\/uploads\/archive\/new-jul23.scanningSmallWinCE.PNG\")
<\/p>\n
After the scan, as expected, I was constantly reminded of the grave danger I was in:<\/p>\n
![\"\"](\"https:\/\/blogs.quickheal.com\/wp-content\/uploads\/archive\/newjul23.dangerSmallWinCE.PNG\")
<\/p>\n
![\"\"](\"https:\/\/blogs.quickheal.com\/wp-content\/uploads\/archive\/new-jul23.qhWinCE.PNG\")
<\/p>\n","protected":false},"excerpt":{"rendered":"