Attackers have sent out a huge number of email messages containing a malicious attachment, posing as a Vodafone MMS picture. The alleged picture turns out to be an executable Trojan backdoor.
The email includes original links to Vodafone websites, which makes it a lot less suspicious for spam filters and explains why so many users have initially received the email.
The telephone numbers given in those mails vary, but the gist always remains the same: The recipient is asked to open the attached file, which is said to be a picture. Unzipping the archive reveals a file called Vodafone_MMS.jpg.exe – again, the attackers try to mask the executable file with the “.jpg” file extension, and users who do not display file extensions in their Windows system might fall for this trick.
Interesting: This time, the attackers did not set a .jpg file icon to make this trick even more authentic. The file icon remains that of a normal application, matching the real file type: .exe! This is a hint for the attentive user that there is something wrong with this MMS attachment.
The current file is detected as Trojan.Generic.KDV.780689 (Bitdefender) and Win32:Karagany-MX [Trj] (Avast). It is a kind of dropper/malware installer/loader.
It registers itself in the Run key
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (value name: SunJavaUpdateSched)
and it also drops a copy of itself into the system as %Users%\All Users\svchost.exe
With this technique it can survive computer reboots. Obviously, the original Windows system file named svchost should be located in C:\Windows\System32, nowhere else!
The file is resident in memory, and this is where the dropping takes place: The Vodafone_MMS file has another PE file embedded in its code, which is encrypted twice. This PE file is decrypted, written into memory and executed. Its function: The malware starts to listen on port 8000 and waits for incoming instructions. G Data scanners detect this second file as Trojan.Gamarue.E (Bitdefender) and Win32:Citadel-K [Trj] (Avast).
Our analysis did not show any other activity of this malware. It only listens on port 8000; it does not attempt to send out any identifying information about the infected machine, and therefore does not tell the attacker where to send the instructions.
The initial file and the dropped file are both files you don’t want to have on your machine, and you don’t want them running every time your computer is working – no doubt about that. But we have to conclude that the functionality alone is not yet harmful. Once the attacker manages to connect to the infected system, however, the problems start. Still, the question is: how will the attacker identify the IP(s) of the infected machine? The email spam campaign did not appear to be a targeted attack, in which the attacker might already know the target’s IP information.
Some users might have port 8000 open because they are using e.g. SHOUTcast servers or have set up a port forward from port 80. But the listening file we detected does not interact with that information, connect to any C&C server, or download further malware, any of which would make sense.