Victims infected through malicious macro files found in spam emails
Rather than singling out victims first, the cybercriminals send out bulk spam messages from spoofed Yahoo! Mail accounts with generic subject lines such as “Any jobs?”, “Internships?” or “My Resume”. This indiscriminate spam campaign began on Wednesday, May 20, 2015, with the obvious goal of infecting as many users as possible with the attached malware.
Each spam email carried an attached document named CV_[4 numbers].doc or My_Resume_[4 numbers].doc with an embedded malicious macro. To persuade the user to allow the macro to run, the documents even claim to be “Protected”.
Once executed, the macro downloads one of several malicious files hosted under the embedded URL “80.242.123.155/exe/”, for example 80.242.123.155/exe/dro.exe. It turns out that several of the malicious files are named “pos.exe”, which suggests that the cybercriminals’ intended targets are point-of-sale machines.
After infecting the system, the malware ensures its survival by creating a registry key so that it starts automatically after a reboot. The malware also sets up communication with one of three hardcoded C2 servers:
- systeminfou48[.]ru
- infofinaciale8h[.]ru
- helpdesk7r[.]ru
Then the memory scraping begins. After searching memory for any data resembling the payment card format, the malware sends matching data back to its creators over an encrypted SSL channel, which makes detection at the network level more difficult.
The cybercriminals may even have a control panel to orchestrate their operations. More and more variants of such POS malware emerge as the existing ones are detected and blocked; it looks like the cybercriminals are not going to give up easily.
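The infection chain above leaves three observable traces a defender can hunt for: the attachment naming pattern in mail logs, the download from the payload directory in proxy logs, and DNS queries for the hardcoded C2 domains. The following script is an added example, not code from the article or from Emsisoft; it matches constructed sample log lines (in a simple tab-separated type/source/value format that is an assumption of this example) against only the indicators the article lists, refanging the domains from their printed `[.]` form.

```python
"""Match constructed DNS, proxy and mail log lines against the indicators in the article."""
import re
from typing import Dict, List

# Indicators taken from the article (domains defanged exactly as printed there).
C2_DOMAINS_DEFANGED = ["systeminfou48[.]ru", "infofinaciale8h[.]ru", "helpdesk7r[.]ru"]
PAYLOAD_HOST = "80.242.123.155"
PAYLOAD_PATH_PREFIX = "/exe/"
# Attachment naming scheme described in the article: CV_1234.doc / My_Resume_1234.doc
ATTACHMENT_RE = re.compile(r"^(CV|My_Resume)_\d{4}\.doc$", re.IGNORECASE)


def refang(indicator: str) -> str:
    """Turn the article's defanged form back into a matchable hostname."""
    return indicator.replace("[.]", ".")


C2_DOMAINS = {refang(d) for d in C2_DOMAINS_DEFANGED}


def check_dns_query(qname: str) -> bool:
    """True if the queried name is a hardcoded C2 domain or a subdomain of one."""
    name = qname.rstrip(".").lower()  # tolerate a trailing dot from DNS logs
    return any(name == d or name.endswith("." + d) for d in C2_DOMAINS)


def check_url(url: str) -> bool:
    """True if the URL points into the payload directory the macro downloads from."""
    m = re.match(r"^(?:https?://)?([^/]+)(/.*)?$", url.strip())
    if not m:
        return False
    host, path = m.group(1), m.group(2) or "/"
    return host == PAYLOAD_HOST and path.startswith(PAYLOAD_PATH_PREFIX)


def check_attachment(filename: str) -> bool:
    """True if an attachment name follows the campaign's CV_/My_Resume_ scheme."""
    return bool(ATTACHMENT_RE.match(filename))


def scan_logs(lines) -> List[Dict[str, str]]:
    """Walk 'type<TAB>source<TAB>value' lines and return one hit per matching line."""
    hits = []
    for line in lines:
        parts = line.rstrip("\n").split("\t")
        if len(parts) != 3:
            continue  # malformed line; skip rather than guess
        kind, source, value = parts
        if kind == "dns" and check_dns_query(value):
            reason = "query for hardcoded C2 domain"
        elif kind == "proxy" and check_url(value):
            reason = "download from payload directory"
        elif kind == "mail" and check_attachment(value):
            reason = "attachment matches campaign naming scheme"
        else:
            continue
        hits.append({"source": source, "value": value, "reason": reason})
    return hits


# Constructed sample log lines (not taken from the article) in the assumed format.
SAMPLE_LOGS = [
    "dns\t10.0.0.12\tsysteminfou48.ru.",
    "dns\t10.0.0.12\tupdate.helpdesk7r.ru",
    "dns\t10.0.0.13\tmail.example.com",
    "proxy\t10.0.0.12\thttp://80.242.123.155/exe/dro.exe",
    "proxy\t10.0.0.13\thttp://80.242.123.155/index.html",
    "mail\tjobs@example.com\tCV_4821.doc",
    "mail\tjobs@example.com\tMy_Resume_0193.doc",
    "mail\tjobs@example.com\tresume.pdf",
]

if __name__ == "__main__":
    for hit in scan_logs(SAMPLE_LOGS):
        print(f"{hit['source']}: {hit['value']} ({hit['reason']})")
```

Run as written, the script reports five hits: the two C2 lookups (one with a trailing dot, one as a subdomain), the dro.exe download, and the two resume-style attachments; the unrelated DNS query, the non-payload URL and the PDF are left alone. Matching subdomains of the C2 names and tolerating a missing scheme in the URL are the two small generalizations over the literal indicators.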
Have a nice (malware-free) day!