Adult-Themed Mimail Worm Campaign Steals Victim Information

Share On Facebook
Share On Twitter
Share On Linkedin

Author: Avinash Shende

TLP: WHITE

On 13 July, Infoblox observed a malicious email campaign that has been distributing the Mimail worm via weaponized executable files. Emails in this campaign try to lure victims into opening attachments that appear to be images of sexual nature.

Mimail emerged some 18 years ago (August 20031) and has spawned many variants. Here it continues to be used to steal financial and sensitive data.

When we analyzed the malware, we also found a warning against attempts to filter out the emails, and a threat that entities that did so would receive a future denial of service (DoS) attack. However, we did not find this variant of the malware to have the capability to do so.

Mimail variants contain payloads that can steal credit card information and credentials from web browsers and via a fake license expiry form.2 As a mass mailing worm, it propagates by distributing itself to victims’ email contacts.

While reverse engineering the executable, we found the warning below.

 *** GLOBAL WARNING: if any free email company or hosting company will close/filter my email/site accounts, it will be DDoS’ed in next version. WARNING: centrum.cz will be DDoS’ed in next versions, coz they have closed my mimail-email account. Who next? ***

We cannot confirm whether the DDoS threat is real because we found no evidence in the sample that it had the ability to carry out a DoS attack. However, according to F-Secure, there is a variant: Mimail.G, which does have a DoS capability.3

A typical email in this campaign urges users to open an adult-themed executable attachment that has a deceptive double extension: .gif.exe. The bodies of the emails in this campaign were blank.

The emails’ subject lines are similar to one of the following:

  • Re[4]: sexy pics
  • Re:sexy photos
  • cool pictures
  • smart pics
  • beautiful pics
  • sexy pics FOR YOU ONLY
  • very wonderful pictures PRIVATE

Infoblox’s full report on this campaign will be available soon on our Threat Intelligence Reports page.

Endnotes

  1. https://malwiki.org/index.php?title=Mimail
  2. https://www.f-secure.com/v-descs/mimail.shtml
  3. https://www.f-secure.com/v-descs/mimail_g.shtml

 

Labels:

Infoblox Threat Intelligence Group

With over 50 years of combined experience, the Infoblox Threat Intelligence Group creates, aggregates and curates information on threats to provide actionable intelligence that is high-quality, timely and reliable. Threat information from Infoblox filters out false positives and gives you the information you need to block the newest threats and to maintain a unified security policy across the entire security infrastructure of your organization.

View All Posts

You might also be interested in

You might also be interested in

×