Author: Avinash Shende
On 13 July, Infoblox observed a malicious email campaign that has been distributing the Mimail worm via weaponized executable files. Emails in this campaign try to lure victims into opening attachments that appear to be images of sexual nature.
Mimail emerged some 18 years ago (August 20031) and has spawned many variants. Here it continues to be used to steal financial and sensitive data.
When we analyzed the malware, we also found a warning against attempts to filter out the emails, and a threat that entities that did so would receive a future denial of service (DoS) attack. However, we did not find this variant of the malware to have the capability to do so.
Mimail variants contain payloads that can steal credit card information and credentials from web browsers and via a fake license expiry form.2 As a mass mailing worm, it propagates by distributing itself to victims’ email contacts.
While reverse engineering the executable, we found the warning below.
*** GLOBAL WARNING: if any free email company or hosting company will close/filter my email/site accounts, it will be DDoS’ed in next version. WARNING: centrum.cz will be DDoS’ed in next versions, coz they have closed my mimail-email account. Who next? ***
We cannot confirm whether the DDoS threat is real because we found no evidence in the sample that it had the ability to carry out a DoS attack. However, according to F-Secure, there is a variant: Mimail.G, which does have a DoS capability.3
A typical email in this campaign urges users to open an adult-themed executable attachment that has a deceptive double extension: .gif.exe. The bodies of the emails in this campaign were blank.
The emails’ subject lines are similar to one of the following:
- Re: sexy pics
- Re:sexy photos
- cool pictures
- smart pics
- beautiful pics
- sexy pics FOR YOU ONLY
- very wonderful pictures PRIVATE
Infoblox’s full report on this campaign will be available soon on our Threat Intelligence Reports page.