Author: Avinash Shende
TLP: WHITE
On 13 July, Infoblox observed a malicious email campaign distributing the Mimail worm via weaponized executable attachments. Emails in this campaign try to lure victims into opening attachments that appear to be images of a sexual nature.
Mimail emerged some 18 years ago (August 2003)[1] and has spawned many variants. In this campaign it continues to be used to steal financial and other sensitive data.
When we analyzed the malware, we also found a warning against attempts to filter out the emails, and a threat that entities that did so would receive a future denial of service (DoS) attack. However, we did not find this variant of the malware to have the capability to do so.
Mimail variants contain payloads that can steal credit card information and credentials, both from web browsers and via a fake license expiry form.[2] As a mass-mailing worm, Mimail propagates by emailing copies of itself to the victim's email contacts.
While reverse engineering the executable, we found the warning below.
*** GLOBAL WARNING: if any free email company or hosting company will close/filter my email/site accounts, it will be DDoS’ed in next version. WARNING: centrum.cz will be DDoS’ed in next versions, coz they have closed my mimail-email account. Who next? ***
We cannot confirm whether the DDoS threat is real, because we found no evidence in the sample that it has the ability to carry out a DoS attack. However, according to F-Secure, one variant, Mimail.G, does have a DoS capability.[3]
A typical email in this campaign carries an adult-themed executable attachment with a deceptive double extension, .gif.exe. Because Windows Explorer hides known file extensions by default, such a file is displayed with only the .gif part of its name. The bodies of the emails in this campaign were blank, so the lure rests entirely on the subject line and the attachment name.
The emails’ subject lines are similar to one of the following:
- Re[4]: sexy pics
- Re:sexy photos
- cool pictures
- smart pics
- beautiful pics
- sexy pics FOR YOU ONLY
- very wonderful pictures PRIVATE
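The three traits described above (a lure subject, a blank body, and an executable attachment hiding behind a benign-looking double extension) are easy to check at the mail gateway. The following is an added example written for this page, not code from Infoblox or from the Mimail sample: it builds a constructed message in the shape of this campaign and scores it. The extension lists, the subject regex and the sample addresses are assumptions chosen for illustration, not indicators taken from the campaign.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Assumed lists for illustration; a production filter would use a fuller set.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}
BENIGN_EXTENSIONS = {".gif", ".jpg", ".jpeg", ".png", ".bmp", ".pdf", ".doc", ".txt"}

# Loosely modelled on the subject lines listed above; assumed, not an official signature.
SUBJECT_PATTERN = re.compile(
    r"\b(sexy|cool|smart|beautiful|wonderful)\s+(pics|photos|pictures)\b", re.I
)


def has_double_extension(filename):
    """True for names like 'sexy.gif.exe': a benign-looking extension
    followed by an executable one."""
    parts = filename.lower().rsplit(".", 2)
    if len(parts) < 3:
        return False
    _, middle, last = parts
    return "." + middle in BENIGN_EXTENSIONS and "." + last in EXECUTABLE_EXTENSIONS


def score_message(raw_bytes):
    """Return the list of findings for one RFC 5322 message."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []

    if SUBJECT_PATTERN.search(msg.get("Subject", "")):
        findings.append("lure-subject")

    # A blank body is characteristic of this campaign.
    body = msg.get_body(preferencelist=("plain", "html"))
    body_text = body.get_content().strip() if body is not None else ""
    if not body_text:
        findings.append("blank-body")

    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if has_double_extension(name):
            findings.append("double-extension:" + name)
        elif any(name.lower().endswith(ext) for ext in EXECUTABLE_EXTENSIONS):
            findings.append("executable-attachment:" + name)
    return findings


def is_suspicious(findings):
    """Block on a double-extension executable outright; otherwise require a
    plain executable attachment together with the lure subject."""
    if any(f.startswith("double-extension:") for f in findings):
        return True
    has_exe = any(f.startswith("executable-attachment:") for f in findings)
    return has_exe and "lure-subject" in findings


def build_sample_message(subject, filename, body=""):
    """Constructed test input: a message in the shape of this campaign.
    The attachment bytes are a placeholder, not malware."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"   # assumed placeholder address
    msg["To"] = "victim@example.invalid"     # assumed placeholder address
    msg["Subject"] = subject
    msg.set_content(body)
    msg.add_attachment(b"MZ\x90\x00", maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    lure = build_sample_message("Re[4]: sexy pics", "sexy.gif.exe")
    print(score_message(lure), is_suspicious(score_message(lure)))
    benign = build_sample_message("Quarterly report", "report.pdf",
                                  "Attached as discussed.")
    print(score_message(benign), is_suspicious(score_message(benign)))
```

The double-extension check alone is enough to block the attachments in this campaign; the subject and blank-body checks are kept separate so they can be weighted rather than used as hard blocks, since legitimate mail occasionally has an empty body.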
Infoblox’s full report on this campaign will be available soon on our Threat Intelligence Reports page.
Endnotes
1. https://malwiki.org/index.php?title=Mimail
2. https://www.f-secure.com/v-descs/mimail.shtml
3. https://www.f-secure.com/v-descs/mimail_g.shtml