The letter urges the recipient to download the prescription via the link by April 13, 2017.
The domain 'fex.net' in the link has been actively used to distribute malware:
The downloaded file 'розпорядження Полторак.docx.exe' is an obfuscated .NET application (MD5: 01fb11b245a6a2525da77aebd2879dcf). It copies itself as:
- c:\Documents and Settings\<USER>\Templates\winlogon.exe
It also drops a clean Word document:
- c:\Documents and Settings\<USER>\Local Settings\Temp\Docum.doc (MD5: b77f006667dd0a68de9c8ea30f2c80fe)
It then opens the clean 'Docum.doc' to distract the user.
The following message is shown on execution:
Then, it opens the embedded document:
The malicious process injects the backdoor's code into the system process 'svchost.exe':
The backdoor is the Darktrack remote administration tool.
The client connects to the C&C on port 1515.
The Darktrack client uses the proxy service 'hopto.org' to connect to the attacker's C&C.
gordon6.hopto.org has been resolved to the following IPs:
All of the IPs are located in one place in Russia.
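
The behaviours described above (a document name ending in '.exe', a 'winlogon.exe' copy outside the Windows system directory, and 'svchost.exe' connecting out to port 1515 or to a hopto.org host) can be checked on endpoint telemetry. The following is an added example, not part of the original analysis; the event dictionary format, its field names and the sample events are assumptions constructed for illustration.

```python
import ntpath
import re

# Document-like extension directly followed by an executable extension,
# e.g. "name.docx.exe" (the naming pattern of the downloaded file above).
DOUBLE_EXT = re.compile(r"\.(docx?|xlsx?|pdf|rtf|txt)\.(exe|scr|com|pif)$", re.I)
# Names that should only ever run from the Windows system directories.
SYSTEM_NAMES = {"winlogon.exe", "svchost.exe"}
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
WATCHED_SUFFIXES = (".hopto.org",)  # domain named in the write-up
C2_PORT = 1515                      # C&C port named in the write-up


def check_event(ev):
    """Return the list of findings for one endpoint event (hypothetical dict format)."""
    findings = []
    image = ev.get("image", "")
    name = ntpath.basename(image).lower()
    folder = ntpath.dirname(image).lower()
    if ev.get("type") == "process_create":
        if DOUBLE_EXT.search(name):
            findings.append("double-extension executable")
        if name in SYSTEM_NAMES and folder not in SYSTEM_DIRS:
            findings.append("system process name outside system directory")
    elif ev.get("type") == "network_connect":
        host = ev.get("dest_host", "").lower().rstrip(".")
        if host.endswith(WATCHED_SUFFIXES):
            findings.append("connection to hopto.org host")
        if name == "svchost.exe" and ev.get("dest_port") == C2_PORT:
            findings.append("svchost.exe outbound to port 1515")
    return findings


SAMPLE_EVENTS = [  # constructed events; user name "alice" is a placeholder
    {"type": "process_create",
     "image": r"C:\Documents and Settings\alice\Desktop\розпорядження Полторак.docx.exe"},
    {"type": "process_create",
     "image": r"C:\Documents and Settings\alice\Templates\winlogon.exe"},
    {"type": "process_create", "image": r"C:\Windows\System32\winlogon.exe"},
    {"type": "network_connect", "image": r"C:\Windows\System32\svchost.exe",
     "dest_host": "gordon6.hopto.org", "dest_port": 1515},
    {"type": "network_connect", "image": r"C:\Windows\System32\svchost.exe",
     "dest_host": "example.com", "dest_port": 443},
]

if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(event["image"], "->", check_event(event) or "no findings")
```

The legitimate 'winlogon.exe' in System32 and the ordinary port 443 connection produce no findings, so the checks key on location and destination rather than on the process name alone.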