{"id":6098,"date":"2021-03-08T12:11:05","date_gmt":"2021-03-08T20:11:05","guid":{"rendered":"https:\/\/blogs.infoblox.com\/?p=6098"},"modified":"2024-04-26T13:20:51","modified_gmt":"2024-04-26T20:20:51","slug":"warezov-worm-malspam-campaign","status":"publish","type":"post","link":"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/cyber-campaign-briefs\/warezov-worm-malspam-campaign\/","title":{"rendered":"Warezov Worm Malspam Campaign"},"content":{"rendered":"

Author: Jeremy Ware<\/strong><\/h3>\n

TLP: WHITE<\/strong><\/h3>\n

 <\/p>\n

Overview<\/h3>\n

From 1 to 3 March, we observed a malspam campaign distributing the Warezov worm. Also known as Stration, Warezov is an email worm that was first seen in 2006 and is spread through EXE files sent via email.<\/p>\n

This malware was most prevalent between 2006 and 2008, with little public reporting on it since then. It is known for frequently downloading new variants of its code from remote servers.1<\/sup><\/p>\n

Infoblox last reported on a major Warezov campaign in 2019.2<\/sup> In this most recent campaign, both the body of the emails and the file names have changed but the subject line as well as the command and control (C&C) server remain the same as the campaign in 2019.<\/p>\n

Customer Impact<\/h3>\n

Warezov infects a victim\u2019s computer and incorporates it into a botnet. The malware then sends malicious emails to the victim\u2019s contacts to spread the Warezov worm. From there, the threat actor can use the infected machines to carry out additional malicious acts such as distributed denial of service (DDoS) attacks.<\/p>\n

Campaign Analysis<\/h3>\n

The campaign we observed delivered Warezov via email. The subject line and body of each message were identical (Mail server report<\/em>). The emails carried a malicious EXE attachment with a file name mimicking Microsoft Windows updates, in this case, Update-KB2840-x86.exe<\/em>.<\/p>\n

Attack Chain<\/h3>\n

Warezov presents itself to the victim as a simple mail server report. The attached EXE is labelled as an update and presents a pop-up window that says \u201cUpdate successfully installed\u201d once executed.<\/p>\n

The EXE drops an executable file named tserv.exe<\/em> and updates the AutoRun Registry to include itself. It then attempts to contact a series of valid domains as well as a C&C server.<\/p>\n

Vulnerabilities & Mitigation<\/h3>\n

Infoblox recommends the following precautions to reduce the possibility of infection by Warezov: <\/p>\n