Older malware can still pose a threat, as FortiGuard Labs documents a renewed MyDoom campaign that uses aged tools in new phishing lures and C2 techniques. The campaign deploys UPX-packed payloads, masquerades as legitimate Windows processes, and relies on rotating domain-based C2 over port 1042, with Fortinet providing detections and protections. #MyDoom #Novarg #Mimail #Windows #UPX #KazaaLite #golfasian
Key points
- The MyDoom worm (also known as Novarg and Mimail) remains active years after its 2004 discovery, reappearing in fresh infection campaigns.
- The typical phishing email references delivery errors or testing, with an attachment that may be the MyDoom executable (potentially zipped).
- Attachments are often disguised by Windows extensions and packed with UPX to compress and hinder analysis.
- On execution, the malware attempts to modify Windows firewall settings and copies itself to the Temp folder, renaming itself to lsass.exe to blend in.
- MyDoom rotates through multiple C2 domains and communicates over port 1042, using domain-based C2 approaches for command and control.
- It also drops multiple versions of itself in the Program Files\Common Files\Microsoft Shared folder and masquerades as obsolete apps (e.g., Kazaa Lite, Winamp variants).
- Fortinet protections (FortiGuard, FortiMail, FortiClient, FortiEDR) detect and block the campaign, and Fortinet provides a list of IOCs and detection signatures (e.g., W32/MyDoom.M@mm, W32/Mydoom.E!tr).
MITRE Techniques
- [T1566.001] Phishing: Spearphishing Attachment – The typical MyDoom phishing e-mail contains subjects referencing a delivery error or testing. Email headers contain a rejection reason and a custom “Content-Type”. There is also an attachment that may or may not be zipped. This attachment (unless zipped) is the MyDoom executable.
- [T1027] Obfuscated/Compressed Files and Information – The MyDoom executables attached to its phishing e-mails have an extension hidden by default by most Windows deployments… packed using the UPX (Ultimate Packer for Executables) packer; UPX is used to compress and hinder analysis.
- [T1036] Masquerading – It renames itself after now very old and obsolete applications (e.g., Kazaa Lite), with a random name or phrase appended, and places copies in the Program Files\Common Files\Microsoft Shared folder.
- [T1562.004] Impair Defenses: Modify System Firewall – An attempt to alter the Windows firewall settings is made to permit outbound communication.
- [T1071] Application Layer Protocol – MyDoom communicates over port 1042 to both send and receive and rotates through a number of possible C2 domains to locate an active one.
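A defender-side check for the host and network behaviours summarized above (an lsass.exe running outside System32, executables dropped under Common Files\Microsoft Shared with obsolete-app names, and outbound connections on port 1042), written as an added example that is not part of Fortinet's report. It runs over a few constructed Sysmon-style records; the record field names, the legitimate lsass.exe location, and the severity scheme are assumptions, and the IP addresses are the sample C2 endpoints listed in the report's IOCs.

```python
"""Detection rules for the MyDoom behaviours described in the summary.
Added example; the event schema below is hypothetical, not a Fortinet format."""
import ntpath
import re

# Constructed sample telemetry (process creations, file writes, network
# connections). Field names are assumptions for this example.
SAMPLE_EVENTS = [
    {"type": "process", "pid": 704, "image": r"C:\Windows\System32\lsass.exe"},
    {"type": "process", "pid": 4120, "image": r"C:\Users\alice\AppData\Local\Temp\lsass.exe"},
    {"type": "file_write", "path": r"C:\Program Files\Common Files\Microsoft Shared\KazaaLite_c1a9.exe"},
    {"type": "file_write", "path": r"C:\Program Files\Common Files\Microsoft Shared\ink\tabtip.dll"},
    {"type": "network", "pid": 4120, "direction": "outbound", "dst_ip": "15.244.197.9", "dst_port": 1042},
    {"type": "network", "pid": 888, "direction": "outbound", "dst_ip": "10.0.0.5", "dst_port": 443},
    {"type": "network", "pid": 4120, "direction": "outbound", "dst_ip": "141.240.203.6", "dst_port": 1042},
]

# Assumed legitimate home of lsass.exe on a default install.
LEGIT_LSASS_DIR = ntpath.normcase(r"C:\Windows\System32")
# Directory the summary names as the drop location (normcase lowercases and
# normalises separators so comparisons are case-insensitive).
MASQUERADE_DIR = ntpath.normcase(r"\Common Files\Microsoft Shared")
# Obsolete application names the summary says MyDoom imitates.
MASQUERADE_NAMES = re.compile(r"kazaa|winamp", re.IGNORECASE)
C2_PORT = 1042


def finding(rule, severity, event, note):
    """Uniform result record so the rules can be correlated afterwards."""
    return {"rule": rule, "severity": severity, "event": event, "note": note}


def detect_lsass_masquerade(event):
    """Flag a process named lsass.exe whose image is not in System32."""
    if event.get("type") != "process":
        return None
    image = event["image"]
    if ntpath.normcase(ntpath.basename(image)) != "lsass.exe":
        return None
    if ntpath.normcase(ntpath.dirname(image)) == LEGIT_LSASS_DIR:
        return None
    return finding("lsass_outside_system32", "high", event,
                   f"lsass.exe launched from {ntpath.dirname(image)}")


def detect_masquerade_drop(event):
    """Flag an executable dropped under Common Files\\Microsoft Shared whose
    name imitates an obsolete application (random suffix tolerated)."""
    if event.get("type") != "file_write":
        return None
    path = ntpath.normcase(event["path"])
    name = ntpath.basename(path)
    if MASQUERADE_DIR not in path or not name.endswith(".exe"):
        return None
    if not MASQUERADE_NAMES.search(name):
        return None
    return finding("masquerade_drop", "medium", event, f"suspicious drop {event['path']}")


def detect_port_1042_c2(event):
    """Flag outbound connections on the C2 port the summary reports."""
    if event.get("type") != "network" or event.get("direction") != "outbound":
        return None
    if event.get("dst_port") != C2_PORT:
        return None
    return finding("c2_port_1042", "medium", event,
                   f"outbound TCP/{C2_PORT} to {event['dst_ip']}")


RULES = (detect_lsass_masquerade, detect_masquerade_drop, detect_port_1042_c2)


def run_detections(events):
    """Apply every rule to every event, then escalate port-1042 traffic that
    comes from a process already flagged as a masquerading lsass.exe."""
    findings = [f for ev in events for f in (rule(ev) for rule in RULES) if f]
    flagged_pids = {f["event"]["pid"] for f in findings
                    if f["rule"] == "lsass_outside_system32"}
    for f in findings:
        if f["rule"] == "c2_port_1042" and f["event"].get("pid") in flagged_pids:
            f["severity"] = "high"
            f["note"] += " (from masquerading lsass.exe)"
    return findings


if __name__ == "__main__":
    for f in run_detections(SAMPLE_EVENTS):
        print(f"[{f['severity']:6}] {f['rule']}: {f['note']}")
```

Port 1042 alone is a weak signal on a busy network, which is why the example only raises severity when the connecting process is the same one already caught running lsass.exe from a non-system directory; in a real deployment the rules would also consult the report's domain and hash IOCs.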
Indicators of Compromise
- [File] 5a6c1929f55baff2e786336c07f02c5d13194ff765073dcdfcae1b0cb53da5bc – Context: SHA256 corresponding to a MyDoom payload sample (attached in IOCs).
- [File] 1b1e2421dc3d96a8b9dd58d9cc74730c966250df7c33a1e0df50d983e674b7bc – Context: SHA256 for another sample in the IOCs.
- [File] [email protected], [email protected] – Context: Filenames listed in the IOCs associated with the campaign.
- [Domain] golfasian.com – Context: Domain appearing in the network IOCs.
- [Network] 15.244.197.9:1042, 141.240.203.6:1042 – Context: Sample C2 endpoints used by the campaign.