LinkedIn users, watch what you click on!
Over the past 24 hours, cybercriminals have launched yet another massive spam campaign, impersonating LinkedIn, in an attempt to trick its users into clicking on the malicious links found in the bogus “Invitation Notification” themed emails. Once they click on the links, users are automatically exposed to the client-side exploits served by the Black Hole Exploit Kit.
More details:
Sample screenshot of the spamvertised email:
Sample spamvertised URLs used in the campaign:
hxxp://vikasprint.ru/linkedrequest.html
hxxp://img.anibook.ru/linkedrequest.html
hxxp://spitnsawdust.co.uk/linkedrequest.html
hxxp://e-infoware.com/linkedrequest.html
hxxp://mouldingname.info/linkedrequest.html
hxxp://old.mlsit.ru/linkedrequest.html
hxxp://hytfgasses.com/linkedrequest.html
hxxp://dommotorov.ru/linkedrequest.html
hxxp://mislite.ru/linkedrequest.html
hxxp://img.anibook.ru/linkedrequest.html
hxxp://arabellatravel.ru/linkedrequest.html
hxxp://oldfinco.autolb.ru/linkedrequest.html
Sample client-side exploits serving URLs, all of them responding to 222.238.109.66:
hxxp://euronotedetector.net/detects/updated_led-concerns.php
hxxp://kendallvile.com/detects/exceptions_authority_distance_disturbing.php – Email: fxfoto@hotmail.com
hxxp://prepadav.com/detects/region_applied-depending.php – Email: bannerpick45@yahoo.com
hxxp://shininghill.net/detects/solved-surely-considerable.php – Email: fxfoto@hotmail.com
hxxp://teamrobotmusic.net/detects/bits_remember_confident.php
Responding to the same IP are also the following malicious domains, part of the campaign’s infrastructure:
seoseoonwe.com
alphabeticalwin.com
ehadnedrlop.com
bestwesttest.com
masterseoprodnew.com
cocolspottersqwery.com
africanbeat.net
Name servers used by these malicious domains:
Name server: ns1.http-page.net – 31.170.106.17 – Email: ezvalue@yahoo.com
Name server: ns2.http-page.net – 7.129.51.158 – Email: ezvalue@yahoo.com
Name Server: ns1.high-grades.com – 208.117.43.145
Name Server: ns2.high-grades.com – 92.121.9.25
Sample malicious payload dropping URL:
hxxp://shininghill.net/detects/solved-surely-considerable.php?vf=1o:31:1h:1l:2w&fe=33:1o:1g:1l:1m:1k:2v:1l:1o:32&n=1f&dw=w&qs=p
Upon successful client-side exploitation, the campaign drops MD5: fdc05614f56aca9421271887c1937f51 – detected by 30 out of 44 antivirus scanners as Trojan-Spy.Win32.Zbot.ihgm.
Upon execution, the same creates the following process on the affected hosts:
%AppData%Bytaayjdoly.exe
The following registry keys:
HKEY_CURRENT_USERSoftwareMicrosoftRekime
With the following values:
[HKEY_CURRENT_USERIdentities] -> Identity Login = 0x00098053
[HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun] -> {3DFA1AE4-115C-AD7B-A6BA-A75086AF8442} = “”%AppData%Bytaayjdoly.exe
[HKEY_CURRENT_USERSoftwareMicrosoftRekime] -> 24e75bab = “la0ooHdmCjM=”; 28588825 = 0xA079AD85; 350g709 = 51 C5 79 A0 F5 4B 32 33 BC 54 E3 B8
As well as the following Mutexes:
Global{CB561546-E774-D5EA-8F92-61FCBA8C42EE}
Local{744F300D-C23F-6AF3-8F92-61FCBA8C42EE}
Global{5E9F7FDE-8DEC-4023-0508-B06D3016937F}
Global{5E9F7FDE-8DEC-4023-7109-B06D4417937F}
Global{5E9F7FDE-8DEC-4023-490A-B06D7C14937F}
Global{5E9F7FDE-8DEC-4023-610A-B06D5414937F}
Global{5E9F7FDE-8DEC-4023-8D0A-B06DB814937F}
Global{5E9F7FDE-8DEC-4023-990A-B06DAC14937F}
Global{5E9F7FDE-8DEC-4023-410B-B06D7415937F}
Global{5E9F7FDE-8DEC-4023-6D0B-B06D5815937F}
Global{5E9F7FDE-8DEC-4023-C50B-B06DF015937F}
Global{5E9F7FDE-8DEC-4023-210C-B06D1412937F}
Global{5E9F7FDE-8DEC-4023-610C-B06D5412937F}
Global{5E9F7FDE-8DEC-4023-790C-B06D4C12937F}
Global{5E9F7FDE-8DEC-4023-C90D-B06DFC13937F}
Global{5E9F7FDE-8DEC-4023-1D0E-B06D2810937F}
Global{5E9F7FDE-8DEC-4023-710E-B06D4410937F}
Global{5E9F7FDE-8DEC-4023-A108-B06D9416937F}
Global{5E9F7FDE-8DEC-4023-8D0B-B06DB815937F}
Global{5E9F7FDE-8DEC-4023-190C-B06D2C12937F}
Global{5E9F7FDE-8DEC-4023-090F-B06D3C11937F}
Global{5E9F7FDE-8DEC-4023-ED0F-B06DD811937F}
Global{5E370004-F236-408B-8F92-61FCBA8C42EE}
Global{5E9F7FDE-8DEC-4023-6D0C-B06D5812937F}
Global{EEE5022F-F01D-F059-8F92-61FCBA8C42EE}
Global{38E3341C-C62E-265F-8F92-61FCBA8C42EE}
Global{340FE32E-111C-2AB3-8F92-61FCBA8C42EE}
Global{340FE329-111B-2AB3-8F92-61FCBA8C42EE}
Local{55E9553D-A70F-4B55-8F92-61FCBA8C42EE}
Local{55E9553C-A70E-4B55-8F92-61FCBA8C42EE}
Once executed, the sample also attempts to establish multiple UDP connections with the following IPs:
177.1.100.2:11709
190.33.36.175:11404
213.109.254.122:29436
41.69.182.117:29817
64.219.114.114:13503
161.184.174.65:14545
93.177.174.72:10119
69.132.202.147:16149
Webroot SecureAnywhere users are proactively protected from these threats.
You can find more about Dancho Danchev at his LinkedIn Profile. You can also follow him on Twitter.