Over the past week, a cybercriminal/gang of cybercriminals whose activities we’ve been actively profiling over a significant period of time, launched two separate massive spam campaigns, this time impersonating the Better Business Bureau (BBB), in an attempt to trick users into thinking that their BBB accreditation has been terminated.
Once users click on any of the links found in the malicious emails, they’re automatically exposed to the client-side exploits served by the Black Hole Exploit Kit.
More details:
Sample screenshot of the first BBB themed spamvertised campaign:
Sample screenshot of the second BBB themed spamvertised campaign:
Sample spamvertised compromised URLs:
hxxp://paltashaco.com/templates/beez/bbb_termacr.html
hxxp://ogr.kuzstu.ru/templates/beez/bbb_termacr.html
hxxp://proba.ts6.ru/templates/beez/bbb_termacr.html
hxxp://bpconstructores.com/templates/beez/bbb_termacr.html
hxxp://mozyrproject.by/templates/beez/bbb_termacr.html
hxxp://bpconstructores.com/templates/beez/bbb_termacr.html
hxxp://bz-soft.com.ua/templates/beez/bbb_termacr.html
hxxp://www.texasspec.com/abortd_bbb.html
hxxp://www.thecrusaders.co.nz/abortd_bbb.html
Sample client-side exploits serving URLs: hxxp://bbb-complaint.org/kill/establishment-wide_causes-widest.php; hxxp://bbb-accredited.net/kill/enjoy-laws-partially-unwanted.php
Sample malicious payload dropping URL: hxxp://bbb-complaint.org/kill/establishment-wide_causes-widest.php?dkcj=1n:33:2v:1l:1h&abqiksds=3i&rfquxhnq=32:2v:1k:30:1n:1h:33:1o:2v:32&vkcakj=1n:1d:1f:1d:1f:1d:1j:1k:1l
Malicious domain names reconnaissance:
bbb-complaint.org – 63.141.224.171; 149.154.68.214; 155.239.247.247 – Email: gonumina1@dbzmail.com
Name Server: NS1.STREETCRY.NET – 93.186.171.133 – Email: webclipradio@aol.com
Name Server: NS2.STREETCRY.NET – 15.214.13.118 – Email: webclipradio@aol.com
bbb-accredited.net – not responding
Responding to 149.154.68.214 are also the following malicious domains:
fab73.ru
misharauto.ru
secureaction120.com – 149.154.68.214; 155.239.247.247; 141.0.176.234 – Email: markovochn@yandex.ru
secureaction150.com – 149.154.68.214; 155.239.247.247; 141.0.176.234 – Email: markovochn@yandex.ru
iberiti.com – 149.154.68.214; 155.239.247.247; 141.0.176.234 – Email: biedermann@iberiti.com
notsk.com – 149.154.68.214; 155.239.247.247; 141.0.176.234 – Email: jenifer@notsk.com
metalcrew.net – 149.154.68.214; 155.239.247.247; 141.0.176.234 – Email: heffner@metalcrew.net
roadix.net – 149.154.68.214; 155.239.247.247; 141.0.176.234 – Email: marunga@roadix.net
gatovskiedelishki.ru – 149.154.68.214; 155.239.247.247; 141.0.176.234
conbicormiks.ru
Name servers used in the campaign:
Name Server: NS1.STREETCRY.NET – 93.186.171.133 – Email: webclipradio@aol.com
Name Server: NS2.STREETCRY.NET – 15.214.13.118 – Email: webclipradio@aol.com
Name Server: NS1.E-ELEVES.NET – 173.208.88.196
Name Server: NS1.E-ELEVES.NET – 43.109.79.23
Name Server: NS1.LETSGOFIT.NET – 173.208.88.196 – Email: weryrebel@live.com
Name Server: NS1.LETSGOFIT.NET – 11.3.51.158 – Email: weryrebel@live.com
Name Server: NS1.BLACKRAGNAROK.NET – 209.140.18.37 – Email: onetoo@gmx.com
Name Server: NS2.BLACKRAGNAROK.NET – 6.20.13.25 – Email: onetoo@gmx.com
Name Server: NS1.OUTBOUNDUK.NET
Name Server: NS2.OUTBOUNDUK.NET
Not surprisingly, we’ve already seen the onetoo@gmx.com email in the following previously profiled malicious campaign – “Malicious ‘Data Processing Service’ ACH File ID themed emails serve client-side exploits and malware“.
Upon successful client-side exploitation, a sampled campaign drops: MD5: 126a104f260cb0059b901c6a23767d76 – detected by 19 out of 46 antivirus scanners as
Worm:Win32/Cridex.E
Once executed, the sample stores the following modified files:
C:Documents and SettingsAdministratorApplication DataKB00635017.exe
C:DOCUME~1ADMINI~1LOCALS~1Tempexp8.tmp.bat
C:Documents and SettingsAdministratorLocal SettingsTemporary Internet FilesContent.IE589OC5JKA2MB9vCAAAA[1].txt
C:DOCUME~1ADMINI~1LOCALS~1Tempexp9.tmp.exe
C:Documents and SettingsAdministratorApplication Data9CC207909CC20790
C:DOCUME~1ADMINI~1LOCALS~1TempexpA.tmp.exe
C:Documents and SettingsAdministratorApplication Data9CC207909CC20790
C:Documents and SettingsAdministratorLocal SettingsTemporary Internet FilesContent.IE589OC5JKA2MB9vCAAAA[1].txt
C:Documents and SettingsAdministratorLocal SettingsTemporary Internet FilesContent.IE589OC5JKA2MB9vCAAAA[2].txt
C:Documents and SettingsAdministratorApplication DataKB00635017.exe
C:DOCUME~1ADMINI~1LOCALS~1TempexpB.tmp.bat
It also creates the following Registry Keys:
HKEY_CURRENT_USERSoftwareMicrosoftWindows NTCFBDC89D4
HKEY_CURRENT_USERSoftwareMicrosoftWindows NTS25BC2D7B
And the following Registry Value:
[HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun] -> KB00121600.exe = “”%AppData%KB00121600.exe””
It then creates the following Mutexes:
LocalXMM000003F8
LocalXMI000003F8
LocalXMRFB119394
LocalXMM000005D4
LocalXMI000005D4
LocalXMM000005E8
LocalXMI000005E8
LocalXMM000000C8
LocalXMI000000C8
LocalXMM0000014C
LocalXMI0000014C
And phones back to the following command and control (C&C) servers:
213.214.74.5:8080/AJtw/UCyqrDAA/Ud+asDAA/
194.97.99.120/J9/vp//EGa+AAAAAA/2MB9vCAAAA/
109.168.106.162/J9/vp//EGa+AAAAAA/2MB9vCAAAA/
203.114.112.156/asp/intro.php
We’ve already seen 213.214.74.5 in the following previously profiled malicious campaign -‘Your Kindle e-book Amazon receipt’ themed emails lead to Black Hole Exploit Kit“. As well as 203.114.112.156, seen in the following assessment “Fake ‘You’ve blocked/disabled your Facebook account’ themed emails serve client-side exploits and malware“.
As for the pseudo-random characters used in the C&C communication (UCyqrDAA/Ud+asDAA/), we’ve also seen them in the following previously profiled campaigns, indicating that these campaigns have been launched by the same cybercriminal/gang of cybercriminals.
- ‘Your Discover Card Services Blockaded’ themed emails serve client-side exploits and malware
- Malicious ‘Sendspace File Delivery Notifications’ lead to Black Hole Exploit Kit
- ‘Please confirm your U.S Airways online registration’ themed emails lead to Black Hole Exploit Kit
- Fake ‘Citi Account Alert’ themed emails lead to Black Hole Exploit Kit
- Fake ‘You’ve blocked/disabled your Facebook account’ themed emails serve client-side exploits and malware
- Fake Intuit ‘Direct Deposit Service Informer’ themed emails lead to Black Hole Exploit Kit
- Multiple ‘Inter-company’ invoice themed campaigns serve malware and client-side exploits
Webroot SecureAnywhere users are proactively protected from this threat.
You can find more about Dancho Danchev at his LinkedIn Profile. You can also follow him on Twitter.
