By Dancho Danchev
Kindle users, watch what you click on!
Cybercriminals are currently mass mailing tens of thousands of fake Amazon “You Kindle E-Book Order” themed emails in an attempt to trick Kindle users into clicking on the malicious links found in these messages. Once they do so, they’ll be automatically exposed to the client-side exploits served by the Black Hole Exploit Kit, ultimately joining the botnet operated by the cybercriminal/cybercriminals that launched the campaign.
More details:
Sample screenshot of the spamvertised email:
Sample spamvertised URLs participating in the campaign:
hxxp://sombranomada.info/amazonzon.html
hxxp://minskcar.by/amazonzon.html
hxxp://mariamadredelaiglesia.cl/amazonzon.html
hxxp://myataworld.com/amazonzon.html
hxxp://apel-institut.org/amazonzon.html
hxxp://wordofmouthbali.com/amazonzon.html
MD5 for the Java exploit: MD5: c9bc87eef8db72f64bac0a72f82b04cf – detected by 5 out of 46 antivirus scanners as HEUR:Exploit.Java.CVE-2012-0507.gen
MD5 for the PDF exploit: MD5: 53c90140fde593713efe6298547ff205 – detected by 26 out of 46 antivirus scanners as Exploit:Win32/CVE-2010-0188
Upon successful client-side exploitation, the campaign drops MD5: 330ad00466bd44a5fb2786f0f5e2d0da – detected by 3 out of 45 antivirus scanners as Trojan.Win32.Reveton.a (v).
Once executed, the sample creates the following files on the affected hosts:
C:Documents and SettingsUserApplication DataKB00776902.exe
C:DOCUME~1UserLOCALS~1Tempexp3.tmp
C:DOCUME~1UserLOCALS~1Tempexp3.tmp.bat
Drops MD5: 6104fb43f2dbe10d254b395a05704428
It also creates the following Mutexes:
LocalXMM000001A4
LocalXMI000001A4
LocalXMM00000558
LocalXMI00000558
LocalXMM00000580
LocalXMI00000580
LocalXMM000004EC
LocalXMI000004EC
LocalXMM000004F0
LocalXMI000004F0
It then phones back to:
85.214.143.90
130.79.80.40
213.199.201.180
46.51.189.229
91.121.30.185
89.110.148.213
81.17.22.14
88.119.156.20
161.53.184.3
94.23.6.95
88.191.130.98/J9/vp/EGa+AAAAAA/2MB9vCAAAA
More malware samples are known to have phoned back to the same IPs. For instance:
MD5: a86d0929b7baf1839f8f6ef19a1a9ffa
MD5: df9d41114a2d54f2d0770392ab06dddc
MD5: d2d98755969029c47ed81a2a2efbc147
MD5: 22789f547eced1982aab80fb7549dfea
MD5: f9696cd9637cbc3d029ef63fa22b35a3
MD5: 77cdee1f4e57836b74ab827ad23d88b3
MD5: abe3a0bbed3abbd496b6b015509e0033
MD5: 617657758f30d7bd7e5db52f3133b6dc
MD5: 83d834514b498417097c3ae1d34cee6c
MD5: 4c362a47a0b72280c0b061588a50e1e1
MD5: 575434edfc538a62ac1fcde2a7250fac
MD5: a1e1242dac7cd5245b8ffa4125186ef5
MD5: 8899155ae4a7b4ffe9ebe2d89cea0ae4
MD5: 60fd9d820a01343182ac51b57f21d291
Webroot SecureAnywhere users are proactively protected from these threats.
You can find more about Dancho Danchev at his LinkedIn Profile. You can also follow him on Twitter.