We’ve just intercepted a currently circulating malicious spam campaign that’s attempting to trick potential botnet victims into thinking that they’ve received a legitimate Voice Message Notification from Skype. In reality though, once socially engineered users click on the malicious link found in the bogus emails, they’re automatically exposed to the client-side exploits served by the Angler exploit kit.
More details:
Sample screenshot of the spamvertised email:
Sample exploitation chain: hxxp://crestspahh.com:80/1.html -> hxxp://merdekapalace.com/1.txt -> hxxp://www.shivammehta.com/1.txt -> hxxp://nedapardaz.com/theme/it/browser/_lzf_.php?source_pid=38896815737B1F0316DB020740&swap_src=7D&theme-lid=1
Malicious domain names reconnaissance:
crestspahh.com – 184.106.55.74
merdekapalace.com – 202.71.103.21
shivammehta.com – 181.224.129.14
nedapardaz.com – 38.69.132.17
Known to have responded to the same IP (38.69.132.17) are also the following malicious domains:
atlasexperts.com
betagroupco.com
emdadimam.ir
farahost.com
mazmaz.org
messinan.com
nedapardaz.com
partonab.com
saragolmakani.com
tcdgroup.ir
tcdgroup.org
valafan.com
ballast.ir
ebara-iran.com
mazmaz.net
mooiran.com
tadarokacc.com
tcdgroup.ir
Detection rate for a sample client-side exploit:
MD5: 48af1ab43fe4ce38c32879bd276d4319 – detected by 2 out of 50 antivirus scanners as JS/Exploit-Blacole.aj
What’s particularly interesting about this campaign is that it shares the same malicious infrastructure (redirectors) as the recently profiled Evernote themed malicious campaign (merdekapalace.com and shivammehta.com in particular). Next to the direct connection between these campaigns, which appear to have been launched by the same gang, we were also able to establish interesting related connections between the malicious infrastructure operating behind the managed spam-ready SMTP servers for rent service which we profiled back in October, 2013, as well as the Rodecap botnet.
Known to have been downloaded from the same IP (38.69.132.17) is also the following malicious MD5: a09dd5c454693a0cc9d877dff371b9fc – Worm.Win32.Cridex.pox. Here comes the interesting part, known to have phoned back to the same IP (38.69.132.17) (on 2013-07-24) is also MD5: bc445781be2960d96b9bcf5d215b1405 – betagroupco.com in particular. The same MD5 is also known to have phoned back to the related C&C, newsleter.org (Rodecap botnet), which we’ve also once observed as a related phone back C&C server used by the related malicious MD5s known to have directly communicated with the same IP (92.53.125.90), back then the responding IP for the Web site of the managed spam-ready SMTPservers for rent service.
Webroot SecureAnywhere users are proactively protected from these threats.