Over the last couple of days, a cybercricriminal/gang of cybercriminals that we’ve been extensively profiling, resumed spamvertising tens of thousands of emails, in an attempt to trick users that they have a pending wire transfer. Once users click on any of the links found in the malicious emails, they’re exposed to the client-side exploits served by the Black Hole Exploit Kit.
More details:
Sample screenshot of the spamvertised email:
Sample compromised spamvertised URLs:
hxxp://afdoor.com/loading.htm
hxxp://directproducts.co.zw/loading.htm
hxxp://deto.es/loading.htm
hxxp://sulfilmmga.com.br/loading.htm
hxxp://redboxi.com/loading.htm
hxxp://sulfilmmga.com.br/loading.htm
hxxp://misann.es.kr/loading.htm
Sample client-side exploits serving URL: hxxp://gimikalno.ru:8080/forum/links/column.php
Sample malicious payload dropping URL: hxxp://gimikalno.ru:8080/forum/links/column.php?hf=2w:1l:1l:2v:1f&ye=2v:1k:1m:32:33:1k:1k:31:1j:1o&s=1k&td=r&xj=f
Upon successful client-side exploitation, the campaign drops MD5: 93a104caf7b01de69614498de5cf870a – detected by 2 out of 45 antivirus scanners as Trojan.FakeMS
Once executed, the sample creates the following files on the affected hosts:
C:Documents and SettingsAdministratorApplication DataKB00635017.exe
C:DOCUME~1ADMINI~1LOCALS~1Tempexp8.tmp.bat
C:Documents and SettingsAdministratorLocal SettingsTemporary Internet FilesContent.IE589OC5JKA2MB9vCAAAA[1].txt
C:Documents and SettingsAdministratorLocal SettingsTemporary Internet FilesContent.IE589OC5JKA2MB9vCAAAA[1].txt
C:DOCUME~1ADMINI~1LOCALS~1Tempexp9.tmp.exe
C:Documents and SettingsAdministratorApplication Data9CC207909CC20790
C:DOCUME~1ADMINI~1LOCALS~1TempexpA.tmp.exe
C:Documents and SettingsAdministratorApplication Data9CC207909CC20790
C:Documents and SettingsAdministratorApplication DataKB00635017.exe
C:DOCUME~1ADMINI~1LOCALS~1TempexpB.tmp.bat
It also creates the following Registry Keys:
HKEY_CURRENT_USERSoftwareMicrosoftWindows NTCFBDC89D4
HKEY_CURRENT_USERSoftwareMicrosoftWindows NTS25BC2D7B
Sets the following Registry Values:
[HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun] -> KB00121600.exe = “”%AppData%KB00121600.exe””
It then creates the following Mutexes:
LocalXMM00000418
LocalXMI00000418
LocalXMRFB119394
LocalXMM000005E4
LocalXMI000005E4
LocalXMM0000009C
LocalXMI0000009C
LocalXMM000000C8
LocalXMI000000C8
And phones back to:
149.156.96.9/J9/vp//EGa+AAAAAA/2MB9vCAAAA/
72.251.206.90/J9/vp//EGa+AAAAAA/2MB9vCAAAA/
202.29.5.195:8080/DPNilBA/ue1elBAAAA/tlSHAAAAA/
213.214.74.5/AJtw/UCyqrDAA/Ud+asDAA/
We’ve already seen 213.214.74.5 in the following previously profiled campaigns, indicating that they’ve been launched by the same party:
- ‘Your Kindle e-book Amazon receipt’ themed emails lead to Black Hole Exploit Kit
- Spamvertised BBB ‘Your Accreditation Terminated” themed emails lead to Black Hole Exploit Kit
Malicious domain name reconnaissance:
gimikalno.ru – 66.249.23.64; 94.102.14.239; 5.9.40.136
Name Servers: ns1.gimikalno.ru 41.168.5.140
Name Servers: ns2.gimikalno.ru 110.164.58.250 (nangrong.ac.th)
Name Servers: ns3.gimikalno.ru 210.71.250.131 (tecom.com.tw)
Name Servers: ns4.gimikalno.ru 194.249.217.8 (gimnazija-tolmin1.si)
Name Servers: ns5.gimikalno.ru 72.251.206.90
Webroot SecureAnywhere users are proactively protected from this threat.
You can find more about Dancho Danchev at his LinkedIn Profile. You can also follow him on Twitter.
