Cybercriminals are currently spamvertising tens of thousands of malicious emails impersonating BBC News, in an attempt to trick users into thinking that someone has shared a Cyprus bailout themed news item with them. Once users click on any of the links found in the fake emails, they’re automatically exposed to the client-side exploits served by the Black Hole Exploit Kit.
More details:
Sample screenshot of the fake BBC News email:
Sample spamvertised compromised URLs:
hxxp://templarioscorp.net/cyprus_bail.html
hxxp://web-bsc.ru/cyprus_bail.html
hxxp://www.photoshopbus.co.uk/cyprus_bail.html
hxxp://woorifiction.com/cyprus_bail.html
Sample client-side exploit-serving URL: hxxp://crackedserverz.com/kill/larger_emergency.php – 155.239.247.247; 109.74.61.59; 24.111.157.113; 58.26.233.175 – Email: tellecomvideo1@gmx.us
Sample malicious payload dropping URL: hxxp://crackedserverz.com/kill/larger_emergency.php?pcxbri=1n:33:2v:1l:1h&cxqsgrdy=36&otxvafna=2v:1l:30:1n:1m:1m:30:1g:2v:1f&vtkwoiq=1n:1d:1f:1d:1f:1d:1j:1k:1l
Upon successful client-side exploitation the campaign drops MD5: 1d4aaaf4ae7bfdb0d9936cd71ea717b2 – detected by 23 out of 45 antivirus scanners as Spyware/Win32.Zbot.
Once executed, the sample creates or modifies the following files on the affected host:
C:\Documents and Settings\Administrator\Application Data\KB00635017.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\expF.tmp.bat
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\89OC5JKA\2MB9vCAAAA[1].txt
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\exp10.tmp.exe
C:\Documents and Settings\Administrator\Application Data\9CC207909CC20790
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\exp11.tmp.exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\89OC5JKA\2MB9vCAAAA[2].txt
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\exp12.tmp.bat
Creates the following Mutexes:
Local\XMM000006D4
Local\XMM00000260
Local\XMQ426FB97F
Local\XMI0000027C
Local\XMM00000520
Local\XMM0000040C
Local\XMM00000360
It also creates the following Registry Keys:
\REGISTRY\USER\S-1-5-21-299502267-926492609-1801674531-500\Software\Microsoft\Windows NT\S9CC20790
\REGISTRY\USER\S-1-5-21-299502267-926492609-1801674531-500\Software\Microsoft\Windows NT\CBA6D3F36
\REGISTRY\USER\S-1-5-21-299502267-926492609-1801674531-500\Software\WinRAR
It then phones back to the following C&C servers:
202.29.5.195/J9/vp//EGa+AAAAAA/2MB9vCAAAA/
188.93.208.130/J9/vp//EGa+AAAAAA/2MB9vCAAAA/
203.113.98.131/asp/intro.php
We’ve seen 202.29.5.195 in the previously profiled malicious campaign “Cybercriminals resume spamvertising ‘Re: Fwd: Wire Transfer’ themed emails, serve client-side exploits and malware”. We’ve also seen 203.113.98.131 in the assessment “Spamvertised ‘US Airways reservation confirmation’ themed emails serve exploits and malware”.
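For readers who want to turn the indicators above into something they can run against their own web-proxy logs, here is an added Python example (not part of the original post and not Webroot's tooling). It quotes the lure, exploit-kit and C&C URLs from this post, normalises the defanged hxxp:// form, and classifies each request by stage in the infection chain. Two points it illustrates that the raw list does not: the payload URL is the exploit-kit URL plus a long query string, so the two are told apart by the presence of a query; and because the same path (/cyprus_bail.html, /kill/larger_emergency.php, the Zbot gate path) was served from several hosts and IPs, a path-only fallback match catches infrastructure that rotated after the post was written, at lower confidence. The log format, the sample log lines and the stage names are constructed for the illustration; the generic path /asp/intro.php is deliberately excluded from path-only matching because it would fire on unrelated sites.

```python
"""Proxy-log detection built from the indicators in the post above.
Added example: IOC values are quoted from the post; the log format, sample
lines and stage names are constructed for this illustration."""
import re
from urllib.parse import urlsplit

# Indicators quoted from the post (kept in their defanged hxxp:// form).
LURE_URLS = [
    "hxxp://templarioscorp.net/cyprus_bail.html",
    "hxxp://web-bsc.ru/cyprus_bail.html",
    "hxxp://www.photoshopbus.co.uk/cyprus_bail.html",
    "hxxp://woorifiction.com/cyprus_bail.html",
]
EXPLOIT_KIT_URL = "hxxp://crackedserverz.com/kill/larger_emergency.php"
EXPLOIT_KIT_IPS = {"155.239.247.247", "109.74.61.59", "24.111.157.113", "58.26.233.175"}
CNC_URLS = [
    "202.29.5.195/J9/vp//EGa+AAAAAA/2MB9vCAAAA/",
    "188.93.208.130/J9/vp//EGa+AAAAAA/2MB9vCAAAA/",
    "203.113.98.131/asp/intro.php",
]
# Paths too generic to match on their own (would fire on unrelated sites).
TOO_GENERIC_FOR_PATH_MATCH = {"/asp/intro.php"}


def refang(url: str) -> str:
    """Undo hxxp[s]:// defanging and add a scheme to bare host/path indicators
    (the C&C entries above have none) so urlsplit can parse them."""
    url = re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.IGNORECASE)
    if "://" not in url:
        url = "http://" + url
    return url


def split_url(url: str):
    """Return (host, path, query) with the host lower-cased."""
    p = urlsplit(refang(url))
    return (p.hostname or "").lower(), p.path, p.query


# Two lookups: exact host+path for high-confidence hits, and path-only so a new
# compromised host serving the same lure page, or a new IP fronting the same
# kit or C&C path, is still caught (weaker evidence, reported as such).
EXACT = {}
PATH_ONLY = {}
for _stage, _urls in (("lure", LURE_URLS), ("exploit_kit", [EXPLOIT_KIT_URL]), ("cnc", CNC_URLS)):
    for _u in _urls:
        _host, _path, _ = split_url(_u)
        EXACT[(_host, _path)] = _stage
        if _path not in TOO_GENERIC_FOR_PATH_MATCH:
            PATH_ONLY[_path] = _stage


def classify_url(url: str):
    """Return (stage, confidence) for a URL, or None if it matches nothing.
    The payload URL in the post is the exploit-kit URL plus a long query
    string, so a hit on that path carrying a query is reported as 'payload'."""
    host, path, query = split_url(url)
    if host in EXPLOIT_KIT_IPS:
        return "exploit_kit", "ip"
    stage, confidence = EXACT.get((host, path)), "exact"
    if stage is None:
        stage, confidence = PATH_ONLY.get(path), "path_only"
    if stage is None:
        return None
    if stage == "exploit_kit" and query:
        stage = "payload"
    return stage, confidence


def scan_proxy_log(lines):
    """Return [(client_ip, url, stage, confidence), ...] for every matching
    line of a simple 'timestamp client_ip method url status' proxy log."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 5:
            continue  # malformed or truncated line; skip rather than guess
        client, url = parts[1], parts[3]
        result = classify_url(url)
        if result:
            hits.append((client, url) + result)
    return hits


# Constructed sample log (not from the post): one client walks the whole chain
# from lure to C&C, a second reaches the kit via a bare IP, a third hits an
# unlisted host serving the same lure page, plus some benign traffic.
SAMPLE_LOG = """\
1363789201 10.0.0.17 GET http://www.photoshopbus.co.uk/cyprus_bail.html 200
1363789202 10.0.0.17 GET http://crackedserverz.com/kill/larger_emergency.php 200
1363789205 10.0.0.17 GET http://crackedserverz.com/kill/larger_emergency.php?pcxbri=1n:33:2v:1l:1h&cxqsgrdy=36 200
1363789240 10.0.0.17 POST http://202.29.5.195/J9/vp//EGa+AAAAAA/2MB9vCAAAA/ 200
1363789300 10.0.0.23 GET http://example.org/news/cyprus-bailout 200
1363789310 10.0.0.23 GET http://109.74.61.59/kill/larger_emergency.php 200
1363789320 10.0.0.41 GET http://lure-host.example/cyprus_bail.html 200
""".splitlines()

if __name__ == "__main__":
    for client, url, stage, confidence in scan_proxy_log(SAMPLE_LOG):
        print(f"{client:<12} {stage:<12} {confidence:<10} {url}")
```

Run as-is it prints six hits: the 10.0.0.17 client at all four stages, 10.0.0.23 reaching the kit by IP, and 10.0.0.41 flagged at path_only confidence for an unlisted host. A client seen at the cnc stage should be treated as infected regardless of whether the earlier stages were logged, since the Zbot check-in is the only part of the chain that repeats.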
Webroot SecureAnywhere users are proactively protected from this threat.
You can find more about Dancho Danchev at his LinkedIn Profile. You can also follow him on Twitter.