In 2012, fake flight reservation confirmations and bogus E-ticket verifications were a popular social engineering theme for cybercriminals. On numerous occasions, we intercepted related campaigns attempting to trick customers into clicking on malicious links, which ultimately exposed them to the client-side exploits served by the latest version of the Black Hole Exploit Kit.
Apparently, the click-through rates for these campaigns were good enough for cybercriminals to resume spamvertising related campaigns. In this post, I’ll profile the most recently spamvertised campaign impersonating U.S Airways.
More details:
Sample screenshot of the spamvertised email:
Sample compromised URLs part of the campaign:
hxxp://sweetsw.com/templates/atomic/ticket_status.html
hxxp://toopz.com/templates/atomic/ticket_status.html
hxxp://sunshinecoasttackle.com/templates/beez/ticket_status.html
hxxp://tj-print.com/templates/atomic/ticket_status.html
hxxp://thai-tsam.com/templates/1/ticket_status.html
hxxp://thephoenixconsultingfirm.com/templates/beez/ticket_status.html
hxxp://thickdickdaddy.com/templates/atomic/ticket_status.html
hxxp://tianzhaotian2001.com/templates/atomic/ticket_status.html
hxxp://tiendatradiciones.com/templates/beez/ticket_status.html
Sample client-side exploits serving URL: hxxp://attachedsignup.pro/detects/links-neck.php
Sample malicious payload dropping URL: hxxp://attachedsignup.pro/detects/links-neck.php?rf=1l:2v:1m:32:1j&be=2w:32:2w:1i:1k:30:1g:33:31:1j&d=1f&lh=a&ri=j
Malicious domain name reconnaissance:
attachedsignup.pro – 41.215.225.202 – Email: kee_mckibben0869@macfreak.com
The same email (kee_mckibben0869@macfreak.com) was also seen in the following previously profiled malicious campaigns:
- Fake ‘You have made an Ebay purchase’ themed emails lead to client-side exploits and malware
- Cybercriminals spamvertise millions of FDIC ‘Your activity is discontinued’ themed emails, serve client-side exploits and malware
- Cybercriminals resume spamvertising ‘Payroll Account Cancelled by Intuit’ themed emails, serve client-side exploits and malware
Upon successful client-side exploitation, the campaign drops MD5: 6f51e309530f8900be935716c3015f58 – detected by 24 out of 46 antivirus scanners as Worm:Win32/Cridex.E
The executable creates the following registry entries:
HKEY_CURRENT_USERSoftwareMicrosoftWindows NTCFBDC89D4
HKEY_CURRENT_USERSoftwareMicrosoftWindows NTS25BC2D7B
As well as the following mutexes:
LocalXMM000003F8
LocalXMI000003F8
LocalXMRFB119394
LocalXMM000005E4
LocalXMI000005E4
LocalXMM0000009C
LocalXMI0000009C
LocalXMM000000C8
LocalXMI000000C8
Once executed, the sample phones back to the following C&C servers:
180.235.150.72:8080/DPNilBA/ue1elBAAAA/tlSHAAAAA/
174.143.174.136:8080/AJtw/UCyqrDAA/Ud+asDAA/
We’ve already seen the same pseudo-random C&C phone back characters used in the following previously profiled malicious campaigns:
- Malicious ‘Sendspace File Delivery Notifications’ lead to Black Hole Exploit Kit
- Cybercriminals spamvertise millions of FDIC ‘Your activity is discontinued’ themed emails, serve client-side exploits and malware
- Cybercriminals resume spamvertising ‘Payroll Account Cancelled by Intuit’ themed emails, serve client-side exploits and malware
- Spamvertised AICPA themed emails serve client-side exploits and malware
- Fake ‘Citi Account Alert’ themed emails lead to Black Hole Exploit Kit
- ‘Your Discover Card Services Blockaded’ themed emails serve client-side exploits and malware
- Multiple ‘Inter-company’ invoice themed campaigns serve malware and client-side exploits
Webroot SecureAnywhere users are proactively protected from these threats.
You can find more about Dancho Danchev at his LinkedIn Profile. You can also follow him on Twitter.
