Fake ‘Verizon Wireless Statement” themed emails lead to Black Hole Exploit Kit

On a periodic basis, cybercriminals are spamvertising malicious campaigns impersonating Verizon Wireless to tens of thousands of Verizon customers across the globe in an attempt to trick them into interacting with the fake emails. Throughout 2012, we intercepted two campaigns pretending to come from the company, followed by another campaign intercepted last month. This tactic largely relies on the life cycle of a particular campaign, intersecting with the publicly generated awareness of its maliciousness.

In this post, I’ll profile one of the most recently spamvertised campaigns impersonating Verizon Wireless. Not surprisingly, once users click on any of the links found in the malicious emails, they’re automatically exposed to the client-side exploits served by the Black Hole Exploit Kit.

More details:

Sample screenshot of the spamvertised email:

Sample spamvertised compromised URLs used in the campaign:
hxxp://www.hotstocks.ch/wp-content/themes/toolbox/vznbill.html
hxxp://www.howany.com/wp-content/uploads/vznbill.html
hxxp://www.erichpucher.at/templates/beez/vznbill.html
hxxp://www.govtjobsindia.org/wp-content/themes/skyfall/vznbill.html

Sample client-side exploits serving URL:
hxxp://participamoz.com/detects/holds_edge.php

Sample malicious payload-dropping URL:
hxxp://participamoz.com/detects/holds_edge.php?dvyy=1n:33:2v:1l:1h&coqy=3m&alr=30:33:1h:1h:1j:1j:1h:1m:1o:33&qds=1n:1d:1f:1d:1f:1d:1j:1k:1l

Sample client-side exploits served: CVE-2010-0188

Malicious domain name reconnaissance:
participamoz.com – 173.251.62.46; 161.200.156.200 – Email: dort.dort@live.com
Name Server: NS1.THEREGISTARS.COM – 31.170.106.17 – Email: lockwr@rocketmail.com
Name Server: NS2.THEREGISTARS.COM – 67.15.223.219 – Email: lockwr@rocketmail.com

We’ve already seen the same email address (lockwr@rocketmail.com) used in the following previously profiled campaign “Fake ‘You’ve blocked/disabled your Facebook account’ themed emails serve client-side exploits and malware“, indicating that they’ve been launched by the same malicious party.

The following malicious domains also respond to 161.200.156.200 and are part of the campaign’s infrastructure:
prosctermobile.com
aftandilosmacerati.com
pardontemabelos.com

Upon successful client-side exploitation, the campaign drops MD5: 4377dcc591f87cc24e75f8c69a2a7f8f – detected by 8 out of 46 antivirus scanners as UDS:DangerousObject.Multi.Generic.

Once executed, the sample creates the following process on the affected hosts:
C:Documents and Settings<USER>Application DataKeahatiomx.exe

It also creates the following Mutexes:
Global{CB561546-E774-D5EA-8F92-61FCBA8C42EE}
Local{744F300D-C23F-6AF3-8F92-61FCBA8C42EE}
Global{4F0B47EA-B5D8-51B7-0508-B06D3016937F}
Global{4F0B47EA-B5D8-51B7-7509-B06D4017937F}
Global{4F0B47EA-B5D8-51B7-490A-B06D7C14937F}
Global{4F0B47EA-B5D8-51B7-610A-B06D5414937F}
Global{4F0B47EA-B5D8-51B7-8D0A-B06DB814937F}
Global{4F0B47EA-B5D8-51B7-990A-B06DAC14937F}
Global{4F0B47EA-B5D8-51B7-390B-B06D0C15937F}
Global{4F0B47EA-B5D8-51B7-650B-B06D5015937F}
Global{4F0B47EA-B5D8-51B7-B90B-B06D8C15937F}
Global{4F0B47EA-B5D8-51B7-150C-B06D2012937F}
Global{4F0B47EA-B5D8-51B7-4D0C-B06D7812937F}
Global{4F0B47EA-B5D8-51B7-810C-B06DB412937F}
Global{4F0B47EA-B5D8-51B7-B90D-B06D8C13937F}
Global{4F0B47EA-B5D8-51B7-2D0E-B06D1810937F}
Global{4F0B47EA-B5D8-51B7-650E-B06D5010937F}
Global{4F0B47EA-B5D8-51B7-F508-B06DC016937F}
Global{4F0B47EA-B5D8-51B7-E90B-B06DDC15937F}
Global{4F0B47EA-B5D8-51B7-ED0C-B06DD812937F}
Global{4F0B47EA-B5D8-51B7-AD0E-B06D9810937F}
Global{4F0B47EA-B5D8-51B7-9D09-B06DA817937F}
Global{5E370004-F236-408B-8F92-61FCBA8C42EE}
Global{4F0B47EA-B5D8-51B7-990F-B06DAC11937F}
Global{EEE5022F-F01D-F059-8F92-61FCBA8C42EE}
Global{38E3341C-C62E-265F-8F92-61FCBA8C42EE}
Global{340FE32E-111C-2AB3-8F92-61FCBA8C42EE}
Global{340FE329-111B-2AB3-8F92-61FCBA8C42EE}
Local{55E9553D-A70F-4B55-8F92-61FCBA8C42EE}
Local{55E9553C-A70E-4B55-8F92-61FCBA8C42EE}

The following Registry Keys:
REGISTRYUSERS-1-5-21-299502267-926492609-1801674531-500SoftwareMicrosoftUveku
REGISTRYUSERS-1-5-21-299502267-926492609-1801674531-500SoftwareMicrosoftWABWAB4Wab File Name
REGISTRYUSERS-1-5-21-299502267-926492609-1801674531-500SoftwareMicrosoftWAB
REGISTRYUSERS-1-5-21-299502267-926492609-1801674531-500SoftwareMicrosoftWABWAB4
REGISTRYUSERS-1-5-21-299502267-926492609-1801674531-500SoftwareMicrosoftWABWAB4Wab File Name
REGISTRYMACHINESYSTEMCurrentControlSetServicesSharedAccessParametersFirewallPolicyStandardProfileGloballyOpenPortsList
REGISTRYMACHINESYSTEMControlSet001ServicesSharedAccessParametersFirewallPolicyStandardProfile
REGISTRYMACHINESYSTEMControlSet001ServicesSharedAccessParametersFirewallPolicyStandardProfileGloballyOpenPorts

It then attempts to phone back to the following IPs:
110.143.183.104
24.120.165.58
110.143.183.104
75.80.49.248
71.42.56.253
94.65.0.48
98.16.107.213
190.198.30.168
76.193.173.205
71.43.217.3
66.229.110.89
101.162.73.132
94.68.49.208
64.219.121.189
99.122.152.158
80.252.59.142
108.211.64.46
69.39.74.6
91.99.146.167
187.131.70.221
76.202.211.184
168.93.99.82
122.60.136.168
213.105.24.171
122.60.136.168
84.72.243.231
79.56.80.211

Webroot SecureAnywhere users are proactively protected from this threat.

You can find more about Dancho Danchev at his LinkedIn Profile. You can also follow him on  Twitter.

About the Author

Blog Staff

The Webroot blog offers expert insights and analysis into the latest cybersecurity trends. Whether you’re a home or business user, we’re dedicated to giving you the awareness and knowledge needed to stay ahead of today’s cyber threats.