Cybercriminals target Twitter, spread thousands of exploits and malware serving tweets

Twitter users, beware!

Over the past several days, cybercriminals have been persistently spamvertising thousands of exploit- and malware-serving links across the most popular microblogging service. Upon clicking on the links, users are exposed to the exploits served by the Black Hole web malware exploitation kit.

What’s so special about this campaign? What’s the detection rate of the malware it drops? Where does it phone back once it’s executed? Have we seen additional malware phone back to the same command and control servers, indicating a connection between these campaigns? Let’s find out.

More details:

Screenshot of a sample automatically registered account spamvertising malicious links to thousands of Twitter users:

Besides English-speaking users, the campaign has also been targeting Russian users since July 23, 2012:

The cybercriminals behind the campaign are also using a publicly available counter to measure the success of the campaign:

The campaign currently propagates in the following way: an automatically generated subdomain is spamvertised with an .html link whose file name is the Twitter username of the prospective victim. The cybercriminals behind the campaign harvest Twitter usernames, then automatically generate the username.html files. For the time being, they rely on only two static propagation messages, namely “It’s about уou?” and “It’s уou оn photo?”.

Sample malicious URLs spamvertised across Twitter using multiple automatically registered accounts:
hxxp://avril0014.narod.ru/#dancing_4_1D.html
hxxp://vladim-vasiliev.narod2.ru/#dancingSULKIN.html
hxxp://467777.ru/media/#dancingKiin.html
hxxp://school13spb.ru/cli/#dancinemms.html
hxxp://daykiri91.narod2.ru/#dancinela.html
hxxp://delfina-200.narod2.ru/#dancineasy.html
hxxp://bumer574.narod.ru/#dancindung.html
hxxp://dfk-kazan.narod2.ru/#dancinbranson.html
hxxp://zaits-oleg.narod.ru/#dancinbranflake.html
hxxp://dimdj.narod.ru/#dancinbraceface.html
hxxp://ohgospodi.narod2.ru/#dancin_nancy.html
hxxp://cazakow-j.narod2.ru/#dancin_gurrl22.html
hxxp://wlad-07.narod2.ru/#dancin_bearette.html
hxxp://v1279610.narod2.ru/#dancin_4STACKS.html
hxxp://school13spb.ru/cli/#dancidaT.html
hxxp://467777.ru/media/#danciareading.html
hxxp://school13spb.ru/cli/#danchy_xoxo.html
hxxp://orlov-tema150894.narod2.ru/#danchovy.html
hxxp://cabfare.narod.ru/#borkborkpanda.html
hxxp://mechta24.narod2.ru/#borkatochter.html
hxxp://dema-zyab.narod.ru/#borka_ns.html
hxxp://denrzn.narod2.ru/#borka26.html
hxxp://arfina2003.narod2.ru/#bork90.html
hxxp://school13spb.ru/cli/#borjius55.html
hxxp://zyyyz92.narod2.ru/#borjitamr7.html
hxxp://bayun87.narod2.ru/#borjita30.html
hxxp://dimaspodpor.narod.ru/#borjiabar.html
hxxp://denis1898.narod.ru/#borjavdv.html
hxxp://dodge2106.narod.ru/#borjateran.html
hxxp://yashka-tut.narod.ru/#borjarevo.html
hxxp://dima230368.narod2.ru/#YHAOfficial.html
hxxp://autkaee.narod.ru/#YHALondonHostel.html
hxxp://CracknelMan.narod.ru/#YHAAAAAAN.html
hxxp://northe.narod2.ru/#YH.html
hxxp://blagiyv.narod2.ru/#YGwirfoddolwyr.html
hxxp://dashunya-19.narod2.ru/#YGunna.html
hxxp://school13spb.ru/cli/#YGrissa.html
hxxp://467777.ru/media/#YGreddrumm.html
hxxp://microlab2.narod.ru/#YGjerde.html
hxxp://spicccka.narod2.ru/#YGiardina.html
hxxp://bam75.narod.ru/#YGharby.html
hxxp://valov1994.narod2.ru/#YGharbi.html
hxxp://den-inferno.narod2.ru/#YGfanboy.html
hxxp://awn55.narod2.ru/#YG_Wood.html
hxxp://blacksacap.narod2.ru/#YG_SWAG.html
hxxp://e9308.narod.ru/#Silvm85.html
hxxp://armat30.narod2.ru/#SilviusPotter.html
hxxp://ass-351.narod2.ru/#Silviu_I.html
hxxp://dantistnt18.narod2.ru/#SilviuStelian.html
hxxp://ninapu.narod2.ru/#Silvitrii.html
hxxp://dedun2006.narod.ru/#Silviptr.html
hxxp://olezhko-polmin.narod2.ru/#PaoloSpampinat1.html
hxxp://maxulya.narod2.ru/#OliviaMehaffey.html
hxxp://dawmenkor.narod2.ru/#OliviaMcIntire.html
hxxp://kolya-turkin.narod.ru/#OliviaMcGuckin.html
hxxp://vffmeztginhwcpu.narod2.ru/#OliviaMayT.html
hxxp://foxy-zone.narod.ru/#OliviaMatokee.html
hxxp://balzam201.narod2.ru/#OliviaMasey1.html
hxxp://reginavip.narod2.ru/#OliviaMarshman.html
hxxp://jony666.narod.ru/#OliviaMarr7.html
hxxp://dr-patap.narod.ru/#JagzMahal.html
hxxp://apostols13.narod2.ru/#JagyJose.html
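
The propagation pattern described above (a hosting subdomain plus a `#<username>.html` fragment naming the targeted account) is regular enough to be checked mechanically. The following is an added example, not code from the post or from Webroot: it refangs a handful of the URLs listed above, pulls the targeted username out of the fragment, counts how many lures land on each parent hosting zone, and flags a tweet whose link fragment names the very account the tweet mentions. The sample tweet, the URL subset and the `parent_zone` heuristic (last two labels of the host) are my own constructions.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed sample: a handful of the spamvertised URLs quoted in the post,
# kept defanged with the "hxxp" prefix exactly as the post lists them.
SAMPLE_URLS = [
    "hxxp://avril0014.narod.ru/#dancing_4_1D.html",
    "hxxp://vladim-vasiliev.narod2.ru/#dancingSULKIN.html",
    "hxxp://467777.ru/media/#dancingKiin.html",
    "hxxp://school13spb.ru/cli/#dancinemms.html",
    "hxxp://cabfare.narod.ru/#borkborkpanda.html",
    "hxxp://maxulya.narod2.ru/#OliviaMehaffey.html",
]

# Constructed tweet in the shape the post describes: one of the two static lure
# messages (copied from the post) plus a link whose fragment names the mentioned user.
SAMPLE_TWEET = "@dancingKiin It’s уou оn photo? hxxp://467777.ru/media/#dancingKiin.html"

MENTION_RE = re.compile(r"@(\w+)")
URL_RE = re.compile(r"h[xt]{2}ps?://\S+")


def refang(url):
    """Turn a defanged hxxp:// or hxxps:// indicator back into a parseable URL."""
    if url.startswith("hxxp://"):
        return "http://" + url[len("hxxp://"):]
    if url.startswith("hxxps://"):
        return "https://" + url[len("hxxps://"):]
    return url


def parse_lure(url):
    """Split one lure URL into host, path and the username carried in '#<username>.html'."""
    p = urlparse(refang(url))
    username = None
    if p.fragment.endswith(".html") and len(p.fragment) > len(".html"):
        username = p.fragment[:-len(".html")]
    return {"host": p.hostname or "", "path": p.path, "username": username}


def matches_campaign_pattern(url):
    """True when the URL has the '#<username>.html' fragment shape the post describes."""
    return parse_lure(url)["username"] is not None


def parent_zone(host):
    """Collapse a free-hosting subdomain such as x.narod.ru to its parent zone (heuristic)."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def hosts_per_zone(urls):
    """Count how many campaign-shaped lure URLs land on each parent zone."""
    return Counter(parent_zone(parse_lure(u)["host"])
                   for u in urls if matches_campaign_pattern(u))


def tweet_targets_mentioned_user(tweet):
    """Flag a tweet whose lure URL fragment names the very account the tweet mentions."""
    handles = {h.lower() for h in MENTION_RE.findall(tweet)}
    for url in URL_RE.findall(tweet):
        user = parse_lure(url)["username"]
        if user and user.lower() in handles:
            return True
    return False


if __name__ == "__main__":
    for url in SAMPLE_URLS:
        print(parse_lure(url))
    print(hosts_per_zone(SAMPLE_URLS))
    print(tweet_targets_mentioned_user(SAMPLE_TWEET))
```

The per-zone count is the useful pivot for a defender: on the full list above, the bulk of the lures sit on narod.ru and narod2.ru free hosting, so a takedown or a block request goes to a small number of providers rather than to dozens of individual subdomains. The fragment check is the per-tweet signal: a legitimate link rarely carries the recipient's own handle as a fragment file name.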

What do all of these domains have in common? Besides the identical malware served on the affected hosts, the redirection also takes place through the following domains:

hxxp://traffichouse.ru/?2 – 176.57.209.69
hxxp://traffichouse.ru/?5 – 176.57.209.69

Responding to the same 176.57.209.69 IP are also the following domains:
forex-shop.com
abolyn.twmail.info
pclive.ru
ecoinstrument.ru

Client-side exploits serving domain: hxxp://oomatsu.veta.su/main.php?page=afaf1d234c788e63

Upon successful client-side exploitation, the campaign drops MD5: 5d1e7ea86bee432ec1e5b3ad9ac43cfa on the affected hosts.

Upon execution, the sample phones back to the following URLs, where it downloads additional malware on the affected hosts:

hxxp://112.121.178.189/api/urls/?ts=1f737428&affid=35000
hxxp://thanosactpetitioned.cu.cc/f/notepad.exe?ts=1f737428&affid=35000
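
The indicators given in this post (redirector, shared IP, exploit-kit landing page, phone-back hosts and dropper hash) map onto distinct stages of the infection chain, which is what makes them useful for triage rather than just blocking. The following is an added example, not code from the post or from Webroot: it runs those indicators over a constructed proxy log, reconstructs which stages each client passed through in time order, and separates clients that reached the exploit kit and then phoned home from clients that merely touched a domain co-hosted on the redirector's IP. The log format (`<unix-time> <client-ip> <method> <url> <status>`), the sample lines and the stage labels are my own assumptions.

```python
from urllib.parse import urlparse

# Indicators quoted in the post (defanged there with hxxp://; bare hosts here),
# mapped to the stage of the infection chain at which the post places them.
STAGE_BY_HOST = {
    "traffichouse.ru": "redirector",
    "176.57.209.69": "redirector",           # IP the redirector domain responds to
    "oomatsu.veta.su": "exploit-kit",        # Black Hole client-side exploit landing page
    "112.121.178.189": "c2",                 # first phone-back URL
    "thanosactpetitioned.cu.cc": "payload",  # second-stage download
}
# Domains the post lists as sharing the redirector's IP: suspicious, not proof of infection.
CO_HOSTED = {"forex-shop.com", "abolyn.twmail.info", "pclive.ru", "ecoinstrument.ru"}
DROPPER_MD5 = "5d1e7ea86bee432ec1e5b3ad9ac43cfa"

# Constructed proxy log in a hypothetical space-separated format:
# <unix-time> <client-ip> <method> <url> <http-status>
SAMPLE_LOG = """\
1343000001 10.0.0.12 GET http://twitter.com/ 200
1343000002 10.0.0.12 GET http://traffichouse.ru/?2 302
1343000003 10.0.0.12 GET http://oomatsu.veta.su/main.php?page=afaf1d234c788e63 200
1343000004 10.0.0.12 GET http://112.121.178.189/api/urls/?ts=1f737428&affid=35000 200
1343000005 10.0.0.44 GET http://pclive.ru/ 200
1343000006 10.0.0.44 GET http://example.invalid/ 200
"""


def classify(url):
    """Return the chain stage for a listed host, 'co-hosted' for a shared-IP neighbour, else None."""
    host = (urlparse(url).hostname or "").lower()
    if host in STAGE_BY_HOST:
        return STAGE_BY_HOST[host]
    if host in CO_HOSTED:
        return "co-hosted"
    return None


def scan_proxy_log(text):
    """Return one hit record per log line whose URL touches a listed indicator."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue  # skip blank or malformed lines
        ts, client, _method, url, _status = fields[:5]
        stage = classify(url)
        if stage is not None:
            hits.append({"time": int(ts), "client": client, "url": url, "stage": stage})
    return hits


def chain_for_client(hits, client):
    """Stages one client passed through, in time order, ignoring co-hosted noise."""
    own = sorted((h for h in hits if h["client"] == client and h["stage"] != "co-hosted"),
                 key=lambda h: h["time"])
    return [h["stage"] for h in own]


def likely_compromised(hits):
    """Clients that reached the exploit kit and then phoned home or fetched the payload."""
    result = []
    for client in sorted({h["client"] for h in hits}):
        chain = chain_for_client(hits, client)
        if "exploit-kit" in chain and ("c2" in chain or "payload" in chain):
            result.append(client)
    return result


def is_known_dropper(md5_hex):
    """Compare a file hash against the dropper hash quoted in the post."""
    return md5_hex.strip().lower() == DROPPER_MD5


if __name__ == "__main__":
    found = scan_proxy_log(SAMPLE_LOG)
    for h in found:
        print(h)
    print("chain 10.0.0.12:", chain_for_client(found, "10.0.0.12"))
    print("likely compromised:", likely_compromised(found))
```

A client that only hit the redirector was exposed but may have been served nothing (wrong browser, blocked landing page), so it goes on a watch list; a client whose chain reads redirector, exploit-kit, c2 should be pulled for the dropper hash and reimaged. The co-hosted domains stay out of the compromise verdict on purpose: sharing an IP with a redirector is a lead for infrastructure tracking, not evidence that a host was exploited.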

We’ve already seen malware phoning back to the same command and control server in the recently profiled “Spamvertised ‘Download your USPS Label’ themed emails serve malware” campaign. Clearly, both campaigns are launched by the same cybercriminal or gang of cybercriminals, who are rotating the distribution and infection vectors of their campaigns.

Webroot SecureAnywhere users are proactively protected from this threat.

You can find more about Dancho Danchev at his LinkedIn Profile. You can also follow him on Twitter.


Trackbacks

  1. [...] Webroot says that in addition to this English-based attack, a Russian spam campaign, which started on July 23, appears to be the origin of this attack. This makes sense given that many of the domains appear to be .ru (and the redirection seems to take place through traffichouse.ru). [...]