Malicious ‘Security Update for Banking Accounts’ emails lead to Black Hole Exploit Kit


Cybercriminals have recently launched yet another massive spam campaign attempting to trick e-banking users into thinking that their ability to process ACH transactions has been temporarily disabled. Upon clicking on the link found in the malicious email, users are exposed to the client-side exploits served by the Black Hole Exploit Kit.


Sample screenshot of the spamvertised email: (image not included)

Sample spamvertised compromised URLs:
hxxp://promic.pl/page4.htm
hxxp://promic.pl/rating.htm

Sample client-side exploits serving URLs:
hxxp://bamanaco.ru:8080/forum/links/column.php
hxxp://lentuiax.ru:8080/forum/links/column.php

Malicious domains reconnaissance:
bamanaco.ru – 82.165.193.26 (AS8560); 203.80.16.81 (AS24514); 216.24.196.66 (AS40676)

Name servers:
ns1.bamanaco.ru – 62.76.178.233
ns2.bamanaco.ru – 41.168.5.140
ns3.bamanaco.ru – 132.248.49.112
ns4.bamanaco.ru – 209.51.221.247

lentuiax.ru – 203.80.16.81 (AS24514)

Name servers:
ns1.lentuiax.ru – 62.76.178.233
ns2.lentuiax.ru – 41.168.5.140
ns3.lentuiax.ru – 132.248.49.112
ns4.lentuiax.ru – 209.51.221.247

Sample detection rate for the redirection script: MD5: 35e6ddb6ce4229d36c43d9d3ccd182f3 – detected by 21 out of 44 antivirus scanners as Trojan-Downloader.JS.Iframe.dby.

Although we couldn’t reproduce the malicious exploitation taking place through bamanaco.ru and lentuiax.ru, we found that, at the time of the attack, similar client-side exploit serving URLs were also responding to the same IPs, leading us to the actual malicious payload found on two of these domains.

The following malicious domains were also responding to the same IPs at the time of the attack:
hxxp://ganiopatia.ru:8080/forum/links/column.php
hxxp://dimarikanko.ru/forum/links/column.php
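
As an added example (not code from the original report), the URL structure shared by the domains above can be turned into a proxy-log check: an exact match on the reported hosts, plus a lower-confidence match on the common path to surface sibling domains that are not yet on any list. The log layout, timestamps, client addresses and the `.example` hosts are constructed for the illustration.

```python
import re
from urllib.parse import urlsplit

# Exploit-serving URLs listed in this report, kept defanged in source.
REPORTED = [
    "hxxp://bamanaco.ru:8080/forum/links/column.php",
    "hxxp://lentuiax.ru:8080/forum/links/column.php",
    "hxxp://ganiopatia.ru:8080/forum/links/column.php",
    "hxxp://dimarikanko.ru/forum/links/column.php",
]

def refang(url):
    """Make a defanged indicator (hxxp://, [.]) parseable again."""
    return re.sub(r"^hxxp", "http", url, flags=re.I).replace("[.]", ".")

KNOWN_HOSTS = {urlsplit(refang(u)).hostname for u in REPORTED}
SHARED_PATHS = {urlsplit(refang(u)).path for u in REPORTED}

# Constructed sample log; assumed layout: timestamp client method url status
SAMPLE_LOG = """\
2000-01-01T09:14:02Z 10.0.4.17 GET http://bamanaco.ru:8080/forum/links/column.php 200
2000-01-01T09:14:40Z 10.0.4.22 GET http://intranet.example/forum/links/index.php 200
2000-01-01T09:15:11Z 10.0.4.31 GET http://sibling-domain.example:8080/forum/links/column.php 200
2000-01-01T09:16:03Z 10.0.4.17 GET http://LENTUIAX.RU:8080/other.php 404
truncated entry
"""

def classify(url):
    """Return 'known-host', 'path-pattern' or None for one requested URL."""
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")  # urlsplit already lower-cases it
    if host in KNOWN_HOSTS:
        return "known-host"        # exact indicator match, high confidence
    if parts.path in SHARED_PATHS:
        return "path-pattern"      # same URL layout on an unlisted host
    return None

def scan(log_text):
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue               # skip malformed or truncated entries
        _ts, client, _method, url, _status = fields
        verdict = classify(url)
        if verdict:
            hits.append((client, urlsplit(url).hostname, verdict))
    return hits
```

Treat `path-pattern` hits as leads for triage rather than confirmed infections, since the path alone is not unique to this campaign.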

Upon successful client-side exploitation, both domains serve MD5: 3a1d644172308dc358121bd2984a57a4 – detected by 30 out of 46 antivirus scanners as Trojan:Win32/Tobfy.I.

Upon execution, it creates the following process in the system:
%AppData%\kb00121600.exe

It also creates the following Registry Keys:
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CFBDC89D4
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\S25BC2D7B

Next it also creates the following mutexes on the system:

It then phones back to 173.224.215.130/AJtw/UCygrDAA/Ud+asDAA (AS40676). The IP responds to beast.unixbsd.info – Email: abuse@psychz.net

Another MD5 is known to have phoned back to the same IP: MD5: 3bf5c62fe6e18bc93073ecf79e079020 – detected by 15 out of 45 antivirus scanners as Trojan-Ransom.Win32.PornoAsset.biiy.

We’ve already seen the same static command and control server characters used in the following previously profiled campaigns:


Responding to the IPs of the client-side exploits serving domains – 82.165.193.26 (AS8560); 203.80.16.81 (AS24514); 216.24.196.66 (AS40676) – are also the following malicious/fraudulent domains:

A huge percentage of these domains have been previously profiled in a series of malicious campaigns, indicating that these campaigns continue getting launched by the same cybercriminal/gang of cybercriminals.

Name servers part of the campaign’s infrastructure:

Webroot SecureAnywhere users are proactively protected from these threats.

You can find more about Dancho Danchev at his LinkedIn Profile. You can also follow him on Twitter.

