In 2012, fake flight reservation confirmations and bogus E-ticket verifications were a popular social engineering theme for cybercriminals. On numerous occasions, we intercepted related campaigns attempting to trick customers into clicking on malicious links, which ultimately exposed them to the client-side exploits served by the latest version of the Black Hole Exploit Kit.

Apparently, the click-through rates for these campaigns were good enough for cybercriminals to resume spamvertising related campaigns. In this post, I’ll profile the most recently spamvertised campaign impersonating U.S Airways.

More details:

Sample screenshot of the spamvertised email:

US_Airways_Email_Spam_Exploits_Malware_Black_Hole_Expoit_Kit

Sample compromised URLs part of the campaign:
hxxp://sweetsw.com/templates/atomic/ticket_status.html
hxxp://toopz.com/templates/atomic/ticket_status.html
hxxp://sunshinecoasttackle.com/templates/beez/ticket_status.html
hxxp://tj-print.com/templates/atomic/ticket_status.html
hxxp://thai-tsam.com/templates/1/ticket_status.html
hxxp://thephoenixconsultingfirm.com/templates/beez/ticket_status.html
hxxp://thickdickdaddy.com/templates/atomic/ticket_status.html
hxxp://tianzhaotian2001.com/templates/atomic/ticket_status.html
hxxp://tiendatradiciones.com/templates/beez/ticket_status.html

Sample client-side exploits serving URL: hxxp://attachedsignup.pro/detects/links-neck.php

Sample malicious payload dropping URL: hxxp://attachedsignup.pro/detects/links-neck.php?rf=1l:2v:1m:32:1j&be=2w:32:2w:1i:1k:30:1g:33:31:1j&d=1f&lh=a&ri=j

Malicious domain name reconnaissance:
attachedsignup.pro – 41.215.225.202 – Email: kee_mckibben0869@macfreak.com

The same email (kee_mckibben0869@macfreak.com) was also seen in the following previously profiled malicious campaigns:

Upon successful client-side exploitation, the campaign drops MD5: 6f51e309530f8900be935716c3015f58 – detected by 24 out of 46 antivirus scanners as Worm:Win32/Cridex.E

The executable creates the following registry entries:
HKEY_CURRENT_USERSoftwareMicrosoftWindows NTCFBDC89D4
HKEY_CURRENT_USERSoftwareMicrosoftWindows NTS25BC2D7B

As well as the following mutexes:
LocalXMM000003F8
LocalXMI000003F8
LocalXMRFB119394
LocalXMM000005E4
LocalXMI000005E4
LocalXMM0000009C
LocalXMI0000009C
LocalXMM000000C8
LocalXMI000000C8

Once executed, the sample phones back to the following C&C servers:
180.235.150.72:8080/DPNilBA/ue1elBAAAA/tlSHAAAAA/
174.143.174.136:8080/AJtw/UCyqrDAA/Ud+asDAA/

We’ve already seen the same pseudo-random C&C phone back characters used in the following previously profiled malicious campaigns:

Webroot SecureAnywhere users are proactively protected from these threats.

You can find more about Dancho Danchev at his LinkedIn Profile. You can also follow him on  Twitter.

Blog Staff

About the Author

Blog Staff

The Webroot blog offers expert insights and analysis into the latest cybersecurity trends. Whether you’re a home or business user, we’re dedicated to giving you the awareness and knowledge needed to stay ahead of today’s cyber threats.

Share This