‘Please confirm your U.S Airways online registration’ themed emails lead to Black Hole Exploit Kit

by


In 2012, fake flight reservation confirmations and bogus E-ticket verifications were a popular social engineering theme for cybercriminals. On numerous occasions, we intercepted related campaigns attempting to trick customers into clicking on malicious links, which ultimately exposed them to the client-side exploits served by the latest version of the Black Hole Exploit Kit.

Apparently, the click-through rates for these campaigns were good enough for cybercriminals to resume spamvertising related campaigns. In this post, I’ll profile the most recently spamvertised campaign impersonating U.S Airways.

More details:

Sample screenshot of the spamvertised email:

US_Airways_Email_Spam_Exploits_Malware_Black_Hole_Expoit_Kit

Sample compromised URLs part of the campaign:
hxxp://sweetsw.com/templates/atomic/ticket_status.html
hxxp://toopz.com/templates/atomic/ticket_status.html
hxxp://sunshinecoasttackle.com/templates/beez/ticket_status.html
hxxp://tj-print.com/templates/atomic/ticket_status.html
hxxp://thai-tsam.com/templates/1/ticket_status.html
hxxp://thephoenixconsultingfirm.com/templates/beez/ticket_status.html
hxxp://thickdickdaddy.com/templates/atomic/ticket_status.html
hxxp://tianzhaotian2001.com/templates/atomic/ticket_status.html
hxxp://tiendatradiciones.com/templates/beez/ticket_status.html

Sample client-side exploits serving URL: hxxp://attachedsignup.pro/detects/links-neck.php

Sample malicious payload dropping URL: hxxp://attachedsignup.pro/detects/links-neck.php?rf=1l:2v:1m:32:1j&be=2w:32:2w:1i:1k:30:1g:33:31:1j&d=1f&lh=a&ri=j

Malicious domain name reconnaissance:
attachedsignup.pro – 41.215.225.202 – Email: kee_mckibben0869@macfreak.com

The same email (kee_mckibben0869@macfreak.com) was also seen in the following previously profiled malicious campaigns:

Upon successful client-side exploitation, the campaign drops MD5: 6f51e309530f8900be935716c3015f58 – detected by 24 out of 46 antivirus scanners as Worm:Win32/Cridex.E

The executable creates the following registry entries:
HKEY_CURRENT_USERSoftwareMicrosoftWindows NTCFBDC89D4
HKEY_CURRENT_USERSoftwareMicrosoftWindows NTS25BC2D7B

As well as the following mutexes:
LocalXMM000003F8
LocalXMI000003F8
LocalXMRFB119394
LocalXMM000005E4
LocalXMI000005E4
LocalXMM0000009C
LocalXMI0000009C
LocalXMM000000C8
LocalXMI000000C8

Once executed, the sample phones back to the following C&C servers:
180.235.150.72:8080/DPNilBA/ue1elBAAAA/tlSHAAAAA/
174.143.174.136:8080/AJtw/UCyqrDAA/Ud+asDAA/

We’ve already seen the same pseudo-random C&C phone back characters used in the following previously profiled malicious campaigns:

Webroot SecureAnywhere users are proactively protected from these threats.

You can find more about Dancho Danchev at his LinkedIn Profile. You can also follow him on  Twitter.


Trackbacks

  1. [...] new email spam campaign impersonating U.S. Airways is hitting inboxes, warns Webroot, and the airline’s customers would do well to be on the lookout for the following [...]