‘Your Kindle e-book Amazon receipt’ themed emails lead to Black Hole Exploit Kit

Kindle owners, watch what you click on!

Cybercriminals are currently attempting to trick Kindle owners into believing they have received a receipt for an e-book purchase from Amazon.com. In reality, clicking any of the links in the malicious email takes the user through a compromised site to the Black Hole Exploit Kit, which automatically serves client-side exploits against the visitor's browser and plugins.

More details:

Sample screenshot of the spamvertised email:

[Screenshot of the spamvertised "Your Kindle e-book Amazon receipt" email]

Sample compromised URLs used in the campaign (all on compromised WordPress installations, with the landing page planted under the tell-a-friend plugin directory):
hxxp://fatlossfactorscams.com/wp-content/plugins/tell-a-friend/orderedlistamazon.html
hxxp://v-mishchenko.com/wp-content/plugins/tell-a-friend/orderedlistamazon.html
hxxp://pasadenacaregiver.com/wp-content/plugins/tell-a-friend/orderedlistamazon.html

Sample client-side exploits serving URL:
hxxp://starsoftgroup.net/detects/weeks_movie_whether.php

Sample malicious payload dropping URLs:
hxxp://starsoftgroup.net/detects/weeks_movie_whether.php?jf=31:2v:33:1o:1m&le=2w:2v:1o:1g:1m:31:1l:1k:30:1k&s=1f&tf=s&kv=r
hxxp://starsoftgroup.net/detects/weeks_movie_whether.php?uf=2v:1i:1h:31:1o&he=2w:2v:1o:1g:1m:31:1l:1k:30:1k&f=1f&kr=t&bp=y

Malicious domain name reconnaissance:
starsoftgroup.net – 175.121.229.209; 198.144.191.50 – Email: wondermitch@hotmail.com
Name Server: NS1.HTTP-PAGE.NET
Name Server: NS2.HTTP-PAGE.NET

We’ve already seen the same name servers used in the following previously profiled campaigns, indicating that they’ve been launched by the same cybercriminals:

Upon successful client-side exploitation, the campaign drops MD5: 13d23f4c1eb1d4d3841e2de50b1948cc – detected by 7 out of 46 antivirus scanners as UDS:DangerousObject.Multi.Generic.

Once executed, the sample creates the following processes on the affected hosts:
"C:\WINDOWS\system32\cmd.exe" /c "C:\DOCUME~1\<USER>~1\LOCALS~1\Temp\exp1.tmp.bat"
C:\Documents and Settings\<USER>\Application Data\KB00927107.exe

The following Registry Keys:
REGISTRY\USER\S-1-5-21-299502267-926492609-1801674531-500\Software\Microsoft\Windows NT\S9CC20790
REGISTRY\USER\S-1-5-21-299502267-926492609-1801674531-500\Software\Microsoft\Windows NT\CBA6D3F36

As well as the following Mutexes:
Local\XMM000001C4
Local\XMI000001C4
Local\XMM00000380
Local\XMI00000380
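The host artifacts above (a cmd.exe /c stage running a .bat from %TEMP%, a KB-named executable dropped into the per-user Application Data folder, randomly named subkeys directly under Software\Microsoft\Windows NT, and paired Local\XMM/Local\XMI mutexes) are easy to turn into a triage check. The following is an added example, not code from the original post or from Webroot; the telemetry it scans is constructed to mirror the listed artifacts, and the "any subkey under Windows NT other than CurrentVersion is suspicious" rule is an assumption used as a heuristic, not something the post states.

```python
import re

# Constructed host telemetry modelled on the artifacts listed above
# (process command lines, mutex names, registry keys). Not real sandbox output.
SAMPLE_PROCESSES = [
    r'"C:\WINDOWS\system32\cmd.exe" /c "C:\DOCUME~1\alice~1\LOCALS~1\Temp\exp1.tmp.bat"',
    r"C:\Documents and Settings\alice\Application Data\KB00927107.exe",
    r"C:\Program Files\Internet Explorer\iexplore.exe",
    r'"C:\WINDOWS\system32\cmd.exe" /c dir',
]
SAMPLE_MUTEXES = [
    r"Local\XMM000001C4",
    r"Local\XMI000001C4",
    r"Local\ZonesCounterMutex",
]
SAMPLE_REG_KEYS = [
    r"REGISTRY\USER\S-1-5-21-299502267-926492609-1801674531-500\Software\Microsoft\Windows NT\S9CC20790",
    r"REGISTRY\USER\S-1-5-21-299502267-926492609-1801674531-500\Software\Microsoft\Windows NT\CurrentVersion",
]

# cmd.exe /c running a .bat out of a Temp directory (the exp1.tmp.bat stage).
TEMP_BAT_RE = re.compile(r'cmd\.exe"?\s+/c\s+"?[^"]*\\temp\\[^"\\]+\.bat', re.IGNORECASE)
# KB<digits>.exe written to the per-user Application Data folder. Genuine hotfix
# installers are also named KB<digits>.exe, but they are not dropped there.
APPDATA_KB_RE = re.compile(r"\\Application Data\\KB\d{6,}\.exe$", re.IGNORECASE)
# The Local\XMM<8 hex digits> / Local\XMI<8 hex digits> mutex pair.
MUTEX_RE = re.compile(r"^Local\\XM[MI][0-9A-F]{8}$")
# Direct subkey of HKCU\Software\Microsoft\Windows NT. Heuristic (assumption):
# only CurrentVersion is expected there, so any other name is flagged.
WINNT_SUBKEY_RE = re.compile(r"\\Software\\Microsoft\\Windows NT\\([^\\]+)$", re.IGNORECASE)


def triage_host(processes, mutexes, reg_keys):
    """Return (category, artifact) pairs for every artifact that matches an indicator."""
    hits = []
    for cmd in processes:
        if TEMP_BAT_RE.search(cmd):
            hits.append(("temp_batch_stage", cmd))
        if APPDATA_KB_RE.search(cmd):
            hits.append(("appdata_kb_dropper", cmd))
    for name in mutexes:
        if MUTEX_RE.match(name):
            hits.append(("xmm_xmi_mutex", name))
    for key in reg_keys:
        m = WINNT_SUBKEY_RE.search(key)
        if m and m.group(1).lower() != "currentversion":
            hits.append(("random_winnt_subkey", key))
    return hits


def categories(hits):
    """Distinct indicator categories seen; two or more is a strong sign of this sample."""
    return {cat for cat, _ in hits}


if __name__ == "__main__":
    for cat, artifact in triage_host(SAMPLE_PROCESSES, SAMPLE_MUTEXES, SAMPLE_REG_KEYS):
        print(f"{cat:22} {artifact}")
```

The mutex and registry patterns are the ones that survive a rebuild of the dropper: the hex suffix and the nine-character subkey name vary per host, so match on the shape rather than the literal values.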

Upon execution, the sample also phones back to the following C&C servers:
hxxp://195.191.22.90:8080/DPNilBA/ue1elBAAAA/tlSHAAAAA/
hxxp://37.122.209.102:8080/DPNilBA/ue1elBAAAA/tlSHAAAAA/
hxxp://217.65.100.41:8080/DPNilBA/ue1elBAAAA/tlSHAAAAA/
hxxp://173.201.177.77/J9/vp//EGa+AAAAAA/2MB9vCAAAA/
hxxp://210.56.23.100/J9/vp//EGa+AAAAAA/2MB9vCAAAA/
hxxp://213.214.74.5/J9/vp//EGa+AAAAAA/2MB9vCAAAA/
hxxp://180.235.150.72/J9/vp//EGa+AAAAAA/2MB9vCAAAA/
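The network indicators in this post fall into four stages: the landing page on a compromised WordPress site, the Black Hole exploit-serving URL, the payload-dropping URLs with their colon-separated query values, and the post-infection C&C beacons. The following is an added example, not code from the original post or from Webroot, that classifies proxy log lines against those stages and groups them per client so a complete chain stands out. The log lines are constructed to mirror the URLs above; the regex for Black Hole style query values (three or more colon-separated base36 tokens) generalises the two payload URLs listed and is an assumption about the kit's URL format rather than something the post states.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Indicators taken from the write-up above (defanged hxxp:// form kept).
LANDING_PATH = "/wp-content/plugins/tell-a-friend/orderedlistamazon.html"
EXPLOIT_HOSTS = {"starsoftgroup.net"}
C2_HOSTS = {
    "195.191.22.90", "37.122.209.102", "217.65.100.41",
    "173.201.177.77", "210.56.23.100", "213.214.74.5", "180.235.150.72",
}
# The two beacon path prefixes seen in the C&C URLs.
C2_PATH_RE = re.compile(r"^/(DPNilBA|J9/vp/)/")
# Black Hole style query values such as jf=31:2v:33:1o:1m (assumed general form).
BH_QUERY_RE = re.compile(r"^[0-9a-z]{1,2}(:[0-9a-z]{1,2}){2,}$")

# Constructed proxy log: epoch client method url status. Not real traffic.
SAMPLE_LOG = """\
1349284801 10.0.0.12 GET hxxp://fatlossfactorscams.com/wp-content/plugins/tell-a-friend/orderedlistamazon.html 200
1349284803 10.0.0.12 GET hxxp://starsoftgroup.net/detects/weeks_movie_whether.php 200
1349284805 10.0.0.12 GET hxxp://starsoftgroup.net/detects/weeks_movie_whether.php?jf=31:2v:33:1o:1m&le=2w:2v:1o:1g:1m:31:1l:1k:30:1k&s=1f&tf=s&kv=r 200
1349284810 10.0.0.12 POST hxxp://195.191.22.90:8080/DPNilBA/ue1elBAAAA/tlSHAAAAA/ 200
1349284812 10.0.0.12 POST hxxp://173.201.177.77/J9/vp//EGa+AAAAAA/2MB9vCAAAA/ 200
1349284900 10.0.0.44 GET hxxp://www.amazon.com/gp/css/order-history 200
"""


def refang(url):
    """Turn the defanged hxxp:// form used in write-ups back into http://."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.IGNORECASE)


def has_bh_query(query):
    """True if any query value looks like a Black Hole colon-separated token list."""
    return any(BH_QUERY_RE.match(value) for _, value in parse_qsl(query))


def classify(url):
    """Map a URL to an infection-chain stage, or None if it matches nothing."""
    u = urlsplit(refang(url))
    host = (u.hostname or "").lower()
    if u.path == LANDING_PATH:
        return "landing"        # compromised WordPress redirector
    if host in C2_HOSTS or C2_PATH_RE.match(u.path):
        return "c2"             # post-infection beacon
    if u.path.endswith(".php") and (host in EXPLOIT_HOSTS or has_bh_query(u.query)):
        # Bare kit URL serves the exploits; the tokenised query fetches the payload.
        return "payload" if has_bh_query(u.query) else "exploit"
    return None


def scan_log(text):
    """Return (client, stage, url) for every log line that hits an indicator."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        client, url = parts[1], parts[3]
        stage = classify(url)
        if stage:
            hits.append((client, stage, url))
    return hits


def stages_by_client(hits):
    """Group stages per client; landing+exploit+payload+c2 means a completed infection."""
    seen = {}
    for client, stage, _ in hits:
        seen.setdefault(client, set()).add(stage)
    return seen


if __name__ == "__main__":
    for client, stages in stages_by_client(scan_log(SAMPLE_LOG)).items():
        print(client, sorted(stages))
```

A client that only shows the landing stage clicked the link but may have been saved by a patched browser; one that reaches c2 has executed the dropper and should be treated as compromised regardless of what the antivirus scanner reported.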

We’ve already seen the same pseudo-random C&C communication characters (DPNilBA) used in the following campaigns:

As well as the same C&C server IPs (173.201.177.77; 210.56.23.100; 180.235.150.72) in the following campaigns, indicating that they’ve been launched by the same malicious party:

Webroot SecureAnywhere users are proactively protected from these threats.

You can find more about Dancho Danchev at his LinkedIn Profile. You can also follow him on Twitter.


Trackbacks

  1. [...] devices should be careful with emails that seemingly contain receipts for their purchases, warns Webroot, as malware peddlers have once again started a spam campaign impersonating the e-commerce [...]

  2. [...] devices must be careful with emails that seemingly contain receipts for his or her purchases, warns Webroot, as malware peddlers have another time started a spam campaign impersonating the e-commerce [...]

  3. [...] seen the same email (wondermitch@hotmail.com) in the following malicious campaign – “‘Your Kindle e-book Amazon receipt’ themed emails lead to Black Hole Exploit Kit“, as well as in a recent money mule recruitment [...]

  4. [...] already seen 213.214.74.5 in the following previously profiled malicious campaign – "‘Your Kindle e-book Amazon receipt’ themed emails lead to Black Hole Exploit Kit". As well as 203.114.112.156, seen in the following assessment "Fake ‘You’ve [...]