March 15, 2013 By Dancho Danchev

Cybercriminals resume spamvertising ‘Re: Fwd: Wire Transfer’ themed emails, serve client-side exploits and malware

Over the last couple of days, a cybercricriminal/gang of cybercriminals that we’ve been extensively profiling, resumed spamvertising tens of thousands of emails, in an attempt to trick users that they have a pending wire transfer. Once users click on any of the links found in the malicious emails, they’re exposed to the client-side exploits served by the Black Hole Exploit Kit.

More details:

Sample screenshot of the spamvertised email:

Email_Spam_Exploits_Malware_Black_Hole_Exploit_Kit_Wire_Transfer

Sample compromised spamvertised URLs:
hxxp://afdoor.com/loading.htm
hxxp://directproducts.co.zw/loading.htm
hxxp://deto.es/loading.htm
hxxp://sulfilmmga.com.br/loading.htm
hxxp://redboxi.com/loading.htm
hxxp://sulfilmmga.com.br/loading.htm
hxxp://misann.es.kr/loading.htm

Sample client-side exploits serving URL: hxxp://gimikalno.ru:8080/forum/links/column.php

Sample malicious payload dropping URL: hxxp://gimikalno.ru:8080/forum/links/column.php?hf=2w:1l:1l:2v:1f&ye=2v:1k:1m:32:33:1k:1k:31:1j:1o&s=1k&td=r&xj=f

Upon successful client-side exploitation, the campaign drops MD5: 93a104caf7b01de69614498de5cf870a – detected by 2 out of 45 antivirus scanners as Trojan.FakeMS

Once executed, the sample creates the following files on the affected hosts:
C:Documents and SettingsAdministratorApplication DataKB00635017.exe
C:DOCUME~1ADMINI~1LOCALS~1Tempexp8.tmp.bat
C:Documents and SettingsAdministratorLocal SettingsTemporary Internet FilesContent.IE589OC5JKA2MB9vCAAAA[1].txt
C:Documents and SettingsAdministratorLocal SettingsTemporary Internet FilesContent.IE589OC5JKA2MB9vCAAAA[1].txt
C:DOCUME~1ADMINI~1LOCALS~1Tempexp9.tmp.exe
C:Documents and SettingsAdministratorApplication Data9CC207909CC20790
C:DOCUME~1ADMINI~1LOCALS~1TempexpA.tmp.exe
C:Documents and SettingsAdministratorApplication Data9CC207909CC20790
C:Documents and SettingsAdministratorApplication DataKB00635017.exe
C:DOCUME~1ADMINI~1LOCALS~1TempexpB.tmp.bat

It also creates the following Registry Keys:
HKEY_CURRENT_USERSoftwareMicrosoftWindows NTCFBDC89D4
HKEY_CURRENT_USERSoftwareMicrosoftWindows NTS25BC2D7B

Sets the following Registry Values:
[HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun] -> KB00121600.exe = “”%AppData%KB00121600.exe””

It then creates the following Mutexes:
LocalXMM00000418
LocalXMI00000418
LocalXMRFB119394
LocalXMM000005E4
LocalXMI000005E4
LocalXMM0000009C
LocalXMI0000009C
LocalXMM000000C8
LocalXMI000000C8

And phones back to:
149.156.96.9/J9/vp//EGa+AAAAAA/2MB9vCAAAA/
72.251.206.90/J9/vp//EGa+AAAAAA/2MB9vCAAAA/
202.29.5.195:8080/DPNilBA/ue1elBAAAA/tlSHAAAAA/
213.214.74.5/AJtw/UCyqrDAA/Ud+asDAA/

We’ve already seen 213.214.74.5 in the following previously profiled campaigns, indicating that they’ve been launched by the same party:

Malicious domain name reconnaissance:
gimikalno.ru – 66.249.23.64; 94.102.14.239; 5.9.40.136
Name Servers: ns1.gimikalno.ru 41.168.5.140
Name Servers: ns2.gimikalno.ru 110.164.58.250 (nangrong.ac.th)
Name Servers: ns3.gimikalno.ru 210.71.250.131 (tecom.com.tw)
Name Servers: ns4.gimikalno.ru 194.249.217.8 (gimnazija-tolmin1.si)
Name Servers: ns5.gimikalno.ru 72.251.206.90

Webroot SecureAnywhere users are proactively protected from this threat.

You can find more about Dancho Danchev at his LinkedIn Profile. You can also follow him on  Twitter.

Share Button
0 comments

Trackbacks

  1. […] seen (202.29.5.195) in the following previously profiled malicious campaign “Cybercriminals resume spamvertising ‘Re: Fwd: Wire Transfer’ themed emails, serve client-side e…“. We’ve also seen (203.113.98.131) in the following assessment “Spamvertised […]

true