Over the last couple of days, a cybercricriminal/gang of cybercriminals that we’ve been extensively profiling, resumed spamvertising tens of thousands of emails, in an attempt to trick users that they have a pending wire transfer. Once users click on any of the links found in the malicious emails, they’re exposed to the client-side exploits served by the Black Hole Exploit Kit.

More details:

Sample screenshot of the spamvertised email:

Email_Spam_Exploits_Malware_Black_Hole_Exploit_Kit_Wire_Transfer

Sample compromised spamvertised URLs:
hxxp://afdoor.com/loading.htm
hxxp://directproducts.co.zw/loading.htm
hxxp://deto.es/loading.htm
hxxp://sulfilmmga.com.br/loading.htm
hxxp://redboxi.com/loading.htm
hxxp://sulfilmmga.com.br/loading.htm
hxxp://misann.es.kr/loading.htm

Sample client-side exploits serving URL: hxxp://gimikalno.ru:8080/forum/links/column.php

Sample malicious payload dropping URL: hxxp://gimikalno.ru:8080/forum/links/column.php?hf=2w:1l:1l:2v:1f&ye=2v:1k:1m:32:33:1k:1k:31:1j:1o&s=1k&td=r&xj=f

Upon successful client-side exploitation, the campaign drops MD5: 93a104caf7b01de69614498de5cf870a – detected by 2 out of 45 antivirus scanners as Trojan.FakeMS

Once executed, the sample creates the following files on the affected hosts:
C:Documents and SettingsAdministratorApplication DataKB00635017.exe
C:DOCUME~1ADMINI~1LOCALS~1Tempexp8.tmp.bat
C:Documents and SettingsAdministratorLocal SettingsTemporary Internet FilesContent.IE589OC5JKA2MB9vCAAAA[1].txt
C:Documents and SettingsAdministratorLocal SettingsTemporary Internet FilesContent.IE589OC5JKA2MB9vCAAAA[1].txt
C:DOCUME~1ADMINI~1LOCALS~1Tempexp9.tmp.exe
C:Documents and SettingsAdministratorApplication Data9CC207909CC20790
C:DOCUME~1ADMINI~1LOCALS~1TempexpA.tmp.exe
C:Documents and SettingsAdministratorApplication Data9CC207909CC20790
C:Documents and SettingsAdministratorApplication DataKB00635017.exe
C:DOCUME~1ADMINI~1LOCALS~1TempexpB.tmp.bat

It also creates the following Registry Keys:
HKEY_CURRENT_USERSoftwareMicrosoftWindows NTCFBDC89D4
HKEY_CURRENT_USERSoftwareMicrosoftWindows NTS25BC2D7B

Sets the following Registry Values:
[HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun] -> KB00121600.exe = “”%AppData%KB00121600.exe””

It then creates the following Mutexes:
LocalXMM00000418
LocalXMI00000418
LocalXMRFB119394
LocalXMM000005E4
LocalXMI000005E4
LocalXMM0000009C
LocalXMI0000009C
LocalXMM000000C8
LocalXMI000000C8

And phones back to:
149.156.96.9/J9/vp//EGa+AAAAAA/2MB9vCAAAA/
72.251.206.90/J9/vp//EGa+AAAAAA/2MB9vCAAAA/
202.29.5.195:8080/DPNilBA/ue1elBAAAA/tlSHAAAAA/
213.214.74.5/AJtw/UCyqrDAA/Ud+asDAA/

We’ve already seen 213.214.74.5 in the following previously profiled campaigns, indicating that they’ve been launched by the same party:

Malicious domain name reconnaissance:
gimikalno.ru – 66.249.23.64; 94.102.14.239; 5.9.40.136
Name Servers: ns1.gimikalno.ru 41.168.5.140
Name Servers: ns2.gimikalno.ru 110.164.58.250 (nangrong.ac.th)
Name Servers: ns3.gimikalno.ru 210.71.250.131 (tecom.com.tw)
Name Servers: ns4.gimikalno.ru 194.249.217.8 (gimnazija-tolmin1.si)
Name Servers: ns5.gimikalno.ru 72.251.206.90

Webroot SecureAnywhere users are proactively protected from this threat.

You can find more about Dancho Danchev at his LinkedIn Profile. You can also follow him on  Twitter.

Blog Staff

About the Author

Blog Staff

The Webroot blog offers expert insights and analysis into the latest cybersecurity trends. Whether you’re a home or business user, we’re dedicated to giving you the awareness and knowledge needed to stay ahead of today’s cyber threats.

Share This