Malicious ‘BBC Daily Email’ Cyprus bailout themed emails lead to Black Hole Exploit Kit


Cybercriminals are currently spamvertising tens of thousands of malicious emails impersonating BBC News, in an attempt to trick users into thinking that someone has shared a Cyprus bailout themed news item with them. Once users click on any of the links found in the fake emails, they’re automatically exposed to the client-side exploits served by the Black Hole Exploit Kit.

More details:

Sample screenshot of the fake BBC News email:


Sample spamvertised compromised URLs:
hxxp://templarioscorp.net/cyprus_bail.html
hxxp://web-bsc.ru/cyprus_bail.html
hxxp://www.photoshopbus.co.uk/cyprus_bail.html
hxxp://woorifiction.com/cyprus_bail.html

Sample client-side exploits serving URL: hxxp://crackedserverz.com/kill/larger_emergency.php – 155.239.247.247; 109.74.61.59; 24.111.157.113; 58.26.233.175 – Email: tellecomvideo1@gmx.us

Sample malicious payload dropping URL: hxxp://crackedserverz.com/kill/larger_emergency.php?pcxbri=1n:33:2v:1l:1h&cxqsgrdy=36&otxvafna=2v:1l:30:1n:1m:1m:30:1g:2v:1f&vtkwoiq=1n:1d:1f:1d:1f:1d:1j:1k:1l

Upon successful client-side exploitation, the campaign drops MD5: 1d4aaaf4ae7bfdb0d9936cd71ea717b2, detected by 23 out of 45 antivirus scanners as Spyware/Win32.Zbot.

Once executed, the sample stores the following modified files on the affected hosts:

Creates the following Mutexes:

The following Registry Keys:

It then phones back to the following C&C servers:
202.29.5.195/J9/vp//EGa+AAAAAA/2MB9vCAAAA/
188.93.208.130/J9/vp//EGa+AAAAAA/2MB9vCAAAA/
203.113.98.131/asp/intro.php

We’ve seen 202.29.5.195 in the previously profiled malicious campaign “Cybercriminals resume spamvertising ‘Re: Fwd: Wire Transfer’ themed emails, serve client-side exploits and malware”. We’ve also seen 203.113.98.131 in the assessment “Spamvertised ‘US Airways reservation confirmation’ themed emails serve exploits and malware”.
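To turn the indicators above into a detection, here is an added Python example (not part of the original write-up or Webroot's tooling) that maps web-proxy requests onto the stages of the infection chain described in this post: compromised landing page, Black Hole exploit server, payload drop, and Zbot C&C beacon. The log layout and the sample lines are constructed; the hosts, paths and IPs come from the post.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Indicators taken from the write-up above.
LANDING_PATH = "/cyprus_bail.html"          # path on each compromised site
EXPLOIT_HOST = "crackedserverz.com"        # Black Hole Exploit Kit server
C2_ENDPOINTS = {                           # Zbot phone-home URL prefixes
    "202.29.5.195": "/J9/vp/",
    "188.93.208.130": "/J9/vp/",
    "203.113.98.131": "/asp/intro.php",
}

def refang(url: str) -> str:
    """Turn a defanged scheme (hxxp://, hxxps://) back into a parseable one."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.IGNORECASE)

def classify(url: str) -> Optional[str]:
    """Map a requested URL to a campaign stage, or None if nothing matches."""
    url = refang(url)
    if "://" not in url:                   # bare host/path as listed for the C&C servers
        url = "http://" + url
    parts = urlsplit(url)
    host, path = parts.hostname or "", parts.path
    if path.lower().endswith(LANDING_PATH):
        return "stage1:landing-page"
    if host == EXPLOIT_HOST:
        # The same .php serves exploits; with a query string it hands out the payload.
        return "stage3:payload-drop" if parts.query else "stage2:exploit-kit"
    c2_prefix = C2_ENDPOINTS.get(host)
    if c2_prefix and path.startswith(c2_prefix):
        return "stage4:c2-beacon"
    return None

# Constructed proxy log ("epoch client method url"), not real traffic.
SAMPLE_LOG = """\
1364000001 10.0.0.5 GET http://www.photoshopbus.co.uk/cyprus_bail.html
1364000002 10.0.0.5 GET http://crackedserverz.com/kill/larger_emergency.php
1364000003 10.0.0.5 GET http://crackedserverz.com/kill/larger_emergency.php?pcxbri=1n:33&cxqsgrdy=36
1364000004 10.0.0.5 POST http://202.29.5.195/J9/vp//EGa+AAAAAA/2MB9vCAAAA/
1364000005 10.0.0.9 GET http://www.bbc.co.uk/news/
"""

def scan_log(text: str) -> List[Tuple[str, str, str]]:
    """Return (timestamp, client, stage) for every line that hits a campaign indicator."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and (stage := classify(fields[3])):
            hits.append((fields[0], fields[1], stage))
    return hits
```

A client that appears at stage 4 without earlier stages is still worth triage, since the same C&C addresses were reused from earlier campaigns.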

Webroot SecureAnywhere users are proactively protected from this threat.

You can find more about Dancho Danchev at his LinkedIn Profile. You can also follow him on Twitter.
