Historical OSINT – The ‘Boston Marathon explosion’ and ‘Fertilizer plant explosion in Texas’ themed malware campaigns


Following the recent events, opportunistic cybercriminals have been spamvertising tens of thousands of malicious emails in an attempt to capitalize on the latest breaking news.

We are currently aware of two “Boston marathon explosion” themed campaigns from last week, one of which impersonates CNN, plus a “fertilizer plant explosion in Texas” themed campaign; all of them redirect to either RedKit or the market-leading Black Hole Exploit Kit.

Let’s profile the campaigns that took place last week, to assist in the ongoing attack attribution process.

More details:

[Screenshot: the landing page’s mix of YouTube-hosted videos (Texas fertilizer explosion theme)]

Excluding the CNN-themed emails, which link to compromised domains, the rest link directly to a malicious IP address. The file names are consistent across the campaigns: news.html, boston.html, texas.html and cnn_boston.html.

Sample spamvertised URLs observed in all of the campaigns (exact duplicates removed, grouped by landing file name):

boston.html:
hxxp://190.245.177.248/boston.html
hxxp://78.90.133.133/boston.html
hxxp://176.241.148.169/boston.html
hxxp://95.87.6.156/boston.html
hxxp://46.233.4.113/boston.html
hxxp://213.34.205.27/boston.html
hxxp://37.229.92.116/boston.html
hxxp://95.69.141.121/boston.html
hxxp://110.92.80.47/boston.html
hxxp://62.45.148.76/boston.html
hxxp://118.141.37.122/boston.html
hxxp://94.153.15.249/boston.html
hxxp://178.137.100.12/boston.html
hxxp://24.180.60.184/boston.html
hxxp://85.217.234.98/boston.html
hxxp://94.28.49.130/boston.html

news.html:
hxxp://213.34.205.27/news.html
hxxp://78.90.133.133/news.html
hxxp://95.87.6.156/news.html
hxxp://176.241.148.169/news.html
hxxp://182.235.147.164/news.html
hxxp://sistasplace.org/news.html
hxxp://94.153.15.249/news.html
hxxp://219.198.196.116/news.html
hxxp://94.28.49.130/news.html
hxxp://78.90.213.244/news.html
hxxp://85.217.234.98/news.html
hxxp://37.229.215.183/news.html
hxxp://83.170.192.154/news.html

cnn_boston.html:
hxxp://china-ptjc.com/cnn_boston.html
hxxp://kuzenergo.ru/cnn_boston.html
hxxp://alltomforsakringar.nu/cnn_boston.html
hxxp://smslanens.se/cnn_boston.html
hxxp://www.smslanens.se/cnn_boston.html
hxxp://numeralarmowy-112.pl/cnn_boston.html
hxxp://ochronaprawkonsumenta.pl/cnn_boston.html
hxxp://www.vdnh.kiev.ua/cnn_boston.html
hxxp://higherthanab.com/cnn_boston.html
hxxp://business-link.net/cnn_boston.html
hxxp://www.peaceofchristparish.org/cnn_boston.html
hxxp://mezdustrok.com.ua/cnn_boston.html
hxxp://skinnee.net/cnn_boston.html
hxxp://host321.ru/cnn_boston.html
hxxp://econ-group.com/cnn_boston.html
hxxp://peaceofchristparish.org/cnn_boston.html
hxxp://vdnh.kiev.ua/cnn_boston.html
hxxp://mannesmann.cz/cnn_boston.html

texas.html:
hxxp://46.40.33.20/texas.html
hxxp://94.28.49.130/texas.html
hxxp://219.198.196.116/texas.html
hxxp://178.150.115.38/texas.html
hxxp://94.153.15.249/texas.html
hxxp://85.198.81.26/texas.html
hxxp://37.229.215.183/texas.html
hxxp://95.87.6.156/texas.html
hxxp://182.235.147.164/texas.html
hxxp://110.92.80.47/texas.html
hxxp://83.170.192.154/texas.html
hxxp://78.90.133.133/texas.html
hxxp://118.141.37.122/texas.html
hxxp://176.241.148.169/texas.html
hxxp://213.34.205.27/texas.html
hxxp://159.148.43.126/texas.html
hxxp://213.231.13.137/texas.html
hxxp://178.137.120.224/texas.html
hxxp://85.217.234.98/texas.html
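The list above mixes bare IP addresses, compromised domains and repeated entries. The Python below is an added example (it is not code from the original post): it refangs the hxxp:// URLs, drops exact duplicates, groups the hosts by landing file name, and reports which hosts served more than one of the campaign’s pages, which is exactly the infrastructure overlap that helps the attribution the post is after. The sample input is a handful of lines copied from the list; the function and variable names are the example’s own.

```python
import ipaddress
from collections import defaultdict
from urllib.parse import urlsplit

# Sample input: lines copied from the spamvertised URL list above, including
# duplicates and a mix of IP and domain hosts, as they appear in the post.
SAMPLE_IOCS = """\
hxxp://95.87.6.156/boston.html
hxxp://95.87.6.156/news.html
hxxp://95.87.6.156/news.html
hxxp://sistasplace.org/news.html
hxxp://alltomforsakringar.nu/cnn_boston.html
hxxp://www.smslanens.se/cnn_boston.html
hxxp://smslanens.se/cnn_boston.html
hxxp://95.87.6.156/texas.html
hxxp://46.40.33.20/texas.html
"""

# The four landing file names the post reports for these campaigns.
CAMPAIGN_FILES = {"news.html", "boston.html", "texas.html", "cnn_boston.html"}


def refang(url: str) -> str:
    """Turn a defanged hxxp:// or hxxps:// URL back into a parseable http(s) URL."""
    url = url.strip()
    return "http" + url[4:] if url.startswith("hxxp") else url


def host_kind(host: str) -> str:
    """'ip' for a literal IPv4/IPv6 host, 'domain' otherwise."""
    try:
        ipaddress.ip_address(host)
        return "ip"
    except ValueError:
        return "domain"


def parse_iocs(text: str) -> dict:
    """Parse one defanged URL per line, drop exact duplicates, group by landing file name.

    Returns {file_name: [{"host": ..., "kind": "ip"|"domain", "url": ...}, ...]},
    preserving first-seen order within each group.
    """
    seen = set()
    by_file = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        url = refang(line)
        if url in seen:          # exact duplicate: the list in the post has many
            continue
        seen.add(url)
        parts = urlsplit(url)
        name = parts.path.rsplit("/", 1)[-1]
        by_file[name].append({"host": parts.hostname, "kind": host_kind(parts.hostname), "url": url})
    return dict(by_file)


def hosts_for(groups: dict, file_name: str) -> list:
    """Unique hosts that served a given landing file, in first-seen order."""
    return [entry["host"] for entry in groups.get(file_name, [])]


def off_pattern(groups: dict) -> list:
    """Landing file names that do not belong to the campaign's known set (worth a second look)."""
    return sorted(name for name in groups if name not in CAMPAIGN_FILES)


def shared_hosts(groups: dict) -> dict:
    """Hosts that served more than one landing file: {host: sorted file names}."""
    files_by_host = defaultdict(set)
    for name, entries in groups.items():
        for entry in entries:
            files_by_host[entry["host"]].add(name)
    return {host: sorted(files) for host, files in files_by_host.items() if len(files) > 1}


if __name__ == "__main__":
    groups = parse_iocs(SAMPLE_IOCS)
    for name, entries in groups.items():
        print(name, [e["host"] for e in entries])
    print("shared infrastructure:", shared_hosts(groups))
```

Run over the full list, `shared_hosts` surfaces the IP addresses that hosted boston.html, news.html and texas.html alike, while `off_pattern` flags anything outside the four known file names.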

The first campaign directly exposes users to the malicious executable (boston.avi_______.exe), while multiple YouTube-hosted videos load in the background of the page.

We’ve observed the following MD5s that were in circulation last week:
MD5: 5ea646ffdc1e9bc7759fdfc926de7660
MD5: 959e2dcad471c86b4fdcf824a6a502dc
MD5: 6ad5c11fb0e0c7c5e1cbc736b4b66676

Once executed, MD5: 5ea646ffdc1e9bc7759fdfc926de7660 phones back to 77.123.40.41:80; 37.229.97.11:80; 190.18.237.20:80; 176.103.0.22:80. Once executed, MD5: 959e2dcad471c86b4fdcf824a6a502dc phones back to hxxp://5.105.102.232/home.htm.

Some of the applets in the RedKit variation of the campaign contain the static string “sdioolg sh ispod”.
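A static string like this is a quick triage signature for captured applets. The Python below is an added example, not from the original post: it builds a toy jar in memory (constructed for the demonstration, not a real sample) and scans every entry of a jar for the marker. This works because an ASCII string literal in a class file’s constant pool is stored as the same bytes, and `zipfile` decompresses each entry before the search. The marker is the one quoted above; the function names and the toy jar layout are the example’s own.

```python
import io
import zipfile

# The static string reported in the post for the RedKit applets.
REDKIT_MARKER = b"sdioolg sh ispod"


def build_sample_jar(with_marker: bool) -> bytes:
    """Construct a toy applet jar in memory (a stand-in, not a real sample).

    The class entry carries the 0xCAFEBABE magic and either the marker or a
    harmless string, so the scanner has something realistic to search.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        payload = REDKIT_MARKER if with_marker else b"harmless"
        zf.writestr("a/b/C.class", b"\xca\xfe\xba\xbe" + b"\x00" * 16 + payload + b"\x00" * 8)
    return buf.getvalue()


def scan_jar(jar_bytes: bytes, markers=(REDKIT_MARKER,), max_entry=10_000_000) -> list:
    """Return (entry name, marker) for every jar entry containing one of the markers.

    Entries are decompressed by zipfile, so compressed .class files are searched
    in their real form. Oversized entries are skipped to avoid decompression bombs.
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir() or info.file_size > max_entry:
                continue
            data = zf.read(info)
            for marker in markers:
                if marker in data:
                    hits.append((info.filename, marker.decode()))
    return hits


def is_marker_jar(jar_bytes: bytes) -> bool:
    return bool(scan_jar(jar_bytes))


if __name__ == "__main__":
    print(scan_jar(build_sample_jar(True)))   # the marker hit
    print(scan_jar(build_sample_jar(False)))  # nothing
```

Treat a hit as a campaign-specific indicator rather than a RedKit signature: the operators can change the string at any time, so the URL patterns and the dropped MD5s below should be checked alongside it.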

Sample RedKit redirectors found on the malicious and spamvertised URLs:
hxxp://bestdoghouseplans.com/azsq.html
hxxp://compfixer.net/ecsr.html
hxxp://chartspmsasia.com/weir.html
hxxp://mcfamiliesinneed.org/czsq.html
hxxp://techpourri.com/hhsr.html
hxxp://pcdesires.com/hoiq.html
hxxp://cedarpointchurch.org/azsr.html
hxxp://kentuckyautoexchange.com/czir.html

Sample redirection chain:
hxxp://212.75.18.190:80/texas.html -> hxxp://www.rkconnect.com:80/cjc.jar -> hxxp://www.rkconnect.com:80/83.html -> hxxp://ewhynwox.ru:80/newbos3.exe -> hxxp://jacobslpc.netne.net:80/n.htm_PSEUDO_RANDOM_CHARACTERS

Java exploit MD5: 590adc78f8965c881efcb0328924f40b – detected by 15 out of 46 antivirus scanners as HEUR:Exploit.Java.CVE-2012-1723.gen
Drops MD5: 502537a985e21eb8ceccd246d1bb4289 – detected by 29 out of 45 antivirus scanners as Backdoor:Win32/Kelihos.F
Second dropped MD5: 86f197e0353a97b630d9b1838520ade1 – detected by 23 out of 46 antivirus scanners as Trojan-PSW.Win32.Tepfer.iojc

Once executed, MD5: 86f197e0353a97b630d9b1838520ade1 phones back to 62.84.60.29:80 and to hxxp://31.128.186.162/login.htm. Once executed, MD5: 502537a985e21eb8ceccd246d1bb4289 phones back to hxxp://159.224.2.196/index.htm and hxxp://109.86.195.130/index.htm.
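The phone-home destinations listed for the four samples (here and for the first campaign above) come in two shapes: a bare ip:port and a full hxxp:// URL. The Python below is an added example (not from the original post) that normalises both forms into (host, port, path), matches them against constructed squid-style proxy log lines (timestamp, client, method, URL, status; not real traffic), and attributes each hit to the sample’s MD5. The function names and the log layout are the example’s own.

```python
from urllib.parse import urlsplit

# Phone-home destinations exactly as listed in the post, keyed by sample MD5.
C2_IOCS = {
    "5ea646ffdc1e9bc7759fdfc926de7660": ["77.123.40.41:80", "37.229.97.11:80",
                                         "190.18.237.20:80", "176.103.0.22:80"],
    "959e2dcad471c86b4fdcf824a6a502dc": ["hxxp://5.105.102.232/home.htm"],
    "86f197e0353a97b630d9b1838520ade1": ["62.84.60.29:80", "hxxp://31.128.186.162/login.htm"],
    "502537a985e21eb8ceccd246d1bb4289": ["hxxp://159.224.2.196/index.htm",
                                         "hxxp://109.86.195.130/index.htm"],
}

# Constructed proxy log lines (timestamp client method url status) - not real traffic.
SAMPLE_LOG = """\
1366200000.123 10.0.0.5 GET http://www.example.com/ 200
1366200001.456 10.0.0.7 POST http://5.105.102.232/home.htm 200
1366200002.789 10.0.0.9 GET http://77.123.40.41/ 200
1366200003.000 10.0.0.9 GET http://159.224.2.196/index.htm?q=1 404
1366200004.000 10.0.0.5 GET http://31.128.186.162:8080/other 200
"""


def normalise_ioc(ioc: str) -> tuple:
    """Map 'ip:port' or a (defanged) URL to (host, port or None, path or None).

    A bare ip:port constrains the port but not the path; a URL constrains the
    path (query ignored) and the port only if one is written in the URL.
    """
    if "://" in ioc:
        parts = urlsplit(ioc.replace("hxxp://", "http://", 1))
        return parts.hostname, parts.port, parts.path
    host, _, port = ioc.partition(":")
    return host, (int(port) if port else None), None


def build_index(iocs: dict) -> dict:
    """{(host, port, path): md5} for every listed destination."""
    return {normalise_ioc(dest): md5 for md5, dests in iocs.items() for dest in dests}


def match_log(log_text: str, iocs: dict = C2_IOCS) -> list:
    """Return (client, url, md5) for each log line whose URL matches a C2 destination."""
    index = build_index(iocs)
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        client, url = fields[1], fields[3]
        parts = urlsplit(url)
        port = parts.port or 80            # plain http default when the log omits it
        for (host, ioc_port, ioc_path), md5 in index.items():
            if host != parts.hostname:
                continue
            if ioc_port is not None and ioc_port != port:
                continue
            if ioc_path is not None and ioc_path != parts.path:
                continue
            hits.append((client, url, md5))
    return hits


if __name__ == "__main__":
    for client, url, md5 in match_log(SAMPLE_LOG):
        print(f"{client} -> {url}  (sample {md5})")
```

The last sample line shows the caveat: a request to a listed C2 host on a different port and path is not flagged, so a host-only watch list is the right complement when you care about any contact with that address.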

Now let’s sample the Black Hole Exploit Kit campaigns using the same theme, also launched last week.

Sample redirection chain:
hxxp://alltomforsakringar.nu/cnn_boston.html -> hxxp://thesecondincomee.com/news/agency_row_fixed.php -> hxxp://thesecondincomee.com/news/agency_row_fixed.php?uf=1l:30:1l:1g:1j&ye=1n:1g:2v:1f:1l:32:1h:1f:31:30&t=1f&dh=v&cu=m&jopa=
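As an added example (not code from the original post), the Python below splits both redirection chains quoted in this post, the RedKit one above and this Black Hole one, into hops and labels each hop using patterns taken only from the URLs on this page: the four campaign landing file names, the short lowercase .jar/.html names in the RedKit chain and redirector list, the .php page whose query carries the uf/ye/t/dh/cu parameters in the Black Hole chain, .exe payload downloads, and the .htm check-in pages. The patterns and labels are assumptions derived from these samples, not authoritative exploit-kit signatures; the function names are the example’s own.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Both chains copied from the post (the RedKit one keeps its original "– >" arrow variant).
REDKIT_CHAIN = ("hxxp://212.75.18.190:80/texas.html -> hxxp://www.rkconnect.com:80/cjc.jar – > "
                "hxxp://www.rkconnect.com:80/83.html -> hxxp://ewhynwox.ru:80/newbos3.exe -> "
                "hxxp://jacobslpc.netne.net:80/n.htm_PSEUDO_RANDOM_CHARACTERS")
BLACKHOLE_CHAIN = ("hxxp://alltomforsakringar.nu/cnn_boston.html -> "
                   "hxxp://thesecondincomee.com/news/agency_row_fixed.php -> "
                   "hxxp://thesecondincomee.com/news/agency_row_fixed.php"
                   "?uf=1l:30:1l:1g:1j&ye=1n:1g:2v:1f:1l:32:1h:1f:31:30&t=1f&dh=v&cu=m&jopa=")

ARROW = re.compile(r"\s*[-–]\s*>\s*")        # tolerate "->", "- >" and "– >"
SPAM_LANDING = {"news.html", "boston.html", "texas.html", "cnn_boston.html"}
REDKIT_NAME = re.compile(r"^[a-z]{3,4}\.(jar|html)$")   # cjc.jar, azsq.html ... (assumption from this page)
BLACKHOLE_PARAMS = {"uf", "ye", "t", "dh", "cu"}          # query keys in the Black Hole chain above
CHECKIN_NAME = re.compile(r"^[a-z]+\.htm(_|$)")           # home.htm, login.htm, index.htm, n.htm_...


def parse_chain(chain: str) -> list:
    """Split a printed 'a -> b -> c' chain into refanged hop URLs."""
    return [hop.replace("hxxp://", "http://", 1) for hop in ARROW.split(chain.strip()) if hop]


def classify_hop(url: str) -> str:
    """Label one hop. Order matters: news.html would also match REDKIT_NAME."""
    parts = urlsplit(url)
    name = parts.path.rsplit("/", 1)[-1]
    query = parse_qs(parts.query, keep_blank_values=True)
    if name in SPAM_LANDING:
        return "spam landing page"
    if name.endswith(".php") and BLACKHOLE_PARAMS <= set(query):
        return "Black Hole exploit page"
    if name.endswith(".php"):
        return "Black Hole redirector"
    if name.endswith(".exe"):
        return "payload download"
    if REDKIT_NAME.match(name):
        return "RedKit redirector/applet"
    if CHECKIN_NAME.match(name):
        return "post-infection check-in"
    return "unclassified"


def kit_for_chain(chain: str) -> str:
    """Attribute a whole chain to a kit from its labelled hops."""
    labels = [classify_hop(hop) for hop in parse_chain(chain)]
    if any(label.startswith("Black Hole") for label in labels):
        return "Black Hole"
    if any(label.startswith("RedKit") for label in labels):
        return "RedKit"
    return "unknown"


if __name__ == "__main__":
    for chain in (REDKIT_CHAIN, BLACKHOLE_CHAIN):
        print(kit_for_chain(chain))
        for hop in parse_chain(chain):
            print("  ", classify_hop(hop).ljust(26), hop)
```

The numbered 83.html hop in the RedKit chain deliberately comes out as unclassified: one sample is not enough to generalise a pattern for it, and a classifier that guesses there will misfire on ordinary sites.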

Java exploit MD5: 26fbf13938b42848a5f4fdb4c0507303 – detected by 8 out of 46 antivirus scanners as HEUR:Exploit.Java.CVE-2012-0507.gen
PDF exploit MD5: 6d254436947947d6ff37dd8f62ec50e6 – detected by 26 out of 46 antivirus scanners as PDF:Exploit.PDF-JS.ZB
Drops MD5: 59ef50a8bca626f0e2b1d86c43e810fc – detected by 1 out of 46 antivirus scanners as Troj/EncProc-K
Drops MD5: f1dd872dbb87d019ecc82bfe7169cb21 – detected by 1 out of 46 antivirus scanners as Troj/EncProc-K
Drops MD5: c385ad235959c66a4a76eec41aa36fed – detected by 1 out of 46 antivirus scanners as Troj/EncProc-K

Webroot SecureAnywhere users are proactively protected from these threats.

You can find more about Dancho Danchev at his LinkedIn Profile. You can also follow him on Twitter.

