Fake ‘Apple Store Gift Card’ themed emails serve client-side exploits and malware

by


Apple Store users, beware!

A currently ongoing malicious spam campaign is attempting to trick users into thinking that they’ve successfully received a legitimate ‘Gift Card’ worth $200. What’s particularly interesting about this campaign is that the cybercriminal(s) behind it are mixing the infection vectors by relying on both a malicious attachment and a link to the same malware found in the malicious emails. Users can become infected by either executing the attachment or by clicking on the client-side exploits serving link found in the emails.

More details:

Sample screenshot of the spamvertised email:

Apple_Store_Fake_Email_Spam_Malicious_Gift_Card_Malware_Exploits_Malicious_Software_Social_Engineering

Detection rate for the malicious attachment – MD5: 74cff87704aec030d7ad1171366aff87 – detected by 8 out of 46 antivirus scanners as UDS:DangerousObject.Multi.Generic; PWSZbot-FBX!74CFF87704AE.

Once executed, the sample starts listening on port 7499.

It the creates the following Mutexes:
Local{B0B9FAFD-CA9C-4B54-DBC9-BE58FA349D4A}
Local{B0B9FAFC-CA9D-4B54-DBC9-BE58FA349D4A}
Local{D15F4CEE-7C8F-2AB2-DBC9-BE58FA349D4A}
Local{D15F4CE9-7C88-2AB2-DBC9-BE58FA349D4A}
Local{0BB5ADEF-9D8E-F058-DBC9-BE58FA349D4A}
Local{911F9FCD-AFAC-6AF2-DBC9-BE58FA349D4A}
Global{2E06BA86-8AE7-D5EB-DBC9-BE58FA349D4A}
Global{B0B9FAFD-CA9C-4B54-DBC9-BE58FA349D4A}
Global{B0B9FAFC-CA9D-4B54-DBC9-BE58FA349D4A}
Global{D15F4CEE-7C8F-2AB2-DBC9-BE58FA349D4A}
Global{D15F4CE9-7C88-2AB2-DBC9-BE58FA349D4A}
Global{0BB5ADEF-9D8E-F058-DBC9-BE58FA349D4A}
Global{BB67AFC4-9FA5-408A-DBC9-BE58FA349D4A}
Global{5971F053-C032-A29C-11EB-B06D3016937F}
Global{5971F053-C032-A29C-75EA-B06D5417937F}
Global{5971F053-C032-A29C-4DE9-B06D6C14937F}
Global{5971F053-C032-A29C-65E9-B06D4414937F}
Global{5971F053-C032-A29C-89E9-B06DA814937F}
Global{5971F053-C032-A29C-BDE9-B06D9C14937F}
Global{5971F053-C032-A29C-51E8-B06D7015937F}
Global{5971F053-C032-A29C-81E8-B06DA015937F}
Global{5971F053-C032-A29C-FDE8-B06DDC15937F}
Global{5971F053-C032-A29C-0DEF-B06D2C12937F}
Global{5971F053-C032-A29C-5DEF-B06D7C12937F}
Global{5971F053-C032-A29C-95EE-B06DB413937F}
Global{5971F053-C032-A29C-F1EE-B06DD013937F}
Global{5971F053-C032-A29C-89EB-B06DA816937F}
Global{5971F053-C032-A29C-F9EF-B06DD812937F}
Global{5971F053-C032-A29C-E5EF-B06DC412937F}
Global{5971F053-C032-A29C-0DEE-B06D2C13937F}
Global{5971F053-C032-A29C-09ED-B06D2810937F}
Global{5971F053-C032-A29C-51EF-B06D7012937F}
Global{5971F053-C032-A29C-35EC-B06D1411937F}
Global{5971F053-C032-A29C-55EF-B06D7412937F}
Global{DDB39BDC-ABBD-265E-DBC9-BE58FA349D4A}
Global{2E1C200D-106C-D5F1-DBC9-BE58FA349D4A}
MPSWabDataAccessMutex
MPSWABOlkStoreNotifyMutex

And phones back to the following C&C servers:
50.65.158.6
216.56.52.130
70.169.168.37
99.146.98.160
189.242.35.122
157.100.168.252
184.39.153.172
178.238.233.29
68.22.158.150
108.210.219.218
108.74.172.39
99.0.126.100
90.156.118.144
217.114.113.148
66.63.204.26
130.251.186.103
75.1.200.201
188.129.147.67
69.115.119.227
94.240.232.143
95.104.0.54
76.226.134.206
86.135.15.147
211.33.132.158
121.160.84.54
76.189.224.55
67.78.107.130
110.169.227.239
46.121.59.30
66.101.206.254

Client-side exploitation chain: hxxp://www.smartadvmedia.com/h8qn42r.html -> hxxp://nutnet.ir/dl/nnnew.txt -> hxxp://www.emotiontag.net/cp/nnnew.txt -> hxxp://aurummulier.pl/nnnew.txt -> hxxp://stevecozz.com/topic/sessions-folk-binds.php – 173.246.104.52 – Email: frankieags@hotmail.com

Related client-side exploits serving domains known to have phoned back to the same IP/have been registered with the same email:
gottaghost.com
gottagirl.net
gottagirl.com
gottaguy1.com
gottagirl.info
gottagirl.us

Detection rate for a sampled client-side exploit: MD5: 91cb051d427bd7b679e1abc99983338e – detected by 2 out of 45 antivirus scanners as Mal/ExpJava-F.

Upon successful client-side exploitation, the campaign once again drops MD5: 74cff87704aec030d7ad1171366aff87.

We’re also aware of the following malicious MD5s that phoned back to same C&C servers over the past 24 hours:
MD5: 938a74b82f205c90606861d4ea37d48f
MD5: 24f98624699be0fdc74ce2f02340f67d
MD5: 3309b71b91851af8a2590a5f57649fd7
MD5: 2bade056325fcfec7b24618a5ee374bd
MD5: fcdfbc0604056f5a188431ef1d15549b
MD5: 074192e7f3b35725b9e14cbdc5189f6c
MD5: fcdfbc0604056f5a188431ef1d15549b
MD5: 074192e7f3b35725b9e14cbdc5189f6c
MD5: 139fe84beff22ffeb1ceef46fb243cbb
MD5: ed867f2eeb75aeb0392914022e62f9e2
MD5: 0be1b7f16091833da78f2a584ff4ecec
MD5: afc568ef98c67654ee89fe3ea1610408
MD5: 3ab0d85967e52ac246c4d52244f3dfc9
MD5: bf999b907ab611cb89aacd6304d87a68
MD5: b91a6e25625c724960990bdca9030bf4
MD5: 3af3b678570b3e30184db786b611d437
MD5: cb58ff571df8ba9c7960bcd03e35466b
MD5: c3b1884cda34740b38f4a273e3091e9e
MD5: d8cc4e1c491164f671a9a2e7f81178f0
MD5: 7d165513e1377213f231e7d89dcf3eee
MD5: b10d073b345f77426bac871d8a11498d
MD5: 38f247a3dec68004469bf4c745ee3617
MD5: f4ac698edd91803fbec358edcec1e09c
MD5: 27092120073d9ec572f0a83329eaa46d
MD5: 65e83c141307e3df6783c31b75204cbe
MD5: a0fe0824255b5f46b03bf33579ff9706
MD5: a5f399fa0f31d2d7695e6ce406ae434d
MD5: 80c86f34f2ae4062a7ec6918d4cd8e69
MD5: 1900dcd0c3a94f46a2b939b370d2d93f
MD5: e7569ff62e94952e03026d431ff7ad95
MD5: 092adf8366c7ccc584f590892225100b
MD5: 48cc5708ebe76f3908d3140ee9d05ece

Webroot SecureAnywhere users are proactively protected from these threats.

You can find more about Dancho Danchev at his LinkedIn Profile. You can also follow him on Twitter.


Trackbacks

  1. […] researchers from Webroot have revealed a malicious email campaign attempting to trick users into thinking they’ve […]

  2. […] un nou atac de tip informatic in care posesorii de Apple ID-uri sunt tintele. Practic vorbim despre o combinatie dintre un atac de tip phishing si un atac de tip malware, utilizatorii care acceseaza link-urile […]

  3. […] researchers from Webroot have revealed a malicious email campaign attempting to trick users into thinking they’ve received […]

  4. […] researchers from Webroot have revealed a malicious email campaign attempting to trick users into thinking they’ve received […]

  5. […] fans beware! A new email phishing campaign dangling a bogus $200 Apple Store gift card as bait to snag unsuspecting victims is making the rounds, according to security firm […]

  6. […] fans beware! A new email phishing campaign dangling a bogus $200 Apple Store gift card as bait to snag unsuspecting victims is making the rounds, according to security firm […]

  7. […] fans beware! A new email phishing campaign dangling a bogus $200 Apple Store gift card as bait to snag unsuspecting victims is making the rounds, according to security firm […]

  8. […] fans beware! A new email phishing campaign dangling a bogus $200 Apple Store gift card as bait to snag unsuspecting victims is making the rounds, according to security firm […]

  9. […] fans beware! A new email phishing campaign dangling a bogus $200 Apple Store gift card as bait to snag unsuspecting victims is making the rounds, according to security firm […]

  10. […] fans beware! A new email phishing campaign dangling a bogus $ 200 Apple Store gift card as bait to snag unsuspecting victims is making the rounds, according to security firm […]

  11. […] fans beware! A new email phishing campaign dangling a bogus $200 Apple Store gift card as bait to snag unsuspecting victims is making the rounds, according to security firm […]

  12. […] fans beware! A new email phishing campaign dangling a bogus US$200 Apple Store gift card as bait to snag unsuspecting victims is making the rounds, according to security firm […]

  13. […] researchers from Webroot have revealed a malicious email campaign attempting to trick users into thinking they’ve received […]

  14. […] fans beware! A new email phishing campaign dangling a bogus US$200 Apple Store gift card as bait to snag unsuspecting victims is making the rounds, according to security firm […]

  15. […] researchers from Webroot have revealed a malicious email campaign attempting to trick users into thinking they’ve received […]

  16. […] debes tener cuidado cuando alguien afirma entregarte dinero gratis, los expertos de seguridad de Webroot han decidido advertir sobre una peligrosa estafa que circula en […]

  17. […] email state:“ Dear client! You got our $200 Apple Store Gift Card. Apple Store Gift Cards can be used to buy […]

  18. […] researchers from Webroot have revealed a malicious email campaign attempting to trick users of Apple products into thinking […]

  19. […] recently unveiled their findings on a nasty phishing email that lures you in with the promise of a $200 Apple Store […]