Spamvertised “FDIC: Your business account” themed emails serve client-side exploits and malware


Cybercriminals are mass mailing tens of thousands of malicious Federal Deposit Insurance Corporation (FDIC) themed emails in an attempt to trick users into clicking on the URLs found in the bogus emails, which serve client-side exploits and drop malware. Let’s dissect the campaign, expose the portfolio of malicious domains it uses, provide MD5s for a sample exploit and the dropped malware, and connect the campaign with previously profiled malicious campaigns.

Sample screenshot of the spamvertised email:

[Image: FDIC-themed spam email]

Sample redirection chain:
hxxp://stranniki-music.ru/insurance.problem.html (62.173.142.30) -> hxxp://www.fdic.gov.horse-mails.net/news/fdic-insurance.php (174.142.186.89; 216.218.208.55; 109.71.136.140; 37.221.163.174; 95.111.32.249) Email: comicmotors@writeme.com
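
The landing host in the chain above places the real FDIC domain as the leading labels of an unrelated registered domain. As an added example (not part of the original post), the following Python flags that pattern in defanged or live URLs taken from mail or proxy logs; the `PROTECTED` list, the function names and every sample URL not taken from the chain are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption: domains the organisation wants to watch for impersonation.
PROTECTED = ("fdic.gov", "irs.gov", "nacha.org")

def hostname(url):
    """Refang a defanged URL (hxxp, [.]) and return its lowercase hostname."""
    url = re.sub(r"^hxxp", "http", url.strip(), flags=re.I).replace("[.]", ".")
    if "://" not in url:
        url = "//" + url  # bare hostname: let urlsplit treat it as a netloc
    return (urlsplit(url).hostname or "").rstrip(".").lower()

def impersonated_brand(host):
    """Return the protected domain embedded in host's leading or middle labels,
    or None when host is unrelated or genuinely under that domain."""
    labels = host.split(".")
    for brand in PROTECTED:
        if host == brand or host.endswith("." + brand):
            continue  # real site or one of its subdomains
        want = brand.split(".")
        # Stop one position short of the end: a run that reaches the last
        # label would mean the host really ends with the brand.
        for i in range(len(labels) - len(want)):
            if labels[i:i + len(want)] == want:
                return brand
    return None

def scan(urls):
    """Map each flagged URL to the brand it imitates."""
    hits = {}
    for u in urls:
        brand = impersonated_brand(hostname(u))
        if brand:
            hits[u] = brand
    return hits

SAMPLES = [
    "hxxp://www.fdic.gov.horse-mails.net/news/fdic-insurance.php",  # from the chain above
    "hxxp://stranniki-music.ru/insurance.problem.html",             # from the chain above
    "https://www.fdic.gov/resources/",       # constructed: legitimate host
    "hxxp://nacha.org.example.net/report",   # constructed
    "irs[.]gov[.]example[.]com",             # constructed, no scheme
]

if __name__ == "__main__":
    for url, brand in scan(SAMPLES).items():
        print(f"{brand:10} imitated by {url}")
```

The check needs no public-suffix list because it only asks whether a protected domain appears as a label run that is not the end of the hostname.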

Known to have responded to the same IP (174.142.186.89) are also the following fraudulent/malicious domains:

The following malicious MD5s are also known to have phoned back to the same IP in the past:
MD5: d672db2c3f398f1bb55ed0030467277d
MD5: 5cb9893095f6087fe741853213f244e8

Known to have responded to 62.173.142.30 are also the following malicious domains:
megapolis-cars.ru
poleznoeda.ru
rutexim.ru
stranniki-music.ru
xn--80ahcajwqeee.xn--p1ai

Known to have responded to 216.218.208.55 are also the following malicious domains:
demuronline.net
samsung-galaxy-games.net

Known to have responded to 95.111.32.249 are also the following malicious domains:
stjamesang.net

Name servers part of the campaign’s infrastructure:
Name Server: NS1.NAMASTELEARNING.NET – 86.64.152.26 – Email: minelapse2001@outlook.com – Deja vu! We’ve already seen the same email used in a related Facebook themed malicious campaign.
Name Server: NS2.NAMASTELEARNING.NET – 205.28.29.52

The same name servers also provide DNS services to the following malicious domains:

MD5 for a sample of the served client-side exploit: 92897ad0aff69dee36dc22140bf3d8a9. MD5 for a sample of the dropped malware: 7b6332de90e25a5b26f7c75910a22e0c.

Once executed, the sample phones back to the following C&C servers:

Webroot SecureAnywhere users are proactively protected from these threats.