{"id":10169,"date":"2013-03-21T00:00:05","date_gmt":"2013-03-21T07:00:05","guid":{"rendered":"http:\/\/blog.webroot.com\/?p=10169"},"modified":"2018-10-05T12:23:30","modified_gmt":"2018-10-05T18:23:30","slug":"fake-cnn-breaking-news-alerts-themed-emails-lead-to-black-hole-exploit-kit","status":"publish","type":"post","link":"https://www.webroot.com/blog/2013\/03\/21\/fake-cnn-breaking-news-alerts-themed-emails-lead-to-black-hole-exploit-kit\/","title":{"rendered":"Fake &#8216;CNN Breaking News Alerts&#8217; themed emails lead to Black Hole Exploit Kit"},"content":{"rendered":"<p><strong>By Dancho\u00a0Danchev<\/strong><\/p>\n<p>Cybercriminals are currently mass mailing tens of thousands of malicious &#8216;CNN Breaking News&#8217; themed emails, in an attempt to trick users into clicking on the exploit-serving and malware-dropping links found within. Once users click on any of the links found in the bogus emails, they&#8217;re automatically exposed to the client-side exploits served by the <a href=\"http:\/\/blog.webroot.com\/tag\/black-hole-exploit-kit\/\"><strong>Black Hole Exploit Kit<\/strong><\/a>.<\/p>\n<p>More details:<\/p>\n<p><!--more--><\/p>\n<p><strong>Sample screenshot of the spamvertised email:<\/strong><\/p>\n<p style=\"text-align: center;\"><a href=\"http:\/\/webrootblog.files.wordpress.com\/2013\/03\/fake_email_spam_cnn_breaking_news_alerts_exploits_malware_social_engineering_black_hole_exploit_kit.png\"><img decoding=\"async\" loading=\"lazy\" class=\"aligncenter wp-image-10175\" src=\"http:\/\/webrootblog.files.wordpress.com\/2013\/03\/fake_email_spam_cnn_breaking_news_alerts_exploits_malware_social_engineering_black_hole_exploit_kit.png\" alt=\"Fake_Email_Spam_CNN_Breaking_News_Alerts_Exploits_Malware_Social_Engineering_Black_Hole_Exploit_Kit\" width=\"291\" height=\"314\" \/><\/a><\/p>\n<p><strong>Sample compromised URLs used in the campaign:<\/strong><br 
\/>\n<\/p>\n<p><strong>Sample client-side exploits serving URL:<\/strong> <em>hxxp:\/\/webpageparking.net\/kill\/borrowing_feeding_gather-interesting.php<\/em><\/p>\n<p><strong>Sample malicious payload dropping URL:<\/strong> <em>hxxp:\/\/webpageparking.net\/kill\/borrowing_feeding_gather-interesting.php?<\/em><br \/>\n<em>vxbzcc=1n:33:2v:1l:1h&amp;tvwogqxl=3i&amp;hkrjvnuc=1l:2v:1i:1i:2v:31:1n:1l:1o:1m&amp;levo=1n:1d:1f:1d:1f:1d:1j:1k:1l<\/em><\/p>\n<p><strong>Malicious domain name reconnaissance:<\/strong><br \/>\n<strong>webpageparking.net<\/strong> &#8211; 109.74.61.59; 24.111.157.113; 58.26.233.175; 155.239.247.247 &#8211; Email: mtviclub@yahoo.com<br \/>\nName Server: <strong>NS1.STREETCRY.NET<\/strong><br \/>\nName Server: <strong>NS2.STREETCRY.NET<\/strong><\/p>\n<p>We&#8217;ve already profiled the same Name Servers in the following malicious campaigns:<\/p>\n<ul>\n<li><span style=\"line-height: 16px;\"><a href=\"http:\/\/blog.webroot.com\/2013\/03\/13\/spamvertised-bbb-your-accreditation-terminated-themed-emails-lead-to-black-hole-exploit-kit\/\"><strong>Spamvertised BBB \u2018Your Accreditation Terminated\u2019 themed emails lead to Black Hole Exploit Kit<\/strong><\/a><br \/>\n<\/span><\/li>\n<li><strong><a 
href=\"http:\/\/blog.webroot.com\/2013\/03\/18\/adp-package-delivery-notification-themed-emails-lead-to-black-hole-exploit-kit\/\">\u2018ADP Package Delivery Notification\u2019 themed emails lead to Black Hole Exploit Kit<\/a><\/strong><\/li>\n<\/ul>\n<p><strong>Responding to 24.111.157.113 are also the following malicious domains, part of related campaigns:<\/strong><\/p>\n<p>Upon successful client-side exploitation, the campaign drops <a href=\"https:\/\/www.virustotal.com\/en\/file\/3e40e6903716e0a59a898242161c55c2ca100e539a665a8634e101346ce289be\/analysis\/\"><strong>MD5:\u00a024d406ef41e9a4bc558e22bde0917cc5<\/strong><\/a> &#8211; detected by 15 out of 45 antivirus scanners as Worm:Win32\/Cridex.E.<\/p>\n<p><strong>Once executed, the sample writes the following files on the affected hosts:<\/strong><br \/>\n<em>C:\\DOCUME~1\\&lt;USER&gt;~1\\LOCALS~1\\Temp\\exp1.tmp.bat<\/em><br \/>\n<em>C:\\DOCUME~1\\&lt;USER&gt;~1\\LOCALS~1\\Temp\\exp2.tmp.exe<\/em><br \/>\n<em>C:\\Documents and Settings\\&lt;USER&gt;\\Application Data\\B2CB1881\\B2CB1881<\/em><br \/>\n<em>C:\\DOCUME~1\\&lt;USER&gt;~1\\LOCALS~1\\Temp\\exp3.tmp.bat<\/em><\/p>\n<p><strong>Copies the following files:<\/strong><br \/>\n<em>Source: C:\\3e40e6903716e0a59a898242161c55c2ca100e539a665a8634e101346ce289be<\/em><br \/>\n<em>Destination: C:\\Documents and Settings\\&lt;USER&gt;\\Application Data\\KB00927107.exe<\/em><br \/>\n<em> 
Source: C:\\DOCUME~1\\&lt;USER&gt;~1\\LOCALS~1\\Temp\\exp2.tmp.exe<\/em><br \/>\n<em>Destination: C:\\Documents and Settings\\&lt;USER&gt;\\Application Data\\KB00927107.exe<\/em><\/p>\n<p><strong>Creates the following processes:<\/strong><br \/>\n<em>&quot;C:\\WINDOWS\\system32\\cmd.exe&quot; \/c &quot;C:\\DOCUME~1\\&lt;USER&gt;~1\\LOCALS~1\\Temp\\exp1.tmp.bat&quot;&quot;<\/em><br \/>\n<em>C:\\Documents and Settings\\&lt;USER&gt;\\Application Data\\KB00927107.exe<\/em><br \/>\n<em>C:\\DOCUME~1\\&lt;USER&gt;~1\\LOCALS~1\\Temp\\exp2.tmp.exe<\/em><br \/>\n<em>&quot;C:\\WINDOWS\\system32\\cmd.exe&quot; \/c &quot;C:\\DOCUME~1\\&lt;USER&gt;~1\\LOCALS~1\\Temp\\exp3.tmp.bat&quot;&quot;<\/em><\/p>\n<p><strong>The following Mutexes:<\/strong><\/p>\n<p style=\"text-align: center;\"><a href=\"http:\/\/webrootblog.files.wordpress.com\/2013\/03\/fake_email_spam_cnn_breaking_news_alerts_exploits_malware_social_engineering_black_hole_exploit_kit_01.png\"><img decoding=\"async\" loading=\"lazy\" class=\"aligncenter wp-image-10176\" src=\"http:\/\/webrootblog.files.wordpress.com\/2013\/03\/fake_email_spam_cnn_breaking_news_alerts_exploits_malware_social_engineering_black_hole_exploit_kit_01.png\" alt=\"Fake_Email_Spam_CNN_Breaking_News_Alerts_Exploits_Malware_Social_Engineering_Black_Hole_Exploit_Kit_01\" width=\"506\" height=\"212\" \/><\/a><\/p>\n<p>It then phones back to <strong>hxxp:\/\/203.171.234.53:8080\/DPNilBA\/ue1elBAAAA\/tlSHAAAAA\/<\/strong>. 
The following domains also resolve to this IP: <strong>lrdf.org.cn<\/strong> (Email: 956250032@qq.com); <strong>zgxjz.com<\/strong> (Email: gmc@sohumail.net).<\/p>\n<p>The command and control IP (203.171.234.53) used to respond to a Name Server in a previously profiled malicious campaign &#8211; &#8220;<a href=\"http:\/\/blog.webroot.com\/2013\/02\/19\/malicious-re-your-wire-transfer-themed-emails-serve-client-side-exploits-and-malware\/\"><strong>Malicious \u2018RE: Your Wire Transfer\u2019 themed emails serve client-side exploits and malware<\/strong><\/a>&#8221;.<\/p>\n<p><strong>The following malicious Name Servers are known to have responded to the same IP (203.171.234.53):<\/strong><\/p>\n<p style=\"text-align: center;\"><a href=\"http:\/\/webrootblog.files.wordpress.com\/2013\/03\/fake_email_spam_cnn_breaking_news_alerts_exploits_malware_social_engineering_black_hole_exploit_kit_02.png\"><img 
decoding=\"async\" loading=\"lazy\" class=\"aligncenter wp-image-10177\" src=\"http:\/\/webrootblog.files.wordpress.com\/2013\/03\/fake_email_spam_cnn_breaking_news_alerts_exploits_malware_social_engineering_black_hole_exploit_kit_02.png\" alt=\"Fake_Email_Spam_CNN_Breaking_News_Alerts_Exploits_Malware_Social_Engineering_Black_Hole_Exploit_Kit_02\" width=\"548\" height=\"317\" \/><\/a><\/p>\n<p>We believe that the C&amp;C server is a compromised host based in China, and that the same applies to the associated email addresses, as the QQ ID appears to be a legitimate one.<\/p>\n<p><strong><a href=\"https:\/\/www.webroot.com\/us\/en\/home\/products\/complete\">Webroot\u00a0SecureAnywhere<\/a><\/strong>\u00a0users are proactively protected from this threat.<\/p>\n<p><em>You can find more about Dancho\u00a0Danchev at his\u00a0<a href=\"http:\/\/linkedin.com\/in\/danchodanchev\"><strong>LinkedIn Profile<\/strong><\/a>. You can also\u00a0<a href=\"http:\/\/www.twitter.com\/danchodanchev\"><strong>follow him on Twitter<\/strong><\/a>.<\/em><\/p>\n","protected":false},"excerpt":{"rendered":"<p>By Dancho\u00a0Danchev Cybercriminals are currently mass mailing tens of thousands of malicious &#8216;CNN Breaking News&#8217; themed emails, in an attempt to trick users into clicking on the exploit-serving and malware-dropping links found within. 
Once users click on any of the links found in the bogus emails, they&#8217;re automatically exposed to the client-side exploits served by the [&hellip;]<\/p>\n","protected":false},"author":65,"featured_media":17048,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[3005],"tags":[],"yst_prominent_words":[13787,6187,6177,22339,5837,5835,22331,5839,22337,22333,11733,11729,6189,11735,11731,5841,22335,3869,11747,11745],"acf":[],"_links":{"self":[{"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/posts\/10169"}],"collection":[{"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/users\/65"}],"replies":[{"embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/comments?post=10169"}],"version-history":[{"count":3,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/posts\/10169\/revisions"}],"predecessor-version":[{"id":25635,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/posts\/10169\/revisions\/25635"}],"wp:featuredmedia":[{"embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/media\/17048"}],"wp:attachment":[{"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/media?parent=10169"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/categories?post=10169"},{"taxonomy":"post_tag","embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/tags?post=10169"},{"taxonomy":"yst_prominent_words","embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/yst_prominent_words?post=10169"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}