{"id":7738,"date":"2012-07-27T09:41:17","date_gmt":"2012-07-27T16:41:17","guid":{"rendered":"http:\/\/blog.webroot.com\/?p=7738"},"modified":"2018-10-05T11:13:41","modified_gmt":"2018-10-05T17:13:41","slug":"cybercriminals-target-twitter-spread-thousands-of-exploits-and-malware-serving-tweets","status":"publish","type":"post","link":"https://www.webroot.com/blog/2012\/07\/27\/cybercriminals-target-twitter-spread-thousands-of-exploits-and-malware-serving-tweets\/","title":{"rendered":"Cybercriminals target Twitter, spread thousands of exploits and malware serving tweets"},"content":{"rendered":"

Twitter users, beware!<\/p>\n

Over the past several days, cybercriminals have been persistently spamvertising thousands of exploits and malware serving links across the most popular micro blogging service. Upon clicking on the clicks, users are exposed to the exploits served by the Black Hole web malware exploitation kit.<\/p>\n

What’s so special about this campaign? What’s the detection rate of the malware it drops? Where does it phone back once it’s executed? Have we seen additional malware phone back to the same command and control servers, indication a connection between these campaigns? Let’s find out.<\/p>\n

More details:<\/p>\n

<\/p>\n

Screenshot of a sample automatically registered account spamvertising malicious links to thousands of Twitter users:<\/strong><\/p>\n

\"\"<\/a><\/p>\n

Next to English-speaking users, the campaign is also targeting Russian users since July, 23th, 2012:<\/strong><\/p>\n

\"\"<\/a><\/p>\n

The cybercriminals behind the campaign are also using a publicly available counter to measure the success of the campaign:<\/p>\n

\"\"<\/a><\/p>\n

The campaign is currently propagating in the following way – an automatically generated subdomain is spamvertised with an .html link consisting of the name of the prospective victim. The cybercriminals behind the campaign are harvesting Twitter user names, then automatically generating the username.html files. \u00a0For the time being, they’re only relying on two static propagation messages, namely, “It’s about \u0443ou?<\/em>” and “It’s \u0443ou \u043en photo?<\/em>“.<\/p>\n

Sample malicious URLs spamvertised across Twitter using multiple automatically registered accounts:<\/strong>
\nhxxp:\/\/avril0014.narod.ru\/#dancing_4_1D.html<\/em>
\nhxxp:\/\/vladim-vasiliev.narod2.ru\/#dancingSULKIN.html<\/em>
\nhxxp:\/\/467777.ru\/media\/#dancingKiin.html<\/em>
\nhxxp:\/\/school13spb.ru\/cli\/#dancinemms.html<\/em>
\nhxxp:\/\/daykiri91.narod2.ru\/#dancinela.html<\/em>
\nhxxp:\/\/delfina-200.narod2.ru\/#dancineasy.html<\/em>
\nhxxp:\/\/bumer574.narod.ru\/#dancindung.html<\/em>
\nhxxp:\/\/dfk-kazan.narod2.ru\/#dancinbranson.html<\/em>
\nhxxp:\/\/zaits-oleg.narod.ru\/#dancinbranflake.html<\/em>
\nhxxp:\/\/dimdj.narod.ru\/#dancinbraceface.html<\/em>
\nhxxp:\/\/ohgospodi.narod2.ru\/#dancin_nancy.html<\/em>
\nhxxp:\/\/cazakow-j.narod2.ru\/#dancin_gurrl22.html<\/em>
\nhxxp:\/\/wlad-07.narod2.ru\/#dancin_bearette.html<\/em>
\nhxxp:\/\/v1279610.narod2.ru\/#dancin_4STACKS.html<\/em>
\nhxxp:\/\/school13spb.ru\/cli\/#dancidaT.html<\/em>
\nhxxp:\/\/467777.ru\/media\/#danciareading.html<\/em>
\nhxxp:\/\/school13spb.ru\/cli\/#danchy_xoxo.html<\/em>
\nhxxp:\/\/orlov-tema150894.narod2.ru\/#danchovy.html<\/em>
\nhxxp:\/\/cabfare.narod.ru\/#borkborkpanda.html<\/em>
\nhxxp:\/\/mechta24.narod2.ru\/#borkatochter.html<\/em>
\nhxxp:\/\/dema-zyab.narod.ru\/#borka_ns.html<\/em>
\nhxxp:\/\/denrzn.narod2.ru\/#borka26.html<\/em>
\nhxxp:\/\/arfina2003.narod2.ru\/#bork90.html<\/em>
\nhxxp:\/\/school13spb.ru\/cli\/#borjius55.html<\/em>
\nhxxp:\/\/zyyyz92.narod2.ru\/#borjitamr7.html<\/em>
\nhxxp:\/\/bayun87.narod2.ru\/#borjita30.html<\/em>
\nhxxp:\/\/dimaspodpor.narod.ru\/#borjiabar.html<\/em>
\nhxxp:\/\/denis1898.narod.ru\/#borjavdv.html<\/em>
\nhxxp:\/\/dodge2106.narod.ru\/#borjateran.html<\/em>
\nhxxp:\/\/yashka-tut.narod.ru\/#borjarevo.html<\/em>
\nhxxp:\/\/dima230368.narod2.ru\/#YHAOfficial.html<\/em>
\nhxxp:\/\/autkaee.narod.ru\/#YHALondonHostel.html<\/em>
\nhxxp:\/\/CracknelMan.narod.ru\/#YHAAAAAAN.html<\/em>
\nhxxp:\/\/northe.narod2.ru\/#YH.html<\/em>
\nhxxp:\/\/blagiyv.narod2.ru\/#YGwirfoddolwyr.html<\/em>
\nhxxp:\/\/dashunya-19.narod2.ru\/#YGunna.html<\/em>
\nhxxp:\/\/school13spb.ru\/cli\/#YGrissa.html<\/em>
\nhxxp:\/\/467777.ru\/media\/#YGreddrumm.html<\/em>
\nhxxp:\/\/microlab2.narod.ru\/#YGjerde.html<\/em>
\nhxxp:\/\/spicccka.narod2.ru\/#YGiardina.html<\/em>
\nhxxp:\/\/bam75.narod.ru\/#YGharby.html<\/em>
\nhxxp:\/\/valov1994.narod2.ru\/#YGharbi.html<\/em>
\nhxxp:\/\/den-inferno.narod2.ru\/#YGfanboy.html<\/em>
\nhxxp:\/\/awn55.narod2.ru\/#YG_Wood.html<\/em>
\nhxxp:\/\/blacksacap.narod2.ru\/#YG_SWAG.html<\/em>
\nhxxp:\/\/e9308.narod.ru\/#Silvm85.html<\/em>
\nhxxp:\/\/armat30.narod2.ru\/#SilviusPotter.html<\/em>
\nhxxp:\/\/ass-351.narod2.ru\/#Silviu_I.html<\/em>
\nhxxp:\/\/dantistnt18.narod2.ru\/#SilviuStelian.html<\/em>
\nhxxp:\/\/ninapu.narod2.ru\/#Silvitrii.html<\/em>
\nhxxp:\/\/dedun2006.narod.ru\/#Silviptr.html<\/em>
\nhxxp:\/\/olezhko-polmin.narod2.ru\/#PaoloSpampinat1.html<\/em>
\nhxxp:\/\/maxulya.narod2.ru\/#OliviaMehaffey.html<\/em>
\nhxxp:\/\/dawmenkor.narod2.ru\/#OliviaMcIntire.html<\/em>
\nhxxp:\/\/kolya-turkin.narod.ru\/#OliviaMcGuckin.html<\/em>
\nhxxp:\/\/vffmeztginhwcpu.narod2.ru\/#OliviaMayT.html<\/em>
\nhxxp:\/\/foxy-zone.narod.ru\/#OliviaMatokee.html<\/em>
\nhxxp:\/\/balzam201.narod2.ru\/#OliviaMasey1.html<\/em>
\nhxxp:\/\/reginavip.narod2.ru\/#OliviaMarshman.html<\/em>
\nhxxp:\/\/jony666.narod.ru\/#OliviaMarr7.html<\/em>
\nhxxp:\/\/dr-patap.narod.ru\/#JagzMahal.html<\/em>
\nhxxp:\/\/apostols13.narod2.ru\/#JagyJose.html<\/em><\/p>\n

What do all of these domains have in common? Next to the identical malware served on the affected hosts, the redirection also takes place through the following domains<\/p>\n

hxxp:\/\/traffichouse.ru\/?2 – 176.57.209.69<\/em>
\nhxxp:\/\/traffichouse.ru\/?5 – 176.57.209.69<\/em><\/p>\n

Responding to the same 176.57.209.69 IP are also the following domains:<\/strong>
\nforex-shop.com<\/em>
\nabolyn.twmail.info<\/em>
\npclive.ru<\/em>
\necoinstrument.ru<\/em><\/p>\n

Client-side exploits serving domain:<\/strong>\u00a0hxxp:\/\/oomatsu.veta.su\/main.php?page=afaf1d234c788e63<\/em><\/p>\n

Upon successful client-side exploitation, the campaign\u00a0drops MD5: 5d1e7ea86bee432ec1e5b3ad9ac43cfa<\/strong><\/a> on the affected hosts.<\/p>\n

Upon execution, the sample phones back to the following URLs, where it downloads additional malware on the affected hosts:<\/p>\n

hxxp:\/\/112.121.178.189\/api\/urls\/?ts=1f737428&affid=35000<\/em>
\nhxxp:\/\/thanosactpetitioned.cu.cc\/f\/notepad.exe?ts=1f737428&affid=35000<\/em><\/p>\n

We’ve already seen malware phoning back to the command and control server in the recently profiled “Spamvertised \u2018Download your USPS Label\u2019 themed emails serve malware<\/strong><\/a>” campaign.\u00a0Clearly, both campaigns are launched by the same cybercriminal\/gang of cybercriminals that are basically rotating the distribution and infection vectors of their\u00a0campaign.<\/p>\n

Webroot SecureAnywere<\/strong><\/a>\u00a0users are proactively protected from this threat.<\/p>\n

You can find more about Dancho Danchev at his\u00a0LinkedIn Profile<\/strong><\/a>. You can also\u00a0follow him on \u00a0Twitter<\/strong><\/a>.<\/em><\/p>\n","protected":false},"excerpt":{"rendered":"

Twitter users, beware! Over the past several days, cybercriminals have been persistently spamvertising thousands of exploits and malware serving links across the most popular micro blogging service. Upon clicking on the clicks, users are exposed to the exploits served by the Black Hole web malware exploitation kit. What’s so special about this campaign? What’s the […]<\/p>\n","protected":false},"author":65,"featured_media":17048,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[3005],"tags":[],"yst_prominent_words":[4263,5583,3863,3617,11519,3881,4863,5411,10335,5135,10109,11077,4197,3477,11153,10741,4721,10047,3529,3471],"acf":[],"_links":{"self":[{"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/posts\/7738"}],"collection":[{"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/users\/65"}],"replies":[{"embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/comments?post=7738"}],"version-history":[{"count":2,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/posts\/7738\/revisions"}],"predecessor-version":[{"id":25385,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/posts\/7738\/revisions\/25385"}],"wp:featuredmedia":[{"embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/media\/17048"}],"wp:attachment":[{"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/media?parent=7738"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/categories?post=7738"},{"taxonomy":"post_tag","embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/tags?post=7738"},{"taxonomy":"yst_prominent_words","embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/yst_prominent_words?post=7738"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}