{"id":8980,"date":"2012-12-05T00:00:25","date_gmt":"2012-12-05T07:00:25","guid":{"rendered":"http:\/\/blog.webroot.com\/?p=8980"},"modified":"2018-10-05T11:57:59","modified_gmt":"2018-10-05T17:57:59","slug":"bogus-facebook-account-cancellation-request-themed-emails-serve-client-side-exploits-and-malware","status":"publish","type":"post","link":"https://www.webroot.com/blog/2012\/12\/05\/bogus-facebook-account-cancellation-request-themed-emails-serve-client-side-exploits-and-malware\/","title":{"rendered":"Bogus &#8216;Facebook Account Cancellation Request&#8217; themed emails serve client-side exploits and malware"},"content":{"rendered":"<p><a href=\"http:\/\/blog.webroot.com\/tag\/facebook\/\"><strong>Facebook<\/strong><\/a> users, watch what you click on!<\/p>\n<p>Cybercriminals are currently mass mailing bogus &#8220;<em>Facebook Account Cancellation Requests<\/em>&#8220;, in an attempt to trick Facebook&#8217;s users into clicking on the malicious link found in the email. Upon clicking on the link, users are exposed to client-side exploits which ultimately drop malware on the affected host.<\/p>\n<p>More details:<\/p>\n<p><!--more--><\/p>\n<p><strong>Sample screenshot of the spamvertised email:<\/strong><\/p>\n<p style=\"text-align: center;\"><a href=\"http:\/\/blog.webroot.com\/2012\/12\/05\/bogus-facebook-account-cancellation-request-themed-emails-serve-client-side-exploits-and-malware\/fake_facebook_account_cancellation_email_spam_exploits_malware\/\" rel=\"attachment wp-att-8981\"><img decoding=\"async\" loading=\"lazy\" class=\"aligncenter wp-image-8981\" src=\"http:\/\/webrootblog.files.wordpress.com\/2012\/12\/fake_facebook_account_cancellation_email_spam_exploits_malware.png\" alt=\"Fake_Facebook_Account_Cancellation_Email_Spam_Exploits_Malware\" width=\"377\" height=\"190\" \/><\/a><\/p>\n<p><strong>Sample client-side exploitation chain:<\/strong>\u00a0<em>hxxp:\/\/adlinkservhost.strangled.net<\/em> -&gt; 
<em>hxxp:\/\/lakkumigdc.com\/media\/clients\/index.php?showtopic=397065<\/em> -&gt; <em>hxxp:\/\/lakkumigdc.com\/media\/clients\/rhin.jar<\/em> -&gt; <em>hxxp:\/\/lakkumigdc.com\/media\/clients\/Goo.jar<\/em> -&gt; <em>hxxp:\/\/lakkumigdc.com\/media\/clients\/lib.php<\/em> -&gt; <em>hxxp:\/\/lakkumigdc.com\/media\/clients\/load.php?showforum=lib<\/em><\/p>\n<p><strong>Sample client-side exploits served:<\/strong>\u00a0<a href=\"http:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2010-0188\"><em>CVE-2010-0188<\/em><\/a>;\u00a0<a href=\"http:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2011-3544\"><em>CVE-2011-3544<\/em><\/a>;\u00a0<a href=\"http:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2010-0840\"><em>CVE-2010-0840<\/em><\/a><\/p>\n<p><strong>Malicious domain name reconnaissance:<\/strong><br \/>\n<strong>lakkumigdc.com<\/strong> &#8211; 68.168.100.135 &#8211; Email: dolphinkarthi@gmail.com<br \/>\nName Server: <strong>NS1.MACROVIEWTECH.COM<\/strong> &#8211; 68.168.100.136<br \/>\nName Server: <strong>NS2.MACROVIEWTECH.COM<\/strong> &#8211; 68.168.100.137<\/p>\n<p>Domains responding to the same IP, including domains also registered with the same Gmail account, were also observed.<\/p>\n<p>Upon successful client-side exploitation, the campaign drops <a href=\"https:\/\/www.virustotal.com\/file\/cef26c9643aa8fd5e73ccbd2d626279e704a44f352c6de6079ee27fd2f136f00\/analysis\/\"><strong>MD5: 8b3979c1a9c85a7fd5f8ff3caf83fc56<\/strong><\/a> &#8211; detected by 3 out of 46 antivirus scanners as PWS-Zbot.gen.aru<\/p>\n<p><strong>Upon execution, the sample creates the following file on the affected hosts:<\/strong><br \/>\n<em>%AppData%Ixriyvemarosa.exe &#8211; MD5: A33684FD2D1FA669FF6573921F608FBB<\/em><\/p>\n<p><strong>It also creates the following directories:<\/strong><br \/>\n<em>%AppData%Ixriyv<\/em><br \/>\n<em>%AppData%Uxwonyl<\/em><\/p>\n<p><strong>As well as the following Mutex:<\/strong><br \/>\n<em>Local{7A4AAF46-5391-8FF9-A32F-78A34C8B50D7}<\/em><\/p>\n<p>It then phones back to <strong>shallowave.jumpingcrab.com<\/strong> (93.174.95.78) on port 8012.\u00a0Another similar subdomain on this host (<strong>takemeout.jumpingcrab.com<\/strong>) was also seen in a <a href=\"https:\/\/isc.sans.edu\/diary.html?storyid=5638\"><strong>crowdsourced DDoS campaign<\/strong><\/a> in 2009.<\/p>\n<p>Historically,\u00a0more malware is known to have been hosted at another subdomain (<strong>hxxp:\/\/dady.jumpingcrab.com:881\/js\/js\/<\/strong>) in 2011. 
List of associated MD5s:<br \/>\n<a href=\"https:\/\/www.virustotal.com\/file\/e60ee107dd301de376b081552a287deb122a6e3b504acb2d9bf925e4b1f2dcf7\/analysis\/\"><strong>MD5: e58fe6d04e8d9fce1020f532d3f0bd49<\/strong><\/a> &#8211; detected by 40 out of 44 antivirus scanners as Backdoor.Win32.Delf.yqo<br \/>\n<a href=\"https:\/\/www.virustotal.com\/file\/838f4bb263849042f34d748262b0cd365649f8c528e786c5daadfc536619386f\/analysis\/\"><strong>MD5: 60fde61eea4da0601a294d8cac18fb85<\/strong><\/a> &#8211; detected by 37 out of 42 antivirus scanners as Backdoor:Win32\/Hupigon.EA<br \/>\n<a href=\"https:\/\/www.virustotal.com\/file\/59bf46f711142ae144570b01844dad0788cffa78b2f9b0648b3c3696c156d58c\/analysis\/\"><strong>MD5: ac95c84a99edd65b00fbc845f8e167f0<\/strong><\/a> &#8211; detected by 38 out of 42 antivirus scanners as TrojanDropper:Win32\/Delfsnif.A<br \/>\n<a href=\"https:\/\/www.virustotal.com\/file\/76e3126ddc11909250b1bcf4f7dcd53d2fa4c37f490e202d31326a94131a4932\/analysis\/\"><strong>MD5: 7487bbfadde66edddf131b879382a9ef<\/strong><\/a> &#8211; detected by 38 out of 43 antivirus scanners as Trojan-PSW.Win32.Bjlog.vge<br \/>\n<a href=\"https:\/\/www.virustotal.com\/file\/3bd7282d525af813975140af98481fdf8db5073dac03b57cafa537f7f3643476\/analysis\/\"><strong>MD5: 6cf58ce47e4a9163ecf2e5e0498d3fa8<\/strong><\/a> &#8211; detected by 38 out of 43 antivirus scanners as Worm.Win32.AutoRun.davw<br \/>\n<a href=\"https:\/\/www.virustotal.com\/file\/e360a71b769197441735d9185ee79aaa2afd0196032731b7f3a66f511cfe0990\/analysis\/\"><strong>MD5: a694f0c6a0b64cc3601d946f63330a23<\/strong><\/a> &#8211; detected by 34 out of 44 antivirus scanners as Trojan.RAR.Qhost.c<\/p>\n<p><a href=\"https:\/\/www.webroot.com\/us\/en\/home\/products\/complete\"><strong>Webroot SecureAnywhere<\/strong><\/a>\u00a0users are proactively protected from these threats.<\/p>\n<p><em>You can find more about Dancho Danchev at his\u00a0<a href=\"http:\/\/linkedin.com\/in\/danchodanchev\"><strong>LinkedIn 
Profile<\/strong><\/a>. You can also\u00a0<a href=\"http:\/\/www.twitter.com\/danchodanchev\"><strong>follow him on \u00a0Twitter<\/strong><\/a>.<\/em><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Facebook users, watch what you click on! Cybercriminals are currently mass mailing bogus &#8220;Facebook Account Cancellation Requests&#8220;, in an attempt to trick Facebook&#8217;s users into clicking on the malicious link found in the email. Upon clicking on the link, users are exposed to client-side exploits which ultimately drop malware on the affected host. More details:<\/p>\n","protected":false},"author":65,"featured_media":17048,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[3005],"tags":[],"yst_prominent_words":[12709,12703,10907,10897,12307,12263,6183,5811,12711,3871,11081,9563,4033,5257,12705,7643,12707,5717,12443,11837],"acf":[],"_links":{"self":[{"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/posts\/8980"}],"collection":[{"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/users\/65"}],"replies":[{"embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/comments?post=8980"}],"version-history":[{"count":2,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/posts\/8980\/revisions"}],"predecessor-version":[{"id":25555,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/posts\/8980\/revisions\/25555"}],"wp:featuredmedia":[{"embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/media\/17048"}],"wp:attachment":[{"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/media?parent=8980"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/categories?post=8980"},{"taxonomy":"post_tag","embeddable":true,"href":"https://www.web
root.com/blog/wp-json\/wp\/v2\/tags?post=8980"},{"taxonomy":"yst_prominent_words","embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/yst_prominent_words?post=8980"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}