{"id":9017,"date":"2012-12-12T00:00:40","date_gmt":"2012-12-12T07:00:40","guid":{"rendered":"http:\/\/blog.webroot.com\/?p=9017"},"modified":"2018-10-05T11:59:58","modified_gmt":"2018-10-05T17:59:58","slug":"malicious-sendspace-file-delivery-notifications-lead-to-black-hole-exploit-kit","status":"publish","type":"post","link":"https://www.webroot.com/blog/2012\/12\/12\/malicious-sendspace-file-delivery-notifications-lead-to-black-hole-exploit-kit\/","title":{"rendered":"Malicious ‘Sendspace File Delivery Notifications’ lead to Black Hole Exploit Kit"},"content":{"rendered":"

Cybercriminals are currently attempting to trick hundreds of thousands of users into clicking on the malicious links found in the currently spamvertised bogus ‘Sendspace File Delivery Notifications<\/em>‘.<\/p>\n

Upon clicking on any of the links found in the email, users are exposed to the client-side exploits served by the latest version of the Black Hole Exploit Kit<\/strong><\/a>.<\/p>\n

More details:<\/p>\n

<\/p>\n

Sample screenshot of the spamvertised email:<\/strong><\/p>\n

\"Email_Spam_Exploits_Malware_Social_Engineering_Black_Hole_Exploit_Kit\"<\/a><\/p>\n

Sample spamvertised malicious URls:<\/strong> hxxp:\/\/mininet.nl\/forwarding.htm<\/em>; hxxp:\/\/hd-group.cn\/redirect.htm<\/em>; hxxp:\/\/cztiyu.com\/upload.htm<\/em><\/p>\n

Sample client-side exploits serving URL:<\/strong> hxxp:\/\/canadianpanakota.ru:8080\/forum\/links\/column.php<\/em>; hxxp:\/\/anifkailood.ru:8080\/forum\/links\/column.php<\/em>; hxxp:\/\/pelamutrika.ru:8080\/forum\/links\/public_version.php<\/em><\/p>\n

Sample malicious payloa dropping URL:<\/strong> hxxp:\/\/canadianpanakota.ru:8080\/forum\/links\/column.php? <\/em>
\nbwi=1i:2w:1h:1n:1l&oaera=3l&zmbxivwt=2v:1k:1m:32:33:1k:1k:31:1j:1o&evgiw=1n:1d:1g:1d:1h:1d:1f<\/em><\/p>\n

Sample client-side exploits served:<\/strong> CVE-2010-0188<\/strong><\/a><\/p>\n

Upon successful client-side exploitation, the campaign drops MD5: 532bdd2565cae7b84cb26e4cf02f42a0<\/strong><\/a> – detected by 33 out of 44 antivirus scanners as Worm:Win32\/Cridex.E<\/p>\n

Once executed it creates %AppData%kb00121600.exe<\/em> on the affected system.<\/p>\n

The sample also creates the following registry entries:<\/strong>
\nHKEY_CURRENT_USERSoftwareMicrosoftWindows NTCFBDC89D4<\/em>
\nHKEY_CURRENT_USERSoftwareMicrosoftWindows NTS25BC2D7B<\/em><\/p>\n

As well as the following Mutexes:<\/strong>
\nLocalXMM00000418<\/em>
\nLocalXMI00000418<\/em>
\nLocalXMRFB119394<\/em>
\nLocalXMM000005E4<\/em>
\nLocalXMI000005E4<\/em>
\nLocalXMM0000009C<\/em>
\nLocalXMI0000009C<\/em>
\nLocalXMM000000C8<\/em>
\nLocalXMI000000C8<\/em><\/p>\n

It then phones back to hxxp:\/\/210.253.102.95:8080\/DPNilBA\/ue1elBAAAA\/tlSHAAAAA\/<\/strong> and to hxxp:\/\/123.49.61.59:8080\/AJtw\/UCyqrDAA\/Ud+asDAA\/<\/strong><\/p>\n

We’ve already seen the same pseudo-randomly generated C&C characters used in the first ‘phone back request’ (DPNilBA\/ue1elBAAAA\/tlSHAAAAA\/<\/strong>) used in the following\u00a0previously profiled malicious campaigns:<\/p>\n