Saturday, September 28, 2013

Spamvertised Facebook 'You have friend suggestions, friend requests and photo tags' Themed Emails Lead to Client-side Exploits and Malware


A currently circulating malicious 'Facebook notifications" themed spam campaign, attempts to trick Facebook's users into thinking that they've received a notifications digest for the activity that (presumably) took place while they were logged out of Facebook. In reality though, once users click on any of the links found in the malicious email, they're automatically exposed to client-side exploits ultimately dropping malware on their hosts.

Let's dissect the campaign, provide actionable intelligence on the campaign's structure, the involved portfolio of malicious domains, actual/related MD5s, and as always, connect the currently ongoing campaign with two other previously profiled malicious campaigns.

Spamvertised URL:
hxxp://user4634.vs.easily.co.uk/darkened/PSEUDO_RANDOM_CHARACTERS

Attempts to load the following malicious scripts:
hxxp://3dbrandscapes.com/starker/manipulator.js
hxxp://distrigold.eu/compounding/melisa.js
hxxp://ly-ra.com/shallot/mandalay.js

Client-side exploits serving URL:
hxxp://directgrid.org/topic/lairtg-nilles-slliks.php

Malicious domain name reconnaissance:
directgrid.org - 50.116.10.71 - Email: ringfields@islandresearch.net

Responding to the following IP (50.116.10.71) are also the following malicious domains participating in the campaign:
directgrid.biz
directgrid.com
directgrid.info
directgrid.net
directgrid.org
directgrid.us
gilkjones.com
integra-inspection.ca
integra-inspection.co
integra-inspection.info
taxipunjab.com
taxisamritsar.com
watttrack.com

The following malicious MD5s are known to have been downloaded -- related campaigns -- from the same IP (50.116.10.71):
MD5: 7eb6740ed6935da49614d95a43146dea
MD5: 7768f7039988236165cdd5879934cc5d

The following malicious MD5s are known to have 'phoned back' to the same IP (50.116.10.71) over the past 24 hours:
MD5: a0065f7649db9a885acd34301ae863b0
MD5: 5503573f4fe15b211956f67c66e18d02
MD5: 01d757b672673df8032abbaa8acf3e22
MD5: 7ad68895e5ec9d4f53fc9958c70df01a
MD5: fd99250ecb845a455499db8df1780807
MD5: fd99250ecb845a455499db8df1780807
MD5: 3983170d46a130f23471340a47888c93
MD5: c86c79d9fee925a690a4b0307d7f2329
MD5: 25f498f7823f12294c685e9bc79376d2
MD5: 470f4aa3f76ea3b465741a73ce6c22fe
MD5: 43b78852a7363d8a4cf7538d4e68c887
MD5: e3aae430ed4036b19f26fa2ed9bbe2bf
MD5: e782619301a0a0a843cedc5d02c563b5
MD5: fc16335d0e1827b271b031309634dc0f
MD5: a55e21b0231d0508cb638892b6ee8ec5
MD5: 053c84c12900b81506eb884ec9f930c9
MD5: e03d0dd786b038c570dc53690db0673b
MD5: 086b16af34857cb5dfb0163cc1c92569
MD5: e066b50bae491587574603bdfd60826e
MD5: eb22137880f8c5a03c73135f288afb8a
MD5: b88392fb63747668c982b6321e5ce712
MD5: 6254d901b1566bef94e673f833adff8c
MD5: 258d640b802a0bbe08471f4f064cb94a
MD5: c1cefb742107516c3a73489eae176745
MD5: a19f1d5c98c2d7f036f2693ad6c14626
MD5: 3f02f35bc73ad9ef14ab4f960926fd45

Sample detection rate for the client-side exploits serving malicious script:
MD5: 00f5d150ff1b50c0bbc1d038eb676c29 - detected by 2 out of 48 antivirus scanners as Script.Exploit.Kit.C; Troj/ObfJS-EO


Sample detection rate for the served exploit:
MD5: d49275523cae83a5e7639bb22604dd86 - detected by 5 out of 48 antivirus scanners as HEUR:Exploit.Java.Generic; HEUR_JAVA.EXEC; TROJ_GEN.F47V0927

Upon successful client-side exploitation the campaign drops the following malicious sample on the affected hosts:
MD5: 6ef9476e6227ef631b231b66d7a2a08b - detected by 7 out of 48 antivirus scanners as Win32/Spy.Zbot.AAU; Trojan-Spy.Win32.Zbot.qckm; TROJ_GEN.F47V0927

Once executed, the sample starts listening on ports 3185 and 7101.

It also creates the following Mutexes on the system:
Local\{B0B9FAFD-CA9C-4B54-DBC9-BE58FA349D4A}
Local\{B0B9FAFC-CA9D-4B54-DBC9-BE58FA349D4A}
Local\{D15F4CEE-7C8F-2AB2-DBC9-BE58FA349D4A}
Local\{D15F4CE9-7C88-2AB2-DBC9-BE58FA349D4A}
Local\{0BB5ADEF-9D8E-F058-DBC9-BE58FA349D4A}
Local\{911F9FCD-AFAC-6AF2-DBC9-BE58FA349D4A}
Global\{2E06BA86-8AE7-D5EB-DBC9-BE58FA349D4A}
Global\{B0B9FAFD-CA9C-4B54-DBC9-BE58FA349D4A}
Global\{B0B9FAFC-CA9D-4B54-DBC9-BE58FA349D4A}
Global\{D15F4CEE-7C8F-2AB2-DBC9-BE58FA349D4A}
Global\{D15F4CE9-7C88-2AB2-DBC9-BE58FA349D4A}
Global\{0BB5ADEF-9D8E-F058-DBC9-BE58FA349D4A}
Global\{BB67AFC4-9FA5-408A-DBC9-BE58FA349D4A}
Global\{3DC7903B-A05A-C62A-11EB-B06D3016937F}
Global\{3DC7903B-A05A-C62A-75EA-B06D5417937F}
Global\{3DC7903B-A05A-C62A-4DE9-B06D6C14937F}
Global\{3DC7903B-A05A-C62A-65E9-B06D4414937F}
Global\{3DC7903B-A05A-C62A-89E9-B06DA814937F}
Global\{3DC7903B-A05A-C62A-BDE9-B06D9C14937F}
Global\{3DC7903B-A05A-C62A-51E8-B06D7015937F}
Global\{3DC7903B-A05A-C62A-81E8-B06DA015937F}
Global\{3DC7903B-A05A-C62A-FDE8-B06DDC15937F}
Global\{3DC7903B-A05A-C62A-0DEF-B06D2C12937F}
Global\{3DC7903B-A05A-C62A-5DEF-B06D7C12937F}
Global\{3DC7903B-A05A-C62A-95EE-B06DB413937F}
Global\{3DC7903B-A05A-C62A-F1EE-B06DD013937F}
Global\{3DC7903B-A05A-C62A-89EB-B06DA816937F}
Global\{3DC7903B-A05A-C62A-F9EF-B06DD812937F}
Global\{3DC7903B-A05A-C62A-E5EF-B06DC412937F}
Global\{3DC7903B-A05A-C62A-0DEE-B06D2C13937F}
Global\{3DC7903B-A05A-C62A-09ED-B06D2810937F}
Global\{3DC7903B-A05A-C62A-51EF-B06D7012937F}
Global\{3DC7903B-A05A-C62A-35EC-B06D1411937F}
Global\{3DC7903B-A05A-C62A-55EF-B06D7412937F}
Global\{DDB39BDC-ABBD-265E-DBC9-BE58FA349D4A}
Global\{2E1C200D-106C-D5F1-DBC9-BE58FA349D4A}
MPSWabDataAccessMutex
MPSWABOlkStoreNotifyMutex


The following Registry Keys:
HKEY_CURRENT_USER\Software\Microsoft\Waosumag

And changes the following Registry Values:

[HKEY_CURRENT_USER\Identities] -> Identity Login = 0x00098053
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] -> Keby = ""%AppData%\Ortuet\keby.exe""
[HKEY_CURRENT_USER\Software\Microsoft\Waosumag] -> 2df3e6ig = 23 CD 87 C3 1E D1 FA C6 28 2E DF 4D 12 21; 2icbbj3a = 0xC3E6CD13; 185cafc2 = CB D5 E6 C3 F6 D8 CD C6 05 2E EF 4D


It then phones back to the following C&C (command and control) servers:
99.157.164.179
174.76.94.24
99.60.68.114
217.35.75.232
184.145.205.63
99.60.111.51
207.47.212.146
108.240.232.212
107.193.222.108
173.202.183.58
201.170.83.92
81.136.188.57
71.186.174.184


We've already seen the same IPs (217.35.75.232; 108.240.232.212) in the following previously profiled malicious campaign - Spamvertised “FDIC: Your business account” themed emails serve client-side exploits and malware.

We've also seen (107.193.222.108) in the following malicious campaign - Spamvertised ‘Export License/Invoice Copy’ themed emails lead to malware, indicating that all of these campaigns are controlled using the same malicious botnet infrastructure.

The following malicious MD5s are also known to have phoned back to the same C&C servers used in this campaign, over the past 24 hours:
MD5: 9f550edbb505e22b0203e766bd1b9982
MD5: 46cdaead83d9e3de803125e45ca88894
MD5: ffe07e0997d8ec82feb81bac53838d6d
MD5: 28c0bc772aec891a08b06a4029230626
MD5: c8055c6668d1c4c9cb9d68c2c09c14d4
MD5: 0bbabb722e1327cbe903ab477716ae2e
MD5: c4c5db70e7c971e3e556eb9d65f87c84
MD5: 0ff4d450ce9b1eaaef5ed9a5a1fa392d
MD5: e01f435a8c5ed93f6800971505a2cdd2
MD5: 042508083351b79f01a4d7b7e8e35826
MD5: 1f5f75ae82d6aa7099315bf19d0ae4e0
MD5: 35c4d4c2031157645bb3a1e4e709edeb
MD5: a0065f7649db9a885acd34301ae863b0
MD5: 5503573f4fe15b211956f67c66e18d02
MD5: 01d757b672673df8032abbaa8acf3e22
MD5: fd99250ecb845a455499db8df1780807
MD5: 1fab971283479b017dfb79857ecd343b
MD5: a130cddd61dad9188b9b89451a58af28
MD5: 2af94e79f9b9ee26032ca863a86843be
MD5: 8b03a5cf4f149ac7696d108bff586cc5
MD5: 802a522405076d7f8b944b781e4fe133
MD5: b9c7d2466a689365ebb8f6f607cd3368
MD5: 43b78852a7363d8a4cf7538d4e68c887
MD5: c62b6206e9eefe75ba1804788dc552f7
MD5: 385b5358f6a1f15706b536a9dc5b1590
MD5: e3aae430ed4036b19f26fa2ed9bbe2bf
MD5: e782619301a0a0a843cedc5d02c563b5
MD5: fc16335d0e1827b271b031309634dc0f
MD5: 4850969b7febc82c8b82296fa129e818
MD5: 203e0acced8a76560312b452d70ff1e7
MD5: a55e21b0231d0508cb638892b6ee8ec5
MD5: edb1a26ebb8ab5df780b643ad1f0d50f
MD5: 053c84c12900b81506eb884ec9f930c9
MD5: e03d0dd786b038c570dc53690db0673b
MD5: 47d4804fda31b6f88b0d33b86fc681ae
MD5: 086b16af34857cb5dfb0163cc1c92569

This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter.