Tuesday, October 01, 2013

Fake Pinterest 'Don't forget to confirm your email!' Themed Emails Serve Client-side Exploits and Malware

Cybercriminals have just launched yet another massive spam campaign, this time attempting to trick Pinterest users into thinking that they've received an email confirmation request. In reality, the links in the malicious emails lead to a page that serves client-side exploits, and once a client-side exploitation succeeds the campaign drops two malware samples on the affected host.

Let's dissect the campaign, expose the portfolio of malicious domains involved in it, provide MD5s for the served exploit and the dropped malware, and provide actionable (historical) intelligence on related malicious activity that has used the same infrastructure as the Pinterest campaign.

Spamvertised malicious URL: 
boxenteam.com/hathaway/index.html?emailmpss/PSEUDO_RANDOM_CHARACTERS

The landing page attempts to load the following malicious scripts:
theodoxos.gr/hairstyles/defiling.js
web29.webbox11.server-home.org/volleyballs/cloture.js
knopflos-combo.de/subdued/opposition.js


Sample client-side exploit serving URL:
pizzapluswindsor.ca/topic/latest-blog-news.php

Malicious domain name reconnaissance:
pizzapluswindsor.ca - 50.116.6.57; 174.140.169.145

Responding to the same IP (50.116.6.57) are also the following malicious domains, part of the campaign's infrastructure:
pizzapluswindsor.ca
plainidea.com
procreature.com
poindextersonpatrol.com
pixieglitztutus.com

Known to have responded to the second IP (174.140.169.145) are also the following malicious domains:
lesperancerenovations.com
louievozza.com
louvozza.com
lv-contracting.com
lvconcordecontracting.com
mcbelectrical.ca
oliviagurun.com
onecable.ca
onlyidea.com
originalpizzaplus.ca
originalpizzaplus.com
papak.ca
pccreature.com
pixieglitztutus.com
pizzapluswindsor.ca
saltlakecityutahcommercialrealestate.com

The following malicious MD5s are known to have phoned back to the second IP (174.140.169.145) on the 22nd of September, 2013:
MD5: 5d14ee5800fc3c73e4d40567044c4149
MD5: bdc2ac48921914f25d1a3a164266cebc
MD5: a0b2ba75ba7ad7ad5a5b87a966fddb07
MD5: 31c3eae608247c2901d64643d5626b1f
MD5: 3cff9bba085254f2a524207a1388b015
MD5: b59743a3b128c9676548510627db4ac5
MD5: 53004bb63d32792c9bc1b8b26db0f197
MD5: 94e7cf26589baac1d47d6834e6375a62
MD5: 38461b4537fb269b2142e7fbac16375b
MD5: 041e9ccce8809371b07f0ac1c4d02b33
MD5: 868cf2c7af8863aebbaeb42c1b404b36
MD5: 7ec71f392dfc98336808ca6e31f25969
MD5: 6792b758ea961f58ad5b2f1eb96a648a
MD5: 33550cef428cad48ba776ea109fe1936
MD5: af84138bc55192ce722582def2f05200
MD5: 170524f3457d1fa681cc5dafbcc86199
MD5: e3af059e42b82b8658f3d05043a5a213
MD5: 4724783ae2c928b40dd2c0ac6d85cbc4
MD5: 9b8d87230ee7f553e8a9011a37ca699e
MD5: e4d63169ddac5e34fe000dc21c88682f
MD5: 5f777af07c79369310dff97d04c026cd
MD5: 200badc2e35ce57f1e511aea7322e207
MD5: 93fe170f26d99aea52b30b74afdf96bc
MD5: d06a0cc046e99496ada5591d9f457fc1
MD5: 6f857be5377a7543858aacefea6f1a30
MD5: 92ed463b3c38f2c951c3acd78e7a2df3
MD5: 8f01cd5ddd6e599e79ddcefbff9c0891

Detection rate for a sample served exploit from the Pinterest themed campaign: 
MD5: d49275523cae83a5e7639bb22604dd86 - detected by 5 out of 48 antivirus scanners as HEUR:Exploit.Java.CVE-2012-1723.gen

Upon successful client-side exploitation, the campaign drops two malware samples on the affected hosts.

Detection rate for the first dropped sample: 
MD5: ae840d6ac2f02b4bff85182d2c72a053 - detected by 6 out of 48 antivirus scanners as UDS:DangerousObject.Multi.Generic

Once executed, it phones back to the following C&C:
78.140.131.151/uploading/id=REDACTED&u=PSEUDO_RANDOM_CHARACTERS

The following malicious MD5s are also known to have phoned back to the same C&C IP (78.140.131.151) in the past:
MD5: ca783e0964e7dcb91fcc2a2ff4b8058f
MD5: d02b0e60f94d718fca19893f13dbd93e
MD5: 3618032d05c12e6d25aa4b7bc9086e06
MD5: 20777b8e6362f8775060fc4fdb191978
MD5: 5a1fb639f5dd97b62b5cf79c84d479f6
MD5: 30f8d972566930c103f9edb7f9bd699e
MD5: 7011abeefd5c9e7c21e3cbe28cc5e71a
MD5: bbb57f1a5004b6adc016c0c9e92add19
MD5: cca6b7fae6678c4b17f21b2ed4580404
MD5: 0decc3f58519c587949dff871fccba5e
MD5: 1b18f9138adbd6b4bf7125c7e6a97aae
MD5: 1e4451c19f07ef6bde87ffbcecc5afb3
MD5: e92297e402fcd03f06c94fe52985a3e9
MD5: 818e329757630bccc9536151f533fad2
MD5: 79e8677f857531118e61fa9238287acb
MD5: de8ef966e7e5251b642540e715d673a6
MD5: 9be83dc4b829ffba26029b173b36237d
MD5: c9b3f7888faa393ee14815494a311684
MD5: d90058b75b8730f9d6bf94a845b3dfda
MD5: e14b4290eec92ce6cd3e0349c17bc062
MD5: 6d5f5419f6a116f4283ae58516ff90a1
MD5: d0587b6e83a70798077e2938af66c50c
MD5: 12449febf7efed7bceade5720c8f635d
MD5: 992fc7370b39553ebcb3c03c23c15517
MD5: 1c198a6b80b1dcf280db30133c26d479
MD5: 7bb85f458b6b8a0bc98d47447b44c5b6
MD5: 1a3679c0c7c42781d9ee5b6987efa726
MD5: 7d21915fc425b3545c8e156116f91e00

Detection rate for the second dropped sample:
MD5: 83bbe52c8584a5dab07a11ecc5aaf090 - detected by 3 out of 48 antivirus scanners as Trojan-Spy.Win32.Zbot.qgje; Trojan.Backdoor.RV

Once executed, it starts listening on ports 7867 and 1653.

The sample then creates the following mutexes on the affected hosts:
Local\{B0B9FAFD-CA9C-4B54-DBC9-BE58FA349D4A}
Local\{B0B9FAFC-CA9D-4B54-DBC9-BE58FA349D4A}
Local\{D15F4CEE-7C8F-2AB2-DBC9-BE58FA349D4A}
Local\{D15F4CE9-7C88-2AB2-DBC9-BE58FA349D4A}
Local\{0BB5ADEF-9D8E-F058-DBC9-BE58FA349D4A}
Local\{911F9FCD-AFAC-6AF2-DBC9-BE58FA349D4A}
Global\{2E06BA86-8AE7-D5EB-DBC9-BE58FA349D4A}
Global\{B0B9FAFD-CA9C-4B54-DBC9-BE58FA349D4A}
Global\{B0B9FAFC-CA9D-4B54-DBC9-BE58FA349D4A}
Global\{D15F4CEE-7C8F-2AB2-DBC9-BE58FA349D4A}
Global\{D15F4CE9-7C88-2AB2-DBC9-BE58FA349D4A}
Global\{0BB5ADEF-9D8E-F058-DBC9-BE58FA349D4A}
Global\{BB67AFC4-9FA5-408A-DBC9-BE58FA349D4A}
Global\{EFF344E9-7488-141E-11EB-B06D3016937F}
Global\{EFF344E9-7488-141E-75EA-B06D5417937F}
Global\{EFF344E9-7488-141E-4DE9-B06D6C14937F}
Global\{EFF344E9-7488-141E-65E9-B06D4414937F}
Global\{EFF344E9-7488-141E-89E9-B06DA814937F}
Global\{EFF344E9-7488-141E-BDE9-B06D9C14937F}
Global\{EFF344E9-7488-141E-51E8-B06D7015937F}
Global\{EFF344E9-7488-141E-81E8-B06DA015937F}
Global\{EFF344E9-7488-141E-FDE8-B06DDC15937F}
Global\{EFF344E9-7488-141E-0DEF-B06D2C12937F}
Global\{EFF344E9-7488-141E-5DEF-B06D7C12937F}
Global\{EFF344E9-7488-141E-95EE-B06DB413937F}
Global\{EFF344E9-7488-141E-F1EE-B06DD013937F}
Global\{EFF344E9-7488-141E-89EB-B06DA816937F}
Global\{EFF344E9-7488-141E-F9EF-B06DD812937F}
Global\{EFF344E9-7488-141E-E5EF-B06DC412937F}
Global\{EFF344E9-7488-141E-0DEE-B06D2C13937F}
Global\{EFF344E9-7488-141E-09ED-B06D2810937F}
Global\{EFF344E9-7488-141E-51EF-B06D7012937F}
Global\{EFF344E9-7488-141E-35EC-B06D1411937F}
Global\{EFF344E9-7488-141E-55EF-B06D7412937F}
Global\{DDB39BDC-ABBD-265E-DBC9-BE58FA349D4A}
Global\{2E1C200D-106C-D5F1-DBC9-BE58FA349D4A}
MPSWabDataAccessMutex
MPSWABOlkStoreNotifyMutex

Once executed, it also drops MD5: 2da7bbc5677313c2876b571b39edc7cf and a copy of itself (MD5: 83bbe52c8584a5dab07a11ecc5aaf090) on the affected hosts.

It then phones back to the following C&C (command and control) servers:
99.157.164.179
174.76.94.24
99.60.68.114
217.35.75.232
184.145.205.63
99.60.111.51
207.47.212.146
108.240.232.212
107.193.222.108

We've already seen (some of) these C&C IPs in the following profiled malicious campaign "Spamvertised Facebook 'You have friend suggestions, friend requests and photo tags' Themed Emails Lead to Client-side Exploits and Malware".
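The indicators above (the spamvertised URL and script hosts, the exploit-serving domain, the IP and domain infrastructure, the MD5s of the served exploit and dropped samples, the listening ports, the mutexes and the C&C IPs) only pay off once they are turned into a check. The following Python script is an added example written for this page, not code from the original post or from Dancho Danchev. It loads the listed indicators and runs them over constructed sample inputs: a proxy log in an assumed "<epoch> <client_ip> <method> <url> <dst_ip>" format, "netstat -ano" style output, a mutex list such as a sandbox report would give, and a list of file hashes. Rather than matching every mutex name literally, it matches on the stable parts the listed names share (the -DBC9-BE58FA349D4A tail and the EFF344E9-7488-141E- head); the two MPSW* names are left out on the assumption that they are not specific to this sample.

```python
"""IOC sweep for the Pinterest-themed campaign described above.

Added example for this page, not code from the original post. The indicator
values are copied from the post; every input the functions run over here
(proxy log lines, netstat output, mutex names, hashes) is constructed sample
data.
"""
import re
from urllib.parse import urlsplit

# Domains from the spamvertised URL, the script hosts, the exploit-serving
# host and the 50.116.6.57 block of the post.
MALICIOUS_DOMAINS = {
    "boxenteam.com", "theodoxos.gr", "web29.webbox11.server-home.org",
    "knopflos-combo.de", "pizzapluswindsor.ca", "plainidea.com",
    "procreature.com", "poindextersonpatrol.com", "pixieglitztutus.com",
}
# Infrastructure and C&C IPs listed in the post.
MALICIOUS_IPS = {
    "50.116.6.57", "174.140.169.145", "78.140.131.151", "99.157.164.179",
    "174.76.94.24", "99.60.68.114", "217.35.75.232", "184.145.205.63",
    "99.60.111.51", "207.47.212.146", "108.240.232.212", "107.193.222.108",
}
MALICIOUS_MD5S = {
    "d49275523cae83a5e7639bb22604dd86",  # served Java exploit
    "ae840d6ac2f02b4bff85182d2c72a053",  # first dropped sample
    "83bbe52c8584a5dab07a11ecc5aaf090",  # second dropped sample (Zbot)
    "2da7bbc5677313c2876b571b39edc7cf",  # dropped by the second sample
}
LISTENING_PORTS = {7867, 1653}  # opened by the second dropped sample

# Most listed mutexes end in the same GUID tail (-DBC9-BE58FA349D4A) and the
# EFF344E9-7488-141E-* group shares a fixed head, so match on those stable
# parts instead of on each full name. The two MPSW* names are left out
# (assumption: not specific to this sample).
MUTEX_PATTERNS = [
    re.compile(r"^(?:Local|Global)\\\{[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-DBC9-BE58FA349D4A\}$"),
    re.compile(r"^Global\\\{EFF344E9-7488-141E-[0-9A-F]{4}-[0-9A-F]{12}\}$"),
]


def domain_is_listed(host):
    """True if host, or any parent domain of it, is in the indicator set."""
    parts = host.lower().rstrip(".").split(".")
    return any(".".join(parts[i:]) in MALICIOUS_DOMAINS for i in range(len(parts) - 1))


def sweep_proxy_log(lines):
    """Assumed log format: '<epoch> <client_ip> <method> <url> <dst_ip>'.
    Returns (client_ip, matched_indicator, url) for every hit; malformed
    lines are skipped rather than aborting the sweep."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) != 5:
            continue
        _, client, _, url, dst_ip = fields
        host = urlsplit(url).hostname or ""
        if domain_is_listed(host):
            hits.append((client, host, url))
        elif dst_ip in MALICIOUS_IPS or host in MALICIOUS_IPS:
            hits.append((client, dst_ip if dst_ip in MALICIOUS_IPS else host, url))
    return hits


def sweep_netstat(lines):
    """Parse 'netstat -ano' style lines; return (port, pid) for TCP listeners
    on the ports the second dropped sample opens."""
    found = []
    for line in lines:
        fields = line.split()
        if len(fields) < 5 or fields[0] != "TCP" or fields[3] != "LISTENING":
            continue
        port = int(fields[1].rsplit(":", 1)[1])
        if port in LISTENING_PORTS:
            found.append((port, int(fields[4])))
    return found


def sweep_mutexes(names):
    """Return the mutex names that match the campaign's naming pattern."""
    return [n for n in names if any(p.match(n) for p in MUTEX_PATTERNS)]


def sweep_hashes(md5s):
    """Return, sorted, the listed MD5s found among the given hashes."""
    return sorted({h.lower() for h in md5s} & MALICIOUS_MD5S)


# Constructed sample inputs (not captured data).
SAMPLE_PROXY_LOG = [
    "1380600001 10.0.0.15 GET http://boxenteam.com/hathaway/index.html?emailmpss/x8Fq 203.0.113.9",
    "1380600002 10.0.0.15 GET http://theodoxos.gr/hairstyles/defiling.js 203.0.113.10",
    "1380600003 10.0.0.22 GET http://www.example.com/ 93.184.216.34",
    "1380600004 10.0.0.15 GET http://78.140.131.151/uploading/id=x&u=abc 78.140.131.151",
    "garbage line",
]
SAMPLE_NETSTAT = [
    "  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       880",
    "  TCP    0.0.0.0:7867           0.0.0.0:0              LISTENING       2412",
    "  TCP    127.0.0.1:1653         0.0.0.0:0              LISTENING       2412",
    "  TCP    10.0.0.15:49210        78.140.131.151:80      ESTABLISHED     2412",
    "  UDP    0.0.0.0:5355           *:*                                    1160",
]
SAMPLE_MUTEXES = [
    "Local\\{B0B9FAFD-CA9C-4B54-DBC9-BE58FA349D4A}",
    "Global\\{2E06BA86-8AE7-D5EB-DBC9-BE58FA349D4A}",
    "Global\\{EFF344E9-7488-141E-11EB-B06D3016937F}",
    "Local\\{12345678-1234-1234-1234-123456789ABC}",  # unrelated GUID mutex
    "MPSWabDataAccessMutex",
]

if __name__ == "__main__":
    print("proxy hits:", sweep_proxy_log(SAMPLE_PROXY_LOG))
    print("listeners:", sweep_netstat(SAMPLE_NETSTAT))
    print("mutexes:", sweep_mutexes(SAMPLE_MUTEXES))
    print("hashes:", sweep_hashes(["D49275523CAE83A5E7639BB22604DD86"]))
```

Matching domains by parent as well as by exact name catches subdomains of the listed hosts; matching on destination IP as a fallback catches the C&C check-in, which uses a bare IP rather than a domain. Both the log format and the netstat column layout are assumptions, so adapt the field indices to whatever your proxy and host tooling actually emit.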

This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter.