Fake Yahoo Greetings Malware Campaign Circulating

The persistence of certain botnet masters cannot remain unnoticed even if you're used to going through over a dozen active malware campaigns per day, in this case it's their persistence that makes them worth assessing and profiling. The botnet which I assesed in February, the one that was crunching out phishing emails and using the infected hosts for hosting the pages, and parking the phishing domains, is still operational this time starting a fake Yahoo Greetings malware campaign by spamming the cybersquatted domains and enticing the user into updating their flash player with a copy of Backdoor.Agent.AJU.

Upon visiting www4.yahoo.american-greeting.com.tag38.com/ecards/view.pd.htm it redirects to www3.yahoo.americangreetings.com.id759.com/ecards/view.pd.htm

id759.com is currently responding to 24.161.232.218; 24.192.140.204; 68.36.236.67; 76.230.108.105; 83.5.203.163; 85.109.42.164; 216.170.109.206 and also to set45.net; service28.biz; setup36.com and serves the Backdoor.Agent :

www3.yahoo.americangreetings.com.id759.com/ecards/get_new_flashplayer .exe

Scanners Result : 12/31 (38.71%)
Suspicious:W32/Malware!Gemini; W32/Agent.Q.gen!Eldorado
File size: 44544 bytes
MD5...: fe97eb8c0518005075fd638b33d5b165
SHA1..: d7a4258e37ce0dab0f7d770d1a9d979e921be07b
SHA256: 138d31ae1bbdec215d980c7b57be6e624c2f2e1cacd3934b77f50be8adabfb97

"Backdoor.Agent.AJU is a malicious backdoor trojan that is capable to run and open random TCP port in a multiple instances attempting to connect to its predefined public SMTP servers. It then spams itself in email with a file attached in zip and password protected format. Furthermore, the password is included in the body of the email."

tag38.com is responding to 211.142.23.21, and is a part of a scammy ecosystem of other phishing and malware related domains responding to the same IP. And these are the related subdomains impersonating Yahoo Greetings within :

american-greeting.ca.xml52.com
www5.yahoo.american-greeting.ca.xml52.com
www9.yahoo.americangreeting.ca.www05.net
yahoo.americangreetings.com.droeang.net
yahoo.americangreetings.com.s8a1.psmtp.com
yahoo.americangreetings.com.s8a2.psmtp.com
yahoo.americangreetings.com.s8b1.psmtp.com
yahoo.americangreetings.com.s8b2.psmtp.com
yahoo.americangreetings.droeang.net
yahoo.americangreeting.ca.www05.net
www6.yahoo.american-greetings.com.www05.net

What you see when in a hurry is not what you get when you got time to look at it twice. This and the previous campaign launched by the same party is a great example of risk and responsibility forwarding, in this case to the infected party, so what used to be a situation where an infected host was sending spamming and phishing emails only, is today's malicious hosting infrastructure on demand.

Web Email Exploitation Kit in the Wild

XSS exploitation within the most popular Russian, and definitely international in the long-term, web email service providers is also embracing the efficiency mindset as a process. This web based exploitation kit is great example of customization applied to publicly known XSS vulnerabilities within a segmented set of web sites, email providers in this case.

The kit's pitch automatically translated :

"Ie script contains vulnerability to 15 - not the most popular Russian postal services (except
buy), and one of the largest foreign mail servers that provide free mail - mail.com. Three of the vulnerabilities work only under Internet Explorer, all the rest - under Internet Explorer and Opera.

The system also includes a 16 ready-to-use pages feykovyh authorization to enter the mail. Thus the use of the script is that you choose a template-XSS (code obhodyaschy security filters for your desired mail server) on which the attack would take place, complete field for a minimum of sending letters (sender, recipient, the subject, message) and choose Type of stuffing: 1) your own yavaskript code (convenient option to insert malicious code with iframe) 2) code, driving the victim to a page feykovuyu authorization. In the first case, the victim is in the browser's just a matter of your own scripte but in the second case, the victim is redirected to a page with false authorization, there enters its data, which logiruyutsya you, and sent back to his box. For the script is simple and free hosting with support for sendmail, php, but nonetheless you should be aware that for more kachetvennoy work will not prevent you buy a beautiful domain. Also appearing inexpensive paid updated as closing loopholes in the mail filters."

Automating the process of phishing by using the vulnerable sites as redirectors can outpace the success of the Rock Phish kit whose key success factor relies on diversity of the brands targeted whereas all the campaigns operate on the same IP.

Moreover, as we've seen recently, highly popular and high-profile sites whose ever growing web applications infrastructure continues to grow, still remain vulnerable to XSS vulnerabilities which were used in a successful blackhat SEO poisoning campaign by injecting IFRAME redirectors to rogue security applications in between live exploit URLs. In fact, Ryan Singel is also pointing out on such existing vulnerability at the CIA.gov, showcasing that spear phishing in times when phishers, spammers and malware authors are consolidating, can be just as effective for conducting cyber espionage, just as gathering OSINT through botnets by segmenting the infected population is. Why try to malware infect the high-profile targets, when they could already be malware infected?

Furthermore, XSS vulnerabilities within banking sites are also nothing new, and as always the very latest XSS vulnerabilities will go on purposely unreported by the time phishers move onto new ones. How about the customer service aspect given that this XSS exploitation kit is yet another example of a proprietary underground tool? If the XSS vulnerabilities aren't working, custom zero day XSS vulnerabilities within the providers can be provided to the customer. Commercializing XSS vulnerabilities is one thing, embedding the exploits in a do-it-yourself type of tool another, but positioning the kit as a efficient way for running your "Request an Email Account to be Hacked" business is entirely another, which is the case with the kit.

In 2008, is the infamous quote "Hack the Planet!" still relevant, or has it changed to "XSS the Planet!" already, perhaps even "Remotely File Include the Planet!"?