Let's dissect the campaign, expose its structure, the dropped malware, and connect the dots on who's behind it.
Observed iFrames in rotation:
hxxp://umaiskhan.com/znzd.html
hxxp://umaiskhan.com/ztuj.html
hxxp://priceworldpublishing.com/aynk.html
hxxp://toplineops.com/mtnk.html
hxxp://moi-npovye-sploett.com/qqqq/1.php
hxxp://www.jaylenosgarage.com/trucks/PHP/google.php
hxxp://nikweinstein.com/cl/google.php
Observed redirections leading to:
hxxp://gonullersultani.net/znzd.htm
hxxp://erabisnis.net/znzd.htm
hxxp://electricianfortwayne.info/62.html
hxxp://moi-npovye-sploett.com/cGeQc0wz1KPI/larktion.php
Sample client-side exploitation chain for the first campaign: hxxp://toplineops.com/mtnk.html -> hxxp://electricianfortwayne.info/62.html -> hxxp://electricianfortwayne.info/987.pdf
Upon successful client-side exploitation, the campaign drops MD5: 4e48ddc2a2481f9ff27113e6395160e1 - detected by 7 out of 46 antivirus scanners as Trojan-Spy.Win32.Zbot.jfgj.
Once executed the sample creates the "Xi3FVneIx" Mutex and phones back to:
hxxp://eastsidetennisassociation.com/i.htm?jzd63F1JyFUfMyyf1Q8U9 - 74.220.215.229
hxxp://envirsoft.com/n.htm?xWasESNrgozQ13QNR1PNCGTGhPAW16QJ67Bnj - 174.120.29.2 - Email: louis.bouchard@envirsoft.com
hxxp://beautiesofcanada.com/s.htm?2dlYtfCwTLfFBzTL8TrY7btwJDVszO - 66.96.145.104 - Email: eddom@yahoo.com
hxxp://magasin-shop.com/v.htm?ZPlkcqLyyHFRxHmhVxQN8HdfszymBrXxuy - 66.96.160.143
hxxp://couche-transport.comlu.com/r.htm?Mb6kKF3mq5H8YxeVXYM9yOwK - 31.170.161.96
Second redirection redirection chain for a sampled iFrame: hxxp://moi-npovye-sploett.com/qqqq/1.php -> hxxp://moi-npovye-sploett.com/cGeQc0wz1KPI/larktion.php -> hxxp://moi-npovye-sploett.com/cGeQc0wz1KPI/aflybing.php?esusvity=785280 where it attempts to exploit CVE-2010-0188.
Malicious domains reconnaissance:
umaiskhan.com - 173.254.28.49 - Email: chfaisal009@gmail.com - appears to be a compromised site belonging to someone named "Azhar Mahmood", unless of course you want to believe that Pakistan's cyber warfare unit is behind the campaign, since this is the second time that I come across to this IP. Keep reading!
priceworldpublishing.com - 174.122.45.74 - Email: info@sportsworkout.com
electricianfortwayne.info - 173.201.92.1 - Email: mdkline65@yahoo.com
gonullersultani.net - 72.167.2.128 - Email: gonullersultani@gmail.com
erabisnis.net - 74.220.207.161
moi-npovye-sploett.com - 130.185.157.102 - Email: josephhaddad829@yahoo.com
jaylenosgarage.com - 80.239.148.217
nikweinstein.com - 205.178.145.95 - Email: nikweinstein@hotmail.com
mdkline65@yahoo.com is also known to have registered the following domains:
dedirt.com
dogsrit.com
spiritualspice.us
madamerufus.com
herbalstatelegal.com
myauditionsite.com
injurylawyercleveland.info
injurylawyerspringfieldmo.info
injurylawyercolumbus.info
injurylawyerindianapolis.info
Who's behind this campaign and can we connect this malicious activities to previously analyzed malicious campaigns? But, of course.
umaiskhan.com responds to 173.254.28.49, and on 2013-01-28 18:56:19 we know that another domain used in a Facebook Inc. themed campaign was also responding to the same IP, namely hxxp://shutterstars.com/wp-content/plugins/akismet/resume_facebook.html. The compromised legitimate host back then used to serve client-side exploits through hxxp://gotina.net/detects/sign_on_to_resume.php – 222.238.109.66 – Email: lockwr@rocketmail.com.
Deja vu! We've already seen and profiled this malicious domain in the following assessment "Fake ‘You’ve blocked/disabled your Facebook account’ themed emails serve client-side exploits and malware", indicating that both of these campaigns have been launched by the same cybercriminal/gang of cybercriminals. What's also worth emphasizing on is that the same email (lockwr@rocketmail.com) used to register gonita.net was also profiled in the following assessment "Fake ‘Verizon Wireless Statement” themed emails lead to Black Hole Exploit Kit", where it was used to register the Name Servers used in the campaign.
Someone's multi-tasking. That's for sure.
Updates will be posted as soon as new developments take place.
