A currently circulating malicious spam campaign entices users into thinking that they've received a legitimate 'Friend Confirmation Request' on Facebook. In reality, though, the campaign attempts to exploit client-side vulnerabilities, CVE-2010-0188 in particular.
Client-side exploits serving URL:
hxxp://facebook.com.n.find-friends.lindoliveryct.net:80/news/facebook-onetime.php?dpheelxa=1l:30:1l:1g:1j&pkvby=h&rzuhhh=1h:33:1o:2v:32:1o:2v:1o:1j:1m&ycxlcvr=1f:1d:1f:1d:1f:1d:1f
Detection rate for the malicious PDF: MD5: 39326c9a2572078c379eb6494dc326ab - detected by 3 out of 45 antivirus scanners as PDF/Blacole-FAA!39326C9A2572; Exploit:Win32/CVE-2010-0188; Exploit.Script.Pdfka.btvxj
Domain name reconnaissance:
facebook.com.n.find-friends.lindoliveryct.net - 66.230.163.86; 95.111.32.249; 188.134.26.172 - Email: zsupercats@yahoo.com
The following malicious domains also respond to the same IPs (66.230.163.86; 95.111.32.249; 188.134.26.172):
Name servers used in these campaigns:
The following malicious MD5s are also known to have phoned back to, or been downloaded from, the same IPs in the past:
Updates will be posted as soon as new developments take place.
Thursday, August 15, 2013
Spamvertised 'Confirmed Facebook Friend Request' Themed Emails Serve Client-Side Exploits
Tags: Botnet, Client-Side Exploits, Client-Side Vulnerabilities, Exploits, Facebook, Fake Confirmed Facebook Friend Request Email, Hacking, Information Security, Malicious Software, Security, Vulnerabilities
