Spamvertised 'Confirmed Facebook Friend Request' Themed Emails Serve Client-Side Exploits

August 15, 2013
A currently circulating malicious spam campaign entices users into thinking that they've received a legitimate 'Friend Confirmation Request' on Facebook. In reality, though, the campaign attempts to exploit client-side vulnerabilities, CVE-2010-0188 in particular.

Client-side exploits serving URL:
hxxp://facebook.com.n.find-friends.lindoliveryct.net:80/news/facebook-onetime.php?dpheelxa=1l:30:1l:1g:1j&pkvby=h&rzuhhh=1h:33:1o:2v:32:1o:2v:1o:1j:1m&ycxlcvr=1f:1d:1f:1d:1f:1d:1f

Detection rate for the malicious PDF: MD5: 39326c9a2572078c379eb6494dc326ab - detected by 3 out of 45 antivirus scanners as PDF/Blacole-FAA!39326C9A2572; Exploit:Win32/CVE-2010-0188; Exploit.Script.Pdfka.btvxj

Domain name reconnaissance:
facebook.com.n.find-friends.lindoliveryct.net - 66.230.163.86; 95.111.32.249; 188.134.26.172 - Email: zsupercats@yahoo.com

Responding to the same IPs (66.230.163.86; 95.111.32.249; 188.134.26.172) are also the following malicious domains:
actiry.com - Email: stritton@actiry.com
askfox.net - Email: bovy@askfox.net
bnamecorni.com
briltox.com - Email: lyosha@briltox.com
condalinneuwu37.net
condrskajaumaksa66.net
cyberflorists.su - Email: mipartid@gmx.com
evishop.net - Email: hardwicke@evishop.net
exnihujatreetrichmand77.net
gondorskiedelaahuetebanj88.net
gotoraininthecharefare88.net
liliputttt9999.info - Email: dolgopoliy.alexei@yandex.ru
lucams.net - Email: renault@lucams.net
micnetwork100.com - Email: 369258wq@sina.com
musicstudioseattle.net - Email: rexona1948@live.com
nvufvwieg.com - Email: 369258wq@sina.com
partyspecialty.su - Email: mipartid@gmx.com
pinterest.com.onsayoga.net
quill.com.account.settings.musicstudioseattle.net
seoworkblog.net - Email: mendhamnewjersey@linuxmail.org
tigerdirect.com.secure.orderlogin.asp.palmer-ford.net
tor-connect-secure.com - Email: 369258wq@sina.com
vip-proxy-to-tor.com


Name servers used in these campaigns:
Name Server: NS1.TEMPLATESWELL.NET - 94.249.254.48 - Email: freejob62@rocketmail.com
Name Server: NS1.THEGALAXYATWORK.COM - 94.249.254.48 - Email: samyideaa@yahoo.com
Name Server: NS1.MOBILE-UNLOCKED.NET - 91.227.220.104 - Email: usalifecoach47@mail.com
Name Server: NS2.MOBILE-UNLOCKED.NET - 32.100.2.98
Name Server: NS1.KNEESLAPPERZ.NET
Name Server: NS1.MEDUSASCREAM.NET - 37.247.108.250 - Email: m_mybad@yahoo.com
Name Server: NS1.CREDIT-FIND.NET - 194.209.82.222 - Email: mendhamnewjersey@linuxmail.org
Name Server: NS1.GONULPALACE.NET - 194.209.82.222 - Email: mitinsider@live.com
Name Server: NS1.NAMASTELEARNING.NET - 93.178.205.234 - Email: minelapse2001@outlook.com
Name Server: NS2.NAMASTELEARNING.NET - 205.28.29.52
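The two lists above are useful beyond blocklisting: the shared registrant emails and the shared name-server IPs are what tie the look-alike domains and the name servers into one operation, and the leading "facebook.com.", "pinterest.com." and "tigerdirect.com." labels are the bait that a user sees before the real registrable domain. The following Python script is an added example (not the author's tooling) that loads the indicators exactly as the post lists them, pivots on registrant email and name-server IP, and then runs a few constructed DNS-resolver log lines through a matcher that flags listed domains, their subdomains, answers pointing at the campaign IPs, and brand-spoofing hostnames. The log format, the `query=` / `answer=` field names and the client addresses are assumptions made for the sample; the brand check uses a simple last-two-labels rule for the registrable domain, which is enough for the TLDs in this post but should be replaced by a Public Suffix List lookup in real tooling.

```python
"""Infrastructure pivots and log matching over the indicators in the post.

Domain, IP, registrant-email and name-server rows are copied from the post.
The DNS log lines at the bottom are constructed sample data, not real traffic.
"""
import re
from collections import defaultdict

# All of these domains were observed responding to the same three IPs.
SHARED_IPS = {"66.230.163.86", "95.111.32.249", "188.134.26.172"}

# domain -> registrant email (None where the post lists no email)
DOMAINS = {
    "facebook.com.n.find-friends.lindoliveryct.net": "zsupercats@yahoo.com",
    "actiry.com": "stritton@actiry.com",
    "askfox.net": "bovy@askfox.net",
    "bnamecorni.com": None,
    "briltox.com": "lyosha@briltox.com",
    "condalinneuwu37.net": None,
    "condrskajaumaksa66.net": None,
    "cyberflorists.su": "mipartid@gmx.com",
    "evishop.net": "hardwicke@evishop.net",
    "exnihujatreetrichmand77.net": None,
    "gondorskiedelaahuetebanj88.net": None,
    "gotoraininthecharefare88.net": None,
    "liliputttt9999.info": "dolgopoliy.alexei@yandex.ru",
    "lucams.net": "renault@lucams.net",
    "micnetwork100.com": "369258wq@sina.com",
    "musicstudioseattle.net": "rexona1948@live.com",
    "nvufvwieg.com": "369258wq@sina.com",
    "partyspecialty.su": "mipartid@gmx.com",
    "pinterest.com.onsayoga.net": None,
    "quill.com.account.settings.musicstudioseattle.net": None,
    "seoworkblog.net": "mendhamnewjersey@linuxmail.org",
    "tigerdirect.com.secure.orderlogin.asp.palmer-ford.net": None,
    "tor-connect-secure.com": "369258wq@sina.com",
    "vip-proxy-to-tor.com": None,
}

# name server -> (ip, registrant email)
NAME_SERVERS = {
    "ns1.templateswell.net": ("94.249.254.48", "freejob62@rocketmail.com"),
    "ns1.thegalaxyatwork.com": ("94.249.254.48", "samyideaa@yahoo.com"),
    "ns1.mobile-unlocked.net": ("91.227.220.104", "usalifecoach47@mail.com"),
    "ns2.mobile-unlocked.net": ("32.100.2.98", None),
    "ns1.medusascream.net": ("37.247.108.250", "m_mybad@yahoo.com"),
    "ns1.credit-find.net": ("194.209.82.222", "mendhamnewjersey@linuxmail.org"),
    "ns1.gonulpalace.net": ("194.209.82.222", "mitinsider@live.com"),
    "ns1.namastelearning.net": ("93.178.205.234", "minelapse2001@outlook.com"),
    "ns2.namastelearning.net": ("205.28.29.52", None),
}


def pivot_on_email():
    """Registrant emails shared by more than one domain or name server."""
    groups = defaultdict(set)
    for dom, email in DOMAINS.items():
        if email:
            groups[email].add(dom)
    for ns, (_ip, email) in NAME_SERVERS.items():
        if email:
            groups[email].add(ns)
    return {e: sorted(s) for e, s in groups.items() if len(s) > 1}


def pivot_on_ns_ip():
    """Name-server IPs hosting more than one name server."""
    groups = defaultdict(set)
    for ns, (ip, _email) in NAME_SERVERS.items():
        groups[ip].add(ns)
    return {ip: sorted(s) for ip, s in groups.items() if len(s) > 1}


def spoofed_brand(hostname):
    """Return the 'brand.tld' pair a hostname uses as bait, or None.

    Heuristic (assumption): the registrable domain is the last two labels;
    any earlier label followed by com/net/org is the impersonated brand.
    """
    labels = hostname.lower().rstrip(".").split(".")
    leading = labels[:-2]
    for i in range(len(leading) - 1):
        if leading[i + 1] in ("com", "net", "org"):
            return leading[i] + "." + leading[i + 1]
    return None


def known_domain(host):
    """True if host is a listed domain or a subdomain of one."""
    labels = host.lower().split(".")
    return any(".".join(labels[i:]) in DOMAINS for i in range(len(labels)))


# Assumed resolver log format: "... query=<host> ... answer=<ip>"
LOG_LINE = re.compile(r"query=(?P<host>\S+).*?answer=(?P<ip>\S+)")


def match_dns_log(lines):
    """Return (host, [reasons]) for every line that touches the campaign."""
    hits = []
    for line in lines:
        m = LOG_LINE.search(line)
        if not m:
            continue
        host, ip = m["host"].lower(), m["ip"]
        reasons = []
        if known_domain(host):
            reasons.append("listed domain")
        if ip in SHARED_IPS:
            reasons.append("resolves to campaign IP")
        brand = spoofed_brand(host)
        if brand:
            reasons.append("impersonates " + brand)
        if reasons:
            hits.append((host, reasons))
    return hits


SAMPLE_LOG = [  # constructed sample lines; TEST-NET addresses for benign answers
    "2013-08-15T10:02:11Z client=10.0.0.7 query=facebook.com.n.find-friends.lindoliveryct.net type=A answer=95.111.32.249",
    "2013-08-15T10:02:13Z client=10.0.0.7 query=www.facebook.com type=A answer=203.0.113.10",
    "2013-08-15T10:05:40Z client=10.0.0.9 query=cdn.evishop.net type=A answer=66.230.163.86",
    "2013-08-15T10:07:02Z client=10.0.0.9 query=example.org type=A answer=203.0.113.5",
]

if __name__ == "__main__":
    print("shared registrant emails:", pivot_on_email())
    print("shared name-server IPs:", pivot_on_ns_ip())
    for host, reasons in match_dns_log(SAMPLE_LOG):
        print(host, "->", ", ".join(reasons))
```

Running it shows three registrant emails that each tie two or three indicators together (one of them linking a spam domain to a name server in the second list), two name-server IPs that each host a pair of name servers, and two of the four sample queries flagged: the lure hostname on three grounds, and a subdomain of evishop.net on two.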

The following malicious MD5s are also known to have phoned back to the same IPs/were downloaded from the same IPs in the past:
MD5: e08c8ed751a3fc36bc966e47b76e2863
MD5: f507b822651d2fbc82a98e4cc7f735a2
MD5: f88d6a7381c0bbac1b1558533cfdfd62
MD5: 11be39e64c9926ea39e6b2650624dab4
MD5: ea893fb04cc536ff692cc3177db7e66f
MD5: c8f8b4c0fced61f8a4d3b2854279b4ef
MD5: 93bae01631d10530a7bac7367458abea
MD5: 199b8cf0ffd607787907b68c9ebecc8b
MD5: 6b1bef6fb45f5c2d8b46a6eb6a2d5834
MD5: 9eb6ed284284452f7a1e4e3877dded2d
MD5: efacf1c2c6b33f658c3df6a3ed170e2d
MD5: 7c70d5051826c9c93270b8c7fc9d276f
MD5: dcb378d6033eed2e01ff9ab8936050a0
MD5: 8556f98907fd74be9a9c1b3bf602f869


Updates will be posted as soon as new developments take place.
