In the overwhelming sea of information, access to timely, insightful and independent open-source intelligence (OSINT) analyses is crucial for maintaining the situational awareness needed to stay on top of emerging security threats. This blog covers trends and fads, tactics and strategies, intersecting with third-party research, speculation and real-time CYBERINT assessments, all packed with a sarcastic attitude.
Showing posts with label NBC. Show all posts
Wednesday, March 06, 2013
Dissecting NBC's Late Night with Jimmy Fallon Web Site Compromise
Oops, they did it again!
The official Web site (hxxp://www.latenightwithjimmyfallon.com) of NBC's Late Night With Jimmy Fallon is currently compromised/hacked and is automatically serving multiple Java exploits to its visitors through a tiny iFrame element embedded on the front page. According to Google's Safe Browsing Diagnostic page, the same malicious iFrame domain that affected the Web site is also known to have affected 15 more domains.
Let's dissect the campaign, expose the complete domain portfolio used in it, reproduce the malicious payload, and establish a direct connection between this campaign and a series of phishing campaigns that appear to have been launched by the same cybercriminal/gang of cybercriminals.
Sample client-side exploitation chain: hxxp://20-monkeys-b.com/exp/agencept.php?vialjack=339214 - 144.135.8.182; 192.154.103.66 -> hxxp://20-monkeys-b.com/exp/tionjett.php
Although the currently embedded iFrame domain is offline, we know that on 2013-03-06 17:02:35 it used to respond to 192.154.103.66. Several malicious domains are currently parked at the same IP and still responding, allowing us to obtain the malicious payload used in the campaign affecting NBC's Web site. Upon further examination, the malicious PDF obtained from the campaign also attempts to connect to the initial iFrame domain (20-monkeys-b.com), proving that the domains are operated by the same cybercriminal/gang of cybercriminals.
Sample exploitation chain for a currently active malicious domain responding to 192.154.103.66: hxxp://poople-huelytics.com/exp/agencept.php?vialjack=694842 -> hxxp://poople-huelytics.com/exp/addajapa/jurylamp.jar -> hxxp://poople-huelytics.com/exp/addajapa/ptlyable.jar -> hxxp://poople-huelytics.com/exp/jectrger.php
Sample client-side exploits served: CVE-2013-0431; CVE-2012-1723; CVE-2010-0188
Sample detection rates for the reproduced malicious payload:
test.pdf - MD5: 013ed8ef6d92cfe337d9d82767f778da - detected by 10 out of 46 antivirus scanners as PDF:Exploit.PDF-JS.VU
jurylamp.jar - MD5: dcba86395938737b058299b8e22b6d65 - detected by 7 out of 46 antivirus scanners as Exploit:Java/CVE-2013-0431
ptlyable.jar - MD5: 2446aa6594fc7935ca13b130d4f67442 - detected by 6 out of 46 antivirus scanners as HEUR:Exploit.Java.CVE-2012-1723.gen
test.pdf drops MD5: 51311FDECCD8B6BC5059BE33E0046A27 and MD5: 72B670F4582BC73C0D05FF506B51B8EB; it then attempts to obtain the malicious payload from 20-monkeys-b.com/exp/senccute.php? (144.135.8.182)
Responding to 192.154.103.66 are also the following malicious domains:
snova-vdel-e.com
mimemimikat.info
Malicious domain names reconnaissance:
20-monkeys-b.com - Email: haneslyndsey@yahoo.com
poople-huelytics.com - Email: brianmyhalyk@yahoo.com
snova-vdel-e.com - Email: guerin_k@yahoo.com
mimemimikat.info - Email: xbroshost@live.com
More domains share the same exploitation directory structure (agencept.php?vialjack=).
The same email (xbroshost@live.com) is also known to have registered the following phishing domains in the past:
hxxp://www.realtorviewproperties.info/realtorjj/index.htm
hxxp://www.usaindependentmerchids.com
hxxp://www.usamerchandiseinc.com/
hxxp://www.blogconsciente.com/~secadmin/eLogin.php
Although the cybercriminal/gang of cybercriminals behind this campaign applied basic OPSEC practices, the fact that the C&C/malicious payload acquisition strategy is largely centralized (thankfully) indicates a critical flaw in their mode of thinking.
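The shared exploitation directory structure (agencept.php?vialjack=<id>, payloads under /exp/) and the shared-IP pivot used above to expose sibling domains, as an added Python example that is not code from the original post: it flags proxy log lines whose URL path matches the kit's landing-page or /exp/*.jar payload shape (including the %3D-encoded query variant), then expands each flagged host to every other domain parked on the same IP. The log lines and passive-DNS table are constructed for the example; the domains and the IP are the ones named in the post.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs, unquote

# Landing-page and payload URL shapes from the post; hostnames rotate, so match path/query only.
LANDING = re.compile(r"/agencept\.php$")          # landing page, takes ?vialjack=<numeric id>
PAYLOAD = re.compile(r"/exp/[^/]+/[^/]+\.jar$")   # Java exploit archives served under /exp/
# Constructed sample proxy log: "<client> <url> <resolved_ip>" (not a real capture).
PROXY_LOG = """\
10.0.0.5 http://poople-huelytics.com/exp/agencept.php?vialjack=694842 192.154.103.66
10.0.0.5 http://poople-huelytics.com/exp/addajapa/jurylamp.jar 192.154.103.66
10.0.0.7 http://example.org/index.php?id=694842 203.0.113.10
10.0.0.9 http://4ad32203.dyndns.info/agencept.php?vialjack%3D428181 198.51.100.23
"""
# Constructed passive-DNS table (domain -> IP) used for the shared-IP pivot.
PASSIVE_DNS = {
    "poople-huelytics.com": "192.154.103.66",
    "snova-vdel-e.com": "192.154.103.66",
    "mimemimikat.info": "192.154.103.66",
    "example.org": "203.0.113.10",
}

def is_kit_url(url):
    """True when the URL has the landing-page or payload shape described in the post."""
    parts = urlsplit(url)
    path = unquote(parts.path)
    if LANDING.search(path):
        # unquote first so the %3D-encoded '=' variant seen in the wild still parses
        query = parse_qs(unquote(parts.query))
        return bool(re.fullmatch(r"\d+", query.get("vialjack", [""])[0]))
    return bool(PAYLOAD.search(path))

def flagged_hosts(log):
    """Map each host serving a kit-shaped URL to the internal clients that fetched it."""
    hits = defaultdict(set)
    for line in log.splitlines():
        client, url, _resolved_ip = line.split()
        if is_kit_url(url):
            hits[urlsplit(url).hostname].add(client)
    return dict(hits)

def pivot_by_ip(hosts, pdns):
    """Expand flagged hosts to every domain parked on the same IP (the centralization flaw)."""
    by_ip = defaultdict(set)
    for domain, ip in pdns.items():
        by_ip[ip].add(domain)
    related = set()
    for host in hosts:
        if host in pdns:
            related |= by_ip[pdns[host]]
    return related
```

Hosts that are flagged but absent from the passive-DNS table (the dyndns.info entry here) are reported by flagged_hosts but cannot be pivoted, which is the case to watch when the kit moves to fresh infrastructure.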
Tags: Client-Side Exploits, Client-Side Vulnerabilities, Cybercrime, Exploits, Hacking, Information Security, NBC, Security, Vulnerabilities
Independent Security Consultancy, Threat Intelligence Analysis (OSINT/Cyber Counter Intelligence) and Competitive Intelligence research on demand. Insightful, unbiased, and client-tailored assessments, neatly communicated in the form of interactive reports - because anticipating the emerging threatscape is what shapes the big picture at the end of the day. Approach me at dancho.danchev@hush.com
Thursday, February 21, 2013
Dissecting NBC's Exploits and Malware Serving Web Site Compromise
The web site of the National Broadcasting Company (NBC), NBC.com, is currently compromised and is redirecting tens of thousands of legitimate users to multiple exploit-serving and malware-dropping malicious URLs. The campaign appears to have been launched by the same gang of cybercriminals that has also recently been involved in impersonating Facebook Inc. and Verizon Wireless, in an attempt to trick their users/customers into clicking on links found in hundreds of thousands of spamvertised emails pretending to come from those companies.
Let's dissect the campaign, expose its structure, the dropped malware, and connect the dots on who's behind it.
Observed iFrames in rotation:
hxxp://umaiskhan.com/znzd.html
hxxp://umaiskhan.com/ztuj.html
hxxp://priceworldpublishing.com/aynk.html
hxxp://toplineops.com/mtnk.html
hxxp://moi-npovye-sploett.com/qqqq/1.php
hxxp://www.jaylenosgarage.com/trucks/PHP/google.php
hxxp://nikweinstein.com/cl/google.php
Observed redirections leading to:
hxxp://gonullersultani.net/znzd.htm
hxxp://erabisnis.net/znzd.htm
hxxp://electricianfortwayne.info/62.html
hxxp://moi-npovye-sploett.com/cGeQc0wz1KPI/larktion.php
Sample client-side exploitation chain for the first campaign: hxxp://toplineops.com/mtnk.html -> hxxp://electricianfortwayne.info/62.html -> hxxp://electricianfortwayne.info/987.pdf
Upon successful client-side exploitation, the campaign drops MD5: 4e48ddc2a2481f9ff27113e6395160e1 - detected by 7 out of 46 antivirus scanners as Trojan-Spy.Win32.Zbot.jfgj.
Once executed, the sample creates the "Xi3FVneIx" mutex and phones back to:
hxxp://eastsidetennisassociation.com/i.htm?jzd63F1JyFUfMyyf1Q8U9 - 74.220.215.229
hxxp://envirsoft.com/n.htm?xWasESNrgozQ13QNR1PNCGTGhPAW16QJ67Bnj - 174.120.29.2 - Email: louis.bouchard@envirsoft.com
hxxp://beautiesofcanada.com/s.htm?2dlYtfCwTLfFBzTL8TrY7btwJDVszO - 66.96.145.104 - Email: eddom@yahoo.com
hxxp://magasin-shop.com/v.htm?ZPlkcqLyyHFRxHmhVxQN8HdfszymBrXxuy - 66.96.160.143
hxxp://couche-transport.comlu.com/r.htm?Mb6kKF3mq5H8YxeVXYM9yOwK - 31.170.161.96
Second redirection chain for a sampled iFrame: hxxp://moi-npovye-sploett.com/qqqq/1.php -> hxxp://moi-npovye-sploett.com/cGeQc0wz1KPI/larktion.php -> hxxp://moi-npovye-sploett.com/cGeQc0wz1KPI/aflybing.php?esusvity=785280, where it attempts to exploit CVE-2010-0188.
Malicious domains reconnaissance:
umaiskhan.com - 173.254.28.49 - Email: chfaisal009@gmail.com - appears to be a compromised site belonging to someone named "Azhar Mahmood", unless of course you want to believe that Pakistan's cyber warfare unit is behind the campaign, since this is the second time that I have come across this IP. Keep reading!
priceworldpublishing.com - 174.122.45.74 - Email: info@sportsworkout.com
electricianfortwayne.info - 173.201.92.1 - Email: mdkline65@yahoo.com
gonullersultani.net - 72.167.2.128 - Email: gonullersultani@gmail.com
erabisnis.net - 74.220.207.161
moi-npovye-sploett.com - 130.185.157.102 - Email: josephhaddad829@yahoo.com
jaylenosgarage.com - 80.239.148.217
nikweinstein.com - 205.178.145.95 - Email: nikweinstein@hotmail.com
mdkline65@yahoo.com is also known to have registered a number of other domains.
Who's behind this campaign, and can we connect these malicious activities to previously analyzed malicious campaigns? But, of course.
umaiskhan.com responds to 173.254.28.49, and on 2013-01-28 18:56:19 we know that another domain used in a Facebook Inc. themed campaign was also responding to the same IP, namely hxxp://shutterstars.com/wp-content/plugins/akismet/resume_facebook.html. The compromised legitimate host back then used to serve client-side exploits through hxxp://gotina.net/detects/sign_on_to_resume.php – 222.238.109.66 – Email: lockwr@rocketmail.com.
Déjà vu! We've already seen and profiled this malicious domain in the following assessment, "Fake ‘You’ve blocked/disabled your Facebook account’ themed emails serve client-side exploits and malware", indicating that both of these campaigns have been launched by the same cybercriminal/gang of cybercriminals. What's also worth emphasizing is that the same email (lockwr@rocketmail.com) used to register gonita.net was also profiled in the following assessment, "Fake ‘Verizon Wireless Statement’ themed emails lead to Black Hole Exploit Kit", where it was used to register the Name Servers used in the campaign.
Someone's multi-tasking. That's for sure.
Updates will be posted as soon as new developments take place.
Tags: Client-Side Exploits, Client-Side Vulnerabilities, Cybercrime, Exploits, Hacking, Information Security, NBC, Security, Vulnerabilities