Saturday, September 28, 2013

Spamvertised Facebook 'You have friend suggestions, friend requests and photo tags' Themed Emails Lead to Client-side Exploits and Malware


A currently circulating malicious 'Facebook notifications" themed spam campaign, attempts to trick Facebook's users into thinking that they've received a notifications digest for the activity that (presumably) took place while they were logged out of Facebook. In reality though, once users click on any of the links found in the malicious email, they're automatically exposed to client-side exploits ultimately dropping malware on their hosts.

Let's dissect the campaign, provide actionable intelligence on the campaign's structure, the involved portfolio of malicious domains, actual/related MD5s, and as always, connect the currently ongoing campaign with two other previously profiled malicious campaigns.

Spamvertised URL:
hxxp://user4634.vs.easily.co.uk/darkened/PSEUDO_RANDOM_CHARACTERS

Attempts to load the following malicious scripts:
hxxp://3dbrandscapes.com/starker/manipulator.js
hxxp://distrigold.eu/compounding/melisa.js
hxxp://ly-ra.com/shallot/mandalay.js

Client-side exploits serving URL:
hxxp://directgrid.org/topic/lairtg-nilles-slliks.php

Malicious domain name reconnaissance:
directgrid.org - 50.116.10.71 - Email: ringfields@islandresearch.net

Responding to the following IP (50.116.10.71) are also the following malicious domains participating in the campaign:
directgrid.biz
directgrid.com
directgrid.info
directgrid.net
directgrid.org
directgrid.us
gilkjones.com
integra-inspection.ca
integra-inspection.co
integra-inspection.info
taxipunjab.com
taxisamritsar.com
watttrack.com

The following malicious MD5s are known to have been downloaded -- related campaigns -- from the same IP (50.116.10.71):
MD5: 7eb6740ed6935da49614d95a43146dea
MD5: 7768f7039988236165cdd5879934cc5d

The following malicious MD5s are known to have 'phoned back' to the same IP (50.116.10.71) over the past 24 hours:
MD5: a0065f7649db9a885acd34301ae863b0
MD5: 5503573f4fe15b211956f67c66e18d02
MD5: 01d757b672673df8032abbaa8acf3e22
MD5: 7ad68895e5ec9d4f53fc9958c70df01a
MD5: fd99250ecb845a455499db8df1780807
MD5: fd99250ecb845a455499db8df1780807
MD5: 3983170d46a130f23471340a47888c93
MD5: c86c79d9fee925a690a4b0307d7f2329
MD5: 25f498f7823f12294c685e9bc79376d2
MD5: 470f4aa3f76ea3b465741a73ce6c22fe
MD5: 43b78852a7363d8a4cf7538d4e68c887
MD5: e3aae430ed4036b19f26fa2ed9bbe2bf
MD5: e782619301a0a0a843cedc5d02c563b5
MD5: fc16335d0e1827b271b031309634dc0f
MD5: a55e21b0231d0508cb638892b6ee8ec5
MD5: 053c84c12900b81506eb884ec9f930c9
MD5: e03d0dd786b038c570dc53690db0673b
MD5: 086b16af34857cb5dfb0163cc1c92569
MD5: e066b50bae491587574603bdfd60826e
MD5: eb22137880f8c5a03c73135f288afb8a
MD5: b88392fb63747668c982b6321e5ce712
MD5: 6254d901b1566bef94e673f833adff8c
MD5: 258d640b802a0bbe08471f4f064cb94a
MD5: c1cefb742107516c3a73489eae176745
MD5: a19f1d5c98c2d7f036f2693ad6c14626
MD5: 3f02f35bc73ad9ef14ab4f960926fd45

Sample detection rate for the client-side exploits serving malicious script:
MD5: 00f5d150ff1b50c0bbc1d038eb676c29 - detected by 2 out of 48 antivirus scanners as Script.Exploit.Kit.C; Troj/ObfJS-EO


Sample detection rate for the served exploit:
MD5: d49275523cae83a5e7639bb22604dd86 - detected by 5 out of 48 antivirus scanners as HEUR:Exploit.Java.Generic; HEUR_JAVA.EXEC; TROJ_GEN.F47V0927

Upon successful client-side exploitation the campaign drops the following malicious sample on the affected hosts:
MD5: 6ef9476e6227ef631b231b66d7a2a08b - detected by 7 out of 48 antivirus scanners as Win32/Spy.Zbot.AAU; Trojan-Spy.Win32.Zbot.qckm; TROJ_GEN.F47V0927

Once executed, the sample starts listening on ports 3185 and 7101.

It also creates the following Mutexes on the system:
Local\{B0B9FAFD-CA9C-4B54-DBC9-BE58FA349D4A}
Local\{B0B9FAFC-CA9D-4B54-DBC9-BE58FA349D4A}
Local\{D15F4CEE-7C8F-2AB2-DBC9-BE58FA349D4A}
Local\{D15F4CE9-7C88-2AB2-DBC9-BE58FA349D4A}
Local\{0BB5ADEF-9D8E-F058-DBC9-BE58FA349D4A}
Local\{911F9FCD-AFAC-6AF2-DBC9-BE58FA349D4A}
Global\{2E06BA86-8AE7-D5EB-DBC9-BE58FA349D4A}
Global\{B0B9FAFD-CA9C-4B54-DBC9-BE58FA349D4A}
Global\{B0B9FAFC-CA9D-4B54-DBC9-BE58FA349D4A}
Global\{D15F4CEE-7C8F-2AB2-DBC9-BE58FA349D4A}
Global\{D15F4CE9-7C88-2AB2-DBC9-BE58FA349D4A}
Global\{0BB5ADEF-9D8E-F058-DBC9-BE58FA349D4A}
Global\{BB67AFC4-9FA5-408A-DBC9-BE58FA349D4A}
Global\{3DC7903B-A05A-C62A-11EB-B06D3016937F}
Global\{3DC7903B-A05A-C62A-75EA-B06D5417937F}
Global\{3DC7903B-A05A-C62A-4DE9-B06D6C14937F}
Global\{3DC7903B-A05A-C62A-65E9-B06D4414937F}
Global\{3DC7903B-A05A-C62A-89E9-B06DA814937F}
Global\{3DC7903B-A05A-C62A-BDE9-B06D9C14937F}
Global\{3DC7903B-A05A-C62A-51E8-B06D7015937F}
Global\{3DC7903B-A05A-C62A-81E8-B06DA015937F}
Global\{3DC7903B-A05A-C62A-FDE8-B06DDC15937F}
Global\{3DC7903B-A05A-C62A-0DEF-B06D2C12937F}
Global\{3DC7903B-A05A-C62A-5DEF-B06D7C12937F}
Global\{3DC7903B-A05A-C62A-95EE-B06DB413937F}
Global\{3DC7903B-A05A-C62A-F1EE-B06DD013937F}
Global\{3DC7903B-A05A-C62A-89EB-B06DA816937F}
Global\{3DC7903B-A05A-C62A-F9EF-B06DD812937F}
Global\{3DC7903B-A05A-C62A-E5EF-B06DC412937F}
Global\{3DC7903B-A05A-C62A-0DEE-B06D2C13937F}
Global\{3DC7903B-A05A-C62A-09ED-B06D2810937F}
Global\{3DC7903B-A05A-C62A-51EF-B06D7012937F}
Global\{3DC7903B-A05A-C62A-35EC-B06D1411937F}
Global\{3DC7903B-A05A-C62A-55EF-B06D7412937F}
Global\{DDB39BDC-ABBD-265E-DBC9-BE58FA349D4A}
Global\{2E1C200D-106C-D5F1-DBC9-BE58FA349D4A}
MPSWabDataAccessMutex
MPSWABOlkStoreNotifyMutex


The following Registry Keys:
HKEY_CURRENT_USER\Software\Microsoft\Waosumag

And changes the following Registry Values:

[HKEY_CURRENT_USER\Identities] -> Identity Login = 0x00098053
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] -> Keby = ""%AppData%\Ortuet\keby.exe""
[HKEY_CURRENT_USER\Software\Microsoft\Waosumag] -> 2df3e6ig = 23 CD 87 C3 1E D1 FA C6 28 2E DF 4D 12 21; 2icbbj3a = 0xC3E6CD13; 185cafc2 = CB D5 E6 C3 F6 D8 CD C6 05 2E EF 4D


It then phones back to the following C&C (command and control) servers:
99.157.164.179
174.76.94.24
99.60.68.114
217.35.75.232
184.145.205.63
99.60.111.51
207.47.212.146
108.240.232.212
107.193.222.108
173.202.183.58
201.170.83.92
81.136.188.57
71.186.174.184


We've already seen the same IPs (217.35.75.232; 108.240.232.212) in the following previously profiled malicious campaign - Spamvertised “FDIC: Your business account” themed emails serve client-side exploits and malware.

We've also seen (107.193.222.108) in the following malicious campaign - Spamvertised ‘Export License/Invoice Copy’ themed emails lead to malware, indicating that all of these campaigns are controlled using the same malicious botnet infrastructure.

The following malicious MD5s are also known to have phoned back to the same C&C servers used in this campaign, over the past 24 hours:
MD5: 9f550edbb505e22b0203e766bd1b9982
MD5: 46cdaead83d9e3de803125e45ca88894
MD5: ffe07e0997d8ec82feb81bac53838d6d
MD5: 28c0bc772aec891a08b06a4029230626
MD5: c8055c6668d1c4c9cb9d68c2c09c14d4
MD5: 0bbabb722e1327cbe903ab477716ae2e
MD5: c4c5db70e7c971e3e556eb9d65f87c84
MD5: 0ff4d450ce9b1eaaef5ed9a5a1fa392d
MD5: e01f435a8c5ed93f6800971505a2cdd2
MD5: 042508083351b79f01a4d7b7e8e35826
MD5: 1f5f75ae82d6aa7099315bf19d0ae4e0
MD5: 35c4d4c2031157645bb3a1e4e709edeb
MD5: a0065f7649db9a885acd34301ae863b0
MD5: 5503573f4fe15b211956f67c66e18d02
MD5: 01d757b672673df8032abbaa8acf3e22
MD5: fd99250ecb845a455499db8df1780807
MD5: 1fab971283479b017dfb79857ecd343b
MD5: a130cddd61dad9188b9b89451a58af28
MD5: 2af94e79f9b9ee26032ca863a86843be
MD5: 8b03a5cf4f149ac7696d108bff586cc5
MD5: 802a522405076d7f8b944b781e4fe133
MD5: b9c7d2466a689365ebb8f6f607cd3368
MD5: 43b78852a7363d8a4cf7538d4e68c887
MD5: c62b6206e9eefe75ba1804788dc552f7
MD5: 385b5358f6a1f15706b536a9dc5b1590
MD5: e3aae430ed4036b19f26fa2ed9bbe2bf
MD5: e782619301a0a0a843cedc5d02c563b5
MD5: fc16335d0e1827b271b031309634dc0f
MD5: 4850969b7febc82c8b82296fa129e818
MD5: 203e0acced8a76560312b452d70ff1e7
MD5: a55e21b0231d0508cb638892b6ee8ec5
MD5: edb1a26ebb8ab5df780b643ad1f0d50f
MD5: 053c84c12900b81506eb884ec9f930c9
MD5: e03d0dd786b038c570dc53690db0673b
MD5: 47d4804fda31b6f88b0d33b86fc681ae
MD5: 086b16af34857cb5dfb0163cc1c92569

This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter.

Wednesday, September 18, 2013

Dissecting FireEye's Career Web Site Compromise


Remember when back in 2010, I established a direct connection between several mass Wordpress blogs compromise campaigns, with the campaign behind the compromised Web site of the U.S. Treasury, prompting the cybercriminal(s) behind it to redirect all the campaign traffic to my Blogger profile?

It appears that the cybercriminal/gang of cybercriminals behind these mass Web site compromise campaigns is/are not just still in business, but also -- Long Tail of the malicious Web -- managed to infect FireEye' (external network) Careers Web Site.

Let's dissect the campaign, expose the malicious domains portfolio behind it, provide MD5s for a sample exploit, the dropped malware, and connect it to related malicious campaigns, all of which continue to share the same malicious infrastructure.

Sample redirection chain:
hxxp://vjs.zencdn.net/c/video.js -> hxxp://cdn.adsbarscipt.com/links/jump/ (198.7.59.235; 63.247.93.69; 69.39.238.28; 74.81.94.44) (IE) -> hxxp://cdn.adsbarscipt.com/links/flash/?updnew (CHROME) -> hxxp://209.239.127.185/591918d6c2e8ce3f53ed8b93fb0735cd/face-book.php

Detection rate for a sample malicious script found on the client-side exploits serving site:
MD5: 809f70b26e3a50fb9146ddfa8cf500be - detected by 1 out of 49 antivirus scanners as Trojan.Script.Heuristic-js.iacgm

Sample detection rate for the served client-side exploit:
MD5: 71c92ebc2a889d3541ff6f20b4740868 - detected by 4 out of 49 antivirus scanners as HEUR:Exploit.Java.CVE-2012-1723.gen; HEUR_JAVA.EXEC

Detection rate for a sample dropped malware:
MD5: 4bfb3379a2814f5eb67345d43bce3091 - detected by 15 out of 49 antivirus scanners as Trojan-PSW.Win32.Fareit.acqv; PWS:Win32/Fareit.gen!C

The following malicious MD5s are known to have been downloaded from the same IPs (cdn.adsbarscipt.com (198.7.59.235; 63.247.93.69; 69.39.238.28; 74.81.94.44):
MD5: 82e1013106736b74255586169a217d66
MD5: 01771c3500a5b1543f4fb43945337c7d
MD5: dbf6f5373f56f67e843af30fded5c7f2

Additionally, the campaign is also known to have dropped MD5: 01771c3500a5b1543f4fb43945337c7d

Once executed, the most recently dropped sample (MD5: 4bfb3379a2814f5eb67345d43bce3091) phones back to the following C&C servers:
main-firewalls.com (67.228.177.174; 74.204.171.69; 85.195.104.90) - Email: alex1978a@bigmir.net
simple-cdn-node.com (109.120.143.109) - Email: alex1978a@bigmir.net
akamai.com/gate.php

Deja vu! We've already seen alex1978a@bigmir.net in Network Solution's (2010) mass Wordpress blogs compromise, a campaign which is also directly connected with the compromise of the Web site of the U.S Treasury.

The sample also attempts to download the following additional malware variants:
main-firewalls.com/6.exe
main-firewalls.com/1.exe

simple-cdn-node.com/1.exe - MD5: 05d003a374a29c9c2bbc250dd5c56d7c

Responding to 67.228.177.174 are also the following malicious domains:
aodairangdong.com
bolsaminimall.com
catch-cdn.com
corp-firewall.com
himarkrealty.com
ngnetworld.com
ritz-entertainment.com
server.evietmusic.com
viettv24.com
vpoptv.com        
plussolarsolutions.com
artistflower.com
autoairsystems.com   
eighteas.com
greenpowersurvey.com
phattubi.com
ritz-entertainment.com
saigoncitymall.com


The following malicious MD5s are also known to have phoned back to the same IP (67.228.177.174) in the past:
MD5: 05636d38090e5726077cea54d2485806
MD5: 53b73675f1b08cf7ecfc3c80677c8d2e
MD5: 0f424ff9db97dafaba746f26d6d8d5c0
MD5: 633d6de861edc2ecf667f02d0997f10e
MD5: d13ead2b8a424b5e9c5977f8715514c4
MD5: bfc9803c94cc8ba76a916f8e915042e4
MD5: a04d33ced90f72c1a77f312708681c07
MD5: 7e6e15518cc48639612aa4ff00a2a454
MD5: 98d78ef8cc5aee193a7b7a3c3bb58c87
MD5: a030d6e35d736db9dd433a8d2ac8a915
MD5: 1f7a6ed70be6e13efb45e5ba80eed76e
MD5: cfc727a0ad51eb1f111305873d2ade04
MD5: 1b6de030ed3b42e939690630f63d6933
MD5: fa9e92d42580e1789ed04e551a379e4e
MD5: 2ed9d63e4d557667bad7806872cf4412
MD5: bef16d25b2cada2a388ea06c204b44f3
MD5: 77a93ba48d6532e069745bca117d26ed
MD5: 7c7e4cef8a7181f7982a841f7f752368
MD5: 57b5e6f38998e32fa93856970cc66c5e
MD5: 5d388b1f2bf2dc9493f5c4cfb9d53ca0
MD5: ec24a959e39c5d2eb7dc769f4b098efb
MD5: 6357085196499ef5301548ff17b62619
MD5: 3173d4be34f489a4630f2439f9653c2c
MD5: 3bd239ee46ab8ba02f57ed1762bd3ae6
MD5: dce3e33eb294f0a7688be5bea6b7e9d4
MD5: 1ed678e9d29c25043fdd1b4c44f5b2ea
MD5: eccce6f5f509f4ef986d426445a98f0d
MD5: 74e1e2f2d562ab6883124cfa43300cf2
MD5: 6922efa2e5aa16b78c982d633cbe44e9

Responding to 85.195.104.90 are also the following malicious domains:
catch-cdn.com
corp-firewall.com
kronoemail.com
main-firewalls.com
viacominfosys.com
emaildatastore.com


The following malicious MD5s are also known to have phoned back to the same IP (85.195.104.90) in the past:
MD5: 88110dbce9591b68b06b859e7965d509
MD5: 0e055888564fb59cb6d4e35a5c5fb33d
MD5: e9d8d2842b576fd4f6ef9dde1fea4b9f
MD5: e750031fc9b9264852133d8f7284ac7a
MD5: e0da2ca4e9a174cd3c6f8a348e4861ad
MD5: b23a579d7b8bf5a03c121d2f74234b2d
MD5: a1ee5246d984d900f27ce94fbfc37c2b
MD5: 2118a70a2ccf0a7772725e765ad64e08
MD5: f26848e64040b4b6614d95bd967045df
MD5: 9c5997b32bea6945f0cb9ff0c18cf040
MD5: 353305483087a5316fd75f63d641ec1f
MD5: 34e67771ca411b163866f1e795b2e72e
MD5: 571e04b5af915979efc5a7f77794facb
MD5: a21df3ee0c9dd87cf6ca66581aa7eb76
MD5: e2137edd5f550b1942c16e70095c436b
MD5: 97437f6d670db2596b6a6b53c887055c

Such type of factual attribution based on gathered historical OSINT, isn't surprising, thanks to the fact that despite the increasing number of novice cybercriminals joining the ecosystem, the "usual suspects" continue operating for the sake of achieving their fraudulent and malicious objectives.

This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter.

Monday, September 16, 2013

Rogue iFrame Injected Web Sites Lead to the AndroidOS/FakeInst/Trojan-SMS.J2ME.JiFake Mobile Malware


A currently ongoing malicious campaign relying on injected iFrames at legitimate Web sites, successfully segments mobile traffic, and exposes mobile users to fraudulent legitimately looking variants of the AndroidOS/FakeInst/Trojan-SMS.J2ME.JiFake mobile malware.

Let's dissect the campaign, expose the domains portfolio currently/historically known to have been involved in this campaign, as well as list all the malicious MD5s known to have been pushed by it.

iFrame injected domains containing the mobile traffic segmentation script parked on the same IP:
asphalt7-android.org - 93.170.109.193
fifa12-android.org

gta3-android.org
fruit-ninja-android.org
wildblood-android.org
osmos-android.org
moderncombat-android.org
minecraft-android.org
googlanalytics.ws
getinternet.ws
ddlloads.com
googlecount.ws
opera-com.com
opgrade.ws
statuses.ws
ya-googl.ws
yadirect.ws
yandex-google.ws




Sample mobile malware MD5s pushed by the campaign:
MD5: e77f3bffe18fb9f5a1b1e5e6a0b8aaf8
MD5: 5fb4cc0b0d8dfe8011c44f97c6dd0aa2
MD5: 9348b5a13278cc101ae95cb2a88fe403
MD5: f4966c315dafa7e39ad78e31e599e8d0
MD5: 6f839dd29d2c7807043d06ba19e9c916
MD5: 8cfebfa7175e6e9a10e2a9ade4d87405
MD5: 4e5af55dd6a310bced83eb08c9a635b3

Phone back location: hxxp://depositmobi.com/getTask.php/task=updateOpening&s= - 93.170.107.130

Parked on the same IP (93.170.107.130) are also the following domains participating in the campaign's infrastructure:
123diskapp.com
1gameminecraft.ru
2010mobile.ru
absex.ru
ammla.info
and4mobiles.ru
android-apk-file.ru
android-games-skachat.ru.com
android-key.ru
android-market-apk.ru
android-market-cools.ru
android-vk.com
android7s.ru
androidcool.tk
androiderus.com
androidnns.ru
androidone.net
androidperfomance.com
androids-market.ru
androidupos.ru
24-android.ru
online-android.ru
moiandroid.ru
ktozdesj.ru
super-androids.ru


The following malicious mobile malware MD5s are known to have phoned back to the same IP in the past:
MD5: 572b07bd031649d4a82bb392156b25c6
MD5: 9685ff439e610fa8f874bf216fa47eee
MD5: 6d9dd3c9671d3d88f16071f1483faa12
MD5: 276b77b3242cb0f767bfba0009bcf3e7
MD5: aefdbdee7f873441b9d53500e1af34fa

What's also worth emphasizing on is that we've also got a decent number of malicious Windows samples known to have phoned back to the same IP in the past, presumably in an attempt by fellow cybercriminals to monetize the traffic through an affiliate program.
MD5: bac8f2c5d0583ee8477d79dc52414bf5
MD5: a1ae35eadf7599d2f661a9ca7f0f2150
MD5: 419fdb78356eaf61f9445cf828b3e5cf
MD5: abce96eaa7c345c2c3a89a8307524001
MD5: 93d11dc11cccc5ac5a1d57edce73ea07
MD5: 53bbad9018cd53d16fb1a21bd4738619
MD5: 15f3eca26f6c8d12969ffb1dbeead236
MD5: 72c6c14f9bab8ff95dbaf491f2a2aff6
MD5: a282b40d654fee59a586b89a1a12cac2
MD5: e0798c635d263f15ab54a839bf6bac7f
MD5: 7b1d8820cc012deac282fc72471310bd
MD5: 21fdbb9e9e13297ae12768764e169fb4
MD5: 47fa4a3a7d94dad9fac1cbdc07862496
MD5: 5e9321027c73175cf6ff862019c90af7
MD5: cfbaccc61dc51b805673000d09e99024
MD5: 8bc4dd1aff76fd4d2513af4538626033
MD5: f6a622f76b18d3fa431a34eb33be4619
MD5: c068d11293fc14bebdf3b3827e0006ac
MD5: d68338a37f62e26e701dfe45a2f9cbf2
MD5: e1c9562b6666d9915c7748c25376416f
MD5: 1dccd14b23698ecc7c5a4b9099954ae4
MD5: 47601e9f8b624464b63d499af60f6c18

Actual download location of a sample mobile malware sample:
hxxp://mediaworks3.com/getfile.php?dtype=dle&u=getfl&d=FLVPLayer - 78.140.131.124


The following mobile malware serving domains are also known to have responded to the same IP (78.140.131.124) in the past:
4apkser.ru
absex.ru
agw-railway.com
androedis.ru
android-apk-file.ru
android-update.name
android6s.ru
android7s.ru
androidappfile.name
androidaps.ru
androidbizarre.com
androidilve.ru
androidovnloads.com
androidupss.ru
apk-load.ru
apkzona.ru
bali-special.ru
com-opera.com
dml-site.ru
download-opera.com


As well as the following malicious MD5s:
MD5: 8cfebfa7175e6e9a10e2a9ade4d87405
MD5: 4e5af55dd6a310bced83eb08c9a635b3

Thanks to the commercial availability of DIY iFrame injecting platforms, the current commoditization of hacked/compromised accounts across multiple verticals, the efficiency-oriented mass SQL injection campaigns, as well as the existence of beneath the radar malvertising campaigns, cybercriminals are perfectly positioned to continue monetizing mobile traffic for fraudulent/malicious purposes.

This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter.