CNN "Perfect gift for royal baby" Malware - July 24, 2013
Today’s Top Threats Report: CNN “Perfect gift for royal baby” Malware – July 24, 2013
Analyst: Brendan Griffin

Today’s most notable threat continues the trend of spammers riding popular news stories: the birth of the British royal baby is the bait in a spam campaign that distributes Cridex to the recipients. Today’s Top Threats has reported this behavior before, when spammers leveraged the Boston Marathon bombing and the West, Texas fertilizer plant explosion to distribute malware.

Today’s threat arrives as malicious links embedded in the message body. Each link points the recipient’s browser to a web page that references a number of JavaScript files; each of those files contains a single function that redirects the browser to a location hosting the Blackhole exploit kit, which in turn places the malware on the now-infected machine. The message content, sender domain, and subject line are all designed to give the impression that the email came from CNN, and the logo at the top of the message even links to the CNN home page to lend the message a greater sense of legitimacy.

Contents:
Subject = ‘"Perfect gift for royal baby ... a tree?" - BreakingNews CNN’
Message Content
Link Analysis
Registry Analysis
File Analysis

Additional information about these malware samples or the spam email messages in which they were distributed is available from Malcovery Security. Contact Gary Warner (gar@malcovery.com) or support@malcovery.com to request samples.
© Malcovery Security, LLC
Subject = ‘"Perfect gift for royal baby ... a tree?" - BreakingNews CNN’:

The first of these messages was received at 8:15 AM, when 6 copies were noted. The largest number was recorded at 11:00 AM with the receipt of 63 emails. A total of 112 copies of these emails were recorded in the Malcovery data mine today.

count   mbox
6       7/24/2013 8:15
20      7/24/2013 8:30
17      7/24/2013 10:15
6       7/24/2013 10:45
63      7/24/2013 11:00

Domains:
All 112 messages captured by the Malcovery data mine used the single sender domain “mail.cnn.com”, adding another field in which the CNN brand was impersonated.

IP addresses:
The headers of spammed emails with this subject line and sender domain showed 60 unique sending IP addresses in the distribution of these messages, including:

count   sender IP
4       178.219.75.90
7       41.72.6.11
4       216.112.107.200
5       95.56.48.239
3       174.137.66.139
4       41.254.5.166
3       41.202.196.189
4       69.33.137.10
3       12.139.9.84
4       190.146.244.117

URLs:
The 103 URLs contained in the message content of these spammed messages follow a simpler pattern than those exhibited by most campaigns that use malicious links as the method of infection. They comprise 35 unique machine names and 102 unique path names. Additional variation was added to the path name through the inclusion of a seemingly random dictionary term as the directory in which the .html page can be found.

count   machine                          path
2       www.bernderl.de                  /oleaginous/index.html
2       www.schmaeing-reken.de           /blocking/index.html
2       ftp.suavva.com                   /sousa/index.html
2       www.compare-treadmills.co.uk     /faster/index.html
2       www.saito-office.biz             /suggestively/index.html
2       joerg.gmxhome.de                 /skeptically/index.html
2       bordihn.net                      /reformulates/index.html
2       hackspitz.com                    /kook/index.html
2       whittakerwatertech.com           /guardroom/index.html
2       bbsmfg.biz                       /tourist/index.html
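The sender-domain and sending-IP tallies above are pulled from message headers like the sample reproduced further down in this report. The following is an added example, not Malcovery’s tooling, of extracting those fields from a raw message so that a batch of captures can be counted the same way. The sample message is constructed to mirror the header layout shown in the report; the recipient, Message-ID, the “by mx.example.invalid” clause and the local part of the From address are made up.

```python
"""Extract subject, sender domain and sending IP from a raw spam message
and count by field, the way the report's tables do. Added example, not
Malcovery tooling; SAMPLE_MESSAGE is constructed."""
import re
from collections import Counter
from email import message_from_string
from email.utils import parseaddr

# Constructed sample (not a real captured message): header layout copied from
# the report, recipient / Message-ID / "by" clause / From local part invented.
SAMPLE_MESSAGE = """\
Return-Path: <breakingnews@mail.cnn.com>
Received: from 95.56.48.239.megaline.telecom.kz (95.56.48.239.megaline.telecom.kz [95.56.48.239] (may be forged))
\tby mx.example.invalid; Wed, 24 Jul 2013 10:47:06 -0500
Received: from reatbbbtbbcjbehid by reatbbbtbbcjbehid. (95.56.48.239) with Microsoft SMTP Server id 8.0.685.24; Wed, 24 Jul 2013 21:47:04 +0600
Message-ID: <constructed-0001@reatbbbtbbcjbehid>
Date: Wed, 24 Jul 2013 21:47:04 +0600
From: "Perfect gift for royal baby ... a tree?" <breakingnews@mail.cnn.com>
To: <victim@example.invalid>
Subject: "Perfect gift for royal baby ... a tree?" - BreakingNews CNN
Content-Type: text/plain

(body omitted)
"""

BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
HELO_NAME = re.compile(r"^\s*from\s+(\S+)", re.IGNORECASE)


def parse_mx_received(received):
    """Parse the Received header written by the receiving MX. Each relay
    prepends its own header, so the first one in the message is ours and its
    bracketed address is the IP that actually connected; everything below it
    was written by the sender and can say anything. '(may be forged)' is what
    Sendmail appends when the reverse DNS of that IP does not match the name
    the client gave in HELO."""
    ip = BRACKETED_IP.search(received)
    helo = HELO_NAME.search(received)
    return {
        "sending_ip": ip.group(1) if ip else None,
        "helo_name": helo.group(1).lower() if helo else None,
        "rdns_unverified": "may be forged" in received,
    }


def domain_of(address_header):
    """Domain part of an address header such as From: or Return-Path:."""
    return parseaddr(address_header or "")[1].rpartition("@")[2].lower()


def triage(raw_message):
    msg = message_from_string(raw_message)
    received = msg.get_all("Received") or []
    hop = parse_mx_received(received[0]) if received else {
        "sending_ip": None, "helo_name": None, "rdns_unverified": False}
    sender_domain = domain_of(msg.get("From"))
    helo = hop["helo_name"] or ""
    return {
        "subject": msg.get("Subject", ""),
        "sender_domain": sender_domain,
        "return_path_domain": domain_of(msg.get("Return-Path")),
        **hop,
        # A genuine CNN mailer would connect from CNN infrastructure; a
        # consumer line in .kz claiming mail.cnn.com is the impersonation
        # the report describes.
        "relay_matches_sender": bool(sender_domain) and helo.endswith(sender_domain),
    }


def count_by(records, field):
    """Reproduce the report's count-by tables (per sending IP, per subject)."""
    return Counter(r[field] for r in records)


if __name__ == "__main__":
    record = triage(SAMPLE_MESSAGE)
    for key, value in record.items():
        print(f"{key:22} {value}")
    print(count_by([record], "sending_ip"))
```

Only the bracketed IP in the MX’s own Received header is trustworthy; the inner Received line (the one claiming “Microsoft SMTP Server”) was written by the sending bot itself.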
Message Content:
The CNN logo at the top of this message links to the CNN home page. The malicious links are anchored by the image (masquerading as a video, with a “Click to play” button) and by the blue hyperlink text following the message body. Both reference the same URL:
h00p://villaflorida.biz|/cliquish/index.html
From no-reply@facebook.com Wed Jul 24 10:47:08 2013
Return-Path:
Received: from 95.56.48.239.megaline.telecom.kz (95.56.48.239.megaline.telecom.kz [95.56.48.239] (may be forged)); Wed, 24 Jul 2013 10:47:06 -0500
Received: from reatbbbtbbcjbehid by reatbbbtbbcjbehid. (95.56.48.239) with Microsoft SMTP Server id 8.0.685.24; Wed, 24 Jul 2013 21:47:04 +0600
Message-ID:
Date: Wed, 24 Jul 2013 21:47:04 +0600
From: "Perfect gift for royal baby ... a tree?"
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.9) Gecko/20101112 Thunderbird/3.1.4
MIME-Version: 1.0
To: < >
Subject: "Perfect gift for royal baby ... a tree?" - BreakingNews CNN
Content-Type: multipart/alternative; boundary="------------03050900405070708060104"
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:5.10.8794,1.0.431,0.0.0000 definitions=2013-07-24_05:2013-07-22,2013-07-24,1970-01-01 signatures=0

The IP address 95.56.48.239 is registered to Kazakhstan Almaty Jsc Kazakhtelecom Almaty Affiliate (http://whois.domaintools.com/95.56.48.239).

Link Analysis:
Sample URL: h00p://isgett.org|/flux/index.html

Network Traffic:
DNS: Standard query 0xbc0d A isgett.org, with response 0xbc0d A 74.208.88.92

GET /flux/index.html HTTP/1.1
HTTP/1.1 200 OK
Date: Wed, 24 Jul 2013 19:27:48 GMT
Server: Apache
Last-Modified: Wed, 24 Jul 2013 13:20:52 GMT
ETag: "3ed4e8-1b2-4e241c75fffa5"
Accept-Ranges: bytes
Content-Length: 434
Keep-Alive: timeout=2, max=200
Connection: Keep-Alive
Content-Type: text/html

This web page contains references to the locations of three JavaScript files. These .js files are single-line files, runnable in the web browser, which redirect the browser to a location hosting the Blackhole exploit kit.
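The landing page and its one-line redirector scripts can be followed statically, without letting a browser execute any of it. The following is an added example, not Malcovery’s analysis code: it collects the script references from the HTML, resolves them against the landing URL, and pulls the redirect target out of each script body. CAPTURED is a constructed stand-in for the fetched files: the script file names are the ones in the report, but their bodies, the landing host and the exploit-kit URL (ek.example.invalid) are placeholders, not the real Blackhole locations.

```python
"""Statically recover a landing page -> redirector .js -> exploit-kit chain.
Added example, not Malcovery's code; CAPTURED is constructed and every host
in it is a placeholder."""
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

LANDING_URL = "http://landing.example.invalid/flux/index.html"

# Constructed stand-in for the captured files (script names from the report,
# everything else made up). Stored by absolute URL so resolution is tested too.
CAPTURED = {
    LANDING_URL:
        '<html><head>'
        '<script src="teaing.js"></script>'
        '<script src="/flux/disfavor.js"></script>'
        '<script src="http://static.example.invalid/mouthful.js"></script>'
        '</head><body></body></html>',
    "http://landing.example.invalid/flux/teaing.js":
        'document.location="http://ek.example.invalid/news/index.php";',
    "http://landing.example.invalid/flux/disfavor.js":
        'window.location.href = "http://ek.example.invalid/news/index.php";',
    "http://static.example.invalid/mouthful.js":
        "location.replace('http://ek.example.invalid/news/index.php');",
}


class ScriptSrcCollector(HTMLParser):
    """Collect src attributes of <script> tags; nothing is executed."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            for name, value in attrs:
                if name == "src" and value:
                    self.srcs.append(value)


# Forms a one-line redirector commonly takes; the first match wins.
REDIRECT_PATTERNS = [
    re.compile(r"""(?:document|window|top|self|parent)\.location(?:\.href)?\s*=\s*['"]([^'"]+)['"]"""),
    re.compile(r"""(?<![\w.])location(?:\.href)?\s*=\s*['"]([^'"]+)['"]"""),
    re.compile(r"""location\.(?:replace|assign)\(\s*['"]([^'"]+)['"]"""),
]


def script_references(html, base_url):
    """Absolute URLs of every script the page loads, in document order."""
    parser = ScriptSrcCollector()
    parser.feed(html)
    return [urljoin(base_url, src) for src in parser.srcs]


def redirect_target(js):
    """URL a redirector script sends the browser to, or None."""
    for pattern in REDIRECT_PATTERNS:
        m = pattern.search(js)
        if m:
            return m.group(1)
    return None


def resolve_chain(landing_url, fetch):
    """fetch(url) returns body text or None. Returns one
    (script_url, redirect_target) pair per referenced script."""
    html = fetch(landing_url)
    if html is None:
        return []
    chain = []
    for script_url in script_references(html, landing_url):
        body = fetch(script_url)
        chain.append((script_url, redirect_target(body) if body else None))
    return chain


def blocklist(chain):
    """Distinct redirect destinations: the hosts to block or pivot on."""
    return sorted({urlsplit(target).hostname for _, target in chain if target})


def offline_fetch(url):
    """Replace with a sandboxed HTTP fetch when working from live captures."""
    return CAPTURED.get(url)


if __name__ == "__main__":
    chain = resolve_chain(LANDING_URL, offline_fetch)
    for script_url, target in chain:
        print(f"{script_url} -> {target}")
    print("block:", blocklist(chain))
```

Real redirectors are often obfuscated (string splitting, eval, unescape), in which case the regexes above will return None and the script needs a JavaScript sandbox rather than pattern matching; the None result is the signal to escalate, not a clean bill of health.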
teaing.js, disfavor.js, mouthful.js

teaing.js    MD5: 22225e6e64160ea79a85d85f6930bc1e
disfavor.js  MD5: dee01e44684077eac4c441ac80ad13e1
mouthful.js  MD5: dee01e44684077eac4c441ac80ad13e1

https://www.virustotal.com/en/file/33a68e65ac0e5d9719746b36ed1ba352f58f9574f656afaf465bf627cce2c165/analysis/1374696636/
https://www.virustotal.com/en/file/7e69ea724d864d09ebf98428b62f1650b478ea50a77cd328e9c9c1972c88c41f/analysis/1374697337/

These JavaScript files each contained a single line constituting a redirection to Blackhole exploit kit locations responsible for placing malware on the machine. These were as follows.

While the Blackhole exploit kit resources were not available for analysis via the web browser, actionable intelligence on the locations hosting Blackhole resources can still be gathered, such as the IP addresses hosting these domains and the blocking and registration information for the locations hosting the malicious software. In this case, both domains in the above URLs resolve to the same IP address.

Whois of Blackhole location IP address:
IP address        Registrant                               NetName            ASN
192.216.18.169    Uni Communications (Miami, United States)   LVLT-ORG-192-216   AS3356

Registry Analysis:
While no relevant alterations were made to the registry within this analysis environment, the malware believed to be distributed by this campaign creates a new registry key and populates it with XML data that directs the behavior of the Cridex malware based on the detection of around 500 URL substrings in the user’s web browser. These URL substrings are predominantly associated with the websites of prominent banks and finance companies as well as social networks. Upon detecting any of these substrings, the malware performs activities targeting the user’s access credentials and steals them for the distributor of the malware.
The methods by which the malware does this vary with the URL substring but include keylogging, taking screenshots, and (most insidiously) displaying fake JavaScript elements through HTTP injection, in essence phishing for the user’s credentials.

File Analysis:
The malware distributed as a result of this campaign typically drops a single executable into a hidden directory within the current user’s home directory, leaving this .exe behind and adding it to the list of applications slated to run at boot, ensuring that it continues to carry out attacks on users’ credentials.
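The persistence pattern described above (an .exe under the user’s profile, in a hidden directory, registered to run at logon) can be triaged from a registry export. The following is an added example, not Malcovery’s code, that parses a `reg query`-style listing of the HKCU Run key, expands environment variables, isolates the executable from each command line, and flags entries living under the profile or in a directory known to carry the hidden attribute. The export, the profile path (an XP-style path, since the spam headers show Windows NT 5.1), the directory name kpqfz and the value names are all constructed placeholders, and the set of hidden directories stands in for what `attrib` or `dir /ah` would report on the host.

```python
"""Triage HKCU Run entries for executables dropped under the user profile in
a hidden directory. Added example, not Malcovery's code; the export, profile
path and hidden-directory list below are constructed placeholders."""
import ntpath
import re

# Hypothetical XP-era profile and the variables a Run value might reference.
USER_PROFILE = r"C:\Documents and Settings\victim"
ENV = {
    "USERPROFILE": USER_PROFILE,
    "APPDATA": USER_PROFILE + r"\Application Data",
    "LOCALAPPDATA": USER_PROFILE + r"\Local Settings\Application Data",
    "SYSTEMROOT": r"C:\WINDOWS",
    "PROGRAMFILES": r"C:\Program Files",
}

# Constructed 'reg query HKCU\...\Run' output; kpqfz and WinSvc are made up.
RUN_KEY_EXPORT = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    ctfmon.exe    REG_SZ    C:\WINDOWS\system32\ctfmon.exe
    Updater    REG_EXPAND_SZ    "%PROGRAMFILES%\Vendor\update.exe" /quiet
    WinSvc    REG_SZ    "C:\Documents and Settings\victim\Application Data\kpqfz\winsvc.exe"
"""

# Directories the host reported as hidden (stand-in for attrib / dir /ah output).
HIDDEN_DIRS = {r"C:\Documents and Settings\victim\Application Data\kpqfz"}

VALUE_LINE = re.compile(r"^\s{2,}(?P<name>.+?)\s{2,}(?P<type>REG_\w+)\s{2,}(?P<data>.*)$")


def expand_env(value, env):
    """Expand %VAR% references the way REG_EXPAND_SZ values are expanded."""
    return re.sub(r"%([^%]+)%", lambda m: env.get(m.group(1).upper(), m.group(0)), value)


def executable_from_command(command):
    """Image path from a Run command line: the quoted token if present,
    otherwise the first whitespace-delimited token (an unquoted path with
    spaces is ambiguous on Windows and is not resolved here)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def parse_run_key(export_text):
    """Value lines of a reg query export as dicts with name, type, data."""
    return [m.groupdict() for m in map(VALUE_LINE.match, export_text.splitlines()) if m]


def triage_run_entries(export_text, env, hidden_dirs=frozenset()):
    profile = ntpath.normcase(env["USERPROFILE"])
    hidden = {ntpath.normcase(d) for d in hidden_dirs}
    findings = []
    for entry in parse_run_key(export_text):
        exe = executable_from_command(expand_env(entry["data"], env))
        exe_n = ntpath.normcase(exe)
        reasons = []
        if exe_n.startswith(profile + "\\"):
            reasons.append("executable lives under the user profile")
        if ntpath.dirname(exe_n) in hidden:
            reasons.append("parent directory has the hidden attribute")
        findings.append({"name": entry["name"], "exe": exe, "reasons": reasons})
    return findings


def suspicious(findings):
    return [f for f in findings if f["reasons"]]


if __name__ == "__main__":
    for f in triage_run_entries(RUN_KEY_EXPORT, ENV, HIDDEN_DIRS):
        flag = "SUSPECT" if f["reasons"] else "ok"
        print(f"{flag:8} {f['name']:12} {f['exe']}  {'; '.join(f['reasons'])}")
```

Legitimate software does install under the profile (per-user updaters are common), so the profile check alone is a lead, not a verdict; the hidden-directory condition plus a value name that imitates a system component is what narrows it to the behavior this report describes.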