CSIS Blog: Same gang, different lures and payload

The past two weeks have been quite busy for one group of criminals in particular, which has been using different lures to force-feed unpatched Windows machines with different types of malware. The exploits are served with the help of the infamous Blackhole exploit kit.

Although these campaigns look very different, they are quite easy to identify, as they all use the same three-step JavaScript redirection chain to get the victim to the drive-by domain.

Yesterday we saw yet another wave of these spam campaigns, this time with four different lures.

Screen dumps and some infection chains can be found below:


This one is somewhat different from the other campaigns, as it uses an attached HTML file to deliver the content that the victim is supposed to click on. The HTML includes a link/URL which leads to a compromised website. This is the first stage. In this case it takes you to:
hxxp://westchesterrent.com/lacy/index.htm

This web page contains injected content which sends you on to one of three different, rotating servers. The content looks like this:

From any of these we are redirected to the drive-by server. In this case:
hxxp://buyfranklinrealty.com/topic/regard_alternate_sheet.php

Looking at a different campaign, but from the same gang, we also saw this yesterday:

Clicking on any links contained in that e-mail will take you to this URL:
hxxp://00002nd.rcomhost.com/dickered/index.html

Soon we realize that this likely comes from the same group:


Again, any of these will redirect to the drive-by server. In this campaign it takes you here:
hxxp://buyfranklinrealty.com/topic/regard_alternate_sheet.php

From the same group we have:


Naturally they use a range of different hijacked domains, compromised servers and drive-by domains to deliver the malicious payloads.

The payload may vary but we have often seen both Pony Loader and Medfos as the first stage infection.

Drive-by servers observed and related to these spammails can be found below:


At present the binary is delivered with the filename "update_flash_player.exe", which is of course misleading and somewhat ironic, as some of the exploits target Adobe Flash Player.
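The chain described above (compromised index page, redirector, Blackhole landing page under /topic/, then the "update_flash_player.exe" payload) lends itself to a simple proxy-log check. The following is an added example, not code from the original post or from CSIS; the log format, the hostnames and the 60-second window are assumptions, and the sample log lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample proxy log (not from the original post).
# Fields: timestamp, client IP, method, URL, referer ('-' if none).
SAMPLE_LOG = """\
2013-05-14T09:00:01 10.0.0.5 GET http://compromised.example/lacy/index.htm -
2013-05-14T09:00:02 10.0.0.5 GET http://redirector.example/js.php http://compromised.example/lacy/index.htm
2013-05-14T09:00:04 10.0.0.5 GET http://driveby.example/topic/regard_alternate_sheet.php http://redirector.example/js.php
2013-05-14T09:00:09 10.0.0.5 GET http://driveby.example/topic/update_flash_player.exe http://driveby.example/topic/regard_alternate_sheet.php
2013-05-14T09:01:00 10.0.0.7 GET http://news.example/index.html -
2013-05-14T09:01:05 10.0.0.7 GET http://cdn.example/update_flash_player.exe http://news.example/index.html
"""

# Landing pages seen in these campaigns live under /topic/ and use a
# three-word filename joined by '-' or '_' (e.g. regard_alternate_sheet.php).
LANDING_RE = re.compile(r"^https?://[^/]+/topic/[a-z]+[-_][a-z]+[-_][a-z]+\.php$")
PAYLOAD_NAME = "update_flash_player.exe"
WINDOW = timedelta(seconds=60)  # assumed: payload follows the landing page quickly


def parse_line(line):
    ts, client, _method, url, referer = line.split()
    return {"ts": datetime.fromisoformat(ts), "client": client, "url": url, "referer": referer}


def find_chains(log_text, window=WINDOW):
    """Return (client, landing_url, payload_url) for each client that fetched a
    Blackhole-style landing page and then the payload filename within `window`.
    A bare .exe download without a preceding landing page is not reported."""
    by_client = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ev = parse_line(line)
            by_client[ev["client"]].append(ev)
    hits = []
    for client, events in by_client.items():
        events.sort(key=lambda e: e["ts"])
        for land in (e for e in events if LANDING_RE.match(e["url"])):
            for ev in events:
                if (ev["url"].lower().endswith("/" + PAYLOAD_NAME)
                        and land["ts"] <= ev["ts"] <= land["ts"] + window):
                    hits.append((client, land["url"], ev["url"]))
                    break
    return hits


if __name__ == "__main__":
    for client, landing, payload in find_chains(SAMPLE_LOG):
        print(f"{client}: landing {landing} -> payload {payload}")
```

Only the client that touched a /topic/ landing page before the download is reported; the second client, which fetched the same filename from an unrelated site, is left alone so the rule keys on the chain rather than on the filename alone.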

Unfortunately antivirus detection is not good. This goes for both the exploit code and the binary payloads. These campaigns also seem set to continue, so take care, folks!
