By Dancho Danchev
A cybercriminal/group of cybercriminals that’s been responsible for a series of malware attacks that I’ve been recently profiling, continues to systematically rotate the impersonated brands and the actual malicious payload dropped by the market leading Black Hole Exploit Kit. The prospective target of their latest campaign? PayPal users.
Sample screenshot of the spamvertised email:
Sample compromised URLs used in the campaign: hxxp://smksapg.edu.my/acschanged.html; hxxp://kylecommunity.com/acschanged.html; hxxp://tonymerritt.com/acschanged.html; hxxp://gorod-sport.ru/acschanged.html; hxxp://family.joeinfo.org/acschanged.html; hxxp://sabaevo.ru/acschanged.html; hxxp://www.dzivebezzalem.lv/acschanged.html; hxxp://www.eqtv.com.ar/acschanged.html; hxxp://consultancy.jcsinvestment.com/acschanged.html; hxxp://www.ilampokhari.co.uk/acschanged.html; hxxp://sonnen- ernte.de/acschanged.html; hxxp://www.dzivebezzalem.lv/acschanged.html; hxxp://www.modelzwerge.de/acschanged.html; hxxp://wiggleeyes.pedromorales.com/acschanged.html; hxxp://aloeweb.cl/acschanged.html; hxxp://yuriy.at/acschanged.html; hxxp://www.llv.lichlamviec.com/acschanged.html; hxxp://ipadcover.ru/acschanged.html; hxxp://www.robertguyser.com/wp-content/themes/twentyten/ppacchanges.html; hxxp://partnerzy.net/wp-content/plugins/ppacchanges.html; hxxp://www.ufec.info/wp-content/plugins/akismet/ppacchanges.html; hxxp://msinventors.org/wp-content/plugins/akismet/ppacchanges.html; hxxp://www.textranetwork.com/wp-content/plugins/akismet/ppacchanges.html; hxxp://sclics.com/wp-content/plugins/akismet/ppacchanges.html; hxxp://www.passwork.org/wp-content/plugins/akismet/ppacchanges.html
Client-side exploits serving URL: hxxp://puzzledbased.net/detects/suited_awful_infinite_estimate.php; hxxp://packleadingjacket.org/detects/hidden-temperature.php
Malicious domain name reconnaissance: puzzledbased.net – 22.214.171.124, AS2519 – Email: firstname.lastname@example.org
Name Server: NS1.TOPPAUDIO.COM
Name Server: NS2.TOPPAUDIO.COM
packleadingjacket.org – 126.96.36.199
Name Server: ns1.chelseafun.net
Name Server: ns2.chelseafun.net
Although we couldn’t reproduce puzzledbased.net’s malicious activity, we know for certain that on 2012/11/01 at 15:19, hxxp://netgear-india.net/detects/discover-important_message.php was responding to the same IP. We’ve already seen and profiled the malicious activity of the campaign using this URL in the “‘Your Discover Card Services Blockaded’ themed emails serve client-side exploits and malware“ analysis.
Moreover, we’ve also seen the same name servers (NS1.TOPPAUDIO.COM; NS2.TOPPAUDIO.COM) used in a series of recently profiled campaigns, once again launched by the same cybercriminal/gang of cybercriminals. The campaigns in question are: “‘American Express Alert: Your Transaction is Aborted’ themed emails serve client-side exploits and malware“; “Your Discover Card Services Blockaded’ themed emails lead to Black Hole Exploit Kit“; “BofA ‘Online Banking Passcode Reset’ themed emails serve client-side exploits and malware“; “‘ADP Immediate Notification’ themed emails lead to Black Hole Exploit Kit“.
The name servers (ns1.chelseafun.net; ns2.chelseafun.net) used by the most recently used client-side exploits serving domain, have also been seen in the following previously profiled malicious campaigns – “‘Payroll Account Holded by Intuit’ themed emails lead to Black Hole Exploit Kit“; “‘Your Discover Card Services Blockaded’ themed emails serve client-side exploits and malware“.
The following malicious domains are also part of the campaign’s infrastructure and respond to the same IP (188.8.131.52) as the client-side exploits serving domains:
The following malicious domain (stempare.net) was also seen in the recently profiled “‘American Express Alert: Your Transaction is Aborted’ themed emails serve client-side exploits and malware” campaign, indicating yet another connection between these campaigns.
We’ve also seen steamedboasting.info in the following recently profiled malicious campaigns – “‘Your Discover Card Services Blockaded’ themed emails serve client-side exploits and malware“; “‘ADP Immediate Notification’ themed emails lead to Black Hole Exploit Kit“.
PayPal is a commonly impersonated brand by a lot of cybercriminals. In fact, some of them are so efficient in the process of obtaining PayPal accounting data, that they launch online shops targeting fellow cybercriminals who are interested in purchasing the fraudulently obtained data. We’ve also seen the brand impersonated in a series of malicious attacks:
- PayPal ‘Notification of payment received’ themed emails serve malware
- Spamvertised ‘PayPal has sent you a bank transfer’ themed emails lead to Black Hole exploit kit
- Spamvertised ‘Confirm PayPal account” notifications lead to phishing sites
- Spamvertised ‘Your Paypal Ebay.com payment’ emails serving client-side exploits and malware
- Cybercriminals spamvertise PayPay themed ‘Notification of payment received’ emails, serve malware
- Spamvertised ‘Your Ebay funds are cleared’ themed emails lead to Black Hole exploit kit
Webroot SecureAnywhere users are proactively protected from these threats.