By Dancho Danchev
Facebook users, watch what you click on!
Cybercriminals are currently mass mailing bogus “Facebook Account Cancellation Requests”, in an attempt to trick Facebook’s users into clicking on the malicious link found in the email. Upon clicking on the link, users are exposed to client-side exploits which ultimately drop malware on the affected host.
Sample screenshot of the spamvertised email:
Sample client-side exploitation chain: hxxp://adlinkservhost.strangled.net -> hxxp://lakkumigdc.com/media/clients/index.php?showtopic=397065 -> hxxp://lakkumigdc.com/media/clients/rhin.jar -> hxxp://lakkumigdc.com/media/clients/Goo.jar -> hxxp://lakkumigdc.com/media/clients/lib.php -> hxxp://lakkumigdc.com/media/clients/load.php?showforum=lib
Malicious domain name reconnaissance:
lakkumigdc.com – 18.104.22.168 – Email: firstname.lastname@example.org
Name Server: NS1.MACROVIEWTECH.COM – 22.214.171.124
Name Server: NS2.MACROVIEWTECH.COM – 126.96.36.199
Domains responding to the same IP, including domains also registered with the same GMail account:
Upon successful client-side exploitation, the campaign drops MD5: 8b3979c1a9c85a7fd5f8ff3caf83fc56 – detected by 3 out of 46 antivirus scanners as PWS-Zbot.gen.aru
Upon execution, the sample creates the following file on the affected hosts:
%AppData%\Ixriyv\emarosa.exe – MD5: A33684FD2D1FA669FF6573921F608FBB
It also creates the following directories:
As well as the following mutex:
It then phones back to shallowave.jumpingcrab.com (188.8.131.52) on port 8012. Another similar subdomain on this host (takemeout.jumpingcrab.com) was also seen in a crowdsourced DDoS campaign in 2009.
Historically, more malware is known to have been hosted at another subdomain (hxxp://dady.jumpingcrab.com:881/js/js/) in 2011. List of associated MD5s:
MD5: e58fe6d04e8d9fce1020f532d3f0bd49 – detected by 40 out of 44 antivirus scanners as Backdoor.Win32.Delf.yqo
MD5: 60fde61eea4da0601a294d8cac18fb85 – detected by 37 out of 42 antivirus scanners as Backdoor:Win32/Hupigon.EA
MD5: ac95c84a99edd65b00fbc845f8e167f0 – detected by 38 out of 42 antivirus scanners as TrojanDropper:Win32/Delfsnif.A
MD5: 7487bbfadde66edddf131b879382a9ef – detected by 38 out of 43 antivirus scanners as Trojan-PSW.Win32.Bjlog.vge
MD5: 6cf58ce47e4a9163ecf2e5e0498d3fa8 – detected by 38 out of 43 antivirus scanners as Worm.Win32.AutoRun.davw
MD5: a694f0c6a0b64cc3601d946f63330a23 – detected by 34 out of 44 antivirus scanners as Trojan.RAR.Qhost.c
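The indicators in this post (the redirector and exploit-kit hosts in the exploitation chain, the C&C host and port, the dropped file path and the MD5 list) are the kind of thing a defender wants to sweep existing logs for. The following is an added example, not code from the post or from Webroot: a small Python IoC matcher that takes those indicators and runs them over constructed proxy log lines and process-creation events. The log format, the event dictionaries and the sample records are assumptions made for the example; the hosts, path and hashes are the ones listed above.

```python
import re
from typing import Iterable, NamedTuple
from urllib.parse import urlsplit

# Indicators copied from the write-up above. The post defangs URLs as "hxxp://";
# only the refanged host portion is kept here so exact host matching is possible.
MALICIOUS_HOSTS = {
    "adlinkservhost.strangled.net",   # redirector at the start of the chain
    "lakkumigdc.com",                 # exploit landing page and .jar payloads
    "shallowave.jumpingcrab.com",     # C&C host contacted on port 8012
    "dady.jumpingcrab.com",           # historical malware hosting (2011)
}
C2_PORT = 8012

# Dropped file and hashes listed in the post (hashes normalised to lower case).
DROPPED_FILE_RE = re.compile(r"\\ixriyv\\emarosa\.exe$", re.IGNORECASE)
KNOWN_MD5S = {
    "8b3979c1a9c85a7fd5f8ff3caf83fc56",  # initial payload, PWS-Zbot.gen.aru
    "a33684fd2d1fa669ff6573921f608fbb",  # %AppData%\Ixriyv\emarosa.exe
    "e58fe6d04e8d9fce1020f532d3f0bd49",
    "60fde61eea4da0601a294d8cac18fb85",
    "ac95c84a99edd65b00fbc845f8e167f0",
    "7487bbfadde66edddf131b879382a9ef",
    "6cf58ce47e4a9163ecf2e5e0498d3fa8",
    "a694f0c6a0b64cc3601d946f63330a23",
}


class Hit(NamedTuple):
    indicator: str   # which IoC class matched
    value: str       # the matched host, path or hash
    record: str      # the log record that produced the hit


def refang(url: str) -> str:
    """Turn a defanged 'hxxp://' URL back into a parseable one."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.IGNORECASE)


def scan_proxy_log(lines: Iterable[str]) -> list[Hit]:
    """Match proxy records (assumed format:
    '<timestamp> <client> <METHOD> <url-or-host:port> <status>') against the hosts above."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 5:
            continue  # does not fit the assumed format; skip it
        method, target = parts[2], parts[3]
        if method == "CONNECT":
            host, _, port = target.rpartition(":") if ":" in target else (target, "", "")
        else:
            split = urlsplit(refang(target))
            host, port = (split.hostname or ""), str(split.port or "")
        host = host.lower()
        if host in MALICIOUS_HOSTS:
            kind = "c2-beacon" if port == str(C2_PORT) else "malicious-host"
            hits.append(Hit(kind, host, line.rstrip()))
    return hits


def scan_process_events(events: Iterable[dict]) -> list[Hit]:
    """Check process-creation events ({'image': path, 'md5': hash}) against the
    dropped-file path and the known hashes."""
    hits = []
    for ev in events:
        image = ev.get("image", "")
        md5 = ev.get("md5", "").lower()
        if DROPPED_FILE_RE.search(image):
            hits.append(Hit("dropped-file-path", image, repr(ev)))
        if md5 in KNOWN_MD5S:
            hits.append(Hit("known-md5", md5, repr(ev)))
    return hits


# Constructed sample records (not from the post) reproducing the chain described above.
SAMPLE_PROXY_LOG = [
    "2012-03-13T10:01:12Z 10.0.0.15 GET http://www.example.org/index.html 200",
    "2012-03-13T10:01:40Z 10.0.0.15 GET http://adlinkservhost.strangled.net/ 302",
    "2012-03-13T10:01:41Z 10.0.0.15 GET http://lakkumigdc.com/media/clients/index.php?showtopic=397065 200",
    "2012-03-13T10:01:43Z 10.0.0.15 GET http://lakkumigdc.com/media/clients/rhin.jar 200",
    "2012-03-13T10:02:05Z 10.0.0.15 CONNECT shallowave.jumpingcrab.com:8012 200",
    "2012-03-13T10:02:30Z 10.0.0.22 GET http://www.example.com/ 200",
]
SAMPLE_PROCESS_EVENTS = [
    # placeholder hash for a benign process
    {"image": r"C:\Windows\System32\notepad.exe", "md5": "00000000000000000000000000000000"},
    {"image": r"C:\Users\alice\AppData\Roaming\Ixriyv\emarosa.exe",
     "md5": "A33684FD2D1FA669FF6573921F608FBB"},
]

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG) + scan_process_events(SAMPLE_PROCESS_EVENTS):
        print(f"{hit.indicator:18} {hit.value}")
```

Matching is on exact hostnames rather than on the parent domains: jumpingcrab.com and strangled.net are dynamic-DNS providers with many unrelated subdomains, so a domain-wide rule would flag far more than this campaign. A CONNECT to the C&C host on port 8012 is reported separately from the exploit-kit hosts, since a beacon indicates the payload already ran rather than a blocked download.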
Webroot SecureAnywhere users are proactively protected from these threats.