Malicious ‘Sendspace File Delivery Notifications’ lead to Black Hole Exploit Kit


By Dancho Danchev

Cybercriminals are currently attempting to trick hundreds of thousands of users into clicking on the malicious links found in the currently spamvertised bogus ‘Sendspace File Delivery Notifications’.

Upon clicking on any of the links found in the email, users are exposed to the client-side exploits served by the latest version of the Black Hole Exploit Kit.

More details:

Sample screenshot of the spamvertised email:


Sample spamvertised malicious URLs: hxxp://mininet.nl/forwarding.htm; hxxp://hd-group.cn/redirect.htm; hxxp://cztiyu.com/upload.htm

Sample client-side exploit serving URLs: hxxp://canadianpanakota.ru:8080/forum/links/column.php; hxxp://anifkailood.ru:8080/forum/links/column.php; hxxp://pelamutrika.ru:8080/forum/links/public_version.php

Sample malicious payload dropping URL: hxxp://canadianpanakota.ru:8080/forum/links/column.php?bwi=1i:2w:1h:1n:1l&oaera=3l&zmbxivwt=2v:1k:1m:32:33:1k:1k:31:1j:1o&evgiw=1n:1d:1g:1d:1h:1d:1f

Sample client-side exploits served: CVE-2010-0188

Upon successful client-side exploitation, the campaign drops MD5: 532bdd2565cae7b84cb26e4cf02f42a0 – detected by 33 out of 44 antivirus scanners as Worm:Win32/Cridex.E

Once executed it creates %AppData%\kb00121600.exe on the affected system.

The sample also creates the following registry entries:
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CFBDC89D4
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\S25BC2D7B

As well as the following Mutexes:
Local\XMM00000418
Local\XMI00000418
Local\XMRFB119394
Local\XMM000005E4
Local\XMI000005E4
Local\XMM0000009C
Local\XMI0000009C
Local\XMM000000C8
Local\XMI000000C8

It then phones back to hxxp://210.253.102.95:8080/DPNilBA/ue1elBAAAA/tlSHAAAAA/ and to hxxp://123.49.61.59:8080/AJtw/UCyqrDAA/Ud+asDAA/
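The chain described above (spam redirect page, exploit-serving URL on port 8080 under /forum/links/, the same column.php URL with a long query string dropping the payload, then a phone-back to the C&C) can be turned into a proxy-log check. The following is an added example, not code from the post or from Webroot: the log format (timestamp, client IP, method, URL, status) and the sample lines are constructed, the indicator values are the post's, and the structural port-8080 `/forum/links/<name>.php` rule is this example's own generalization of the three exploit URLs listed above, so it also catches the pattern on a host the post did not list.

```python
"""Flag proxy-log requests that match the indicators from the post.

Added example, not code from the post or from Webroot. The log format
(timestamp client method url status, space separated) and SAMPLE_LOG are
constructed for this example; the indicator values are the post's."""
import hashlib
import re
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Indicators from the post, with the hxxp:// defanging undone.
REDIRECT_HOSTS = {"mininet.nl", "hd-group.cn", "cztiyu.com"}
EXPLOIT_HOSTS = {"canadianpanakota.ru", "anifkailood.ru", "pelamutrika.ru"}
C2_IPS = {"210.253.102.95", "123.49.61.59"}
C2_PATHS = {"DPNilBA/ue1elBAAAA/tlSHAAAAA", "AJtw/UCyqrDAA/Ud+asDAA"}
PAYLOAD_MD5 = "532bdd2565cae7b84cb26e4cf02f42a0"

# Generalization (this example's assumption) of the three exploit-serving URLs:
# port 8080 and a path of the form /forum/links/<name>.php.
EXPLOIT_PATH = re.compile(r"^/forum/links/[A-Za-z0-9_]+\.php$")
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)

Hit = Tuple[str, str, str, str]  # (timestamp, client, verdict, url)


def classify_url(url: str) -> Optional[str]:
    """Return the stage of the infection chain a URL belongs to, or None."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    port = parts.port or (443 if parts.scheme == "https" else 80)
    if host in C2_IPS or any(p in parts.path for p in C2_PATHS):
        return "c2_beacon"
    if host in EXPLOIT_HOSTS or (port == 8080 and EXPLOIT_PATH.match(parts.path)):
        # The post's payload-dropping URL is column.php plus a long query string.
        return "payload_drop" if parts.query else "exploit_kit"
    if host in REDIRECT_HOSTS:
        return "spam_redirect"
    return None


def scan_log(lines) -> List[Hit]:
    """Match every well-formed line; malformed lines are skipped, not fatal."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue
        verdict = classify_url(m["url"])
        if verdict:
            hits.append((m["ts"], m["client"], verdict, m["url"]))
    return hits


def infected_clients(hits: List[Hit]) -> List[str]:
    """Clients whose requests show the whole chain: redirect, exploit kit, C&C beacon."""
    stages = {}
    for _, client, verdict, _ in hits:
        stages.setdefault(client, set()).add(verdict)
    needed = {"spam_redirect", "exploit_kit", "c2_beacon"}
    return sorted(c for c, seen in stages.items() if needed <= seen)


def is_known_payload(data: bytes) -> bool:
    """True when a file hashes to the dropper MD5 published in the post."""
    return hashlib.md5(data).hexdigest() == PAYLOAD_MD5


# Constructed sample log: one client with the full chain, one that only reached
# the redirect page, one hitting the exploit-kit path on an unlisted host, one
# benign request and one malformed line.
SAMPLE_LOG = """\
2012-01-01T10:01:03Z 10.0.0.15 GET http://mininet.nl/forwarding.htm 200
2012-01-01T10:01:05Z 10.0.0.15 GET http://canadianpanakota.ru:8080/forum/links/column.php 200
2012-01-01T10:01:09Z 10.0.0.15 GET http://canadianpanakota.ru:8080/forum/links/column.php?bwi=1i:2w:1h:1n:1l&oaera=3l 200
2012-01-01T10:02:31Z 10.0.0.15 POST http://210.253.102.95:8080/DPNilBA/ue1elBAAAA/tlSHAAAAA/ 200
2012-01-01T10:03:00Z 10.0.0.22 GET http://www.example.com/index.html 200
2012-01-01T10:04:12Z 10.0.0.22 GET http://hd-group.cn/redirect.htm 200
2012-01-01T10:05:40Z 10.0.0.31 GET http://unknown-host.example:8080/forum/links/public_version.php 200
this line is not a log record
""".splitlines()

if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for ts, client, verdict, url in found:
        print(f"{ts} {client} {verdict:14} {url}")
    print("clients with the full chain:", infected_clients(found))
```

The verdict order matters: the C&C check runs first because the phone-back hosts are bare IPs that would otherwise fall through every hostname set, and the exploit-kit check combines an exact host match with the structural rule so that a rotated domain on the same kit still surfaces, which is the point of the reconnaissance lists further down.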

We’ve already seen the same pseudo-randomly generated C&C characters from the first ‘phone back request’ (DPNilBA/ue1elBAAAA/tlSHAAAAA/) in the following previously profiled malicious campaigns:

Not surprisingly, we’ve also seen the second ‘phone back’ IP (123.49.61.59) used in the following campaigns:

As well as the actual pseudo-randomly generated characters used in the second C&C (AJtw/UCyqrDAA/Ud+asDAA/) in the following analyses:

Malicious domain names reconnaissance:
canadianpanakota.ru – 120.138.20.54; 203.80.16.81; 202.180.221.186
Name server: ns1.canadianpanakota.ru – 62.76.178.233
Name server: ns2.canadianpanakota.ru – 132.248.49.112
Name server: ns3.canadianpanakota.ru – 84.22.100.108
Name server: ns4.canadianpanakota.ru – 65.99.223.24

The following malicious domains also respond to the same IP:
forumibiza.ru
donkihotik.ru
lemonadiom.ru
peneloipin.ru
finitolaco.ru
moneymakergrow.ru
fionadix.ru

pelamutrika.ru – 202.180.221.186
Name server: ns1.pelamutrika.ru – 62.76.189.72
Name server: ns2.pelamutrika.ru – 41.168.5.140
Name server: ns3.pelamutrika.ru – 132.248.49.112
Name server: ns4.pelamutrika.ru – 209.51.221.247
Name server: ns5.pelamutrika.ru – 208.87.243.196
Name server: ns6.pelamutrika.ru – 216.99.149.226

The following malicious domains also respond to the same IP:
ganiopatia.ru – 202.180.221.186
pelamutrika.ru – 202.180.221.186
ganalionomka.ru – 202.180.221.186
genevaonline.ru – 202.180.221.186
francese.ru – 202.180.221.186
podarunoki.ru – 202.180.221.186
publicatorian.ru – 202.180.221.186
cinemaallon.ru – 202.180.221.186
pitoniamason.ru – 202.180.221.186
leberiasun.ru – 202.180.221.186
dimarikanko.ru – 202.180.221.186
somaliaonfloor.ru – 202.180.221.186
panamechkis.ru – 202.180.221.186

anifkailood.ru – 202.180.221.186; 212.162.52.180; 212.162.56.210
Name server: ns1.anifkailood.ru – 62.76.189.72
Name server: ns2.anifkailood.ru – 62.76.177.104
Name server: ns3.anifkailood.ru – 41.168.5.140
Name server: ns4.anifkailood.ru – 209.51.221.247
Name server: ns5.anifkailood.ru – 42.121.116.38
Name server: ns6.anifkailood.ru – 110.164.58.250

The following malicious domains also respond to the same IP:
ganiopatia.ru – 202.180.221.186
pelamutrika.ru – 202.180.221.186
ganalionomka.ru – 202.180.221.186
anifkailood.ru – 202.180.221.186
genevaonline.ru – 202.180.221.186
francese.ru – 202.180.221.186
podarunoki.ru – 202.180.221.186
publicatorian.ru – 202.180.221.186
cinemaallon.ru – 202.180.221.186
pitoniamason.ru – 202.180.221.186
leberiasun.ru – 202.180.221.186
dimarikanko.ru – 202.180.221.186
somaliaonfloor.ru – 202.180.221.186
panamechkis.ru – 202.180.221.186
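The reconnaissance listing above is the kind of data a defender pivots on: domains that share a hosting IP, or whose name servers sit on the same IP, belong to one operation and can be blocked and hunted together even before the next impersonated brand appears. The following is an added example, not code from the post or from Webroot. `RECON_EXCERPT` is a verbatim subset of the listing above; the parsing rules and cluster logic are the example's own, and treating the domains under "also respond to the same IP" as sharing every IP of the entry before them is an assumption made here.

```python
"""Pivot the post's domain/IP/name-server listing into shared-infrastructure clusters.

Added example, not code from the post or from Webroot. RECON_EXCERPT is a
verbatim subset of the post's reconnaissance section; the parsing rules and
cluster logic are this example's own."""
import re
from collections import defaultdict

RECON_EXCERPT = """\
canadianpanakota.ru – 120.138.20.54; 203.80.16.81; 202.180.221.186
Name server: ns1.canadianpanakota.ru – 62.76.178.233
Name server: ns2.canadianpanakota.ru – 132.248.49.112
Name server: ns3.canadianpanakota.ru – 84.22.100.108
Name server: ns4.canadianpanakota.ru – 65.99.223.24

The following malicious domains also respond to the same IP:
forumibiza.ru
donkihotik.ru

pelamutrika.ru – 202.180.221.186
Name server: ns1.pelamutrika.ru – 62.76.189.72
Name server: ns2.pelamutrika.ru – 41.168.5.140
Name server: ns3.pelamutrika.ru – 132.248.49.112
Name server: ns4.pelamutrika.ru – 209.51.221.247

ganiopatia.ru – 202.180.221.186
genevaonline.ru – 202.180.221.186

anifkailood.ru – 202.180.221.186; 212.162.52.180; 212.162.56.210
Name server: ns1.anifkailood.ru – 62.76.189.72
Name server: ns2.anifkailood.ru – 62.76.177.104
Name server: ns3.anifkailood.ru – 41.168.5.140
Name server: ns4.anifkailood.ru – 209.51.221.247
"""

DASH = re.compile(r"\s+[–-]\s+")  # the listing separates a name from its IPs with an en dash
BARE_DOMAIN = re.compile(r"^[a-z0-9.-]+\.[a-z]{2,}$")
IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def registered_domain(host):
    """ns1.example.ru -> example.ru (two-label approximation, enough for this listing)."""
    return ".".join(host.split(".")[-2:])


def parse_recon(text):
    """Return (domain -> hosting IPs, domain -> name-server IPs) from the listing."""
    a_records = defaultdict(set)
    ns_records = defaultdict(set)
    anchor = None  # last domain listed with explicit IPs
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Name server:"):
            host, ip = DASH.split(line[len("Name server:"):].strip(), maxsplit=1)
            if IPV4.match(ip):
                ns_records[registered_domain(host)].add(ip)
        elif DASH.search(line):
            domain, ips = DASH.split(line, maxsplit=1)
            a_records[domain] |= {ip.strip() for ip in ips.split(";") if IPV4.match(ip.strip())}
            anchor = domain
        elif BARE_DOMAIN.match(line) and anchor:
            # Assumption: a bare domain under "also respond to the same IP" shares
            # all IPs of the preceding explicit entry.
            a_records[line] |= a_records[anchor]
    return dict(a_records), dict(ns_records)


def pivot(records):
    """Invert domain -> IPs into IP -> domains."""
    by_ip = defaultdict(set)
    for domain, ips in records.items():
        for ip in ips:
            by_ip[ip].add(domain)
    return dict(by_ip)


def shared(records, minimum=2):
    """IPs serving at least `minimum` distinct domains: the shared infrastructure."""
    return {ip: doms for ip, doms in pivot(records).items() if len(doms) >= minimum}


def blocklist(a_records, ns_records):
    """Every domain and IP in the listing, de-duplicated and sorted for a feed."""
    items = set(a_records) | set(ns_records)
    for ips in list(a_records.values()) + list(ns_records.values()):
        items |= ips
    return sorted(items)


if __name__ == "__main__":
    a, ns = parse_recon(RECON_EXCERPT)
    for ip, doms in sorted(shared(a).items()):
        print(f"hosting {ip}: {', '.join(sorted(doms))}")
    for ip, doms in sorted(shared(ns).items()):
        print(f"name-server {ip}: {', '.join(sorted(doms))}")
    print(f"{len(blocklist(a, ns))} blocklist entries")
```

Running it on the excerpt shows what the listing states in prose: 202.180.221.186 hosts every domain in the set, and pelamutrika.ru and anifkailood.ru share three name-server IPs, with one more shared with canadianpanakota.ru. The same parser applied to the full listing yields the complete block set for the campaign.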

We’ve also seen some of these malicious domains used in previously profiled campaigns, indicating that the cybercriminal, or gang of cybercriminals, behind these attacks continues to rotate the impersonated brands and launch new social-engineering-driven campaigns in the wild.

Webroot SecureAnywhere users are proactively protected from these threats.

You can find more about Dancho Danchev at his LinkedIn Profile. You can also follow him on Twitter.
