Fake ‘Citi Account Alert’ themed emails lead to Black Hole Exploit Kit


By Dancho Danchev

Cybercriminals are currently mass-mailing hundreds of thousands of emails impersonating Citi, using two different professional-looking email templates. Upon clicking on any of the links found in the malicious emails, users are exposed to the client-side exploits served by the latest version of the Black Hole Exploit Kit.

More details:

Sample screenshot of the first spamvertised template:

[Screenshot: first spamvertised Citi email template]

Sample screenshot of the second spamvertised template:

[Screenshot: second spamvertised Citi email template]

Sample spamvertised compromised URLs used in the campaign:
hxxp://franctelnetwork.com/components/com_ag_google_analytics2/citialertservice.html
hxxp://ghostdeal.com/components/com_ag_google_analytics2/citialertservice.html
hxxp://thesmsway.com/components/com_ag_google_analytics2/citialertservice.html
hxxp://911pcs.com/components/com_ag_google_analytics2/alert-service-citibank.html
hxxp://rjewelryd.com/components/com_ag_google_analytics2/alert-service-citibank.html
hxxp://softwarehit.com/components/com_ag_google_analytics2/alert-service-citi-sign_in.html
hxxp://ceipfernandogavilan.com/components/com_ag_google_analytics2/alert-service-citi-sign_in.html
hxxp://troubleshootersacademy.com/components/com_ag_google_analytics2/citialert-sign_in.html

Sample client-side exploits serving URLs:
hxxp://eaglepointecondo.biz/detects/operation_alert_login.php – 59.57.247.185
Name Server: NS1.AMISHSHOPPE.NET – 209.140.18.37 – Email: solaradvent@yahoo.com
Name Server: NS2.AMISHSHOPPE.NET – 211.27.42.138 – Email: solaradvent@yahoo.com

hxxp://platinumbristol.net/detects/alert-service.php – 59.57.247.185
Name Server: NS1.AMISHSHOPPE.NET – 209.140.18.37 – Email: solaradvent@yahoo.com
Name Server: NS2.AMISHSHOPPE.NET – 211.27.42.138 – Email: solaradvent@yahoo.com

Upon successful client-side exploitation, the campaign drops MD5: b360fec7652688dc9215fd366530d40c – detected by 28 out of 45 antivirus scanners as Worm:Win32/Cridex.E.

Once executed, the sample performs the following activities:

  • Accesses Firefox’s Password Manager local database
  • Creates a thread in a remote process
  • Installs a program to run automatically at logon

It creates the following Registry Keys:
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CFBDC89D4
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\S25BC2D7B

With the following value:
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
KB00121600.exe = "%AppData%\KB00121600.exe"
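The registry artifacts above are the host-side evidence a responder can check for. The following script is an added example written for this post, not code from the original article or from Webroot: it parses a .reg export (the format produced by `reg export`) and flags the two artifacts described here, a Run value pointing at a `KB<digits>.exe` under `%AppData%` and unnamed 9-character subkeys directly under `Software\Microsoft\Windows NT`. The sample export is constructed to reproduce the keys and value listed in the post, and the 9-character subkey rule is a heuristic derived from the two key names above, not a documented Cridex signature.

```python
import re

# Constructed sample .reg export (not from the post); it reproduces the
# persistence value and the two odd keys listed above, plus benign noise.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CFBDC89D4]
"cfg"=hex:00,01

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\S25BC2D7B]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"KB00121600.exe"="\"%AppData%\\KB00121600.exe\""
'''

RUN_KEY = "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"
NT_PREFIX = "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\"

# Run value data of the form "%AppData%\KB00121600.exe" (case-insensitive).
SUSPICIOUS_RUN_DATA = re.compile(r'%appdata%\\KB\d+\.exe', re.IGNORECASE)
# Heuristic (assumption, not a documented signature): 9-character subkey
# names such as CFBDC89D4 / S25BC2D7B directly under "Windows NT".
ODD_NT_SUBKEY = re.compile(r'^[A-Z0-9]{9}$')


def unescape(s):
    """Undo .reg escaping: \\ -> \ and \" -> " in one pass."""
    return re.sub(r'\\(.)', lambda m: m.group(1), s)


def parse_reg_export(text):
    """Return {key_path: {value_name: data}} from a .reg export.
    Only REG_SZ (quoted) data is decoded; other types keep their raw text."""
    keys = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = re.match(r'^"((?:[^"\\]|\\.)*)"=(.*)$', line)
        if m and current is not None:
            name = unescape(m.group(1))
            data = m.group(2)
            if data.startswith('"') and data.endswith('"'):
                data = unescape(data[1:-1])
            keys[current][name] = data
    return keys


def find_cridex_artifacts(keys):
    """Return (kind, name, detail) tuples for every matching artifact."""
    findings = []
    for name, data in keys.get(RUN_KEY, {}).items():
        if SUSPICIOUS_RUN_DATA.search(data):
            findings.append(("run_key_appdata_kb", name, data))
    for path in keys:
        if path.startswith(NT_PREFIX):
            sub = path[len(NT_PREFIX):]
            if ODD_NT_SUBKEY.match(sub):
                findings.append(("odd_windows_nt_subkey", sub, path))
    return findings


if __name__ == "__main__":
    for kind, name, detail in find_cridex_artifacts(parse_reg_export(SAMPLE_REG_EXPORT)):
        print(f"{kind}: {name} -> {detail}")
```

Run it against a real export with `reg export HKCU\Software\Microsoft\Windows exported.reg` and feed the file contents to `parse_reg_export` (the real export is UTF-16, so open it with `encoding="utf-16"`). The Run-key check is the higher-confidence signal; the subkey heuristic is there to catch the configuration store and will need review against legitimate software on the host.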

It then creates the following Mutexes:
Local\XMM000003F8
Local\XMI000003F8
Local\XMRFB119394
Local\XMM000005E4
Local\XMI000005E4
Local\XMM0000009C
Local\XMI0000009C
Local\XMM000000C8
Local\XMI000000C8

It also drops the following MD5s:
MD5: 9e7577dc5d0d95e2511f65734249eba9
MD5: 61bb88526ff6275f1c820aac4cd0dbe9
MD5: b360fec7652688dc9215fd366530d40c
MD5: f6ee1fcaf7b87d23f09748cbcf5b3af5
MD5: d7a950fefd60dbaa01df2d85fefb3862
MD5: ed662e73f697c92cd99b3431d5d72091

It then phones back to 209.51.221.247/AJtw/UCyqrDAA/Ud+asDAA.

We’ve already seen the same command and control server used in the following previously profiled malicious campaigns:

The same email address (solaradvent@yahoo.com) that was used to register the name server domains in this campaign is also known to have registered the following domains:
AFRICANBEAT.NET
ALEGRECAMPO.NET
GAUGE-MASTER.NET
TOMOLLALLAMAFARM.NET

Responding to 59.57.247.185 are also the following malicious domains:
eaglepointecondo.org
sessionid0147239047829578349578239077.pl
pleansantwille.com
ibertomoralles.com
eaglepointecondo.co
eaglepointecondo.biz
ansncm.org
canbmn.org
hfeitu.net
labpr.com
namelesscorn.net
platinumbristol.net
porkystory.net
robertokarlosskiy.su
romoviebabenki.ru
seldomname.com
winterskyserf.ru
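The URLs, IPs and domains in this post are most useful when turned into a detection that also tells the responder how far along the chain a host got: a hit on a compromised landing page means a click, a hit on the exploit-serving host means the exploit kit was reached, and a hit on the callback IP means the dropped sample is running. The script below is an added example written for this post, not code from the original article or from Webroot. It reads a simple proxy log (`timestamp client_ip dest_ip method url`, a constructed format), matches each request against the indicators listed above, and reports the furthest stage seen per client. The log lines and their destination IPs for the compromised sites are constructed for the example.

```python
from urllib.parse import urlsplit

# Indicators taken from the post above.
COMPROMISED_PATH = "/components/com_ag_google_analytics2/"
EXPLOIT_HOSTS = {"eaglepointecondo.biz", "platinumbristol.net"}
EXPLOIT_IP = "59.57.247.185"
C2_IP = "209.51.221.247"
MALICIOUS_DOMAINS = {
    "eaglepointecondo.org", "sessionid0147239047829578349578239077.pl",
    "pleansantwille.com", "ibertomoralles.com", "eaglepointecondo.co",
    "eaglepointecondo.biz", "ansncm.org", "canbmn.org", "hfeitu.net",
    "labpr.com", "namelesscorn.net", "platinumbristol.net", "porkystory.net",
    "robertokarlosskiy.su", "romoviebabenki.ru", "seldomname.com",
    "winterskyserf.ru",
}

# Stages ordered from least to most serious for a responder.
STAGE_ORDER = ["known_bad_domain", "compromised_landing_page",
               "exploit_kit_host", "cridex_c2"]

# Constructed proxy log (not from the post). Destination IPs for the
# compromised sites and the benign entries are documentation-range addresses.
SAMPLE_PROXY_LOG = """\
2012-08-14T10:02:11Z 10.0.0.5 93.184.216.34 GET http://example.com/index.html
2012-08-14T10:02:13Z 10.0.0.5 198.51.100.7 GET http://thesmsway.com/components/com_ag_google_analytics2/citialertservice.html
2012-08-14T10:02:14Z 10.0.0.5 59.57.247.185 GET http://eaglepointecondo.biz/detects/operation_alert_login.php
2012-08-14T10:02:20Z 10.0.0.5 209.51.221.247 POST http://209.51.221.247/AJtw/UCyqrDAA/Ud+asDAA
2012-08-14T10:03:01Z 10.0.0.9 203.0.113.4 GET http://labpr.com/
"""


def classify(dest_ip, url):
    """Return the list of indicator categories a single request matches."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    reasons = []
    if parts.path.startswith(COMPROMISED_PATH):
        reasons.append("compromised_landing_page")
    if host in EXPLOIT_HOSTS or dest_ip == EXPLOIT_IP:
        reasons.append("exploit_kit_host")
    if host == C2_IP or dest_ip == C2_IP:
        reasons.append("cridex_c2")
    if host in MALICIOUS_DOMAINS:
        reasons.append("known_bad_domain")
    return reasons


def scan_proxy_log(text):
    """Return one hit record per log line that matches any indicator."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if len(fields) != 5:
            continue  # skip malformed lines rather than crash on them
        _ts, client, dest_ip, _method, url = fields
        reasons = classify(dest_ip, url)
        if reasons:
            hits.append({"line": lineno, "client": client,
                         "url": url, "reasons": reasons})
    return hits


def triage_clients(hits):
    """Map each client IP to the most serious stage observed for it."""
    stage = {}
    for h in hits:
        candidates = list(h["reasons"])
        if h["client"] in stage:
            candidates.append(stage[h["client"]])
        stage[h["client"]] = max(candidates, key=STAGE_ORDER.index)
    return stage


if __name__ == "__main__":
    hits = scan_proxy_log(SAMPLE_PROXY_LOG)
    for h in hits:
        print(f"line {h['line']}: {h['client']} -> {h['url']} [{', '.join(h['reasons'])}]")
    for client, stage in triage_clients(hits).items():
        print(f"{client}: furthest stage = {stage}")
```

A client that reaches `cridex_c2` should be treated as infected and taken off the network for the host checks described earlier; a client that only hit the landing page may have been saved by a patched browser, but still warrants a look at the exploit-kit traffic that followed. Matching on the destination IP as well as the hostname is deliberate: the exploit-serving domains rotate, while the hosting IP and the callback IP in this campaign stayed the same.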

Webroot SecureAnywhere users are proactively protected from these threats.

You can find more about Dancho Danchev at his LinkedIn Profile. You can also follow him on Twitter.
