Malicious ‘Facebook Account Cancellation Request” themed emails serve client-side exploits and malware


By Dancho Danchev

In December, 2012, we intercepted a professional-looking email that was impersonating Facebook Inc. in an attempt to trick its users into thinking that they’ve received an “Account Cancellation Request“. In reality, once users clicked on the links, their hosts were automatically exploited through outdated and already patched client-side vulnerabilities, which dropped malware on the affected PCs.

Over the past 24 hours, cybercriminals have resumed spamvertising tens of thousands of legitimate-looking Facebook themed emails, once again using the same social engineering theme.

More details:

Sample screenshot of the spamvertised email:

Fake_Facebook_Account_Cancellation_Request_Email_Spam_Exploits_Malware

Malicious client-side exploitation URL chain: hxxp://mailstatic.twilightparadox.com -> hxxp://kidstoytowers.com/log/forums/index.php?showtopic=852510 -> hxxp://kidstoytowers.com/log/forums/rhin.jar -> hxxp://kidstoytowers.com/log/forums/Goo.jar -> hxxp://kidstoytowers.com/log/forums/lib.php -> hxxp://kidstoytowers.com/log/forums/load.php?showforum=lib

Sample client-side exploits served: CVE-2010-0188; CVE-2011-3544; CVE-2010-0840

Malicious domain name reconnaissance:
kidstoytowers.com – 62.75.181.220 – responding to the same IP is also the following domain – dailyfrontiernews.com

Upon successful client-side exploitation, the campaign drops MD5: 9356fcd388b4bae53cad7aea4127d966 – detected by 3 out of 46 antivirus scanners as W32/Injector.YMS!tr.

Once executed, the sample sets the following Registry Keys to 1:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\\ProxyBypass
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\\IntranetName
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\\UNCAsIntranet
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a20cd692-8e41-11e1-9999-806d6172696f}\\BaseClass
HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache\(null)\C:\WINDOWS\system32\ipconfig.exe

It also (successfully) creates the following process:
C:\d97f042474a0b1814fd681dca3ec2c5edf7054acff979f585a044478bc7c5cbd

If you catch a Facebook impersonating email in the wild, please forward it to phish@fb.com to notify Facebook of the attack. Webroot SecureAnywhere users are proactively protected from this threat.

You can find more about Dancho Danchev at his LinkedIn Profile. You can also follow him on  Twitter.

Join the Conversation

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s