By Dancho Danchev
In December 2012, we intercepted a professional-looking email that was impersonating Facebook Inc. in an attempt to trick its users into thinking that they’ve received an “Account Cancellation Request“. In reality, once users clicked on the links, their hosts were automatically exploited through outdated and already patched client-side vulnerabilities, which dropped malware on the affected PCs.
Over the past 24 hours, cybercriminals have resumed spamvertising tens of thousands of legitimate-looking Facebook themed emails, once again using the same social engineering theme.
Sample screenshot of the spamvertised email:
Malicious client-side exploitation URL chain: hxxp://mailstatic.twilightparadox.com -> hxxp://kidstoytowers.com/log/forums/index.php?showtopic=852510 -> hxxp://kidstoytowers.com/log/forums/rhin.jar -> hxxp://kidstoytowers.com/log/forums/Goo.jar -> hxxp://kidstoytowers.com/log/forums/lib.php -> hxxp://kidstoytowers.com/log/forums/load.php?showforum=lib
Malicious domain name reconnaissance:
kidstoytowers.com – 18.104.22.168; the following domain also responds to the same IP – dailyfrontiernews.com
Upon successful client-side exploitation, the campaign drops MD5: 9356fcd388b4bae53cad7aea4127d966 – detected by 3 out of 46 antivirus scanners as W32/Injector.YMS!tr.
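A defender-side triage of the exploitation chain above, as an added example that is not part of the original post: it groups constructed proxy log lines (assumed format: client IP, method, URL, status) per client and reports which stage of the kidstoytowers.com chain each client reached.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit
# Indicators from the post: hosts in the redirection chain (kidstoytowers.com and
# dailyfrontiernews.com share 18.104.22.168) and the stages seen under /log/forums/.
MALICIOUS_HOSTS = {"mailstatic.twilightparadox.com", "kidstoytowers.com",
                   "dailyfrontiernews.com"}
STAGES = [
    ("landing", re.compile(r"/log/forums/index\.php\?showtopic=\d+")),
    ("java_exploit", re.compile(r"/log/forums/[A-Za-z]+\.jar$")),
    ("post_exploit", re.compile(r"/log/forums/lib\.php$")),
    ("payload", re.compile(r"/log/forums/load\.php\?showforum=lib")),
]

# Constructed proxy log lines (not from the post): "client_ip method url status".
SAMPLE_LOG = """\
10.0.0.5 GET http://mailstatic.twilightparadox.com/ 302
10.0.0.5 GET http://kidstoytowers.com/log/forums/index.php?showtopic=852510 200
10.0.0.5 GET http://kidstoytowers.com/log/forums/rhin.jar 200
10.0.0.5 GET http://kidstoytowers.com/log/forums/Goo.jar 200
10.0.0.5 GET http://kidstoytowers.com/log/forums/lib.php 200
10.0.0.5 GET http://kidstoytowers.com/log/forums/load.php?showforum=lib 200
10.0.0.7 GET http://www.facebook.com/ 200
10.0.0.9 GET http://dailyfrontiernews.com/log/forums/index.php?showtopic=1 200
"""

def classify_request(url):
    """Return (host, stage); stage is None when the URL matches no chain stage."""
    parts = urlsplit(url)
    path_query = parts.path + ("?" + parts.query if parts.query else "")
    for name, pattern in STAGES:
        if pattern.search(path_query):
            return parts.hostname or "", name
    return parts.hostname or "", None

def detect_chain(log_text):
    """Per client, report the chain stages reached. 'contact' marks any request to
    an indicator host; reaching the payload stage is flagged 'full_chain'."""
    per_client = defaultdict(set)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue
        host, stage = classify_request(fields[2])
        if host not in MALICIOUS_HOSTS:
            continue
        per_client[fields[0]].add("contact")
        if stage:
            per_client[fields[0]].add(stage)
    return {c: {"verdict": "full_chain" if "payload" in s else "partial",
                "stages": sorted(s)} for c, s in per_client.items()}
```

A client flagged `partial` only touched the landing page (for example, the exploit was blocked or the Java plugin was absent) and still warrants a look, while `full_chain` means the payload stage was fetched and the host should be treated as compromised.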
Once executed, the sample sets the following Registry Keys to 1:
It also (successfully) creates the following process: