‘Your Kindle e-book Amazon receipt’ themed emails lead to Black Hole Exploit Kit


By Dancho Danchev

Kindle owners, watch what you click on!

Cybercriminals are currently attempting to trick Kindle owners into thinking they've received a receipt for an e-book purchase from Amazon.com. In reality, clicking any of the links in the malicious emails automatically exposes the user to the client-side exploits served by the Black Hole Exploit Kit.

More details:

Sample screenshot of the spamvertised email:

Sample compromised URLs used in the campaign:
hxxp://fatlossfactorscams.com/wp-content/plugins/tell-a-friend/orderedlistamazon.html
hxxp://v-mishchenko.com/wp-content/plugins/tell-a-friend/orderedlistamazon.html
hxxp://pasadenacaregiver.com/wp-content/plugins/tell-a-friend/orderedlistamazon.html

Sample client-side exploits serving URL:
hxxp://starsoftgroup.net/detects/weeks_movie_whether.php

Sample malicious payload dropping URLs:
hxxp://starsoftgroup.net/detects/weeks_movie_whether.php?jf=31:2v:33:1o:1m&le=2w:2v:1o:1g:1m:31:1l:1k:30:1k&s=1f&tf=s&kv=r
hxxp://starsoftgroup.net/detects/weeks_movie_whether.php?uf=2v:1i:1h:31:1o&he=2w:2v:1o:1g:1m:31:1l:1k:30:1k&f=1f&kr=t&bp=y
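The three URL families listed above (the redirector page shared by every compromised WordPress site, the exploit-serving script, and the payload-download requests with their colon-separated query values) can be turned into a quick proxy-log check. The following is an added example, not code from the original post or from Webroot: the indicator strings are copied from the lists above, the log lines are constructed for the example, and the TOKEN_LIST regex is my own generalisation of the two payload URLs, not a published Black Hole signature.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Indicators taken from the lists above (the "hxxp" defang is undone at match time).
LANDING_PATH = "/wp-content/plugins/tell-a-friend/orderedlistamazon.html"
EXPLOIT_HOST = "starsoftgroup.net"
EXPLOIT_PATH = "/detects/weeks_movie_whether.php"

# Heuristic for the payload-request query strings seen above
# (e.g. jf=31:2v:33:1o:1m&le=2w:2v:1o:...): values are colon-separated runs of
# one- or two-character base-36 tokens. This generalises the two sample URLs
# and is an assumption of this example, not a published exploit-kit signature.
TOKEN_LIST = re.compile(r"^[0-9a-z]{1,2}(?::[0-9a-z]{1,2})+$")


def classify_url(url):
    """Return a label for a requested URL, or None if it matches no indicator."""
    parts = urlsplit(url.replace("hxxp://", "http://", 1))
    host = parts.hostname or ""
    path = parts.path
    if path.endswith(LANDING_PATH):
        # Compromised site hosting the redirector page; the host varies, the path does not.
        return "landing-page"
    if host == EXPLOIT_HOST or path == EXPLOIT_PATH:
        if parts.query:
            params = parse_qsl(parts.query, keep_blank_values=True)
            list_values = sum(1 for _, v in params if TOKEN_LIST.match(v))
            if list_values >= 2:
                # Same script, but with the encoded parameters used to fetch the payload.
                return "payload-download"
        return "exploit-landing"
    return None


# Constructed proxy log lines in the shape "timestamp client method url status".
SAMPLE_LOG = """\
2012-01-01T13:01:10Z 10.0.0.15 GET http://pasadenacaregiver.com/wp-content/plugins/tell-a-friend/orderedlistamazon.html 200
2012-01-01T13:01:11Z 10.0.0.15 GET http://starsoftgroup.net/detects/weeks_movie_whether.php 200
2012-01-01T13:01:14Z 10.0.0.15 GET http://starsoftgroup.net/detects/weeks_movie_whether.php?jf=31:2v:33:1o:1m&le=2w:2v:1o:1g:1m:31:1l:1k:30:1k&s=1f&tf=s&kv=r 200
2012-01-01T13:02:00Z 10.0.0.22 GET http://www.amazon.com/gp/css/order-history 200
2012-01-01T13:02:05Z 10.0.0.22 GET http://example.org/wp-content/plugins/tell-a-friend/readme.txt 404
"""


def scan_log(text):
    """Return (client, label, url) for every log line that hits an indicator."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue  # malformed or truncated line; skip rather than guess
        client, url = fields[1], fields[3]
        label = classify_url(url)
        if label:
            hits.append((client, label, url))
    return hits


if __name__ == "__main__":
    for client, label, url in scan_log(SAMPLE_LOG):
        print(f"{client} {label:17} {url}")
```

The exact hostnames rot within days of a campaign like this; the redirector path, which is identical on all three compromised sites, and the shape of the payload query string are the parts worth keeping in a detection, and the query heuristic should be validated against your own traffic before being used to alert.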

Malicious domain name reconnaissance:
starsoftgroup.net – 175.121.229.209; 198.144.191.50 – Email: wondermitch@hotmail.com
Name Server: NS1.HTTP-PAGE.NET
Name Server: NS2.HTTP-PAGE.NET

We’ve already seen the same name servers used in the following previously profiled campaigns, indicating that they’ve been launched by the same cybercriminals:

Upon successful client-side exploitation, the campaign drops MD5: 13d23f4c1eb1d4d3841e2de50b1948cc – detected by 7 out of 46 antivirus scanners as UDS:DangerousObject.Multi.Generic.

Once executed, the sample creates the following processes on the affected hosts:
"C:\WINDOWS\system32\cmd.exe" /c "C:\DOCUME~1\<USER>~1\LOCALS~1\Temp\exp1.tmp.bat"
C:\Documents and Settings\<USER>\Application Data\KB00927107.exe

It also creates the following Registry Keys:
\REGISTRY\USER\S-1-5-21-299502267-926492609-1801674531-500\Software\Microsoft\Windows NT\S9CC20790
\REGISTRY\USER\S-1-5-21-299502267-926492609-1801674531-500\Software\Microsoft\Windows NT\CBA6D3F36

As well as the following Mutexes:
Local\XMM000001C4
Local\XMI000001C4
Local\XMM00000380
Local\XMI00000380

Upon execution, the sample also phones back to the following C&C servers:
hxxp://195.191.22.90:8080/DPNilBA/ue1elBAAAA/tlSHAAAAA/
hxxp://37.122.209.102:8080/DPNilBA/ue1elBAAAA/tlSHAAAAA/
hxxp://217.65.100.41:8080/DPNilBA/ue1elBAAAA/tlSHAAAAA/
hxxp://173.201.177.77/J9/vp//EGa+AAAAAA/2MB9vCAAAA/
hxxp://210.56.23.100/J9/vp//EGa+AAAAAA/2MB9vCAAAA/
hxxp://213.214.74.5/J9/vp//EGa+AAAAAA/2MB9vCAAAA/
hxxp://180.235.150.72/J9/vp//EGa+AAAAAA/2MB9vCAAAA/

We’ve already seen the same pseudo-random C&C communication characters (DPNilBA) used in the following campaigns:

As well as the same C&C server IPs (173.201.177.77; 210.56.23.100; 180.235.150.72) in the following campaigns, indicating that they’ve been launched by the same malicious party:
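The post links this campaign to earlier ones through three overlaps: the name servers behind starsoftgroup.net, the pseudo-random first path segment of the C&C beacons (DPNilBA), and the C&C server IPs. The following is an added example of that pivoting, not code from the original post or from Webroot: it clusters campaign records that share any of those attributes. The first record is taken from this post; the three "constructed-*" records are placeholders standing in for the previously profiled campaigns, whose details are not reproduced here, and use documentation-range IPs and hostnames.

```python
from collections import defaultdict
from urllib.parse import urlsplit


def cnc_path_token(url):
    """First path segment of a C&C URL, e.g. 'DPNilBA' from the beacons above."""
    path = urlsplit(url.replace("hxxp://", "http://", 1)).path
    segments = [s for s in path.split("/") if s]
    return segments[0] if segments else None


def campaign_attributes(campaign):
    """Set of (kind, value) pivot points for one campaign record."""
    attrs = set()
    for ns in campaign.get("name_servers", []):
        attrs.add(("ns", ns.lower()))
    for url in campaign.get("cnc_urls", []):
        parts = urlsplit(url.replace("hxxp://", "http://", 1))
        attrs.add(("cnc_ip", parts.hostname))
        token = cnc_path_token(url)
        if token:
            attrs.add(("cnc_path", token))
    return attrs


def cluster_campaigns(campaigns):
    """Union-find over shared attributes.

    Returns a list of (members, shared_attrs), where shared_attrs are the
    attributes carried by at least two campaigns in that cluster, i.e. the
    evidence on which the grouping rests.
    """
    parent = {c["name"]: c["name"] for c in campaigns}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    owners = defaultdict(set)  # attribute -> names of campaigns carrying it
    for c in campaigns:
        for attr in campaign_attributes(c):
            owners[attr].add(c["name"])
    for names in owners.values():
        first = next(iter(names))
        for n in names:
            parent[find(n)] = find(first)

    groups = defaultdict(set)
    for c in campaigns:
        groups[find(c["name"])].add(c["name"])
    result = []
    for members in groups.values():
        shared = {a for a, ns in owners.items() if len(ns & members) >= 2}
        result.append((frozenset(members), shared))
    return result


# First record: indicators from this post. The rest are constructed placeholders.
CAMPAIGNS = [
    {"name": "kindle-receipt",
     "name_servers": ["NS1.HTTP-PAGE.NET", "NS2.HTTP-PAGE.NET"],
     "cnc_urls": ["hxxp://195.191.22.90:8080/DPNilBA/ue1elBAAAA/tlSHAAAAA/",
                  "hxxp://173.201.177.77/J9/vp//EGa+AAAAAA/2MB9vCAAAA/"]},
    {"name": "constructed-A",   # shares a name server and the DPNilBA token
     "name_servers": ["ns1.http-page.net"],
     "cnc_urls": ["hxxp://192.0.2.10:8080/DPNilBA/aaaaBAAAA/bbbbAAAAA/"]},
    {"name": "constructed-B",   # shares a C&C IP only
     "name_servers": ["ns1.example.net"],
     "cnc_urls": ["hxxp://173.201.177.77/J9/vp//zzzzAAAAAA/yyyyCAAAA/"]},
    {"name": "constructed-C",   # shares nothing
     "name_servers": ["ns1.example.org"],
     "cnc_urls": ["hxxp://198.51.100.7/unrelated/path/"]},
]


if __name__ == "__main__":
    for members, shared in cluster_campaigns(CAMPAIGNS):
        print(sorted(members))
        for kind, value in sorted(shared):
            print(f"    shared {kind}: {value}")
```

The shared-attribute set is printed alongside each cluster on purpose: a name server that a hosting provider uses for thousands of unrelated domains is a far weaker link than a C&C IP or a beacon path token, so a cluster held together by a single name server deserves a second look before it is treated as the same operator.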

Webroot SecureAnywhere users are proactively protected from these threats.

You can find more about Dancho Danchev at his LinkedIn Profile. You can also follow him on Twitter.
