Spamvertised BBB ‘Your Accreditation Terminated’ themed emails lead to Black Hole Exploit Kit


By Dancho Danchev

Over the past week, a cybercriminal/gang of cybercriminals whose activities we’ve been actively profiling over a significant period of time launched two separate massive spam campaigns, this time impersonating the Better Business Bureau (BBB), in an attempt to trick users into thinking that their BBB accreditation has been terminated.

Once users click on any of the links found in the malicious emails, they’re automatically exposed to the client-side exploits served by the Black Hole Exploit Kit.

More details:

Sample screenshot of the first BBB themed spamvertised campaign:

Sample screenshot of the second BBB themed spamvertised campaign:

Sample spamvertised compromised URLs:
hxxp://paltashaco.com/templates/beez/bbb_termacr.html
hxxp://ogr.kuzstu.ru/templates/beez/bbb_termacr.html
hxxp://proba.ts6.ru/templates/beez/bbb_termacr.html
hxxp://bpconstructores.com/templates/beez/bbb_termacr.html
hxxp://mozyrproject.by/templates/beez/bbb_termacr.html
hxxp://bpconstructores.com/templates/beez/bbb_termacr.html
hxxp://bz-soft.com.ua/templates/beez/bbb_termacr.html
hxxp://www.texasspec.com/abortd_bbb.html
hxxp://www.thecrusaders.co.nz/abortd_bbb.html

Sample client-side exploits serving URLs:
hxxp://bbb-complaint.org/kill/establishment-wide_causes-widest.php
hxxp://bbb-accredited.net/kill/enjoy-laws-partially-unwanted.php

Sample malicious payload dropping URL: hxxp://bbb-complaint.org/kill/establishment-wide_causes-widest.php?dkcj=1n:33:2v:1l:1h&abqiksds=3i&rfquxhnq=32:2v:1k:30:1n:1h:33:1o:2v:32&vkcakj=1n:1d:1f:1d:1f:1d:1j:1k:1l

Malicious domain names reconnaissance:
bbb-complaint.org – 63.141.224.171; 149.154.68.214; 155.239.247.247 – Email: gonumina1@dbzmail.com
Name Server: NS1.STREETCRY.NET – 93.186.171.133 – Email: webclipradio@aol.com
Name Server: NS2.STREETCRY.NET – 15.214.13.118 – Email: webclipradio@aol.com

bbb-accredited.net – not responding

Responding to 149.154.68.214 are also the following malicious domains:
fab73.ru
misharauto.ru
secureaction120.com – 149.154.68.214; 155.239.247.247; 141.0.176.234 – Email: markovochn@yandex.ru
secureaction150.com – 149.154.68.214; 155.239.247.247; 141.0.176.234 – Email: markovochn@yandex.ru
iberiti.com – 149.154.68.214; 155.239.247.247; 141.0.176.234 – Email: biedermann@iberiti.com
notsk.com – 149.154.68.214; 155.239.247.247; 141.0.176.234 – Email: jenifer@notsk.com
metalcrew.net – 149.154.68.214; 155.239.247.247; 141.0.176.234 – Email: heffner@metalcrew.net
roadix.net – 149.154.68.214; 155.239.247.247; 141.0.176.234 – Email: marunga@roadix.net
gatovskiedelishki.ru – 149.154.68.214; 155.239.247.247; 141.0.176.234
conbicormiks.ru

Name servers used in the campaign:
Name Server: NS1.STREETCRY.NET – 93.186.171.133 – Email: webclipradio@aol.com
Name Server: NS2.STREETCRY.NET – 15.214.13.118 – Email: webclipradio@aol.com
Name Server: NS1.E-ELEVES.NET – 173.208.88.196
Name Server: NS1.E-ELEVES.NET – 43.109.79.23
Name Server: NS1.LETSGOFIT.NET – 173.208.88.196 – Email: weryrebel@live.com
Name Server: NS1.LETSGOFIT.NET – 11.3.51.158 – Email: weryrebel@live.com
Name Server: NS1.BLACKRAGNAROK.NET – 209.140.18.37 – Email: onetoo@gmx.com
Name Server: NS2.BLACKRAGNAROK.NET – 6.20.13.25 – Email: onetoo@gmx.com
Name Server: NS1.OUTBOUNDUK.NET
Name Server: NS2.OUTBOUNDUK.NET

Not surprisingly, we’ve already seen the onetoo@gmx.com email in the following previously profiled malicious campaign – “Malicious ‘Data Processing Service’ ACH File ID themed emails serve client-side exploits and malware”.

Upon successful client-side exploitation, a sampled campaign drops: MD5: 126a104f260cb0059b901c6a23767d76 – detected by 19 out of 46 antivirus scanners as Worm:Win32/Cridex.E

Once executed, the sample stores the following modified files:
C:\Documents and Settings\Administrator\Application Data\KB00635017.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\exp8.tmp.bat
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\89OC5JKA\2MB9vCAAAA[1].txt
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\exp9.tmp.exe
C:\Documents and Settings\Administrator\Application Data\9CC20790\9CC20790
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\expA.tmp.exe
C:\Documents and Settings\Administrator\Application Data\9CC20790\9CC20790
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\89OC5JKA\2MB9vCAAAA[1].txt
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\89OC5JKA\2MB9vCAAAA[2].txt
C:\Documents and Settings\Administrator\Application Data\KB00635017.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\expB.tmp.bat

It also creates the following Registry Keys:
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CFBDC89D4
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\S25BC2D7B

And the following Registry Value:
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] -> KB00121600.exe = "%AppData%\KB00121600.exe"

It then creates the following Mutexes:
Local\XMM000003F8
Local\XMI000003F8
Local\XMRFB119394
Local\XMM000005D4
Local\XMI000005D4
Local\XMM000005E8
Local\XMI000005E8
Local\XMM000000C8
Local\XMI000000C8
Local\XMM0000014C
Local\XMI0000014C

And phones back to the following command and control (C&C) servers:
213.214.74.5:8080/AJtw/UCyqrDAA/Ud+asDAA/
194.97.99.120/J9/vp//EGa+AAAAAA/2MB9vCAAAA/
109.168.106.162/J9/vp//EGa+AAAAAA/2MB9vCAAAA/
203.114.112.156/asp/intro.php

We’ve already seen 213.214.74.5 in the following previously profiled malicious campaign – “‘Your Kindle e-book Amazon receipt’ themed emails lead to Black Hole Exploit Kit”. We’ve also seen 203.114.112.156 in the following assessment – “Fake ‘You’ve blocked/disabled your Facebook account’ themed emails serve client-side exploits and malware”.

As for the pseudo-random characters used in the C&C communication (UCyqrDAA/Ud+asDAA/), we’ve also seen them in the following previously profiled campaigns, indicating that these campaigns have been launched by the same cybercriminal/gang of cybercriminals.
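The C&C servers and the recurring path token above are the indicators a defender would actually hunt for in proxy or web-gateway logs. The following is an added example, not code from the original post or from Webroot: it matches constructed sample log lines against the C&C indicators listed in the post, both by known host and by the shared `UCyqrDAA/Ud+asDAA/` path token, so that a beacon to an unlisted host on the same infrastructure pattern is still flagged. The log line layout and client IPs are assumptions made up for this example; the `http://` scheme is added to the post’s indicators only so they parse as URLs.

```python
"""
Added example (not from the original post): flag proxy log lines that match the
C&C indicators listed in the write-up. Log lines and the log format are constructed;
the indicator values come from the post itself.
"""
import re
from urllib.parse import urlsplit

# C&C endpoints as listed in the post. The post gives them without a scheme;
# "http://" is assumed here only so that urlsplit() can parse host and path.
CNC_INDICATORS = [
    "http://213.214.74.5:8080/AJtw/UCyqrDAA/Ud+asDAA/",
    "http://194.97.99.120/J9/vp//EGa+AAAAAA/2MB9vCAAAA/",
    "http://109.168.106.162/J9/vp//EGa+AAAAAA/2MB9vCAAAA/",
    "http://203.114.112.156/asp/intro.php",
]

# Path fragment the post reports as shared across this group's campaigns.
SHARED_PATH_TOKEN = "UCyqrDAA/Ud+asDAA/"

# Host set derived from the indicators (port is deliberately ignored so that
# a beacon to the same IP on another port is still matched).
CNC_HOSTS = {urlsplit(u).hostname for u in CNC_INDICATORS}

# Constructed sample log: "<timestamp> <client_ip> <method> <url> <status>".
# 198.51.100.7 is a documentation-range address used here as a stand-in for an
# unlisted C&C host; it is not an indicator from the post.
SAMPLE_LOG = """\
2012-10-10T09:12:01Z 10.0.0.15 GET http://www.example.com/index.html 200
2012-10-10T09:12:44Z 10.0.0.15 POST http://213.214.74.5:8080/AJtw/UCyqrDAA/Ud+asDAA/ 200
2012-10-10T09:13:02Z 10.0.0.22 GET http://203.114.112.156/asp/intro.php 200
2012-10-10T09:13:30Z 10.0.0.31 POST http://198.51.100.7/zz/UCyqrDAA/Ud+asDAA/ 200
2012-10-10T09:14:00Z 10.0.0.15 GET http://www.example.org/about 304
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)


def classify(url):
    """Return a reason string if the URL matches a listed indicator, else None.

    Host matches take priority; the path token catches the same beacon format
    on infrastructure not yet on the list.
    """
    parts = urlsplit(url)
    host = parts.hostname
    if host in CNC_HOSTS:
        return "known C&C host " + host
    if SHARED_PATH_TOKEN in parts.path:
        return "shared C&C path token on unlisted host " + (host or "?")
    return None


def scan_log(text):
    """Parse each log line and return a list of dicts for the lines that match."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line; skip rather than fail the whole scan
        reason = classify(m.group("url"))
        if reason:
            hits.append({
                "ts": m.group("ts"),
                "client": m.group("client"),
                "url": m.group("url"),
                "reason": reason,
            })
    return hits


def affected_clients(hits):
    """Distinct internal hosts that beaconed, sorted for a stable triage list."""
    return sorted({h["client"] for h in hits})


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["ts"], hit["client"], hit["reason"])
    print("clients to triage:", affected_clients(scan_log(SAMPLE_LOG)))
```

In practice the host set would be loaded from a maintained indicator feed rather than hard-coded, and the path-token match is the more durable of the two checks, since the post shows the same token reused across campaigns while the IP addresses rotate.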

Webroot SecureAnywhere users are proactively protected from this threat.

You can find more about Dancho Danchev at his LinkedIn Profile. You can also follow him on Twitter.
