Malicious Email Sample
Intercepted emails generated interest as they are highly convincing as breaking news alerts and target highly popular and polarizing topics such as immigration reform, the war on terror, and sending troops to Syria.
Example email subjects include:
U.S. Military Action in Syria - is it WW3 start?
US deploys 19,000 troops in Syria
Obama Sending US Forces to Syria
Malicious Email Analysis
The emails above contain links that follow a series of redirections leading to a BlackHole exploit kit which delivers a malicious PDF. Once opened, the malicious PDF executes embedded and obfuscated JavaScript code which delivers an exploit (CVE-2010-0188). In the event the exploit is successful, the shellcode downloads a malicious component from: hxxp://sartorilaw.net/news/source_fishs.php?kxdtlz=1l:1g:1i:1o:1j&mbtdi=1k:33:1f:32:2w:30:1h:1o:1h:1g&swlpwu=1i&doko=vaif&wgnrppva=xoti
Redirection Chain:
The malicious component downloaded by the shellcode is characterized as a Trojan that is capable of downloading malicious files onto a compromised computer and spreading itself via mapped and removable drives.
Malicious component:
https://www.virustotal.com/en/file/2b6a58cbf235fedfbcdb1f15645f5d3f9156ebeb916074539b83c1e7934b1ef9/analysis/
About the PDF file:
https://www.virustotal.com/en/file/f2130f5c0e388454db7c8b25d16b59cb19ba193fe6cd1a5a7b7168d94e6d243b/analysis/
Malicious PDF Analysis
First Stage - Obfuscated JavaScript embedded in PDF:
Second Stage:
The third and final stage reveals the shellcode and URL:
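A defender-side triage scanner for the kind of PDF described above, added here as an example (it is not code from the original post or from Websense): it counts the PDF name tokens that mark embedded JavaScript and automatic actions, first resolving the `#xx` name escapes that obfuscated samples use to hide tokens such as `/JavaScript`. The PDF bytes below are constructed for the demonstration, not the analysed file, and the token list and risk thresholds are this example's own choices.

```python
import re

# Constructed sample: a minimal PDF-like byte string carrying the tokens a
# JavaScript-bearing, auto-executing PDF typically contains. Not the real sample.
SAMPLE_PDF = (
    b"%PDF-1.6\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R "
    b"/AcroForm << /XFA 5 0 R >> >> endobj\n"
    b"4 0 obj << /S /Java#53cript /JS (var a=unescape('%u9090'); eval(a);) >> endobj\n"
    b"5 0 obj << /Length 12 >> stream\n<xdp:xdp>..</xdp:xdp>\nendstream endobj\n"
    b"trailer << /Root 1 0 R >> %%EOF\n"
)

# Name tokens worth counting in a triage pass (chosen for this example).
SUSPICIOUS = ["/JS", "/JavaScript", "/OpenAction", "/AA", "/XFA",
              "/Launch", "/EmbeddedFile", "/URI"]


def normalize_names(data: bytes) -> bytes:
    """Resolve PDF name hex escapes (/Java#53cript -> /JavaScript) so that
    #xx obfuscation cannot hide a keyword from the scan. Escapes inside
    stream data are resolved too, which is harmless for counting."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), data)


def scan_pdf(data: bytes) -> dict:
    """Count suspicious name tokens; returns {token: count} for tokens seen."""
    norm = normalize_names(data)
    counts = {}
    for tok in SUSPICIOUS:
        # Require a PDF delimiter after the token so /JS does not match /JSx.
        pat = re.escape(tok.encode()) + rb"(?=[\s/<>\[\]()])"
        n = len(re.findall(pat, norm))
        if n:
            counts[tok] = n
    return counts


def risk_verdict(counts: dict) -> str:
    """Script plus an auto-trigger (OpenAction/AA) or XFA form is the
    combination seen in exploit-kit PDFs; treat that as high risk."""
    js = counts.get("/JS", 0) + counts.get("/JavaScript", 0)
    auto = counts.get("/OpenAction", 0) + counts.get("/AA", 0)
    if js and (auto or counts.get("/XFA", 0)):
        return "high"
    if js or counts.get("/Launch", 0) or counts.get("/XFA", 0):
        return "medium"
    return "low"


if __name__ == "__main__":
    found = scan_pdf(SAMPLE_PDF)
    print(found, risk_verdict(found))
```

A "high" verdict is a reason to detonate the file in a sandbox or block the attachment, not proof of exploitation; benign forms also use XFA and OpenAction.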
Should the malicious PDF successfully exploit the victim's machine, it creates a Windows Registry entry in order to maintain persistence by running automatically as the system starts:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
Once executed, a number of HTTP connections on port 8080 are opened in order to download additional malicious payloads:
Associated Domains
The domain (hxxp://sartorilaw.net) that hosts the malware downloaded by the PDF exploit above was first registered on June 25th, 2013. In that time, it has resolved to three different IP addresses (119.147.137.31, 203.80.17.155, 174.140.166.239) and has hosted multiple pieces of malware which resulted in it being characterized as a malicious website by the Websense ThreatSeeker® Intelligence Cloud nearly immediately.
Malicious domain (hxxp://sartorilaw.net)
Contact email: soldwias@usa.com
Registrant: Cabrieto, Debbie
A WHOIS lookup on the contact email and registrant indicates that a second domain was registered on the same day (hxxp://enterxcasino.net). This domain does not resolve yet, but is likely to be used for malicious purposes in the future.
http://community.websense.com/blogs/securitylabs/archive/2013/06/28/fox-news-themed-malicious-email-campaign.aspx