Cyber criminals capitalize on news of Boston bombing

Posted by:

Cyber criminals remain indifferent and insensitive to events showcased on the national stage, such as the bombings at the Boston marathon on April 15, 2013. Since the event, the Dell SecureWorks CTU(TM) research team has been monitoring the Waledac/Kelihos botnet, which has begun distributing spam claiming to provide information about the bombing (see Figure 1). The email messages contain a single malicious link and entice victims to click the link for more information.

 

 

Figure 1. Example of spam subject lines. (Source: http://www.malekal.com/2013/04/17/redkit-exploitkit-par-campagne-de-spam-sur-la-tragedie-de-boston/)

Victims who click the malicious link are directed to a page that loads several iframes. The iframes perform simultaneous actions when rendered in a victim’s web browser:

  • Redirect the browser to a YouTube video showing the attack.
  • Redirect the browser to a Redkit exploit pack landing page.


Figure 2. Video loaded by an iframe after clicking the link. Example of loaded iframes at right.

After the web browser loads the Redkit landing page, Redkit initiates a series of requests that ultimately lead to the installation of a variety of malware (see Figure 3).


Figure 3. Malicious request chain, starting from the original link contained within the spam. (Source: Dell SecureWorks)

The CTU research team has observed this spam campaign installing several malware families:

Figure 4 shows activity for these threats observed by the CTU research team between March 17 and April 17, 2013.
Figure 4. Alert activity for the past 30 days. (Source: Dell SecureWorks)

The CTU research team has developed the iSensor signatures/countermeasures in Table 1 to detect activity associated with this spam campaign. Third-party devices receive updated protection as it is released from the respective vendors and deployed by Dell SecureWorks device management security teams.

Signature ID Alert Message
47934 Redkit Returning AES Encrypted Payload
48446 Trojan Win32/Karagany.I Requesting Encoded EXE
33390 Pony Downloader Trojan Phone Home Request Detected
47815 ZeroAccess GeoIP check with Maxmind
39204 Waledac/Storm V4 Trojan Contacting Peer

Table 1. Dell SecureWorks iSensor countermeasures covering this spam activity.

To mitigate exposure to these malware, CTU researchers recommend that customers use available controls to restrict access the indicators listed in Table 2.

Indicator Type Context
hxxp:// 178.137.120.224/news . html Web page Web page that loads iframes to redirect to Redkit and YouTube.
hxxp:// 95.87.6.156/news . html Web page Web page that loads iframes to redirect to Redkit and YouTube.
hxxp:// 188.2.164.112/boston . html Web page Web page that loads iframes to redirect to Redkit and YouTube.
hxxp:// 178.137.120.224/news . html Web page Web page that loads iframes to redirect to Redkit and YouTube.
hxxp:// 46.233.4.113/boston . html Web page Web page that loads iframes to redirect to Redkit and YouTube.
hxxp:// 94.28.49.130/boston . html Web page Web page that loads iframes to redirect to Redkit and YouTube.

Table 2. Indicators for this spam activity.

0
  Related Posts
})
SEC Cybersecurity Exams