The Boston Marathon bombings, RedKit and a malware zoo

Just some hours after the bombings during the Boston Marathon we already had several spam campaigns using that subject to infect users. It seems that cybercriminals don't respect anything, did we really expect something different? :p

On the past Wednesday I received four emails talking about the Boston incident. They were really suspicious, just a URL in the body, the URLs had just an IP instead of a good domain...I think someone was in a rush trying to profit from this as soon as possible, while it was still on the news...
 

 
The subjects were:
 

BREAKING - Boston Marathon Explosion 
Explosion at the Boston Marathon
Aftermath to explosion at Boston Marathon
Explosions at the Boston Marathon

 
And the URLs I saw:
 

hxxp://94.28.49 .130/boston.html 
hxxp://78.90.133 .133/boston.html
hxxp://118.141.37 .122/news.html
hxxp://110.92.80 .47/news.html

 
These URLs leaded to a simple webpage with six iframes. Five of them pointed to real videos about the tragedy and the other one redirected to a RedKit exploit kit which was trying to exploit a CVE-2012-1723 Java vulnerability (take a look at the vulnerability explanation). Also, a Meta Refresh Tag was leading to this URL:
 

hxxp://188.2.164 .112/boston.avi_______.exe

 
The URLs related to the exploit kit were:
 

hxxp://chartspmsasia .com/weir.html 
hxxp://chartspmsasia .com/oug.jar (477ce8dba54e76017755a85e1de66eb8)
hxxp://chartspmsasia .com/82.html

 

 

 

 
After the exploitation of the Java vulnerability, the RedKit loader downloaded and executed several binaries. Some of the URLs related to the loader:
 

hxxp://kaelenaliyah .com/e.htm?NiDAIBYwuUxEEmUYpPYvc1XDkbhYDyBkui 
hxxp://tayrenaminah .com/y.htm?TD9w3AtYBNTHiqs4WSD2d9xikD3YsjYuXe
hxxp://inlandroofing .com/r.htm?CdEJ868sNFAFzc7WsCGizDK3pwFR3gkFR
hxxp://chesneyandgreen .com.au/o.htm?P4hIzghmJGiD1AgnVCyywGZmT3Ds

 

 Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)

 
So here we had our malware zoo ;)
 

It is a password stealer which sends the stolen information in encrypted POST requests (one of the responses was “STATUS-IMPORT-OK”). The URLs related were the following:
 

hxxp://koizone .com/default.php?HWoWQckkzRqFVl3BOoZslqMYjONykqG1vSfXB6JT 
hxxp://largebonsai .com/default.php?o2kwyp3RwjDPqudAO3bifhTvBmthWavxJjg2
hxxp://linuxforever .com/default.php?E6d5AsmoudUrwjiIaFosK4q5DNlbQH9VRas
hxxp://miniwatergarden .com/default.php?IaonWreTn5eIB2giAWYOC93UFptgfP4a
hxxp://navigationpage .com/default.php?qeeymYgEs31tBuH26jTIsJECCmZyW8bGN

 
The user-agent used by this sample was quite old and suspicious:
 

Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)

  

 

This Kelihos sample was downloaded from the following URL:
 

hxxp://ymvuchyq .ru/newbos3.exe

 
It created the following registry key to assure its execution:
 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SonyAgent

 
It also contained some components to sniff the network:
 

%SysDir%\drivers\npf.sys 
%SysDir%\Packet.dll
%SysDir%\wpcap.dll

 
One of the objectives of this trojan was stealing FTP / Mail / Mozilla / Chrome credentials:
 

 
The user-agent was changed within each request to the C&C:
 

Mozilla/5.0 (Windows; U; Windows NT 6.1; ja; rv:1.9.2a1pre) Gecko/20090403 Firefox/3.6a1pre 
Mozilla/5.0 (X11; U; Linux x86_64; cy; rv:1.9.1b3) Gecko/20090327 Fedora/3.1-0.11.beta3.fc11 Firefox/3.1b3
Mozilla/5.0 (Windows; U; Windows NT 5.1; es-AR; rv:1.9.0.11) Gecko/2009060215 Firefox/3.0.11
Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_5_6 ; nl; rv:1.9) Gecko/2008051206 Firefox/3.0
Mozilla/5.0 (Windows; U; Windows NT 6.1; es-AR; rv:1.9) Gecko/2008051206 Firefox/3.0
Mozilla/5.0 (Windows; U; Windows NT 5.1; pt-BR; rv:1.8.1.15) Gecko/20080623 Firefox/2.0.0.15
Mozilla/5.0 (Windows; U; Windows NT 6.0; zh-HK; rv:1.8.1.7) Gecko Firefox/2.0
Mozilla/5.0 (Windows; U; Win95; it; rv:1.8.1) Gecko/20061010 Firefox/2.0
Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7
Mozilla/5.0 (ZX-81; U; CP/M86; en-US; rv:1.8.0.1) Gecko/20060111 Firefox/1.5.0.1
Mozilla/5.0 (X11; U; NetBSD alpha; en-US; rv:1.8) Gecko/20060107 Firefox/1.5
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.8b5) Gecko/20051006 Firefox/1.4.1
Mozilla/5.0 (X11; I; SunOS sun4u; en-GB; rv:1.7.8) Gecko/20050713 Firefox/1.0.4
Mozilla/5.0 (X11; U; Linux i686; de-AT; rv:1.7.5) Gecko/20041222 Firefox/1.0 (Debian package 1.0-4)
Mozilla/5.0 (Windows; U; Win 9x 4.90; rv:1.7) Gecko/20041103 Firefox/0.9.3
Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; fr; rv:1.7) Gecko/20040624 Firefox/0.9
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; FDM; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 1.1.4322)
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET CLR 1.1.4322; Tablet PC 2.0; OfficeLiveConnector.1.3; OfficeLivePatch.1.3; MS-RTC LM 8; InfoPath.3)
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.0.04506; .NET CLR 1.1.4322; InfoPath.2; .NET CLR 3.5.21022)
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.2; .NET CLR 1.1.4322)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; Win64; x64; SV1)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Mozilla/4.0 (compatible; MSIE 5.5; Windows 95)
Mozilla/4.0 (compatible; MSIE 4.01; Windows NT 5.0)
Mozilla/2.0 (compatible; MSIE 3.0; Windows 3.1)
Mozilla/1.22 (compatible; MSIE 1.5; Windows NT) Microsoft Internet Explorer/1.0 (Windows 95)

 
The URLs were created using the following words (eg. hxxp://1.2.3.4/home.htm):
 

file 
online
main
start
install
login
setup
welcome
search
home
default
index

 
In this case, this sample was also performing a denial of service (DoS) against some sites using TCP and UDP request to the port 80.
 

190.93.254.46 
108.162.193.131
50.62.238.103
186.2.175.13
90.156.201.13
186.2.166.44
199.245.52.128

  

Mozilla/5.0 (Windows; U; Windows NT 5.1; pt-PT; rv:1.9.2.17) Gecko/20110420 Firefox/3.6.17

  

 

The last one to join the party was a police Ransomware (not the version I analyzed some time ago), asking for money and trying to scare the people, as usual. In this case we didn't need many more evidences to find out the malware family...
 

 
After being launched it assured its execution adding itself as a custom shell related to Winlogon:
 

HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon 
Shell = explorer.exe,c:\Documents and Settings\$USER\Application Data\skype.dat

 
It used encryption to communicate with the panel to download the page that it will show to the user (depending on his IP) and to send the code of Paysafecard or Ukash to pay the ransom.
 

hxxp://varjx .org/ht-twwpwbjgnfwfmr-kqcgfy-glza-hcjums-cjac-gtcr-snzm_mvfzrchekkuauksi-mxpr-yxpr-qutf-akdu_kqvq-ifqs-.php 
hxxp://varjx .org/yj-bqricoarzm-frqs-jzcohcyjqrcd_qsnfuu-bqblbwkodaglpi-abxqgntsxl-wbca_ihdfprbisunb-dinm-fcfm-ns.php
hxxp://varjx .org/vnvy-vlcu_opvk-dgksnhstvpea-oyjv-rziq-cejhoubffvzoigvayevannbl_ramrtm-fyakxscnusgxcbbqkbwpnn.php

 

Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/23.0.1271.97 Safari/537.11

 

One day after these emails I was receiving others related to the Texas plant explosion, exactly with the same characteristics:
 

 

Post new comment

The content of this field is kept private and will not be shown publicly.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Allowed HTML tags: <a> <em> <strong> <cite> <code> <ul> <ol> <li> <dl> <dt> <dd>
  • Lines and paragraphs break automatically.

More information about formatting options

Type the characters you see in this picture. (verify using audio)
Type the characters you see in the picture above; if you can't read them, submit the form and a new image will be generated. Not case sensitive.