The Boston Marathon bombings, RedKit and a malware zoo

Just a few hours after the Boston Marathon bombings we already had several spam campaigns using that subject to infect users. It seems that cybercriminals don't respect anything; did we really expect anything different? :p

Last Wednesday I received four emails about the Boston incident. They were really suspicious: just a URL in the body, and the URLs used a bare IP address instead of a proper domain... I think someone was in a rush to profit from this as soon as possible, while it was still in the news...

The subjects were:

BREAKING - Boston Marathon Explosion 
Explosion at the Boston Marathon
Aftermath to explosion at Boston Marathon
Explosions at the Boston Marathon

And the URLs I saw:

hxxp://94.28.49 .130/boston.html 
hxxp://78.90.133 .133/boston.html
hxxp://118.141.37 .122/news.html
hxxp://110.92.80 .47/news.html

These URLs led to a simple webpage with six iframes. Five of them pointed to real videos about the tragedy, and the sixth redirected to a RedKit exploit kit, which was trying to exploit the Java vulnerability CVE-2012-1723 (take a look at the vulnerability explanation). A meta refresh tag also led to this URL:

hxxp://188.2.164 .112/boston.avi_______.exe
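As an added example (not code from the original post), a small Python triage script of the kind a defender would run over a captured copy of such a landing page: it pulls out iframe sources and meta-refresh targets and flags those pointing at a bare-IP host, an executable, or a filename padded with underscores. The HTML sample is constructed to mirror the structure described above, with RFC 5737 addresses in place of the real hosts.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse
# Constructed sample modelled on the landing page described above (not the real
# boston.html): iframes to real videos, one iframe to an exploit-kit page on a
# bare IP, and a meta refresh that pulls an executable. RFC 5737 hosts.
SAMPLE_HTML = """<html><head>
<meta http-equiv="refresh" content="0; url=http://192.0.2.10/boston.avi_______.exe">
</head><body>
<iframe src="https://www.youtube.com/embed/video1"></iframe>
<iframe src="https://www.youtube.com/embed/video2"></iframe>
<iframe src="http://198.51.100.7/weir.html"></iframe>
</body></html>"""

EXEC_EXT = (".exe", ".jar", ".scr", ".com", ".pif")
IP_HOST = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
REFRESH_URL = re.compile(r"url\s*=\s*['\"]?([^'\"\s]+)", re.I)

class RedirectExtractor(HTMLParser):
    """Collect iframe sources and meta-refresh destinations from a page."""
    def __init__(self):
        super().__init__()
        self.targets = []  # (kind, url) in document order

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "iframe" and a.get("src"):
            self.targets.append(("iframe", a["src"]))
        elif tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            m = REFRESH_URL.search(a.get("content") or "")
            if m:
                self.targets.append(("meta-refresh", m.group(1)))

def suspicious_redirects(html):
    """Return [(kind, url, reasons)] for every target that trips a heuristic."""
    parser = RedirectExtractor()
    parser.feed(html)
    hits = []
    for kind, url in parser.targets:
        u = urlparse(url)
        reasons = []
        if IP_HOST.match(u.hostname or ""):
            reasons.append("bare-ip host")
        if u.path.lower().endswith(EXEC_EXT):
            reasons.append("executable download")
        if "___" in u.path:  # underscore padding hides the real extension
            reasons.append("padded filename")
        if reasons:
            hits.append((kind, url, reasons))
    return hits
```

Running it on a page fetched through a sandbox or proxy is enough to separate the decoy video embeds from the one iframe and the refresh target that matter.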

The URLs related to the exploit kit were:

hxxp://chartspmsasia .com/weir.html 
hxxp://chartspmsasia .com/oug.jar (477ce8dba54e76017755a85e1de66eb8)
hxxp://chartspmsasia .com/82.html




After the Java vulnerability was exploited, the RedKit loader downloaded and executed several binaries. Some of the URLs related to the loader:

hxxp://kaelenaliyah .com/e.htm?NiDAIBYwuUxEEmUYpPYvc1XDkbhYDyBkui 
hxxp://tayrenaminah .com/y.htm?TD9w3AtYBNTHiqs4WSD2d9xikD3YsjYuXe
hxxp://inlandroofing .com/r.htm?CdEJ868sNFAFzc7WsCGizDK3pwFR3gkFR


Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)

So here we had our malware zoo ;)

It is a password stealer which sends the stolen information in encrypted POST requests (one of the responses was “STATUS-IMPORT-OK”). The related URLs were the following:

hxxp://koizone .com/default.php?HWoWQckkzRqFVl3BOoZslqMYjONykqG1vSfXB6JT 
hxxp://largebonsai .com/default.php?o2kwyp3RwjDPqudAO3bifhTvBmthWavxJjg2
hxxp://linuxforever .com/default.php?E6d5AsmoudUrwjiIaFosK4q5DNlbQH9VRas
hxxp://miniwatergarden .com/default.php?IaonWreTn5eIB2giAWYOC93UFptgfP4a
hxxp://navigationpage .com/default.php?qeeymYgEs31tBuH26jTIsJECCmZyW8bGN

The user-agent used by this sample was quite old and suspicious:

Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)



This Kelihos sample was downloaded from the following URL:

hxxp://ymvuchyq .ru/newbos3.exe

It created the following registry key to ensure its execution:


It also contained some components to sniff the network:


One of the objectives of this trojan was stealing FTP / Mail / Mozilla / Chrome credentials:

The user-agent changed with every request to the C&C, rotating through a long list of browser strings ranging from then-current Firefox and IE builds down to ancient and obviously fake ones.

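Both behaviours seen so far, the single obsolete user-agent of the password stealer and the per-request rotation of the Kelihos sample, are easy to pick out of proxy logs. The following Python is an added example, not from the original post, run over constructed log lines in a simplified timestamp/client/host/user-agent format; the OBSOLETE pattern and the churn threshold are assumptions to tune for a real environment.

```python
import re
from collections import defaultdict

# Constructed proxy log lines (not from the original post). Fields: timestamp,
# client IP, destination host, quoted user-agent. Hosts use reserved names.
LOG_LINES = """\
2013-04-17T10:00:01 10.0.0.5 www.example.com "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.11 Chrome/23.0.1271.97"
2013-04-17T10:00:02 10.0.0.5 www.example.com "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.11 Chrome/23.0.1271.97"
2013-04-17T10:00:03 10.0.0.5 c2.example.net "Mozilla/5.0 (Windows; U; Windows NT 6.1; ja; rv:1.9.2a1pre) Gecko/20090403 Firefox/3.6a1pre"
2013-04-17T10:00:04 10.0.0.5 c2.example.net "Mozilla/5.0 (ZX-81; U; CP/M86; en-US; rv: Gecko/20060111 Firefox/"
2013-04-17T10:00:05 10.0.0.5 c2.example.net "Mozilla/4.0 (compatible; MSIE 5.5; Windows 95)"
2013-04-17T10:00:06 10.0.0.5 c2.example.net "Mozilla/2.0 (compatible; MSIE 3.0; Windows 3.1)"
2013-04-17T10:00:07 10.0.0.9 drop.example.org "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)"
"""

LINE = re.compile(r'^(\S+) (\S+) (\S+) "([^"]*)"$')
# Browser and OS versions nobody runs any more: a hard-coded or randomly
# picked user-agent rather than a real browser. Tune for your environment.
OBSOLETE = re.compile(r"MSIE [1-6]\.|Windows (95|98|3\.1)|Win95|Win 9x|CP/M", re.I)

def parse(lines):
    """Yield (timestamp, client, host, user_agent) for each well-formed line."""
    for line in lines.splitlines():
        m = LINE.match(line)
        if m:
            yield m.groups()

def obsolete_ua_hits(lines):
    """Requests whose user-agent claims a browser or OS that should be extinct."""
    return [(ip, host, ua) for _, ip, host, ua in parse(lines) if OBSOLETE.search(ua)]

def ua_churn(lines, threshold=3):
    """(client, host) pairs seen with at least `threshold` distinct user-agents,
    the Kelihos-style rotation described above. Returns {pair: distinct count}."""
    seen = defaultdict(set)
    for _, ip, host, ua in parse(lines):
        seen[(ip, host)].add(ua)
    return {pair: len(uas) for pair, uas in seen.items() if len(uas) >= threshold}
```

The churn check is the more robust of the two, since a rotating list can include perfectly current strings while the client itself never changes.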

The URLs were created using the following words (e.g. hxxp://


In this case, this sample was also performing a denial of service (DoS) against some sites using TCP and UDP requests to port 80.


Mozilla/5.0 (Windows; U; Windows NT 5.1; pt-PT; rv: Gecko/20110420 Firefox/3.6.17



The last one to join the party was a police ransomware (not the version I analyzed some time ago), asking for money and trying to scare people, as usual. In this case we didn't need much more evidence to identify the malware family...

Once launched, it ensured its execution by registering itself as a custom Winlogon shell:

HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon 
Shell = explorer.exe,c:\Documents and Settings\$USER\Application Data\skype.dat
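An added example (not from the original post) of how a defender can audit this persistence point: the function splits a Winlogon Shell value and reports every entry other than the default explorer.exe, noting whether it sits under a user-writable folder or lacks an .exe extension. SAMPLE_VALUE is constructed from the entry shown above with a placeholder user name; the live registry read only runs on Windows.

```python
import sys

EXPECTED_SHELL = "explorer.exe"
# Folders a legitimate shell entry never lives in; the sample above hid in the
# user's Application Data folder, with a .dat extension on top.
USER_WRITABLE = ("\\application data\\", "\\appdata\\", "\\temp\\", "\\users\\")

# Constructed value reproducing the persistence entry shown above; "victim"
# stands in for the real user name.
SAMPLE_VALUE = r"explorer.exe,c:\Documents and Settings\victim\Application Data\skype.dat"

def audit_shell_value(value):
    """Split a Winlogon Shell value; return (entry, reasons) for anything but explorer.exe."""
    findings = []
    for entry in (e.strip().strip('"') for e in value.split(",")):
        low = entry.lower()
        if not low or low == EXPECTED_SHELL:
            continue  # empty or the stock shell
        reasons = ["extra shell entry"]
        if any(p in low for p in USER_WRITABLE):
            reasons.append("user-writable path")
        if not low.endswith(".exe"):
            reasons.append("non-.exe extension")
        findings.append((entry, reasons))
    return findings

def audit_current_user():
    """Read HKCU\\...\\Winlogon\\Shell on Windows and audit it; None elsewhere."""
    if sys.platform != "win32":
        return None
    import winreg
    key = winreg.OpenKey(winreg.HKEY_CURRENT_USER,
                         r"Software\Microsoft\Windows NT\CurrentVersion\Winlogon")
    try:
        value, _ = winreg.QueryValueEx(key, "Shell")
    except FileNotFoundError:
        return []  # no per-user override: the HKLM default applies
    finally:
        winreg.CloseKey(key)
    return audit_shell_value(value)
```

The same Shell value under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon deserves the same check, since a per-user entry is only one of the two places a custom shell can be set.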

It used encryption to communicate with the panel, both to download the page it would show the user (depending on their IP) and to send the Paysafecard or Ukash code used to pay the ransom.

hxxp://varjx .org/ht-twwpwbjgnfwfmr-kqcgfy-glza-hcjums-cjac-gtcr-snzm_mvfzrchekkuauksi-mxpr-yxpr-qutf-akdu_kqvq-ifqs-.php 
hxxp://varjx .org/yj-bqricoarzm-frqs-jzcohcyjqrcd_qsnfuu-bqblbwkodaglpi-abxqgntsxl-wbca_ihdfprbisunb-dinm-fcfm-ns.php
hxxp://varjx .org/vnvy-vlcu_opvk-dgksnhstvpea-oyjv-rziq-cejhoubffvzoigvayevannbl_ramrtm-fyakxscnusgxcbbqkbwpnn.php


Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/23.0.1271.97 Safari/537.11


One day after these emails I started receiving others related to the Texas plant explosion, with exactly the same characteristics: