It’s unfortunate, but when the general public is captivated by a certain news story, cybercriminals are hard at work exploiting the publicity that the news attracts. Exploitation can take many forms. In the cybersecurity space, we often see fake news stories about trending topics floating around. Fake news is becoming a serious problem, and it is becoming harder to differentiate fake news from real news. Those fake news stories often have one sole purpose: to trick Internet users into clicking on a malicious link.
Such is the case right now. The public is captivated by content about the new royal baby – His Royal Highness Prince George of Cambridge – born to the Duke and Duchess of Cambridge on Tuesday.
This was the topic of a spam email campaign that purported to have been sent by CNN Breaking News. When users click on the link contained in the email, they are infected with a malicious Trojan that steals financial data from the user.
As Gary Warner explains in his blog post this morning, “As many sources reported earlier today, an email claiming to be from CNN’s “Scribbler” provided a link to “Watch Live Hospital Updates” of the Royal Baby.”
What do Harrison Ford, President Obama, and Edward Snowden have in common with The Royal Baby?
They were all subjects of fake “CNN Breaking News” stories delivered by spam email today. Those messages all contained links to malicious websites which automatically downloaded malware to users’ computers when clicked. In fact, PhishMe maintains a database of hundreds of copies of these and other similar emails; a small selection of the subject lines used in yesterday’s spam emails is listed below:
“Snowden able to leave Moscow airport” – BreakingNews CNN
“Harrison Ford on ‘Ender’s Game’ controversy: ‘Not an issue for me'”
“Obama speech to urge refocus”
“Perfect gift for royal baby … a tree?” – BreakingNews CNN
I’ve added spaces to the URLs for your protection – DO NOT VISIT ANY OF THOSE URLS!!! – Doing so will result in infection with malware.
(early morning version <== redirects to nphscards.com / topic / accidentally-results-stay.php )
index.html with MD5 = 958a887fcfcad89b3fdeea4b58e55905
ftp.thermovite.de / kurile / teeniest.js
traditionalagoonresort.com / prodded / televised.js
(afternoon version <== redirects to deltaboatraces.net / topic / accidentally-results-stay.php )
index.html with MD5 = bc73afe28fc6b536e675cea4ac468b7d
thealphatechnologies.com / advantageously / autopilots.js
atlas247.com / mussiest / syndicating.js
www.mshc.in / drubbing / mouthful.js
Since it was late in the day by the time I was able to review these myself, I infected myself with the afternoon version.
deltaboatraces.net == 188.8.131.52 and is still an active infector as of this timestamp.
I got a randomly named 297,472 byte file, detected by 11 of 46 Anti-Virus vendors at VirusTotal.com as Zeus.
Adobe Flash Player Update?
After infecting an end user, the website tries to trick the user into “upgrading Adobe Flash Player”, but while it appeared that I was on the correct Adobe site from the graphics, I was not.
After “installing” my Adobe update, my sandbox went crazy and also fetched malware from a number of different locations.
After the second infection, my sandbox went to “deltarivehouse.net / forum / viewtopic.php” (184.108.40.206) which caused a string of additional infections to occur. The initial infection was Zeus. Zeus is a well-known financial information-stealing malware, but also provides criminals with full remote-control capabilities of the infected computer. The purpose of the additional malware was for another form of malicious income generation.
“sainitravels.in” (220.127.116.11) to fetch “f7Qsfao.exe”
(VirusTotal: 8 of 46) – “Tepfor” or “Medfos” malware
“server1.extra-web.cz” (18.104.22.168) to fetch “dbm.exe”
(VirusTotal: 8 of 46)
“www.MATTEPLANET.com” (22.214.171.124) to fetch “q7ojEH7.exe”
(VirusTotal: 4 of 46)
“ictsolutions.net.au” (126.96.36.199) to fetch “SAQjaWu.exe”
(VirusTotal: 8 of 46)
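The indicator lines above, and the earlier index.html / .js list, are written with protective spaces around the slashes so nobody clicks them by accident. Before they can feed a proxy blocklist or a log search they have to be re-joined and typed. The following Python is an added example, not code from the post, from PhishMe or from Gary Warner: it parses the author's defanged lines (spaced-out URLs, "MD5 =" hashes, quoted hosts, "to fetch" file names and VirusTotal ratios) into structured indicators and then checks constructed proxy-log lines against them. The indicator values are copied from the post; the proxy-log format, the 10.0.0.x client addresses and the www.example.org request are constructed for the example.

```python
"""Added example (not code from the post): parse the post's defanged indicator
lines into structured IoCs and check proxy-log lines against them."""
from __future__ import annotations

import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Indicator lines copied from the write-up. The author inserted spaces around
# "/" so the URLs are not clickable; the parser below re-joins ("refangs") them.
DEFANGED_LINES = """\
(afternoon version <== redirects to deltaboatraces.net / topic / accidentally-results-stay.php )
index.html with MD5 = bc73afe28fc6b536e675cea4ac468b7d
thealphatechnologies.com / advantageously / autopilots.js
atlas247.com / mussiest /syndicating.js
www.mshc.in /drubbing / mouthful.js
“sainitravels.in” (220.127.116.11) to fetch “f7Qsfao.exe”
(VirusTotal: 8 of 46) – “Tepfor” or “Medfos” malware
“server1.extra-web.cz” (18.104.22.168) to fetch “dbm.exe”
(VirusTotal: 8 of 46)
"""

QUOTES = "\"\u201c\u201d"  # straight and curly double quotes as used in the post
MD5_RE = re.compile(r"\b[0-9a-fA-F]{32}\b")
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
VT_RE = re.compile(r"VirusTotal:\s*(\d+)\s*of\s*(\d+)")
FETCH_RE = re.compile(rf"to fetch\s*[{QUOTES}]([^{QUOTES}]+)[{QUOTES}]")
QUOTED_HOST_RE = re.compile(rf"[{QUOTES}]([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)[{QUOTES}]")
# A dotted host followed by one or more " / segment" groups with optional spaces.
DEFANGED_URL_RE = re.compile(
    r"(?P<host>[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)"
    r"(?P<path>(?:\s*/\s*[A-Za-z0-9_.-]+)+)")
FILE_EXTS = {"exe", "js", "php", "html", "dll"}  # quoted names ending in these are files, not hosts


@dataclass(frozen=True)
class Indicator:
    kind: str   # "url", "host", "md5", "ip", "file" or "vt"
    value: str


def refang(path: str) -> str:
    """Remove the protective spaces the author inserted around '/'."""
    return re.sub(r"\s+", "", path)


def parse_indicators(text: str) -> list[Indicator]:
    """Extract every indicator the post's line format carries, de-duplicated."""
    found: list[Indicator] = []
    for line in text.splitlines():
        for m in DEFANGED_URL_RE.finditer(line):
            host = m.group("host").lower()
            found.append(Indicator("url", host + refang(m.group("path"))))
            found.append(Indicator("host", host))
        for m in QUOTED_HOST_RE.finditer(line):
            name = m.group(1).lower()
            if name.rsplit(".", 1)[-1] not in FILE_EXTS:
                found.append(Indicator("host", name))
        found += [Indicator("md5", m.group(0).lower()) for m in MD5_RE.finditer(line)]
        found += [Indicator("ip", m.group(0)) for m in IP_RE.finditer(line)]
        found += [Indicator("file", m.group(1)) for m in FETCH_RE.finditer(line)]
        found += [Indicator("vt", f"{m.group(1)}/{m.group(2)}") for m in VT_RE.finditer(line)]
    return list(dict.fromkeys(found))  # de-duplicate, keep first-seen order


# Constructed proxy-log lines: timestamp, client, method, URL, status.
SAMPLE_PROXY_LOG = """\
2013-07-24T14:02:11Z 10.0.0.5 GET http://www.example.org/index.html 200
2013-07-24T14:03:40Z 10.0.0.5 GET http://deltaboatraces.net/topic/accidentally-results-stay.php 200
2013-07-24T14:03:42Z 10.0.0.5 GET http://atlas247.com/mussiest/syndicating.js 200
2013-07-24T14:05:09Z 10.0.0.7 GET http://sainitravels.in/f7Qsfao.exe 200
2013-07-24T14:05:30Z 10.0.0.7 GET http://18.104.22.168/dbm.exe 200
"""


def match_proxy_log(log_text: str, indicators: list[Indicator]) -> list[tuple[str, str, str, str]]:
    """Return (timestamp, client, host, reason) for every request touching an indicator."""
    urls = {i.value for i in indicators if i.kind == "url"}
    hosts = {i.value for i in indicators if i.kind == "host"}
    ips = {i.value for i in indicators if i.kind == "ip"}
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        ts, client, _method, url = parts[:4]
        split = urlsplit(url)
        host = (split.hostname or "").lower()
        if host + split.path in urls:
            hits.append((ts, client, host, "url"))    # exact malicious URL
        elif host in hosts:
            hits.append((ts, client, host, "host"))   # same host, other path
        elif host in ips:
            hits.append((ts, client, host, "ip"))     # request straight to the IP
    return hits


if __name__ == "__main__":
    inds = parse_indicators(DEFANGED_LINES)
    for i in inds:
        print(f"{i.kind:5} {i.value}")
    for ts, client, host, why in match_proxy_log(SAMPLE_PROXY_LOG, inds):
        print(f"HIT {ts} {client} -> {host} ({why})")
```

Matching on host as well as on the full URL matters here: the redirect chain rotates the path (the "early morning" and "afternoon" versions share "/topic/accidentally-results-stay.php" but the hosts differ), so a host-level block catches the next variant on the same infrastructure, while the exact URL match tells you which stage of the chain a client actually reached.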
Medfos, one of the malware names given to several of the above, is an “Advertisement redirection” malware campaign. Microsoft did a great job explaining how Medfos works in their blog post, Medfos – Hijacking Your Daily Search on the Microsoft Malware Protection Center – back in September. Some of the sites that seem to be related to this Medfos installation include “bidpenniesforgold.net” (IP: 188.8.131.52) and “webpayppcclick.com” (IP: 184.108.40.206).
According to our friends at Domain Tools, that last IP address is associated with a whole world of “Pay Per Click” fraud domains, including:
Hopefully, tying these malware samples to that activity can help someone clean up that mess! (Attention: Leaseweb!)