Cyber Criminals Exploiting the Boston Marathon Aftermath [UPDATED]

While the world recoils in shock at the horrifying events at Monday’s Boston Marathon, cybercriminals are actively seeking to exploit people’s thirst for information and eagerness to help those affected by the attacks.

The Websense ThreatSeeker® Intelligence Cloud is currently detecting and blocking multiple email-borne campaigns that attempt to lure unsuspecting recipients to malicious websites in order to exploit their machines for criminal gains.

Let’s follow this campaign through the 7 Stages of Advanced Threats (as explained in our whitepaper) to see how cyber-criminals attempt to dupe and compromise users and their machines. We’ll also show that breaking any one link in the chain can protect potential victims.

 

Stage 1: Reconnaissance

This campaign, like many other topical or event-based campaigns, attempts to propagate as widely as possible, rather than being directed at specific individuals or organizations. Given this, those behind the nefarious campaign simply have to identify a news story with global appeal (in this case, Monday’s events), and then propagate their lure to as many people as possible.

 

Stage 2: Lure

Preying on human curiosity, in particular after a significant event, the lure is designed to get as many victims onto the hook as possible. In the email campaigns being monitored by Websense® Security Labs™, the email subjects have been designed to suggest that the message contains information or news regarding the events:

  • 2 Explosions at Boston Marathon
  • Aftermath to explosion at Boston Marathon
  • Boston Explosion Caught on Video
  • BREAKING – Boston Marathon Explosion
  • Explosion at the Boston Marathon
  • Explosions at Boston Marathon
  • Explosions at the Boston Marathon
  • Runner captures. Marathon Explosion
  • Video of Explosion at the Boston Marathon

The message body itself, in most cases, contains a single URL in the format http://<IP Address>/news.html or http://<IP Address>/boston.html with no further detail or information. At this point, the recipient is lured to click on the malicious link, which ushers them on to stage 3.

 

Stage 3: Redirect

Having clicked the link, the unwitting victim is presented with a page containing YouTube videos of the horrific events (intentionally obscured below) while an iframe redirects them to an exploit page.

 

Stage 4 – Exploit Kit

Based on an analysis of a sample set of the malicious URLs seen in this campaign so far, the RedKit Exploit Kit has been used to, in our case, exploit an Oracle Java 7 Security Manager Bypass vulnerability (CVE-2013-0422) in order to deliver a file onto our analysis machine.

 

Stage 5 – Dropper File

Rather than using a dropper file, which contains the malicious code within itself and often packed to prevent detection by antivirus signatures, this campaign uses a downloader belonging to the Win32/Waledac family which is used to download further malicious binaries. In this case, two bots named Win32/Kelihos and Troj/Zbot are downloaded and installed on the compromised machine in order to join it to the cyber-criminals’ bot network.

 

Stage 6 – Call Home / Stage 7 – Data Theft

Once the compromised machine is under the control of the cyber-criminal, the bots call home, which allows remote commands to be issued and for data to be sent and received. Common abuses of a compromised machine include data collection and exfiltration, such as the theft of financial and personal information. Other abuses include the sending of unsolicited email or the unwilling participation in Distributed Denial of Service attacks.

 

 

Websense customers are protected by ACE™, our Advanced Classification Engine, against cyber threats of this nature.  In addition to blocking lures at stage 2 before they reach end-users, access to malicious destinations throughout stages 3 through 6 are denied which, combined with data loss controls to protect against stage 7, help to ensure that your data stays where it belongs and not in the hands of an attacker.

Our thoughts are with the victims and their families at this time. While these cyber abuses are minor by comparison, users can help protect themselves by sourcing the news directly from reputable news agencies. Should you want to donate (be that blood to local hospitals or money to assisting organizations), be sure to visit official websites rather than following links that appear in your mailbox.

 

 

[Update]

 

Thursday, April 18, 2013:

The campaign quickly evolved to match the latest news from the Texas fertilizer plant explosion.

The emails are similar, but use texas.html instead of boston.html path.

 

Subjects lines include:

 

  • Texas Plant Explosion
  • Raw: Texas Explosion Injures Dozens
  • Texas Explosion Injures Dozens
  • CAUGHT ON CAMERA: Fertilizer Plant Explosion
  • Waco Explosion HD
  • Video footage of Texas explosion
  • Plant Explosion Near Waco, Texas
  • West Tx Explosion

 

 

The lure pages have updated titles, but the rest is similar:

 

 

Websense Security Labs will continue to monitor this campaign.

Margaret Thatcher’s Death Used in Cyber Attacks

As the world remembers former British Prime Minister Margaret Thatcher, cyber attackers are participating too, but in their own tricky ways. Websense® Security Labs™ and the Websense ThreatSeeker® Intelligence Cloud have detected that attackers are sending malicious email spam with a topic referencing the death of Mrs. Thatcher. Actually, it is not new for an attacker to use a hot topic (like the death of Hugo Chavez) to spread malware. In this case, the lure email is very simple, with just a few words related to Mrs. Thatcher, but it pretends to be from your friends by using the “Re:
Fwd:” notation
. Internet-savvy customers will know that it looks suspicious and should not be tempted to click the link in the email.

 

 

When recipients click the malicious link, they are taken to a redirection page first, and then redirected to a Blackhole Exploit Kit landing page. The landing page detects the browser and plugin information in the client, and then serves the vulnerability file based on the plugin information. The final payload is a Cridex trojan, as seen in our ThreatScope™ report and in the VirusTotal report here.  Cridex is known in breaking CAPTCHA codes and you can see this trojan in action on our previous blog here.

 

Server-side polymorphic technology has been applied to evade traditional AV detection. 

 

 

It is not the first time we have seen the Blackhole malicious email campaign. It has evolved over time in combination with hot topics like the current crisis in Korea or major companies filing for bankruptcy. Please be careful about any email that contains 1 of  the following subjects:


Fwd: Dollar Bank bankruptcy

Re: Shedding light on ‘dark matter’

Re: Why Washington is corrupt

Re: Kissinger: Thatcher’s strong beliefs

Re: Tax havens busted

Fwd: Re: First Citizens Bank bankruptcy

Fwd: Re: Living large in Don Draper’s New York

Fwd: Re: Kissinger: Thatcher’s strong beliefs

Re: Fwd: California Bank & Trust bankruptcy

Fwd: Re: Bank of America bankruptcy

Fwd: Allowing knives on planes is ‘insane’

Fwd: Re: War with N. Korea

Fwd: Air Canada goes ‘Gangnam style’

Fwd: Re: NASA plans to catch an asteroid

Re: Fwd: Dollar Bank bankruptcy

Fwd: Why Washington is corrupt

Fwd: Blast kills 29 on bus in New-York

Fwd: Shedding light on ‘dark matter’

Fwd: Re: Marikana massacre aftermath

Re: Fwd: Kissinger: Thatcher’s strong beliefs

Fwd: Re: PNC Bank bankruptcy

Re: Fwd: Bank Of The West bankruptcy

Re: Fwd: M&I Bank bankruptcy

Re: Bank Of The West bankruptcy

Fwd: Bank Of The West bankruptcy

Re: Fwd: PNC Bank bankruptcy

Re: Bank of America bankruptcy

Re: Fwd: War with N. Korea

Re: California Bank & Trust bankruptcy

Re: Blast kills 29 on bus in New-York

Re: Fwd: Blast kills 29 on bus in New-York

Re: Sending out SOS for ‘America’s flagship’

Re: Fwd: Marikana massacre aftermath

Re: Living large in Don Draper’s New York

Re: War with N. Korea

Fwd: Re: Death penalty ‘harms Bali’s reputation’

Re: Fwd: Death penalty ‘harms Bali’s reputation’

Re: PNC Bank bankruptcy

Re: NASA plans to catch an asteroid

Re: Northern Trust Bank bankruptcy

Fwd: Tax havens busted

Re: Fwd: Why Washington is corrupt

Re: Fwd: Tax havens busted

Fwd: M&I Bank bankruptcy

Re: Fwd: Fashion designer Lilly Pulitzer dies

Re: First Citizens Bank bankruptcy

Re: Fwd: Shedding light on ‘dark matter’

Re: Fwd: Living large in Don Draper’s New York

Re: Fwd: Northern Trust Bank bankruptcy

Fwd: Re: California Bank & Trust bankruptcy

Re: Air Canada goes ‘Gangnam style’

Re: Fashion designer Lilly Pulitzer dies

Re: Dollar Bank bankruptcy

Fwd: Sending out SOS for ‘America’s flagship’

 

Websense technologies can protect customers in a multi-stage attack:

  • Websense email security blocks the malicious email.
  • Our Advanced Classification Engine (ACE™) detects the malicious content both in redirection and in the exploit page with real-time intelligence.
  • Vunlerability files and the payload trojan are detected by Websense Gateway products.
  • Websense technologies can identify malicious droppers both statically and behaviorally (via Websense ThreatScope).