Boston bomb blast video spam – RedKit (April 17, 2013)
The Dell SonicWALL Threats Research team has discovered a new malware spam campaign taking advantage of the recent Boston marathon bomb blast news. The e-mail messages contain a malicious URL that leads to a RedKit Exploit Kit hosting site which serves various exploits eventually infecting the victim machine with multiple malware families.
The spam campaign started late yesterday – April 16, 2013 – and is still active at the time of writing this Alert. We have captured more than 41,000 copies of e-mails from this spam attack so far, as seen below:
Infection Cycle:
An e-mail arrives using one of the above Subjects, pretending to contain a URL to a video of the Boston marathon blast. The e-mail message body contains a URL which leads to an HTML page containing six iframes: five of them point to legitimate YouTube videos and the last one points to a malicious RedKit exploit site, as seen below:
If the user clicks the URL inside the e-mail, it will open the following page and trigger the RedKit exploit kit infection cycle.
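One defensive way to triage a lure page built like this is to enumerate its iframes and flag any frame whose host is outside the expected set or that is sized to be invisible. The script below is an added example, not SonicWALL's code; the YouTube allowlist, the sample page and the exploit-kit hostname in it are constructed placeholders, not indicators from this campaign.

```python
"""Triage iframes in an HTML page: flag frames whose host is outside an
allowlist or that are hidden (near-zero size / display:none), the pattern
of the lure page described above (five YouTube embeds plus one exploit-kit
frame). Sample page and hostnames are constructed placeholders."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allowlist of hosts the page is expected to embed.
EXPECTED_HOSTS = {"www.youtube.com", "youtube.com"}


class IframeCollector(HTMLParser):
    """Collect the attribute dict of every <iframe> start tag."""
    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append(dict(attrs))


def _is_hidden(attrs):
    """1x1 or zero-size frames and display:none styles are classic hiding tricks."""
    try:
        w = int(attrs.get("width") or "100")
        h = int(attrs.get("height") or "100")
    except ValueError:
        w = h = 100
    style = (attrs.get("style") or "").replace(" ", "").lower()
    return w <= 1 or h <= 1 or "display:none" in style or "visibility:hidden" in style


def triage_iframes(html, expected_hosts=EXPECTED_HOSTS):
    """Return a list of (src, reasons) for every iframe that looks suspicious."""
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src") or ""
        host = urlparse(src).hostname or ""
        reasons = []
        if host not in expected_hosts:
            reasons.append("host not in allowlist")
        if _is_hidden(attrs):
            reasons.append("hidden or near-zero-size frame")
        if reasons:
            findings.append((src, reasons))
    return findings


# Constructed lure page: five YouTube embeds plus one 1x1 frame pointing at
# a placeholder host (ek-landing.invalid) standing in for the exploit-kit site.
SAMPLE_PAGE = (
    "<html><body>"
    + "".join(f'<iframe width="420" height="315" src="http://www.youtube.com/embed/vid{i}"></iframe>'
              for i in range(5))
    + '<iframe width="1" height="1" src="http://ek-landing.invalid/news.php"></iframe>'
    + "</body></html>"
)

if __name__ == "__main__":
    for src, reasons in triage_iframes(SAMPLE_PAGE):
        print(src, "->", "; ".join(reasons))
```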
During our analysis, we saw a malicious JAR applet being served by the RedKit site, which led to the download of a new Tepfer variant. The Tepfer variant then downloads a new P2P Zbot variant and a ransomware component onto the victim machine.
Network requests observed on the victim machine:
It drops the following malicious executables on the victim machine:
- %Temp%\alifna.exe [Detected as GAV: Zbot.USBV (Trojan)]
- %Temp%\coppe.exe [Detected as GAV: Zbot.KLRY (Trojan)]
- %Temp%\temp91.exe [Detected as GAV: Zbot.USBV (Trojan)]
It creates the following value in the Windows registry so that the infection persists across system reboots:
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SonyAgent: "%Temp%\temp91.exe"
Dell SonicWALL Gateway AntiVirus provides protection against this threat with the following signatures:
- GAV: Redkit.BS (Exploit)
- GAV: Zbot.USBV (Trojan)
- GAV: Zbot.KLRY (Trojan)