Royal Baby Spam and Malware Attack Happening Now

It’s unfortunate, but when the general public is captivated by a news story, cybercriminals are hard at work exploiting the publicity that the story attracts. Exploitation can take many forms. In the cybersecurity space, we often see fake news stories about trending topics floating around. Fake news is becoming a serious problem, and it is getting harder to tell fake stories from real ones. Those fake news stories often have one sole purpose: to trick Internet users into clicking on a malicious link.

Such is the case right now. The public is captivated by content about the new royal baby – His Royal Highness Prince George of Cambridge – born to the Duke and Duchess of Cambridge on Tuesday.

This was the topic of a spam email campaign that purported to have been sent by CNN Breaking News. When users click on the link contained in the email, they are infected with a Trojan that steals financial data from their computer.

As Gary Warner explains in his blog post this morning, “As many sources reported earlier today, an email claiming to be from CNN’s “Scribbler” provided a link to “Watch Live Hospital Updates” of the Royal Baby.”

What do Harrison Ford, President Obama, and Edward Snowden have in common with The Royal Baby?

They were all subjects of fake “CNN Breaking News” stories delivered by spam email today. Those messages all contained links to malicious websites which automatically downloaded malware to users’ computers when clicked. In fact, PhishMe maintains a database of hundreds of copies of these and other similar emails; a small selection of the subject lines used in yesterday’s spam emails is listed below:

“Snowden able to leave Moscow airport” – BreakingNews CNN
“Harrison Ford on ‘Ender’s Game’ controversy: ‘Not an issue for me'”
“Obama speech to urge refocus”
“Perfect gift for royal baby … a tree?” – BreakingNews CNN

To demonstrate the relatedness of the spam, the URLs that were used by each of the four campaigns are listed at the end of this article, labeled either “Snowden”, “Ender”, “Obama”, or “Tree”, corresponding to each of the four campaigns. We threw all of the advertised URLs into a fetcher and found malicious files at each of the destinations. The first link (from earlier in the day) pointed to two Javascript files that were used to redirect the visitor to an Exploit Kit that would cause malware to be dropped onto their computer. The second (later in the day, and still live at the time of writing) pointed to three Javascript files that redirected the user to a different Exploit Kit site.

I’ve added spaces to the URLs for your protection – DO NOT VISIT ANY OF THOSE URLS!!! – Doing so will result in infection with malware.

(early morning version <== redirects to nphscards.com / topic / accidentally-results-stay.php )
index.html with MD5 = 958a887fcfcad89b3fdeea4b58e55905
- which loads two Javascript files:
ftp.thermovite.de / kurile / teeniest.js
traditionalagoonresort.com / prodded / televised.js
(afternoon version <== redirects to deltaboatraces.net / topic / accidentally-results-stay.php )
index.html with MD5 = bc73afe28fc6b536e675cea4ac468b7d
- which loads three Javascript files:
thealphatechnologies.com / advantageously / autopilots.js
atlas247.com / mussiest / syndicating.js
www.mshc.in / drubbing / mouthful.js

Since it was late in the day by the time I was able to review these myself, I infected myself with the afternoon version.
deltaboatraces.net == 173.246.104.136 and is still an active infector as of this timestamp.
I got a randomly named 297,472 byte file, detected by 11 of 46 Anti-Virus vendors at VirusTotal.com as Zeus.

Adobe Flash Player Update?

After infecting an end user, the website tries to trick the user into “upgrading Adobe Flash Player”, but while it appeared that I was on the correct Adobe site from the graphics, I was not.

After “installing” my Adobe update, my sandbox went crazy and also fetched malware from a number of different locations.

After the second infection, my sandbox went to “deltarivehouse.net / forum / viewtopic.php” (173.246.104.136) which caused a string of additional infections to occur. The initial infection was Zeus. Zeus is a well-known financial information-stealing malware, but also provides criminals with full remote-control capabilities of the infected computer. The purpose of the additional malware was another form of malicious income generation.

“sainitravels.in” (204.11.58.185) to fetch “f7Qsfao.exe” (VirusTotal: 8 of 46) – “Tepfor” or “Medfos” malware
“server1.extra-web.cz” (212.80.69.55) to fetch “dbm.exe” (VirusTotal: 8 of 46)
“www.MATTEPLANET.com” (208.86.184.10) to fetch “q7ojEH7.exe” (VirusTotal: 4 of 46)
“ictsolutions.net.au” (27.124.120.1) to fetch “SAQjaWu.exe” (VirusTotal: 8 of 46)
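A defender-side check for the chain described above (landing page, redirector scripts from unrelated hosts, exploit-kit landing page, then a fake “Flash update” executable), written here as an added example and not part of the original post: it runs over constructed proxy-log lines, flags the indicators quoted above, and separately flags the behavioural pattern so the check still fires when the hosts change. The log format, the lookalike news host and the EXE filename are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Indicators quoted in the write-up above (joined back into plain hostnames).
EK_HOSTS = {"nphscards.com", "deltaboatraces.net", "deltarivehouse.net"}
EK_PATH = "/topic/accidentally-results-stay.php"
# Constructed log format: "<date> <time> <client-ip> <url> <response-content-type>"
LINE_RE = re.compile(r"^(\S+ \S+) (\S+) https?://([^/\s]+)(/\S*)? (\S+)$")

def parse(line):
    """Return (timestamp, client, host, path, content-type), or None for a bad line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, client, host, path, ctype = m.groups()
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), client, host.lower(), path or "/", ctype

def analyse(lines, window=timedelta(minutes=2)):
    """Return {client: [alerts]} for clients whose traffic matches the chain."""
    per_client = defaultdict(list)
    for rec in filter(None, map(parse, lines)):
        per_client[rec[1]].append(rec)
    alerts = defaultdict(list)
    for client, recs in per_client.items():
        recs.sort()
        for i, (ts, _, host, path, ctype) in enumerate(recs):
            if host in EK_HOSTS or path == EK_PATH:  # known-indicator match
                alerts[client].append(f"known exploit-kit host/path {host}{path}")
            if ctype != "text/html":
                continue
            # Behavioural check: HTML page, then scripts from >=2 other hosts, then an EXE not served by Adobe
            later = [r for r in recs[i + 1:] if r[0] - ts <= window]
            js_hosts = {r[2] for r in later if r[4] == "application/javascript" and r[2] != host}
            exe = [r for r in later if r[4] == "application/x-msdownload"
                   and not r[2].endswith("adobe.com")]
            if len(js_hosts) >= 2 and exe:
                alerts[client].append(f"drive-by chain: {host}{path} -> scripts from "
                                      f"{sorted(js_hosts)} -> executable from {exe[0][2]}")
    return dict(alerts)

# Constructed sample log modelled on the afternoon chain; lookalike host and EXE name are placeholders.
SAMPLE_LOG = """\
2013-07-23 15:01:02 10.0.0.5 http://news-lookalike.example/index.html text/html
2013-07-23 15:01:03 10.0.0.5 http://thealphatechnologies.com/advantageously/autopilots.js application/javascript
2013-07-23 15:01:03 10.0.0.5 http://atlas247.com/mussiest/syndicating.js application/javascript
2013-07-23 15:01:04 10.0.0.5 http://deltaboatraces.net/topic/accidentally-results-stay.php text/html
2013-07-23 15:01:09 10.0.0.5 http://deltaboatraces.net/flash_update.exe application/x-msdownload
2013-07-23 15:02:00 10.0.0.9 http://www.example.org/ text/html
""".splitlines()
```

Calling `analyse(SAMPLE_LOG)` reports the infected client only; the benign client produces no alert because no second-host scripts or executable follow its page load.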

Medfos, one of the malware names given to several of the above, is an “Advertisement redirection” malware campaign. Microsoft did a great job explaining how Medfos works in their blog post, Medfos – Hijacking Your Daily Search on the Microsoft Malware Protection Center – back in September. Some of the sites that seem to be related to this Medfos installation include “bidpenniesforgold.net” (IP: 50.63.25.37) and “webpayppcclick.com” (IP: 85.17.147.34).

According to our friends at Domain Tools, that last IP address is associated with a whole world of “Pay Per Click” fraud domains.
Hopefully, tying these malware samples to that activity can help someone clean up that mess! (Attention: Leaseweb!)

What Trend Micro’s research means for organizations

Trend Micro has just published research confirming what we at PhishMe already knew: spear phishing is the top threat to enterprise security. Trend Micro’s report estimates that spear phishing accounts for 91% of targeted attacks, making it the most prevalent method of introducing advanced persistent threats (APTs) into corporate and government networks. Industry recognition of the severity of the dangers posed by spear phishing is always a positive development, but merely acknowledging the problem doesn’t provide a solution.

Fortunately, many of the underlying issues Trend Micro identifies are problems PhishMe is already helping our customers address.