Examining Malware Bred by Boston Tragedy

Whenever there is a major news event, from tragedies to British royal weddings, someone uses the opportunity for malicious gain. The recent Boston tragedy is no different. Researchers have found many sites offering videos of the event, or news about the possible identification of the attacker, that actually hide malicious iframes or redirects. Links to these sites and files are being distributed across the internet via email and instant messaging, and they lead to everything from a BlackHole exploit kit landing page to downloads of fake videos that are actually ransomware. Below is one of the samples that was analyzed.

Here are the iframes behind the screenshots above. Five of them point to a legitimate video host (YouTube), but the one that displays no content actually points to a malicious site that attempts to download two files and then redirects the visitor on to other malicious sites.

Good video iframe:
<iframe src="http://www.youtube.com/embed/7ooIDyTZ-Zs" width="640" height="360"></iframe>

Malicious iframe:
<iframe src="http://thecubeconf.com/hhsq.html" width="640" height="360"></iframe>

Note that the malicious iframe is given the same 640x360 dimensions as the real embeds, so nothing about its markup stands out except the host it loads from. When the malicious iframe URL was run through a malware sandbox, we saw the following information:
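The check a responder would want here is a quick way to pull every iframe out of a suspect page and flag the ones whose src host is not a known embed provider, or that are hidden or sized so they render no visible content. The following script is an added example, not code from the original write-up. The HTML it scans is a constructed stand-in for the analysed page (the real YouTube embed and the thecubeconf.com iframe quoted above, plus placeholder YouTube IDs and a constructed hidden 1x1 iframe on a made-up host), and the embed allowlist is an assumption you would tune per site.

```python
"""Flag iframes that do not point at an allowlisted embed host, or that are hidden.

Added example, not part of the original analysis. SAMPLE_HTML is constructed:
the first and fourth iframes reproduce the two quoted in the write-up, the
other YouTube IDs are placeholders, and hidden.invalid is a made-up host.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: hosts this site legitimately embeds video from.
EMBED_ALLOWLIST = {"www.youtube.com", "youtube.com", "www.youtube-nocookie.com"}

SAMPLE_HTML = """
<html><body>
<h1>Boston Marathon Explosion Video</h1>
<iframe src="http://www.youtube.com/embed/7ooIDyTZ-Zs" width="640" height="360"></iframe>
<iframe src="http://www.youtube.com/embed/placeholder1" width="640" height="360"></iframe>
<iframe src="http://www.youtube.com/embed/placeholder2" width="640" height="360"></iframe>
<iframe src="http://thecubeconf.com/hhsq.html" width="640" height="360"></iframe>
<iframe src="http://hidden.invalid/x.html" width="1" height="1" style="visibility: hidden"></iframe>
</body></html>
"""


class IframeCollector(HTMLParser):
    """Collect the attribute dict of every <iframe> start tag in the document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            # attrs arrives as a list of (name, value) pairs; names are lowercased
            self.iframes.append(dict(attrs))


def extract_iframes(html):
    parser = IframeCollector()
    parser.feed(html)
    parser.close()
    return parser.iframes


def is_hidden(attrs):
    """True if the iframe is styled invisible or sized so it shows nothing."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    try:
        width = int(attrs.get("width") or "1")
        height = int(attrs.get("height") or "1")
    except (ValueError, TypeError):
        return False
    return width <= 1 or height <= 1


def classify_iframes(html, allowlist=EMBED_ALLOWLIST):
    """Return one record per iframe with the reasons (if any) it looks suspicious."""
    results = []
    for attrs in extract_iframes(html):
        src = attrs.get("src") or ""
        host = (urlparse(src).hostname or "").lower()
        reasons = []
        if host not in allowlist:
            reasons.append("host not in embed allowlist")
        if is_hidden(attrs):
            reasons.append("iframe hidden or near-zero size")
        results.append({"src": src, "host": host,
                        "suspicious": bool(reasons), "reasons": reasons})
    return results


def suspicious_hosts(html, allowlist=EMBED_ALLOWLIST):
    """Sorted list of distinct hosts worth pivoting on (sandboxing, passive DNS)."""
    return sorted({r["host"] for r in classify_iframes(html, allowlist) if r["suspicious"]})


if __name__ == "__main__":
    for record in classify_iframes(SAMPLE_HTML):
        flag = "SUSPECT" if record["suspicious"] else "ok     "
        print(f"{flag} {record['src']}  {'; '.join(record['reasons'])}")
    print("hosts to pivot on:", suspicious_hosts(SAMPLE_HTML))
```

The allowlist check is what catches the thecubeconf.com iframe, since it is visually indistinguishable from the YouTube embeds; the hidden-size check is there because the same campaigns frequently use 1x1 or display:none iframes, and a page that fails either test is a candidate for the sandbox run described next.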

The associated malware modifies DNS entries and the browser start page, then downloads two more files related to a Java exploit that pushes additional malware in the usual PPI (pay-per-install) style.

The following files are downloaded:

1.) 70E693A2DB.exe, which connects out to ymvuchyq.ru (159.224.226.211) to download newbos3.exe, which in turn redirects to all of these domains:

2.) 8837BAA117.exe, which communicates with domains that host additional malicious code or redirects. Some of these are legitimate sites that were compromised for this campaign, or were compromised earlier and are simply being repurposed. These domains include:

thehookahhookup.net – 184.168.52.62
gowithcasanova.com – 66.96.147.102
parkwaykc.org – 66.96.134.6
glidercollection.com – 184.168.52.62
americanweighwholesale.com – 184.168.52.62

Note that three of the five resolve to the same address, 184.168.52.62, which points to shared hosting rather than attacker-owned infrastructure. These are all common methods of infection and distribution. What was analyzed and shown above is typical of today's malware-as-a-business world. Attackers consistently take advantage of recent news that people will search for (or craft new news stories and push them to aggregators like reddit), abuse search engine optimization tricks and keywords, or compromise legitimate news sites to get these pages to the top of the search results, all to push a pay-per-install campaign.