The email

The structure of the displayed URL is always the same:
http ://IP-address/news.html or http ://IP-address/boston.html

The subject lines vary but are always related directly to Boston. Here are some examples in alphabetical order:

• 2 Explosions at Boston Marathon
• Aftermath to explosion at Boston Marathon
• Boston Explosion Caught on Video
• BREAKING – Boston Marathon Explosion
• Explosion at Boston Marathon
• Explosions at the Boston Marathon
• Video of Explosion at the Boston Marathon 2013

The website

A click on the link in this email opens a website that appears to be full of YouTube videos on the events in Boston. The five videos shown, which are integrated into the site using an iframe, are legitimate and work.

The sixth box, which also uses an iframe to integrate HTML code into the site, however, starts something entirely different: a primed Java applet. If the Java applet is executed in the browser and the Java version installed on the computer is older than version 7 update 11, the victim is in trouble. A Java exploit is sent to the client (CVE-2013-0422), exploits the vulnerability and installs malware, the so-called payload, on the computer. The G Data SecurityBlog already reported about this vulnerability at the beginning of 2013.

Another attack option

If users spend more than 60 seconds on the website with the videos, they are automatically redirected to a new address, an executable file disguised as a video, which is downloaded automatically. The URL currently has the following format: http ://IP-address/boston.avi_______.exe

The supplied malware

Initial analyses discovered two different payloads. Of course it is impossible to exclude the possibility that there might or will be additional variants. The attackers can easily replace the desired malware code.

Payload variant 1 – the password thief

The malicious function of this sample is varied but has some components that stand out at first glance. Among other things, it collects the passwords that are stored on the victim’s hard drive in unencrypted form, e.g. for the Filezilla FTP program or for the Firefox browser.
The collected passwords are then most likely sent to a predefined server. However, they are transferred in encrypted form, hence the exact content of the transferred data could be determined. Another function is the analysis of network traffic.

What makes things worse is that the malware also includes spam bot functions and, once the PC has been infected, spreads the fateful email that started it all. The IP address used in the email changes but the approach for the different variants does not.
It is not yet clear whether the malware code uses the user’s contacts for sending spam messages or whether the target addresses come from another source, such as the contacted server.

Payload variant 2 – the blackmail variant

The analysed sample did not do anything for a few minutes but then it used ransomware, a GVU Trojan, to lock the computer.

If that wasn’t bad enough for the victim, this malware also sends out emails pretending to contain news in the style of a spam bot, as described above, and thus tries to lure additional victims into the trap.

Protection against attacks

• An up-to-date comprehensive security solution with a malware scanner, firewall, web and real-time protection is an absolute must. A spam filter that protects you from unwanted spam emails also makes sense.
• The installed operating system, browser and its components as well as the security solution installed should always be kept up-to-date. Program updates should be installed immediately to close existing security vulnerabilities.
• In your web browser, we recommend deactivating the execution of plug-ins, scripts and also most advertising content by default and activating them only as needed. You can make these settings in the browser or use appropriate browser enhancements.
• You should not click on links or file attachments in emails and social networks without pausing to think first. The files or website could be infected with malicious code. If a message from a friend seems strange, users should first check if it’s authentic.
• Oracle’s Java, in particular, is frequently targeted by cyber attackers. We therefore recommend keeping a close eye on your Java installation. For more information on this subject, see "Using Java safely" (German site) in the G Data SecurityLabs section of our website.

**** UPDATE, 18.04.2013, 5:15 p.m. ***

The attackers have chosen another event to promote their spam campaign. Besides the alleged news regarding the Boston Marathon, reports about the explosion in a fertility plant in Texas are now used to lure victims.

The emails sent do not essentially differ from the ones sent before – only the subject lines changed. Here is a selection of the subject lines we currently see:

• CAUGHT ON CAMERA: Fertilizer Plant Explosion Near Waco, Texas
• Fertilizer Plant Explosion Near Waco, Texas
• Raw: Texas Explosion Injures Dozens
• Texas Plant Explosion
• Texas Explosion Injures Dozens
• Texas Plant Explosion
• Video footage of Texas explosion

The structure of the URLs displayed remains the same. In addition to http :// IP-Adresse/news.html we now also see http :// IP-Adresse/texas.html.

The appearance of the website opened is identical to the one mentioned above. Obviously, the videos were edited to display the events in Texas and the source of the Java applet also varies.