On the same day as the spam campaign that exploited the Boston tragedy to spread malware, we started to see a second wave of spam.
This campaign is making use of the explosion in the fertilizer plant in Waco, Texas, US.
The emails use the same template as before, with subjects such as “Waco explosion HD” and “Raw: Texas Explosion Injures Dozens”, and contain the same type of URL: an IP address followed by a file name.
After the redirects, the target websites show videos of the explosion and various interviews collected from YouTube.
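As an added illustration (not part of the original post), here is a small mail-triage check for the pattern just described: a campaign subject line combined with a link whose host is a bare IP address and whose path names a file. The subject strings are the ones quoted above; the sample messages and the 192.0.2.10 address are constructed for the example.

```python
import re
import ipaddress
from urllib.parse import urlparse

# Subject lines quoted in the post.
CAMPAIGN_SUBJECTS = {"Waco explosion HD", "Raw: Texas Explosion Injures Dozens"}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def ip_literal_links(body):
    """Return URLs in the body whose host is a bare IP address and whose
    path names a file (the 'IP address plus a file' shape of the campaign)."""
    hits = []
    for raw in URL_RE.findall(body):
        url = raw.rstrip(".,;)")          # drop trailing punctuation
        parsed = urlparse(url)
        try:
            ipaddress.ip_address(parsed.hostname or "")
        except ValueError:
            continue                      # host is a name, not an IP literal
        if parsed.path and parsed.path != "/":
            hits.append(url)
    return hits


def triage(subject, body):
    """'campaign' when subject and link shape both match, 'suspicious' when
    only an IP-literal file link is present, otherwise 'clean'."""
    links = ip_literal_links(body)
    if links and subject.strip() in CAMPAIGN_SUBJECTS:
        return "campaign", links
    if links:
        return "suspicious", links
    return "clean", []


# Constructed sample messages (192.0.2.10 is a documentation address).
SAMPLES = [
    ("Waco explosion HD", "Watch: http://192.0.2.10/news.html"),
    ("Weekly report", "Slides at http://192.0.2.10/deck.php ."),
    ("Waco explosion HD", "http://example.com/video.html"),
]


def run_samples():
    """Triage every sample and return the list of verdicts."""
    return [triage(s, b)[0] for s, b in SAMPLES]


if __name__ == "__main__":
    print(run_samples())
```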
The malicious payload is distributed in a similar way to the previous attack:
- Java exploit (shown in the picture below; it is no longer available on the remote site that was hosting it)
- dropped executable files
- 58971f985efb7ae05fc01d334719f427 *fuwqj.exe
- 3ef06bae42ba35e0a1a1da4a587b87da *lrwtv.exe
- 77b46f1e9c23632e8fe093e877df7523 *temp86.exe
- (and many others)
All Avira products detect these files as TR/Motsob.*, and the intermediate websites are detected as HTML/Blacole.* and HTML/iFrame.* (the ‘*’ indicates that there are many variants of the same malware).
Many thanks to Jason Soo from the VLAB in Kuala Lumpur for the quick analysis.
Sorin Mustaca