The Latest in IT Security

Emails with malicious links exploit the explosion in Waco,Texas

19 Apr 2013

On the same day as the spam campaign that used the Boston tragedy to spread malware, we started to see a second wave of spam.

This campaign uses the fertilizer plant explosion in Waco, Texas, US.

The emails follow the same template as before, with subjects such as “Waco explosion HD”, “Raw: Texas Explosion Injures Dozens” and others, and contain the same type of URL: a bare IP address followed by a file name.


After the redirects, the landing pages show videos of the explosion and various interviews collected from YouTube.

The malicious payload is distributed in the same way as in the previous attack:

  • Java exploit (shown in the picture below; the files are no longer available on the remote site that was hosting them)
    • 47dc82e5b451bce5f40fa8dc890310d5 *Anau.class
    • 69333fdd3aaab29ed4bcdfaa42ed8e28 *barks.class
    • 5b84ea75fb42a1953a4c5bef516f873e *Code.class
    • 00954374c3a4e6cfc2823850c02a83c8 *Doitfore.class
    • 763ff5e1a1ad65dc8c1e21a13c484154 *Hluiak.class
    • 975bc1f970f661d6da16c26fb27f8c3c *Hujter.class
    • 254d4b4a61a5ab90192994a7f9a79491 *Kivib.class
    • dccfc30208ef0d4a6a4ade01666355b8 *Monoa.class
    • 4a3c45a062fe7a88a2e4ecdb52678542 *Nespeho.class
    • f67c5de1b1691ed989921db0d8ba8fe3 *OItyep.class
    • b82e7b290e5c0c3f0c9251d0c8a4bc17 *Senna.class
    • 90d24d49c3d8188690a3c03262f8a55a *Szux.class
    • (and many others)
  • dropped executable files
    • 58971f985efb7ae05fc01d334719f427 *fuwqj.exe
    • 3ef06bae42ba35e0a1a1da4a587b87da *lrwtv.exe
    • 77b46f1e9c23632e8fe093e877df7523 *temp86.exe
    • (and many others)


All Avira products detect these files as TR/Motsob.*, and the intermediate websites are detected as HTML/Blacole.* and HTML/iFrame.* (‘*’ means that there are many variants of the same malware).
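As an added example, not code from the original post or from Avira, here is a small Python triage script that encodes the two indicators described above: the campaign subject lines and the bare-IP-plus-file-name URL in the mail body, and an md5sum-style cross-check of local files against the published hashes. The sample email, the 203.0.113.10 and 198.51.100.7 addresses (documentation ranges) and the md5sum output lines are constructed for illustration; the IOC table holds a subset of the hashes listed in this post.

```python
import hashlib
import re
from ipaddress import ip_address

# Subset of the MD5 hashes published above (constructed lookup table;
# the post notes there are "many others").
IOC_MD5 = {
    "47dc82e5b451bce5f40fa8dc890310d5": "Anau.class",
    "58971f985efb7ae05fc01d334719f427": "fuwqj.exe",
    "3ef06bae42ba35e0a1a1da4a587b87da": "lrwtv.exe",
    "77b46f1e9c23632e8fe093e877df7523": "temp86.exe",
}

# Subject lines quoted in the post, compared case-insensitively.
KNOWN_SUBJECTS = {"waco explosion hd", "raw: texas explosion injures dozens"}

# host (no '/', ':' or whitespace), optional :port, optional path
URL_RE = re.compile(r"https?://([^/\s:]+)(?::\d+)?(/[^\s\"'<>]*)?", re.I)
# a path whose last segment looks like a file name (e.g. /news.html, /index.php)
FILE_PATH_RE = re.compile(r"/[^/]+\.[A-Za-z0-9]{1,5}$")


def is_ip_host(host):
    """True if the URL host is a literal IPv4/IPv6 address rather than a name."""
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def suspicious_urls(text):
    """Return URLs whose host is a bare IP address and whose path names a file."""
    hits = []
    for m in URL_RE.finditer(text):
        host, path = m.group(1), m.group(2) or ""
        if is_ip_host(host) and FILE_PATH_RE.search(path):
            hits.append(m.group(0))
    return hits


def classify_email(subject, body):
    """Score one message against the campaign indicators: (verdict, reasons)."""
    reasons = []
    if subject.strip().lower() in KNOWN_SUBJECTS:
        reasons.append("known campaign subject")
    urls = suspicious_urls(body)
    if urls:
        reasons.append("bare-IP URL with file name: " + ", ".join(urls))
    return ("suspicious" if reasons else "clean", reasons)


def md5_hex(data):
    """MD5 hex digest of raw bytes, matching the format of the published list."""
    return hashlib.md5(data).hexdigest()


def parse_md5sum(output):
    """Parse `md5sum -b` style lines ('<md5> *<name>') into (md5, name) pairs."""
    pairs = []
    for line in output.splitlines():
        m = re.match(r"^([0-9a-fA-F]{32})\s+\*?(.+)$", line.strip())
        if m:
            pairs.append((m.group(1).lower(), m.group(2)))
    return pairs


def match_iocs(output):
    """Return [(local_name, ioc_name)] for local files whose MD5 is in IOC_MD5."""
    return [(name, IOC_MD5[h]) for h, name in parse_md5sum(output) if h in IOC_MD5]


# Constructed sample input: one lure message and md5sum output of a quarantine folder.
SAMPLE_EMAIL = {
    "subject": "Waco explosion HD",
    "body": "Watch it here: http://203.0.113.10/news.html\nRegards",
}
SAMPLE_MD5SUM = """\
58971f985efb7ae05fc01d334719f427 *quarantine/a1.bin
d41d8cd98f00b204e9800998ecf8427e *quarantine/empty.bin
"""

if __name__ == "__main__":
    print(classify_email(SAMPLE_EMAIL["subject"], SAMPLE_EMAIL["body"]))
    print(match_iocs(SAMPLE_MD5SUM))
```

The URL check deliberately requires both a literal IP host and a file-like final path segment, so a link to a bare IP root or to a named host does not trip it; pipe `md5sum -b` output from a quarantine directory into `match_iocs` to find dropped files by hash.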

Many thanks to Jason Soo from the VLAB in Kuala Lumpur for the quick analysis.

Sorin Mustaca

IT Security Expert


