Within a short time period of less than 24 hours, cybercriminals have already taken advantage of Monday’s explosion at the Boston Marathon as a newsworthy item. My colleague Mary Ermitano-Aquino noted a spam outbreak of more than 9,000 Blackhole Exploit Kit spammed messages, all related to the said tragedy that killed at least three people and injured many more. Some of the spammed messages used the subjects “2 Explosions at Boston Marathon,” “Aftermath to explosion at Boston Marathon,” “Boston Explosion Caught on Video,” and “Video of Explosion at the Boston Marathon 2013″ to name a few. Below is a spam sample she found:
Figure 1. Sample spam email related to the Boston Marathon blast
The spammed message only contains the URL http://{BLOCKED}/boston.html , but once you click it, it displays a web page with an embedded video, supposedly from YouTube. At this point, users who click the link may have already downloaded malware unknowingly, aka drive-by-download attacks. Here’s a screenshot of the web page with the embedded video:
Figure 2. Malicious web page with the embedded video
Simply clicking the link in the email triggers an automatic download from the URL http://{BLOCKED}.boston.avi_______.exe . If you’ll notice the lower left-hand corner of the download bar, the file name boston.avi_____.exe is seen as a downloaded file. This is actually a malicious file which happens to be a new variant of WORM_KELIHOS malware.
WORM_KELIHOS.NB routines
Throughout the course of my investigation, I noticed that the IP of the download link varies every time it is accessed. As of this writing, we confirmed that the locations of the IP addresses are found in several countries such as Argentina, Taiwan, Netherlands, Japan, Ukraine, Russia, and Australia. The URL also downloads other similar malware from different links, as seen in the URL log below:
Figure 3. Malicious URL log
The downloaded samples have the same behavior and same file size, except that it changes the icons used and the file names.
Our analysis also shows that WORM_KELIHOS.NB hides all the directories on the removable drive and replaces them with a .LNK file that uses a folder icon. This executes the malware before it opens that original folder. In addition, it creates .LNK files on infected removable drives with the command C:\WINDOWS\system32\cmd.exe F/c “start %cd%\game.exe. Below is a screenshot of an infected removable drive:
Figure 4. Removable drive infected by WORM_KELIHOS.NB
This worm has the capability to steal credentials from the different File Transfer Protocol (FTP) such as LeapFTP, P32bit FTP, FTP Control, SecureFX, BitKinex, FileZilla, and many more. One noteworthy routine about it is that it harvests email addresses from the affected computer’s local drive.
Spreading like wildfire
As of today, we have noted a significant number of malicious URLs gathered via the Trend MicroT Smart Protection NetworkT related to the Boston Marathon explosions, with the United States leading the pack among the other countries we monitored.
Figure 5. Trend MicroT Smart Protection NetworkT data for malicious URLs related to the Boston Marathon bombings
Aside from the spam sample discussed earlier, we also found that other platforms have also been exploited to spread similar threats. Malicious Tweets and links on free blogging platforms were also crafted just hours after the blast took place.
Figure 6. Malicious Tweets and blog posts
This goes to show that a cybercriminal’s work is never complete. Taking advantage of newsworthy events is indeed a cybercrime staple; each new scheme always seems to vary, which results in a never-ending cycle of malicious mischief.
Leave a reply
