It’s one thing to indirectly target a bank’s reputation by brand-jacking it for phishing or malware serving purposes, and entirely another when the front page of the bank itself (NorthWesternBankOnline.com) is embedded with an iFrame leading to client-side exploits, to ultimately serve a copy of Backdoor.DMSpammer.
- Go through an assessment of a similar incident from 2007 – Bank of India Serving Malware
This is exactly what happened on Friday, with the front page of the Northwestern Bank of Orange City and Sheldon, Iowa acting as an infection vector. And although the site is now clean, the compromise offers some interesting insights into the multitasking of some of the most prolific malware spreaders of Q1, 2010.
- Go through assessments of their previous campaigns: Scareware, Sinowal, Client-Side Exploits Serving Spam Campaign in the Wild; AS50215 Troyak-as Taken Offline, Zeus C&Cs Drop from 249 to 181; Outlook Web Access Themed Spam Campaign Serves Zeus Crimeware; Pushdo Serving Crimeware, Client-Side Exploits and Russian Bride Scams; PhotoArchive Crimeware/Client-Side Exploits Serving Campaign in the Wild; Tax Report Themed Zeus/Client-Side Exploits Serving Campaign in the Wild; IRS/PhotoArchive Themed Zeus/Client-Side Exploits Serving Campaign in the Wild
How come? The iFrame domain used in the Northwestern Bank campaign is parked on the very same IP (18.104.22.168 – AS4134, CHINA-TELECOM China Telecom) that is still active, and that was profiled in last month’s spamvertised “Zeus Crimeware/Client-Side Exploits Serving Campaign in the Wild”.
The iFrame embedded on the front page of Northwestern Bank’s web site, mumukafes.net /trf/index.php – 22.214.171.124 – Email: firstname.lastname@example.org, redirects through the following locations, to ultimately attempt to serve client-side exploits through the copycat Phoenix Exploit Kit (a web malware exploitation kit):
– mumukafes.net /trf/index.php – 126.96.36.199 – Email: email@example.com
– sobakozgav.net /index.php – 188.8.131.52
– sobakozgav.net /tmp/newplayer.pdf – CVE-2009-4324
– sobakozgav.net /l.php?i=16
– sobakozgav.net /statistics.php
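For a site owner, the first defensive question raised by this compromise is how to notice an injected iFrame on your own front page before it is found by your customers. The script below is an added example (not code from Dancho Danchev’s post or from any of the campaigns he describes): it parses a page with the standard library, collects every iFrame, and reports the ones that point off-site, are sized or styled to be invisible, use a bare IP address, or land on a .php endpoint, the combination typical of exploit-kit injections such as the one-pixel frame to an /index.php landing page seen here. The HTML sample, the host names and the IP in it are constructed for the example; the checks are the generic heuristics, not a signature for this specific campaign.

```python
"""Flag suspicious <iframe> tags in a web page (defensive content check).

Added example; the sample page, hosts and IP below are constructed, not taken
from the compromised site.  An iframe is reported when it points to a host
other than the page's own host or when it is hidden; the other reasons
(bare IP, .php endpoint) are recorded to help triage.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class IframeCollector(HTMLParser):
    """Collect the attribute dict of every <iframe> in the document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names; values may be None.
        if tag == "iframe":
            self.iframes.append({k: (v or "") for k, v in attrs})


def _is_hidden(attrs):
    """True if the frame is sized to be invisible or hidden via inline CSS."""
    for dim in ("width", "height"):
        if attrs.get(dim, "").strip().rstrip("px") in ("0", "1"):
            return True
    style = attrs.get("style", "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    return re.search(r"(width|height):[01](px)?(;|$)", style) is not None


def find_suspicious_iframes(html, page_host):
    """Return a list of {"src": ..., "reasons": [...]} for iframes worth review."""
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src", "")
        host = (urlparse(src).hostname or "").lower()
        reasons = []
        if host and host != page_host.lower():
            reasons.append("off-site")
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
            reasons.append("bare-ip")
        if _is_hidden(attrs):
            reasons.append("hidden")
        if src.lower().endswith(".php") or ".php?" in src.lower():
            reasons.append("php-endpoint")
        # A same-origin, visible frame is normal; anything off-site or hidden is not.
        if "off-site" in reasons or "hidden" in reasons:
            findings.append({"src": src, "reasons": reasons})
    return findings


# Constructed sample: one legitimate embed plus two injected frames.
SAMPLE_PAGE = """<html><body>
<h1>Welcome to Example Bank</h1>
<iframe src="https://www.examplebank.test/rates.html" width="600" height="400"></iframe>
<iframe src="http://evil-iframe.example/trf/index.php" width="1" height="1"
        style="visibility:hidden"></iframe>
<IFRAME SRC="http://203.0.113.5/index.php" STYLE="display: none"></IFRAME>
</body></html>"""

if __name__ == "__main__":
    for hit in find_suspicious_iframes(SAMPLE_PAGE, "www.examplebank.test"):
        print(hit["src"], "->", ", ".join(hit["reasons"]))
```

Run it against a freshly fetched copy of your own front page (and any template files in the web root) on a schedule and alert on any non-empty result; a legitimate same-origin embed never trips the check, so a hit is worth a look even when the rest of the site appears normal.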
Parked on the same IP (184.108.40.206) are also the following domains, all of which have been seen serving client-side exploits in previous campaigns:
aaa.fozdegen.com – Email: firstname.lastname@example.org
bbb.fozdegen.com – Email: email@example.com
cogs.trfafsegh.com – Email: firstname.lastname@example.org
countrtds.ru – Email: email@example.com
dogfoog.net – Email: firstname.lastname@example.org
eee.fozdegen.com – Email: email@example.com
fff.sobakozgav.net – Email: firstname.lastname@example.org
fozdegen.com – Email: email@example.com
lll.sobakozgav.net – Email: firstname.lastname@example.org
mumukafes.net – Email: email@example.com
sobakozgav.net – Email: firstname.lastname@example.org
trfafsegh.com – Email: email@example.com
Moreover, there are also active ZeuS C&Cs on the same IP – 220.127.116.11, with the following detection rates for the currently active binaries:
– exe1.exe – Trojan/Win32.Zbot.gen; Trojan-Spy.Win32.Zbot – Result: 32/38 (84.22%)
– exe.exe – Backdoor.DMSpammer – Result: 23/39 (58.97%)
– svhost.exe – Trojan.Win32.Swisyn; Trojan.Win32.Swisyn.acfo – Result: 33/38 (86.85%)
– vot.exe – Trojan.Spy.ZBot.EOR; TSPY_ZBOT.SMG – Result: 15/38 (39.48%)
Detection rates for the campaign files obtained through Northwestern Bank’s client-side exploit serving campaign:
– js.js – Mal/ObfJS-CT; JS/Crypted.CV.gen – Result: 3/39 (7.7%)
– newplayer.pdf – Exploit.PDF-JS.Gen; Exploit:Win32/Pdfjsc.EP – Result: 22/39 (56.42%)
– update.exe – Backdoor.DMSpammer – Result: 24/39 (61.54%)
The sampled update.exe phones back to the following locations:
usrdomainn.net /n2/checkupdate.txt – 18.104.22.168, AS38356, TimeNet – Email: firstname.lastname@example.org
AS38356, TimeNet, was most recently seen in the migration of the money mule recruiters profiled in “Keeping Money Mule Recruiters on a Short Leash – Part Four”, with tuktuk.php literally translating as herehere.php.
The site is now clean; however, the iFrame domains and ZeuS C&Cs remain active.
This post has been reproduced from Dancho Danchev’s blog. Follow him on Twitter.