The bomb explosions at the Boston Marathon have shocked people around the globe. It is still unclear who is behind them, and cyber attackers are shamelessly exploiting this uncertainty: they promise news about the events but deliver malware to unsuspecting users.
The structure of the URL displayed in the emails is always the same; note that the host is a bare IP address rather than a domain name:
http ://IP-address/news.html or http ://IP-address/boston.html
The subject lines vary but are always related directly to Boston. Here are some examples in alphabetical order:
Clicking the link in the email opens a website that appears to consist of YouTube videos about the events in Boston. The five videos shown, each embedded in the page via an iframe, are legitimate and play normally.
The sixth box, likewise an iframe pulling HTML into the page, loads something else entirely: a prepared Java applet. If the browser runs the applet and the Java version installed on the computer is older than 7 Update 11, the victim is in trouble: the applet exploits CVE-2013-0422 and installs malware, the so-called payload, on the computer. The G Data SecurityBlog already reported on this vulnerability at the beginning of 2013.
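A practical check for the condition described above is whether the installed Java runtime is older than 7 Update 11. The following script is an added example written for this article, not code from G Data or from the campaign: it parses the banner that `java -version` prints (the legacy `1.7.0_10` scheme as well as the newer `9.0.4` scheme) and applies the page's criterion, "older than 7u11 is vulnerable". The banners in the `__main__` section are constructed, not captured from a real machine.

```python
import re
import subprocess

# `java -version` prints a banner such as:  java version "1.7.0_10"
# Legacy (1.x.y_uu) and newer (9.0.4) version schemes are both handled.
VERSION_RE = re.compile(r'(\d+)\.(\d+)\.(\d+)(?:_(\d+))?')

# Java 7 Update 11 is the release that closed CVE-2013-0422.
PATCHED = (7, 11)


def parse_java_version(text):
    """Return (major, update) from a `java -version` banner or a bare version
    string, e.g. '1.7.0_10' -> (7, 10), '9.0.4' -> (9, 0). None if unparsable."""
    match = VERSION_RE.search(text)
    if not match:
        return None
    first, second, _third, update = match.groups()
    # Legacy scheme: the major version sits in the second field ("1.7.0_10" is Java 7).
    major = int(second) if first == "1" else int(first)
    return major, int(update or 0)


def is_vulnerable(text):
    """True if the version is older than 7u11 (the article's criterion),
    False if it is 7u11 or newer, None if no version could be parsed."""
    version = parse_java_version(text)
    if version is None:
        return None
    return version < PATCHED


def installed_java_vulnerable():
    """Run `java -version` on this host and apply the check. The banner goes
    to stderr on most JREs. Returns None if no java binary is found."""
    try:
        proc = subprocess.run(["java", "-version"], capture_output=True, text=True)
    except FileNotFoundError:
        return None
    return is_vulnerable(proc.stderr + proc.stdout)


if __name__ == "__main__":
    # Constructed banners for demonstration, not output from a real machine.
    for banner in ('java version "1.7.0_10"',
                   'java version "1.7.0_11-b21"',
                   'openjdk version "1.8.0_292"'):
        print(banner, "->", "VULNERABLE" if is_vulnerable(banner) else "patched")
    print("this host:", installed_java_vulnerable())
```

The comparison is on the (major, update) tuple, so Java 8 and later are correctly treated as newer than 7u11 even though their update numbers are smaller. Note that the check only tells you about the `java` binary on the PATH; the browser plug-in may be a different installation.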
If a user stays on the video page for more than 60 seconds, the page automatically redirects to a second address from which an executable disguised as a video file is downloaded. The URL currently has the following format: http ://IP-address/boston.avi_______.exe. The long run of underscores is meant to push the real .exe extension out of view in download prompts and file dialogs, so that the file passes for a .avi.
Initial analyses found two different payloads. Additional variants cannot be ruled out, of course: the attackers can swap in whatever malware they like at any time.
The malicious functionality of this sample is varied, but some components stand out at first glance. Among other things, it collects passwords stored in unencrypted form on the victim's hard drive, e.g. by the FileZilla FTP client or the Firefox browser.
The collected passwords are then most likely sent to a predefined server. Since they are transferred in encrypted form, however, the exact content of the transmitted data could not be determined. Another function is the analysis of network traffic.
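To see what a credential stealer like this one gets for free, it helps to audit one of the named sources yourself. The following script is an added example for this article, not part of the analysed malware or of FileZilla: it parses a file in the shape of FileZilla's `sitemanager.xml` and lists every site whose password can be read straight out of the file. The XML below is constructed for the example; the `encoding="base64"` attribute on `<Pass>` is the convention later FileZilla versions use, older ones store the password as plain text in the element.

```python
import base64
import xml.etree.ElementTree as ET

# Constructed sample in the shape of FileZilla's sitemanager.xml; not a real config.
SAMPLE_SITEMANAGER = """<?xml version="1.0" encoding="UTF-8"?>
<FileZilla3 version="3.5.3" platform="windows">
  <Servers>
    <Server>
      <Host>ftp.example.test</Host>
      <Port>21</Port>
      <Protocol>0</Protocol>
      <Logontype>1</Logontype>
      <User>webmaster</User>
      <Pass>hunter2</Pass>
      <Name>Web site</Name>
    </Server>
    <Server>
      <Host>sftp.example.test</Host>
      <Port>22</Port>
      <Protocol>1</Protocol>
      <Logontype>1</Logontype>
      <User>deploy</User>
      <Pass encoding="base64">czNjcjN0</Pass>
      <Name>Deploy host</Name>
    </Server>
    <Server>
      <Host>ftp.mirror.test</Host>
      <Port>21</Port>
      <Protocol>0</Protocol>
      <Logontype>0</Logontype>
      <Name>Anonymous mirror</Name>
    </Server>
  </Servers>
</FileZilla3>
"""


def decode_pass(elem):
    """Return the cleartext of a <Pass> element, or None if there is none.
    Plain text is stored as-is; later versions base64-encode it and mark the
    element with encoding="base64". Neither form is encryption."""
    if elem is None or not (elem.text or "").strip():
        return None
    text = elem.text.strip()
    if elem.get("encoding") == "base64":
        return base64.b64decode(text).decode("utf-8", "replace")
    return text


def stored_credentials(xml_text):
    """List every server entry whose password is recoverable from the file."""
    root = ET.fromstring(xml_text)
    found = []
    for server in root.iter("Server"):
        password = decode_pass(server.find("Pass"))
        if password is None:          # anonymous login or password not saved
            continue
        found.append({
            "name": (server.findtext("Name") or "").strip(),
            "host": (server.findtext("Host") or "").strip(),
            "port": int(server.findtext("Port") or 0),
            "user": (server.findtext("User") or "").strip(),
            "password": password,
        })
    return found


def audit_file(path):
    """Audit a real sitemanager.xml (or recentservers.xml, same <Server> layout)."""
    with open(path, encoding="utf-8") as fh:
        return stored_credentials(fh.read())


if __name__ == "__main__":
    for entry in stored_credentials(SAMPLE_SITEMANAGER):
        print("%-16s %s@%s:%d  password=%s" % (
            entry["name"], entry["user"], entry["host"], entry["port"], entry["password"]))
```

The anonymous entry is skipped because it carries no `<Pass>` element; everything else comes out in the clear, which is the point: anything an audit script can read this easily, the malware can too. The remedy is not to save the password in the site manager at all (let the client ask for it on connect).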
To make matters worse, the malware also includes spam bot functionality: once the PC is infected, it sends out the very email that started the infection. The IP address in the link changes from variant to variant, but the approach does not.
It is not yet clear whether the malware uses the victim's contacts to address its spam or whether the target addresses come from another source, such as the contacted server.
The analysed sample lay dormant for a few minutes and then locked the computer with ransomware, a so-called GVU Trojan, a screen locker that poses as a notice from the German anti-piracy organisation GVU.
As if that were not bad enough for the victim, this sample too acts as a spam bot as described above, sending out the fake news emails in an attempt to lure further victims into the trap.
The attackers have added another event to their spam campaign. Besides the alleged news about the Boston Marathon, reports about the explosion at a fertilizer plant in Texas are now being used to lure victims.
The emails do not differ substantially from the earlier ones; only the subject lines have changed. Here is a selection of the subject lines we currently see:
The structure of the URLs remains the same. In addition to http ://IP-address/news.html we now also see http ://IP-address/texas.html.
The appearance of the website is identical to the one described above. Evidently the videos were swapped to show the events in Texas, and the source of the Java applet also varies.
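The URL patterns given in this article (the bare-IP landing pages news.html, boston.html and texas.html, and the disguised download boston.avi_______.exe) are easy to turn into a detection rule for proxy or mail logs. The script below is an added example for this article, not a G Data tool: it classifies any URL whose host is a bare IPv4 address and whose file name is either one of the landing pages or a media extension padded with underscores in front of .exe. It generalises slightly beyond the text by accepting other video extensions, and the log lines are constructed with reserved documentation addresses, not real traffic.

```python
import re
from urllib.parse import urlparse

IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")

# File names seen at the end of the landing-page URLs in this campaign.
LANDING_PAGES = {"news.html", "boston.html", "texas.html"}

# boston.avi_______.exe: a media extension, a run of underscores, then the real .exe.
# The set of extensions is an assumption that widens the page's single .avi example.
DISGUISED_EXE_RE = re.compile(r"[a-z0-9.-]+\.(?:avi|mpg|mpeg|mp4|wmv|flv|mov)_+\.exe")


def classify_url(url):
    """Return a short reason if the URL matches the campaign's pattern, else None.
    Both patterns require a bare IPv4 address as the host, as the emails do."""
    parts = urlparse(url)
    host = parts.hostname or ""
    if not IPV4_RE.fullmatch(host):
        return None
    filename = parts.path.rsplit("/", 1)[-1].lower()
    if filename in LANDING_PAGES:
        return "landing page on bare IP (%s)" % filename
    if DISGUISED_EXE_RE.fullmatch(filename):
        return "executable disguised as video (%s)" % filename
    return None


def scan(lines):
    """Run classify_url over every URL found in the lines; return (url, reason) hits."""
    hits = []
    for line in lines:
        for url in URL_RE.findall(line):
            reason = classify_url(url)
            if reason is not None:
                hits.append((url, reason))
    return hits


# Constructed proxy-log lines using reserved documentation addresses; not real traffic.
SAMPLE_LOG = [
    "2013-04-17T10:02:11 10.0.0.5 GET http://198.51.100.23/news.html 200",
    "2013-04-17T10:02:13 10.0.0.5 GET http://www.youtube.com/embed/abc123 200",
    "2013-04-17T10:03:15 10.0.0.5 GET http://198.51.100.23/boston.avi_______.exe 200",
    "2013-04-17T10:05:40 10.0.0.8 GET http://www.example.com/news.html 200",
    "2013-04-17T10:06:02 10.0.0.8 GET http://203.0.113.7/boston.avi 404",
    "2013-04-18T08:11:09 10.0.0.9 GET http://203.0.113.7/texas.html 200",
]

if __name__ == "__main__":
    for url, reason in scan(SAMPLE_LOG):
        print(reason, "->", url)
```

A news.html on a named host and a genuine boston.avi on a bare IP both stay quiet, so the rule keys on the combination the article describes (bare IP plus the specific file name shape) rather than on either feature alone. Because the attackers rotate the IP address, matching on the path shape is what keeps the rule useful across variants.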