Thursday, April 27, 2017

Bogus ‘Citi Account Alert’ spam leading to Black Hole Exploit Kit

Cybercriminals are currently mass-mailing hundreds of thousands of emails impersonating Citi, using two different email templates. When clicked, the links in the malicious emails lead to client-side exploits served by the latest version of the Black Hole Exploit Kit.

Webroot completed an analysis of the malicious sites being spammed.

Sample spamvertised compromised URLs used in the campaign:
hxxp://franctelnetwork.com/components/com_ag_google_analytics2/citialertservice.html
hxxp://ghostdeal.com/components/com_ag_google_analytics2/citialertservice.html
hxxp://thesmsway.com/components/com_ag_google_analytics2/citialertservice.html
hxxp://911pcs.com/components/com_ag_google_analytics2/alert-service-citibank.html
hxxp://rjewelryd.com/components/com_ag_google_analytics2/alert-service-citibank.html
hxxp://softwarehit.com/components/com_ag_google_analytics2/alert-service-citi-sign_in.html
hxxp://ceipfernandogavilan.com/components/com_ag_google_analytics2/alert-service-citi-sign_in.html
hxxp://troubleshootersacademy.com/components/com_ag_google_analytics2/citialert-sign_in.html

Sample client-side exploits serving URLs:
hxxp://eaglepointecondo.biz/detects/operation_alert_login.php – 59.57.247.185
Name Server: NS1.AMISHSHOPPE.NET – 209.140.18.37 – Email: [email protected]
Name Server: NS2.AMISHSHOPPE.NET – 211.27.42.138 – Email: [email protected]

hxxp://platinumbristol.net/detects/alert-service.php – 59.57.247.185
Name Server: NS1.AMISHSHOPPE.NET – 209.140.18.37 – Email: [email protected]
Name Server: NS2.AMISHSHOPPE.NET – 211.27.42.138 – Email: [email protected]

Upon successful client-side exploitation, the campaign drops MD5: b360fec7652688dc9215fd366530d40c – detected by 28 out of 45 antivirus scanners as Worm:Win32/Cridex.E.
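The indicators above (the shared Joomla-style landing path on the compromised sites, the two exploit-serving hosts and their IP, the name-server IPs, and the payload MD5) are exactly what a defender would turn into a log sweep. The following is an added example, not code from the post or from Webroot: it loads those indicators, re-fangs the `hxxp://` notation used in the write-up, and classifies constructed proxy-log lines by which indicator fires. The log format and the hits themselves are constructed for illustration.

```python
import re
from typing import List, Tuple

# Indicators as listed in the post (Webroot's analysis of the campaign).
# The compromised sites differ per email; the path they share is the stable indicator.
LANDING_PATH = re.compile(r"/components/com_ag_google_analytics2/[^\s\"']*", re.I)
EXPLOIT_HOSTS = {"eaglepointecondo.biz", "platinumbristol.net"}
EXPLOIT_IPS = {"59.57.247.185"}
NAMESERVER_IPS = {"209.140.18.37", "211.27.42.138"}
PAYLOAD_MD5 = "b360fec7652688dc9215fd366530d40c"

URL_RE = re.compile(r"https?://([^/\s\"']+)(/[^\s\"']*)?", re.I)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
MD5_RE = re.compile(r"\b[0-9a-fA-F]{32}\b")


def refang(text: str) -> str:
    """Turn the defanged notation used in write-ups (hxxp://, [.]) back into real URLs."""
    return re.sub(r"hxxp", "http", text, flags=re.I).replace("[.]", ".")


def classify_line(line: str) -> List[str]:
    """Return the indicator types that fire on a single log line, in order of discovery."""
    hits: List[str] = []
    for m in URL_RE.finditer(line):
        host, path = m.group(1).lower(), m.group(2) or ""
        if LANDING_PATH.search(path):
            hits.append("landing-page-path")
        if host in EXPLOIT_HOSTS:
            hits.append("exploit-host")
    for ip in IPV4_RE.findall(line):
        if ip in EXPLOIT_IPS:
            hits.append("exploit-ip")
        elif ip in NAMESERVER_IPS:
            hits.append("nameserver-ip")
    for digest in MD5_RE.findall(line):
        if digest.lower() == PAYLOAD_MD5:
            hits.append("payload-md5")
    return hits


def scan_log(lines) -> List[Tuple[int, List[str]]]:
    """Scan an iterable of log lines; return (1-based line number, hits) for lines that match."""
    results = []
    for number, line in enumerate(lines, start=1):
        hits = classify_line(refang(line))
        if hits:
            results.append((number, hits))
    return results


# Constructed proxy/DNS log excerpt (not real traffic): one user hits a landing page,
# is redirected to the exploit host, downloads the payload, and resolves the exploit IP.
SAMPLE_LOG = """\
1335457201.123 10.0.0.12 TCP_MISS/200 GET http://franctelnetwork.com/components/com_ag_google_analytics2/citialertservice.html
1335457203.456 10.0.0.12 TCP_MISS/200 GET http://eaglepointecondo.biz/detects/operation_alert_login.php
1335457210.000 10.0.0.31 TCP_MISS/200 GET http://example.org/index.html
1335457215.789 10.0.0.12 download name=update.exe md5=b360fec7652688dc9215fd366530d40c
1335457220.000 10.0.0.12 dns answer A 59.57.247.185
"""

if __name__ == "__main__":
    for number, hits in scan_log(SAMPLE_LOG.splitlines()):
        print(f"line {number}: {', '.join(hits)}")
```

Matching on the shared `/components/com_ag_google_analytics2/` path rather than on the compromised hostnames keeps the rule useful as the spammers rotate through newly compromised sites; the MD5 check only catches this exact binary, so it is the weakest of the four signals and worth pairing with the host and IP indicators.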

Once executed, the sample performs the following activities:

  • Accesses Firefox’s Password Manager local database
  • Creates a thread in a remote process
  • Installs a program to run automatically at logon

Webroot also provided an example of the templates being used.

These attacks are likely to get worse as the holiday season approaches, since many consumers are purchasing their gifts online.

About FastFlux

Owner of ZeroSecurity, interested in programming, malware analysis and penetration testing. If you would like to write for the ZeroSecurity team, please use the contact form above.
