Boston bomb blast video spam - RedKit

April 17, 2013

The Dell SonicWALL Threats Research team has discovered a new malware spam campaign taking advantage of the recent Boston marathon bomb blast news. The e-mail messages contain a malicious URL that leads to a RedKit Exploit Kit hosting site which serves various exploits eventually infecting the victim machine with multiple malware families.

The spam campaign started late yesterday, April 16, 2013, and is still active at the time of writing this alert. We have captured more than 41,000 copies of e-mails from this spam attack so far, as seen below:

Infection Cycle:

An e-mail arrives using one of the above Subjects, pretending to contain a URL to a video of the Boston marathon blast. The message body contains a URL that leads to an HTML page containing six iframes: five of them point to legitimate YouTube videos and the last one points to a malicious RedKit exploit site, as seen below:

If the user clicks the URL inside the e-mail, the following page opens and the RedKit exploit kit infection cycle is triggered.
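The lure page described above hides one exploit-kit iframe among several legitimate YouTube embeds. The following Python triage helper, added here as an example and not part of the original alert, flags that pattern in saved HTML: it collects every iframe src and reports the ones whose host is not a known decoy when the page also carries two or more decoy embeds. The sample page and the `exploit-site.invalid` host are constructed placeholders; the real exploit URL is not reproduced.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts treated as benign decoys; the alert only names YouTube, so only
# YouTube hosts are listed here (assumption: no other legitimate embeds).
DECOY_HOSTS = {"youtube.com", "www.youtube.com", "youtu.be"}


class IframeCollector(HTMLParser):
    """Collect the src attribute of every <iframe> in a page."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.srcs.append(value)


def iframe_sources(html):
    """Return all iframe src values in document order."""
    parser = IframeCollector()
    parser.feed(html)
    return parser.srcs


def host_of(url):
    """Lower-cased hostname of a URL, or '' for relative/odd values."""
    return (urlparse(url).hostname or "").lower()


def suspicious_iframes(html, min_decoys=2):
    """Return iframe URLs that do not point at a decoy host, but only when
    the page also embeds at least `min_decoys` decoy iframes, i.e. the
    'one hostile frame hidden among legitimate ones' layout from the lure."""
    srcs = iframe_sources(html)
    decoys = [s for s in srcs if host_of(s) in DECOY_HOSTS]
    others = [s for s in srcs if host_of(s) not in DECOY_HOSTS]
    return others if len(decoys) >= min_decoys and others else []


# Constructed sample mirroring the lure layout: five YouTube embeds and one
# hidden 1x1 iframe pointing at a placeholder host (not a real indicator).
SAMPLE_HTML = """<html><body>
<iframe src="http://www.youtube.com/embed/AAAA1111" width="640" height="360"></iframe>
<iframe src="http://www.youtube.com/embed/BBBB2222" width="640" height="360"></iframe>
<iframe src="http://www.youtube.com/embed/CCCC3333" width="640" height="360"></iframe>
<iframe src="http://www.youtube.com/embed/DDDD4444" width="640" height="360"></iframe>
<iframe src="http://www.youtube.com/embed/EEEE5555" width="640" height="360"></iframe>
<iframe src="http://exploit-site.invalid/r.php" width="1" height="1"></iframe>
</body></html>"""
```

Running `suspicious_iframes(SAMPLE_HTML)` on the sample returns only the placeholder exploit URL; a page containing nothing but YouTube embeds returns an empty list.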

During our analysis, we saw a malicious JAR applet being served by the RedKit site, which led to the download of a new Tepfer variant. The Tepfer variant then downloads a new P2P Zbot variant and a ransomware variant onto the victim machine.

Network requests observed on the victim machine:

It drops the following malicious executables on the victim machine:

  • %Temp%\alifna.exe [Detected as GAV: Zbot.USBV (Trojan)]
  • %Temp%\coppe.exe [Detected as GAV: Zbot.KLRY (Trojan)]
  • %Temp%\temp91.exe [Detected as GAV: Zbot.USBV (Trojan)]

It creates the following key in the Windows registry to persist infection on system reboot:

  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SonyAgent: "%Temp%\temp91.exe"

Dell SonicWALL Gateway AntiVirus provides protection against this threat with the following signatures:

  • GAV: Redkit.BS (Exploit)
  • GAV: Zbot.USBV (Trojan)
  • GAV: Zbot.KLRY (Trojan)