LinkedIn users, watch what you click on!

Over the past 24 hours, cybercriminals have launched yet another massive spam campaign, impersonating LinkedIn, in an attempt to trick its users into clicking on the malicious links found in the bogus “Invitation Notification” themed emails. Once they click on the links, users are automatically exposed to the client-side exploits served by the Black Hole Exploit Kit.

More details:

Sample screenshot of the spamvertised email:

Fake_LinkedIn_Invitation_Notification_Email_Spam_Malware_Exploits_Black_Hole_Exploit_Kit

Sample spamvertised URLs used in the campaign:
hxxp://vikasprint.ru/linkedrequest.html
hxxp://img.anibook.ru/linkedrequest.html
hxxp://spitnsawdust.co.uk/linkedrequest.html
hxxp://e-infoware.com/linkedrequest.html
hxxp://mouldingname.info/linkedrequest.html
hxxp://old.mlsit.ru/linkedrequest.html
hxxp://hytfgasses.com/linkedrequest.html
hxxp://dommotorov.ru/linkedrequest.html
hxxp://mislite.ru/linkedrequest.html
hxxp://img.anibook.ru/linkedrequest.html
hxxp://arabellatravel.ru/linkedrequest.html
hxxp://oldfinco.autolb.ru/linkedrequest.html

Sample client-side exploits serving URLs, all of them responding to 222.238.109.66:
hxxp://euronotedetector.net/detects/updated_led-concerns.php
hxxp://kendallvile.com/detects/exceptions_authority_distance_disturbing.php – Email: fxfoto@hotmail.com
hxxp://prepadav.com/detects/region_applied-depending.php – Email: bannerpick45@yahoo.com
hxxp://shininghill.net/detects/solved-surely-considerable.php – Email: fxfoto@hotmail.com
hxxp://teamrobotmusic.net/detects/bits_remember_confident.php

Responding to the same IP are also the following malicious domains, part of the campaign’s infrastructure:
seoseoonwe.com
alphabeticalwin.com
ehadnedrlop.com
bestwesttest.com
masterseoprodnew.com
cocolspottersqwery.com
africanbeat.net

Name servers used by these malicious domains:
Name server: ns1.http-page.net – 31.170.106.17 – Email: ezvalue@yahoo.com
Name server: ns2.http-page.net – 7.129.51.158 – Email: ezvalue@yahoo.com

Name Server: ns1.high-grades.com – 208.117.43.145
Name Server: ns2.high-grades.com – 92.121.9.25

Sample malicious payload dropping URL:
hxxp://shininghill.net/detects/solved-surely-considerable.php?vf=1o:31:1h:1l:2w&fe=33:1o:1g:1l:1m:1k:2v:1l:1o:32&n=1f&dw=w&qs=p

Upon successful client-side exploitation, the campaign drops MD5: fdc05614f56aca9421271887c1937f51 – detected by 30 out of 44 antivirus scanners as Trojan-Spy.Win32.Zbot.ihgm.

Upon execution, the same creates the following process on the affected hosts:
%AppData%Bytaayjdoly.exe

The following registry keys:
HKEY_CURRENT_USERSoftwareMicrosoftRekime

With the following values:
[HKEY_CURRENT_USERIdentities] -> Identity Login = 0x00098053
[HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun] -> {3DFA1AE4-115C-AD7B-A6BA-A75086AF8442} = “”%AppData%Bytaayjdoly.exe
[HKEY_CURRENT_USERSoftwareMicrosoftRekime] -> 24e75bab = “la0ooHdmCjM=”; 28588825 = 0xA079AD85; 350g709 = 51 C5 79 A0 F5 4B 32 33 BC 54 E3 B8

As well as the following Mutexes:
Global{CB561546-E774-D5EA-8F92-61FCBA8C42EE}
Local{744F300D-C23F-6AF3-8F92-61FCBA8C42EE}
Global{5E9F7FDE-8DEC-4023-0508-B06D3016937F}
Global{5E9F7FDE-8DEC-4023-7109-B06D4417937F}
Global{5E9F7FDE-8DEC-4023-490A-B06D7C14937F}
Global{5E9F7FDE-8DEC-4023-610A-B06D5414937F}
Global{5E9F7FDE-8DEC-4023-8D0A-B06DB814937F}
Global{5E9F7FDE-8DEC-4023-990A-B06DAC14937F}
Global{5E9F7FDE-8DEC-4023-410B-B06D7415937F}
Global{5E9F7FDE-8DEC-4023-6D0B-B06D5815937F}
Global{5E9F7FDE-8DEC-4023-C50B-B06DF015937F}
Global{5E9F7FDE-8DEC-4023-210C-B06D1412937F}
Global{5E9F7FDE-8DEC-4023-610C-B06D5412937F}
Global{5E9F7FDE-8DEC-4023-790C-B06D4C12937F}
Global{5E9F7FDE-8DEC-4023-C90D-B06DFC13937F}
Global{5E9F7FDE-8DEC-4023-1D0E-B06D2810937F}
Global{5E9F7FDE-8DEC-4023-710E-B06D4410937F}
Global{5E9F7FDE-8DEC-4023-A108-B06D9416937F}
Global{5E9F7FDE-8DEC-4023-8D0B-B06DB815937F}
Global{5E9F7FDE-8DEC-4023-190C-B06D2C12937F}
Global{5E9F7FDE-8DEC-4023-090F-B06D3C11937F}
Global{5E9F7FDE-8DEC-4023-ED0F-B06DD811937F}
Global{5E370004-F236-408B-8F92-61FCBA8C42EE}
Global{5E9F7FDE-8DEC-4023-6D0C-B06D5812937F}
Global{EEE5022F-F01D-F059-8F92-61FCBA8C42EE}
Global{38E3341C-C62E-265F-8F92-61FCBA8C42EE}
Global{340FE32E-111C-2AB3-8F92-61FCBA8C42EE}
Global{340FE329-111B-2AB3-8F92-61FCBA8C42EE}
Local{55E9553D-A70F-4B55-8F92-61FCBA8C42EE}
Local{55E9553C-A70E-4B55-8F92-61FCBA8C42EE}

Once executed, the sample also attempts to establish multiple UDP connections with the following IPs:
177.1.100.2:11709
190.33.36.175:11404
213.109.254.122:29436
41.69.182.117:29817
64.219.114.114:13503
161.184.174.65:14545
93.177.174.72:10119
69.132.202.147:16149

Webroot SecureAnywhere users are proactively protected from these threats.

You can find more about Dancho Danchev at his LinkedIn Profile. You can also follow him on  Twitter.

Blog Staff

About the Author

Blog Staff

The Webroot blog offers expert insights and analysis into the latest cybersecurity trends. Whether you’re a home or business user, we’re dedicated to giving you the awareness and knowledge needed to stay ahead of today’s cyber threats.

Share This