31 May 2013 06:15 AM
At Websense® Security Labs™ we recently spotted an interesting case of a phishing domain related to the imminent release of the Apple iOS7 Operating System.
As gossips circulate news in the wild about iOS7 after the D11 conference presented by Apple CEO Tim Cook, cybercriminals are setting up a foundation for phishing and malicious activities. The domain name was registered about 22 days ago (from the date of this analysis), as also reported by our ThreatSeeker® Intelligence Cloud:
At first glance, the host has no content other than an open directory, where we detected some interesting binary files:
While browsing through the content above, we opened the directory named "vl" and were immediately interested in the following result:
This is the control panel for the ransomware toolkit called "Silence Locker". In this case, we are viewing version 5, which is one of the latest released in 2013. As a ransomware toolkit, Silence Locker can generate a malicious file associated with familiar police enforcement pictures, based on the country of the potential victims. For example, in the following page the fake FBI Cyber Squad Investigation team is bound with a binary file that has been uploaded:
The other files hosted on the same directory are all detected by our ThreatSeeker Intelligence Cloud as follows:
After a brief analysis of the binaries above, we noticed that the AutoIT tool was used to package the malware. This conforms to the current trend of packaging malware to make detection more difficult. We continued our investigation by gathering some telemetry about the IP address that hosts this domain (ios7news.net). From what we discovered, it seems that this IP address is also used for other phishing domains, using the infrastructure below:
The domain "hxxp://gamingdaily.us" is most likely a phishing domain for a gaming news website that is also used to host the exploit kit BleedingLife. Here are some details:
In the first row, it's easy to spot the URL parameters that provide a malicious PDF file that exploits one of the most often-used PDF vulnerabilities (CVE-2010-0188).
It's also possible to detect other vulnerabilities used by this exploit kit, just by looking into the content:
The two red boxes show the java script code used to provide the optimal exploit, based on the victim's system configuration. The list of CVEs used by this exploit kit is reported here. For worldwide events, both IT news and rumors could be used by the attackers to leverage people's curiosity, as was done here. In this case, we can suppose (due to details such as the open directory access) that the attackers are going to use and configure that domain for malicious activities based on ransomware.