TrendLabs Security Intelligence Blog (Trend Micro)

Archive for July 18th, 2014


A few months after the disappearance of Malaysia Airlines Flight 370, the world was shocked again by more tragic news: the crash of Malaysia Airlines Flight 17 (MH17), a Boeing 777, over Ukraine, which killed nearly 300 passengers and crew members. As with past incidents, cybercriminals were quick to take advantage of the tragedy, which occurred on July 17, 2014.

During our investigation, just a few hours after Malaysia Airlines tweeted at 23:36 on July 17, “Malaysia Airlines has lost contact of MH17 from Amsterdam. The last known position was over Ukrainian airspace. More details to follow,” we came across several suspicious tweets written in Indonesian:

Figures 1-3: Screenshots of tweets pointing to malicious domains

The URLs appear to be part of a spam campaign that piggybacks on whatever topic or hashtag is most talked about on Twitter at the moment, so that the tweets surface when users search for it. Every click by a user increments the link's hit count. The .TK URLs resolve to the following IPs:

    • 72[dot]8[dot]190[dot]126
    • 72[dot]8[dot]190[dot]39

Based on our analysis, both IPs are shared web-hosting addresses located in the US. Each IP is mapped to multiple domains; some of these domains are malicious, while others are legitimate domains hosting ordinary blogs. We surmise that the purpose of this spam is to drive hits and page views to the spammers' sites or ads.

The malicious domains associated with these IPs, on the other hand, are connected to a ZeuS variant detected as TSPY_ZBOT.VUH and to SALITY malware. ZeuS/ZBOT is a known information stealer, while PE_SALITY is a family of file infectors that infect .SCR and .EXE files. Once a system is infected with this file infector, it is exposed to further malware infections, compromising its security even more.
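The triage logic that the two paragraphs above imply, as an added example that is not Trend Micro's own tooling: match tweets that ride a trending hashtag and link to a .tk domain, resolve the domain, and compare the result against the two hosting IPs named in the post. Because the post states that those IPs are shared hosting that also serves legitimate blogs, the example deliberately does not convict a link on IP overlap alone and shows what an IP-level block would take down as collateral. The tweet texts, hostnames and the DNS table are constructed for this example; only the two IPs come from the post, and the `resolve` callable is a stand-in for real DNS lookups.

```python
"""Triage of hashtag-hijacking spam tweets, with the shared-hosting caveat.

Added example, not Trend Micro's code. Tweet texts, hostnames and the DNS
table are constructed; only the two IPs below come from the post.
"""
import re
from collections import defaultdict

# Hosting IPs named in the post (there de-fanged as 72[dot]8[dot]190[dot]126 / [dot]39).
KNOWN_SPAM_HOSTING_IPS = {"72.8.190.126", "72.8.190.39"}

HASHTAG_RE = re.compile(r"#(\w+)")
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+\.[A-Za-z]{2,})(?:/\S*)?")

# CONSTRUCTED stand-in for DNS so the example runs offline. Hostnames are made up;
# the point is that one IP serves both spam .tk domains and a legitimate blog.
CONSTRUCTED_DNS = {
    "video-mh17.tk": "72.8.190.126",
    "crash-news.tk": "72.8.190.39",
    "cooking-blog.example": "72.8.190.126",  # legitimate site on the shared IP
    "newsroom.example": "203.0.113.10",
}


def refang(ioc):
    """Turn a de-fanged indicator such as 72[dot]8[dot]190[dot]126 back into 72.8.190.126."""
    return ioc.replace("[dot]", ".").replace("[.]", ".")


def extract_hashtags(text):
    return {h.lower() for h in HASHTAG_RE.findall(text)}


def extract_domains(text):
    return [d.lower() for d in URL_RE.findall(text)]


def triage_tweet(text, trending, resolve):
    """Classify one tweet; returns (verdict, details).

    A trending hashtag plus a link to a .tk domain is 'suspicious' (the pattern
    in the post) and becomes 'known-infra' when that domain resolves to one of
    the IPs above. A link that merely shares an IP with the spam domains stays
    'benign', because the IPs are shared hosting; the overlap is reported in
    details instead of driving the verdict.
    """
    hashtags = extract_hashtags(text)
    domains = extract_domains(text)
    ips = {d: resolve(d) for d in domains}          # resolve() may return None
    rides_trend = bool(hashtags & {t.lower() for t in trending})
    tk_domains = [d for d in domains if d.endswith(".tk")]
    hits_known = [d for d in tk_domains if ips[d] in KNOWN_SPAM_HOSTING_IPS]
    details = {
        "domains": domains,
        "ips": ips,
        "shares_ip_with_known": any(ip in KNOWN_SPAM_HOSTING_IPS for ip in ips.values()),
    }
    if rides_trend and hits_known:
        return "known-infra", details
    if rides_trend and tk_domains:
        return "suspicious", details
    return "benign", details


def reverse_map(resolve_table):
    """Group domains by the IP they resolve to."""
    by_ip = defaultdict(set)
    for domain, ip in resolve_table.items():
        by_ip[ip].add(domain)
    return by_ip


def blocklist_collateral(ip, resolve_table, malicious_domains):
    """Domains an IP-level block would take down in addition to the malicious ones."""
    return reverse_map(resolve_table).get(ip, set()) - set(malicious_domains)


# Constructed sample tweets (the real ones were written in Indonesian).
SAMPLE_TWEETS = [
    "Video of the crash #MH17 http://video-mh17.tk/watch",
    "Shocking #MH17 footage http://unknown-site.tk/x",
    "Prayers for the victims #MH17 #Ukraine",
    "New recipe up on http://cooking-blog.example/pie",
]

if __name__ == "__main__":
    trending = {"MH17"}
    for tweet in SAMPLE_TWEETS:
        verdict, details = triage_tweet(tweet, trending, CONSTRUCTED_DNS.get)
        print(f"{verdict:12} shares_ip={details['shares_ip_with_known']!s:5} {tweet}")
    spam_domains = [d for d in CONSTRUCTED_DNS if d.endswith(".tk")]
    for ip in sorted(KNOWN_SPAM_HOSTING_IPS):
        print(ip, "collateral if blocked:", blocklist_collateral(ip, CONSTRUCTED_DNS, spam_domains))
```

Swapping `CONSTRUCTED_DNS.get` for a real resolver (for example `socket.gethostbyname`) turns this into a live check; the verdicts stay domain-driven, so a legitimate blog on the same shared IP is surfaced as context rather than blocked.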

Cybercriminals always ride the bandwagon of tragic news and incidents. In the past, we have seen several scams and threats that leveraged news of Typhoon Haiyan, the Boston Marathon, and the 2011 tsunami and earthquake in Japan, among others. We expect that as more details of the MH17 crash unfold, cybercriminals will launch further attacks that may lead to theft of personal information and system infection. Users are strongly advised to remain vigilant for threats that leverage this news. Trend Micro protects users from such threats via its Smart Protection Network, which blocks all related malicious URLs and detects the malicious files.

With analysis from Jon Oliver, Rhena Inocencio, Maersk Menrige, and Arabelle Ebora

    Update as of July 18, 2014, 4:05 P.M. PDT:

    The tweets in question used the hashtag #MH17 which was the top trending hashtag on Twitter yesterday.

    Update as of July 22, 2014, 12:29 P.M. PDT:

We spotted a suspicious message on Facebook that also leverages the tragic news. When unsuspecting users open the link, http://{BLOCKED}clip.com/MH17crash.php, it points them to sites with scam ads or a free download of a video installer, which Trend Micro detects as ADW_BRANTALL. The page also lets users share the link on their own Facebook timeline before they have seen the supposed video. Note, however, that this particular sample is not related to the ADW_BRANTALL that downloads MEVADE/SEFNIT as discussed in this paper. When users open the link on a mobile device, it only redirects them to an advertising site.

Figure 4. Screenshot of the Facebook post that takes advantage of the MH17 news

Figure 5. Screenshot of the page users see when they access the URL

As of this posting, Trend Micro has informed Facebook, and Facebook has suspended all related accounts.

Posted in Bad Sites, Malware

© Copyright 2013 Trend Micro Inc. All rights reserved.