Cisco Umbrella
Security

A look at a "LinkedIn Spam mail, Blackhole, ZeroAccess" campaign

Dhia Mahjoub
Updated October 15, 2020

LinkedIn spam mail campaigns have been around for at least 3 years: you receive a bogus invitation to connect on LinkedIn that leads to a compromised page, which in turn lands on an Exploit Kit-laden server that eventually drops malware on your machine. Past spam campaigns combined the Blackhole Exploit Kit with Cridex or Zeus malware, as reported in [1] and discussed in detail in [2].

Last Monday, we witnessed the emergence of a new LinkedIn spam mail campaign, shown below (thanks to @peterkruse for reporting it).

[Figure: the LinkedIn spam mail]

Exploitation chain

In this particular case, if you click the “Accept” button, you are redirected to hxxp://champagnefuif.klammehand.be/modules/wp-enter.php?xV72H17G11U7AT2AA, a compromised WordPress page, and from there you land on hxxp://languagespreferably.biz/closest/i9jfuhioejskveohnuojfir.php, a Blackhole Exploit landing page. The exploit kit inspects your machine’s browser plugins for vulnerable versions and, if successful, places a file named calc.exe on your machine, which is a ZeroAccess dropper. You just became part of the ZeroAccess botnet! The binary matches this VirusTotal signature.

In the figure below, we can see the spike in traffic on Monday Sep 2nd, when the spam campaign started.

[Figure: DNS traffic to the landing domain, spiking on Monday Sep 2nd]

Looking at the behavioral section of the VirusTotal report of the dropped ZeroAccess sample, we see these DNS requests:

j.maxmind.com (108.168.255.244)
www.google.com (173.194.45.83)

The bot looks up google.com to test for internet connectivity, and resolves maxmind.com so that it can call the GeoIP service with this HTTP request:

URL: http://j.maxmind.com/app/geoip.js
TYPE: GET
USER AGENT: None

The GeoIP callbacks to maxmind are a typical Sirefef/ZeroAccess trademark, because the malware needs to find out which country it is located in. ZeroAccess is known to be used to download other malware onto an infected machine; once the malware knows where it is, it knows where to connect next so it can download further payloads (mostly Medfos malware).

In this campaign, ZeroAccess is dropped by a Blackhole version dubbed “closest”, which was first described in detail by MalwareMustDie in [3]. Similar spam campaigns, such as those targeting Facebook and redirecting to Blackhole, were observed to drop Trojan Zbot/Pony (credential stealer), MedFos (downloader) and ZeroAccess, as reported in [4].

ZeroAccess callback IPs

Once installed, ZeroAccess tries to connect to a peer-to-peer network to download plugin files that extend the payload’s functionality. In the behavioral section of the VirusTotal report, we can see a list of supernode callback IPs the ZeroAccess sample tries to contact on UDP port 16464. Running the sample locally in a VM also produces a larger list of supernode callback IPs. Supernodes are the internet-facing nodes of the botnet that distribute files and IP lists to the other nodes. Ordinary botnet nodes, on the other hand, may sit behind NAT and can only reach the outside CnCs through the supernodes.

We checked the larger list of 89 callback IPs and found that a few of them have hosted 17 Kelihos fast-flux domains (or subdomains) in the past, which we list here: abeeu.bobpawa.com, aqa.renuncam.nl, cx3r5.nigucgu.com, cych.zymofevy.me, dahadkyz.ru, davujuz.com, fcegrrtc.mapuhxaf.ru, flowsre.com, hsej0rr7.insomtab.nl, huznejex.ru, nenkudyf.ru, ogfonis.org, powerwik.ru, teeply.info, widerat.com, xexumyb.com, ximirsex.ru.

These domains have already been blocked a while ago, and reported for suspension or sinkholing.

The overlap between the IP pools of the ZeroAccess and Kelihos botnets is an indication that botnets are a commodity shared among criminal campaigns to speed up the spread of infections and information stealing. More good resources on ZeroAccess can be found in [5].
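The two host-side behaviours described above (the GeoIP fetch from j.maxmind.com with no user agent, and the sweep of supernode IPs on UDP/16464) are easy to hunt for in proxy and firewall logs. The following is an added example written for this post, not the author's or Cisco's code; the log formats, the sample lines and the MIN_PEERS threshold are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample proxy log (not from the post): "client method url user_agent"
PROXY_LOG = """\
10.0.0.5 GET http://j.maxmind.com/app/geoip.js -
10.0.0.5 GET http://www.google.com/ Mozilla/5.0 (Windows NT 6.1)
10.0.0.7 GET http://j.maxmind.com/app/geoip.js Mozilla/5.0 (Windows NT 6.1)
10.0.0.9 GET http://intranet.example/index.html Mozilla/5.0 (Windows NT 6.1)
"""
# Constructed sample firewall log (not from the post): "src dst proto dport"
FW_LOG = """\
10.0.0.5 203.0.113.10 udp 16464
10.0.0.5 198.51.100.23 udp 16464
10.0.0.5 192.0.2.77 udp 16464
10.0.0.7 198.51.100.23 udp 16464
10.0.0.9 203.0.113.10 udp 53
"""

GEOIP_URL = "http://j.maxmind.com/app/geoip.js"  # GeoIP callback seen in the report
P2P_PORT = "16464"                                # ZeroAccess supernode UDP port
MIN_PEERS = 3  # assumption: a real infection contacts far more supernodes than this

def geoip_callbacks(proxy_log):
    """Clients fetching the MaxMind GeoIP script with no user agent set."""
    hits = set()
    for line in proxy_log.splitlines():
        parts = line.split(maxsplit=3)
        if len(parts) < 3:
            continue                      # malformed line, skip it
        client, method, url = parts[:3]
        ua = parts[3] if len(parts) > 3 else ""
        if method == "GET" and url == GEOIP_URL and ua in ("-", "None", ""):
            hits.add(client)
    return hits

def p2p_peer_counts(fw_log):
    """Number of distinct hosts each client contacts on UDP/16464."""
    peers = defaultdict(set)
    for line in fw_log.splitlines():
        src, dst, proto, dport = line.split()
        if proto == "udp" and dport == P2P_PORT:
            peers[src].add(dst)
    return {src: len(dsts) for src, dsts in peers.items()}

def suspected_zeroaccess(proxy_log, fw_log, min_peers=MIN_PEERS):
    """Hosts showing both indicators: the GeoIP callback and a supernode sweep."""
    geoip = geoip_callbacks(proxy_log)
    peers = p2p_peer_counts(fw_log)
    return {host: f"geoip callback with empty UA + {peers[host]} UDP/16464 peers"
            for host in sorted(geoip) if peers.get(host, 0) >= min_peers}
```

Requiring both indicators keeps a lone GeoIP lookup from a legitimate browser (10.0.0.7 above) from paging anyone.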

Discovering related domains with Security Graph

Starting from the landing domain languagespreferably.biz, and using a domain reputation algorithm applied to the SGraph DNS database, we uncover a large set of 200+ related new suspicious domains serving the Blackhole Exploit Kit, other Exploit Kits, and other malicious campaigns (such as trojan CnC). We also cross-check domain registration dates and look for DNS traffic spikes to these domains.

This constitutes a fast early detection system for Exploit-weaponized domains (or soon-to-be-weaponized ones, or related new suspicious domains destined for other purposes). A lot of these EK landing domains are rather unstable on purpose. We observed that shortly after they are registered, these domains start resolving to an IP hosting an EK server, then they trigger a surge in DNS traffic for a few hours followed by complete silence. Oftentimes, the domain stops serving the exploits or simply stops resolving. This is a clear indication that these domains are used in “hit and run” spam mail campaigns. A lot of these domains are also quickly sinkholed or suspended by registrars, hence the tendency of criminals to register these “throw-away” domains, use them swiftly, and move on to a new set. We also observed examples of such domains that were registered a couple of months ago and, after their initial spike in activity, have since gone silent. This could be another trick to stay under the “radar,” evade suspension or sinkholing, and potentially come back later for use in future malicious campaigns. In the figure below, we can see the surge in traffic for this Blackhole landing domain spotted very recently.

[Figure: DNS traffic surge for a recently spotted Blackhole landing domain]

Furthermore, we can consult URL databases such as VirusTotal or urlquery to identify known active URLs on these domains. With that, one can identify EK landing pages and eventually milk them for malware payloads for further analysis. These EK servers were seen to block certain IP ranges belonging to security companies or Tor proxies; therefore, other measures must be taken to circumvent these protective tricks and still retrieve live payloads. This may be discussed in a future blog post.
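The “hit and run” traffic shape described above (young domain, a surge lasting a few hours, then silence, or a domain that spiked once and has been dormant since) can be turned into a simple triage rule over per-domain DNS query counts. This is an added example, not Umbrella's Security Graph code; the domain names, counts and every threshold are constructed assumptions, chosen to illustrate the shape rather than tuned on real data.

```python
# Constructed per-domain records (not from the post). "hourly" is the DNS query
# count per hour over the first day of traffic, "age_days" is days from
# registration to first query, "days_silent" is days since the last query.
RECORDS = {
    "burst-young.example": {"age_days": 3, "days_silent": 1,
        "hourly": [0] * 5 + [12, 340, 910, 770, 210, 30] + [0] * 13},
    "steady-old.example": {"age_days": 900, "days_silent": 0, "hourly": [40] * 24},
    "burst-dormant.example": {"age_days": 2, "days_silent": 70,
        "hourly": [0, 0, 500, 800, 300] + [0] * 19},
    "parked.example": {"age_days": 5, "days_silent": 5, "hourly": [0] * 24},
}

YOUNG_DAYS = 14        # assumption: registered shortly before first use
MIN_QUERIES = 500      # assumption: minimum total queries to count as a surge
MAX_ACTIVE_HOURS = 8   # assumption: the surge lasts only a few hours
MIN_SILENT_HOURS = 6   # assumption: "followed by complete silence"
DORMANT_DAYS = 30      # assumption: quiet this long = possibly parked for reuse

def burst_profile(hourly):
    """Return (total, active_hours, trailing_silent_hours) for an hourly series."""
    active = [i for i, n in enumerate(hourly) if n > 0]
    if not active:
        return 0, 0, len(hourly)
    return sum(hourly), len(active), len(hourly) - 1 - active[-1]

def classify(rec):
    """Label one domain's traffic shape using the heuristics above."""
    total, active_hours, silent_hours = burst_profile(rec["hourly"])
    if total == 0:
        return "no-traffic"
    bursty = (total >= MIN_QUERIES and active_hours <= MAX_ACTIVE_HOURS
              and silent_hours >= MIN_SILENT_HOURS)
    if not bursty:
        return "steady"
    if rec["days_silent"] >= DORMANT_DAYS:
        return "dormant-burst"   # spiked once, quiet since: may come back later
    if rec["age_days"] <= YOUNG_DAYS:
        return "hit-and-run"     # young domain, surged for hours, then went silent
    return "burst"               # surge on an older domain: still worth a look

def triage(records):
    """Domains whose traffic shape warrants a closer look, with their labels."""
    labels = {d: classify(r) for d, r in records.items()}
    return {d: l for d, l in labels.items() if l not in ("steady", "no-traffic")}
```

Registration age and the burst profile come from different sources (WHOIS and the resolver's query logs), so a domain that is young but has not surged yet is the one to watch next.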

Below, we show a sample of some confirmed Exploit Kit or suspicious domains:

Acknowledgments: Special thanks to all the great friends from MalwareMustDie (@RazorEQX and @VriesHd and more) for their valuable contribution to the discussion on ZeroAccess and discovery of the initial Blackhole landing domains.
