As documented time and again on this blog, cybercrooks are often sloppy or lazy enough to leave behind important clues about who and where they are. But from time to time, cheeky crooks will dream up a trap designed to look like they’re being sloppy when in fact they’re trying to trick security researchers into being sloppy and infecting their computers with malware.
According to Peter Kruse, a partner and cybercrime specialist with CSIS Security Group, that’s what happened late last month when a Twitter user “Paunchbighecker” started messaging security researchers on Twitter. Paunch the nickname of a Russian hacker who for the past few years has sold the wildly popular Blackhole exploit kit, a crimeware package designed to be stitched into hacked or malicious sites and foist browser exploits on visitors. The person behind Paunchbighecker Twitter account probably figured that invoking Paunch’s name and reputation would add to the allure of his scam.
The Paunchbighecker Twitter account appears to have been created on July 30 for the sole purpose of sending tweets to several security researchers, including this author, Mikko Hypponen of Finnish security firm F-Secure, French malware researcher Kafeine, Polish security researcher tachion24, and SecObsecurity. Strangely enough, the other Twitter account that received messages from this user belongs to Sauli Niinistö, the current president of Finland.
The link that Paunchbighecker sent to researchers displays what appears to be the back-end administrative panel for a Nuclear Pack exploit kit. In fact, the landing page was a fake merely made to look like a Nuclear pack statistics panel. Rather, embedded inside the page itself is a series of active Java exploits.
Update, 1:56 p.m.: Security researcher Kafeine said he does not believe this was an attack against security researchers, but rather an intentional leak of badguy credentials. Furthermore, Kafeine notes that visitors to the site link in the Twitter messages would have to take an additional step in order to infect their own computers.
Original story: Looking at a Virustotal automated analysis of the malware pushed by this exploit kit, it seems the hackers behind this ruse were trying to foist the ZeuS Trojan on unsuspecting (and unpatched) visitors. A separate Virustotal analysis shows that some components of this attack may have been very poorly detected by antivirus tools, if any of the recipients were incautious enough to have clicked through to the fake panel. Also, many of the domains used in this malware attack have long been associated with ZeuS Trojan activity. According to a reverse WHOIS lookup ordered from domaintools.com, the email address has been used to register more than 1,100 domains (CSV), including a large number with a very colorful history.
Assuming this is a trap, it would not be the first time malware purveyors have sought to trick security researchers with fake exploit pack administration panels. In 2010, noted botnet researcher Brett Stone-Gross wrote about another Zeus Trojan attack that hid behind a phony administrative exploit kit panel with fake victim statistics.