We recently spotted what seemed to be another spam campaign, yet a deeper investigation revealed something more sinister.

In this case, the chain of infection usually begins with a file named: “iodex.php”.

A simple google search for inurl:“iodex.php” returned the following results:

pic 1

Other files, including “lagins.php”, “foq.php” and “cigarettesdd.php” were spotted as well.
The cigarette motif is distinctive – both the headlines presented on Google and the content of the webpages relate to the topic.

The infected webpages also contain links referring to other related websites.

However, as you can see the domain names – in this case, clinicmateos.com and targetplus.cz – have nothing to do with smoking.

pic 2

This infected page contains an obfuscated JavaScript, which is untypically located at the top of the page above the opening HTML tag.
If the victim is referred to the webpage by Google, Yahoo, AOL or Bing, the JavaScript redirects the browser to www.npsmoking[.]com.

pic 3
   
pic 4

The webpage www.npsmoking[.]com looks like an online cigarette shop but is in fact a scam!

pic 5

Other infected webpages redirect victims to other scam URLs, all registered by the email address christjames@hotmail.com.
The full list of scam URLs appears at the end of this post.

At this point, the findings still lead us to believe that this is a spam campaign.
However, the investigation soon revealed that victims of this scam are redirected to the notorious Angler Exploit Kit Landing Page.9

In addition to redirecting to www.npsmoking[.]com, the infected webpages also contain an embedded flash file.
This file starts a redirection chain which ends with an Angler Exploit Kit Landing Page.
This redirection pattern is a well-known redirector to the Angler Exploit Kit, known as EITest.

fig 6

 

As demonstrated in Figure 7 below, the flash creates a GET request to a page that redirects the browser to a typical Angler Exploit Kit URL.

pic 7

An examination of the page content confirms that it is indeed an Angler Exploit Kit Landing Page.

pic 8
 

The landing page downloads a malicious executable file.
In this case, like many others, we identified the payload as TeslaCrypt ransomware (MD5: 20fa128ac755bbb494cab3bdcc0c293b).
According to VirusTotal, at the time of infection, the file has been classified as malicious by only three security vendors.

pic 9
  
pic 10
    
 
pic 11
 

Check Point Protections

Check Point protects its customers against all known variants of the threat at each stage of the infection chain. The protections relevant to this campaign are:

  • Anti-Virus
    • Angler Exploit Kit landing pages
    • TeslaCrypt hashes
    • TeslaCrypt download pages
  • Anti Bot
    • TeslaCrypt C&C domains
    • TeslaCrypt network signatures
      (Trojan-Ransom.Win32.TeslaCrypt.A-E; Trojan.Win32.Teslacrypt.A-B)
  • IPS
    • Angler Exploit Kit Redirection
    • Angler Exploit Kit Landing Page
    • Angler Exploit Kit Landing Page URL
    • Angler Exploit Kit Landing Page Patterns
  • SandBlast Threat Emulation
    • TeslaCrypt hash file has been identified by Threat Emulation blade as malicious

Domains registered to christjames@hotmail.com:

  • npsmoking[.]com
  • usacigscoupons[.]com
  • wholesaleusacigarettes[.]com
  • buyusacigs[.]com
  • onlinewholesalecigarettes[.]com
  • newportandmarlborosale[.]com
  • smokingscigarettes[.]com
  • cigarettesonshop[.]com
  • parliamentcigarettesonline[.]com
  • wholesalecheapcigarettes[.]com
  • cheapcigarettescoupons[.]com
  • cigarettesstoreonline[.]com
  • cigars-home[.]com
  • cigarettestypes[.]com
  • cheapusacigaretteswholesale[.]com
  • cigarettesforonline[.]com
  • bestcigarettes2014[.]com
  • usa-newports[.]com
  • sale-cigarettes[.]com
  • cigarettesnewports[.]com
  • shoptobaccoonline[.]com
  • onlinecheapcigarettestore[.]com
  • kentcigarettes[.]us
  • winstoncigarettes[.]us