Cybercriminals Hitchhike on the News of MH17 Crash

A few months after the case of the missing Malaysian Airlines Flight 370, the world was shocked again with another tragic news involving the crash of Malaysian Airlines 777 (also known as MH17) over Ukraine that killed nearly 300 passengers and crew members. As with past incidents, cybercriminals are quick to take advantage of the said tragedy that occurred last July 17, 2014.

During our investigation, just a few hours after Malaysian Airline tweeted at 23:36, July 17 “Malaysia Airlines has lost contact of MH17 from Amsterdam. The last known position was over Ukrainian airspace. More details to follow,” we came across some suspicious tweets written in Indonesian:

Figures 1-3: Screenshots of tweets pointing to malicious domains

It seems that the URLs are used in a kind of spam where the most talked about topic/hashtag in Twitter is gathered so that it can be easily searched by users. Once clicked by users, their URL count increases. The.TK URLs resolve to the following IPs:

72[dot]8[dot]190[dot]126
72[dot]8[dot]190[dot]39

Based on our analysis, these two IPs are verified to be webhosting/shared IP located in the US. The said IPs are mapped to multiple domains. Some of these domains are malicious while there are other legitimate normal domains hosting blogs. We surmise that this spam is for gaining hits/page views on their sites or ads.

On the other hand, the malicious domains associated with these IPs, are connected to a ZeuS variant detected as TSPY_ZBOT.VUH and SALITY malware. ZeuS/ZBOT are known information stealers while PE_SALITY is a malware family of file infectors that infect .SCR and .EXE files. Once systems are infected with this file infector, it can open their systems to other malware infections thus compromising their security.

Cybercriminals always ride the bandwagon of tragic news and incidents. In the past, we’ve seen several scams and threats that leveraged news of typhoon Haiyan, the Boston marathon, and 2011 tsunami/earthquake in Japan among others. We expect that as soon as more details of the MH17 crash unfolds, cybercriminals will launch other attacks that may possibly lead to personal information theft and system infection. Users are highly recommended to remain vigilant for threats that could leverage this news. Trend Micro protects users from such threats via its Smart Protection Network that blocks all-related malicious URLs and detects malicious files.

With analysis from Jon Oliver, Rhena Inocencio, Maersk Menrigue, and Arabelle Ebora

Update as of July 18, 2014, 4:05 P.M. PDT:

The tweets in question used the hashtag #MH17 which was the top trending hashtag on Twitter yesterday.

Post from: Trendlabs Security Intelligence Blog – by Trend Micro

Cybercriminals Hitchhike on the News of MH17 Crash