BancorpSouth Customers are Blackhole Target
Early this morning we began seeing a massive influx of messages attempting to trick customers of BancorpSouth Bank into installing malware on their computers. BancorpSouth is a rather large company with somewhere between 250 and 300 locations throughout Alabama, Arkansas, Florida, Louisiana, Mississippi, Missouri, Tennessee and Texas. Despite BancorpSouth’s ample footprint in these southern states, it is a bit odd to see such a large campaign aimed at a relatively small target audience. The group responsible for sending these messages has been very focused in the past few weeks and is keeping its social engineering tactics fresh, which could explain why it is targeting a smaller bank chain. At any rate, we have seen a wide variety of social engineering tactics in previous iterations of this campaign over the past few weeks, with the email sender and subject matter changing multiple times within a 24-hour period.
As many malicious email messages do, these pose as a security-related notice. They inform BancorpSouth customers that their password has expired and requires updating, and of course they provide a link aptly titled “our secure link for Expired Passwords”.
Here is a look at the message body:
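The original post shows a screenshot of the message at this point. As an added example that is not part of the original post, the following script builds a constructed message in the same shape (expired-password lure, branded sender, off-brand link) and runs the two checks a mail gateway would apply to it: does every link resolve to a domain the claimed brand actually uses, and does the body carry credential-expiry lure phrasing. The sample messages, the `BRAND_DOMAINS` allow-list and the `LURE_PHRASES` list are all assumptions made for this example; the link host `update-login.example.net` is a placeholder, not a domain from the campaign.

```python
import email
import re
from urllib.parse import urlparse

# Constructed sample messages (not the actual lure from the campaign), shaped
# like the "expired password" notice described above.
SAMPLE_PHISH = """\
From: BancorpSouth Online Banking <security@bancorpsouth.com>
To: customer@example.com
Subject: Your online banking password has expired
Content-Type: text/html; charset=utf-8

<html><body>
<p>Dear customer, your password has expired and requires updating.</p>
<p>Please use <a href="http://update-login.example.net/bcs/index.php">our secure link for Expired Passwords</a>.</p>
</body></html>
"""

SAMPLE_LEGIT = """\
From: BancorpSouth Online Banking <alerts@bancorpsouth.com>
To: customer@example.com
Subject: Your monthly statement is ready
Content-Type: text/html; charset=utf-8

<html><body><p>Your statement is available at
<a href="https://www.bancorpsouth.com/statements">bancorpsouth.com</a>.</p></body></html>
"""

# Brand keyword -> domains the brand legitimately links to (assumed list for this example).
BRAND_DOMAINS = {
    "bancorpsouth": {"bancorpsouth.com"},
}

# Phrases typical of credential-expiry lures (assumed list for this example).
LURE_PHRASES = (
    "password has expired",
    "expired password",
    "requires updating",
    "verify your account",
)

HREF_RE = re.compile(r'href=["\']([^"\']+)["\']', re.IGNORECASE)


def registered_domain(host):
    """Crude registrable domain (last two labels); adequate for .com/.net hosts."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def claimed_brand(msg, body):
    """Return the brand the message claims to be from, judged by From header and body."""
    haystack = (str(msg.get("From", "")) + " " + body).lower().replace(" ", "")
    for brand in BRAND_DOMAINS:
        if brand in haystack:
            return brand
    return None


def analyze(raw):
    """Classify one raw RFC 5322 message as clean, suspicious or quarantine."""
    msg = email.message_from_string(raw)
    payload = msg.get_payload(decode=True) or b""
    body = payload.decode("utf-8", "replace")
    text = body.lower()

    brand = claimed_brand(msg, body)
    hosts = [urlparse(link).hostname or "" for link in HREF_RE.findall(body)]
    # Any link whose registrable domain is not on the brand's allow-list.
    mismatched = [h for h in hosts
                  if brand and registered_domain(h) not in BRAND_DOMAINS[brand]]
    lures = [p for p in LURE_PHRASES if p in text]

    if brand and mismatched and lures:
        verdict = "quarantine"      # brand impersonation plus credential lure
    elif brand and mismatched:
        verdict = "suspicious"      # off-brand link but no obvious lure text
    else:
        verdict = "clean"

    return {
        "brand": brand,
        "link_hosts": hosts,
        "mismatched_hosts": mismatched,
        "lure_phrases": lures,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for name, raw in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(name, analyze(raw))
```

The link/brand mismatch is the check that survives the sender and subject rotation the post describes: the lure text and From line change between waves, but the link still has to point somewhere the bank does not own.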
Clicking this link begins a series of redirects that ultimately lead to the installation of malware via exploits served by the ever-popular Blackhole toolkit. This one uses the Java exploit detected as Java/CVE-2012-0507.BB. The underlying vulnerability is an issue in the deserialization of "AtomicReferenceArray" objects that allows remote attackers to call system-level Java functions without proper sandboxing, via the ClassLoader of a constructor that is being deserialized. In practice this means the exploit can perform actions it would not normally have permission for. Once in place, the payload behaves like a typical Trojan: reading cookies and history, modifying browser proxy settings and browser network configuration, sleeping and waking, and so on. It also checks whether it is being run in a debugger and terminates itself if one is detected. In addition, the senders appear to be using fast flux to change the IPs from which the payload is pulled down.
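Fast flux leaves a characteristic trace in DNS: a payload host that resolves to many different addresses across unrelated networks, with short TTLs, so that the answer set changes between consecutive lookups. The script below, an added example rather than anything from the original post, scores constructed resolution logs on exactly those three features. The observations, the domain names and the thresholds (`MIN_DISTINCT_IPS`, `MAX_TTL`, `MIN_DISTINCT_PREFIXES`) are assumptions for illustration; the addresses are documentation ranges and none belongs to the campaign.

```python
from collections import defaultdict
from ipaddress import ip_network

# Constructed DNS resolution log: (seconds since start, domain, TTL, A records).
# Addresses are documentation ranges; domains and values are made up for this example.
OBSERVATIONS = [
    (0,    "payload-host.example", 300, ["198.51.100.10", "203.0.113.7",  "192.0.2.55"]),
    (300,  "payload-host.example", 300, ["198.51.100.11", "203.0.113.90", "192.0.2.200"]),
    (600,  "payload-host.example", 180, ["198.51.100.12", "203.0.113.91", "100.64.0.9"]),
    (900,  "payload-host.example", 180, ["203.0.113.92",  "100.64.0.10",  "192.0.2.56"]),
    (0,    "static-cdn.example",  3600, ["198.51.100.20", "198.51.100.21"]),
    (3600, "static-cdn.example",  3600, ["198.51.100.20", "198.51.100.21"]),
    (7200, "static-cdn.example",  3600, ["198.51.100.21", "198.51.100.20"]),
]

# Thresholds are assumptions for this example, not values from the post.
MIN_DISTINCT_IPS = 6
MAX_TTL = 600
MIN_DISTINCT_PREFIXES = 3


def prefix16(ip):
    """Collapse an address to its /16 as a cheap stand-in for 'different network'."""
    return str(ip_network(f"{ip}/16", strict=False))


def summarize(observations):
    """Per-domain flux features and a verdict: 'fast-flux-like' or 'stable'."""
    per_domain = defaultdict(list)
    for ts, domain, ttl, addrs in observations:
        per_domain[domain].append((ts, ttl, frozenset(addrs)))

    results = {}
    for domain, rows in per_domain.items():
        rows.sort()
        ips = set().union(*(r[2] for r in rows))
        prefixes = {prefix16(ip) for ip in ips}
        min_ttl = min(r[1] for r in rows)
        # Churn: fraction of consecutive lookups whose answer set changed.
        changes = sum(1 for a, b in zip(rows, rows[1:]) if a[2] != b[2])
        churn = changes / (len(rows) - 1) if len(rows) > 1 else 0.0
        flux = (len(ips) >= MIN_DISTINCT_IPS
                and min_ttl <= MAX_TTL
                and len(prefixes) >= MIN_DISTINCT_PREFIXES)
        results[domain] = {
            "distinct_ips": len(ips),
            "distinct_prefixes": len(prefixes),
            "min_ttl": min_ttl,
            "churn": churn,
            "verdict": "fast-flux-like" if flux else "stable",
        }
    return results


if __name__ == "__main__":
    for domain, summary in summarize(OBSERVATIONS).items():
        print(domain, summary)
```

The /16 grouping is deliberately crude; a production detector would map addresses to ASNs, since a legitimate CDN also rotates addresses but tends to stay within a few networks, which is why the prefix count is required in addition to the address count and TTL.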
This email campaign is rather large, with the malicious links currently hosted on over 100 different domains. By 10 am we had quarantined just over 1 million of these messages.