Spamvertised ‘Scan from a Hewlett-Packard ScanJet’ emails lead to client-side exploits and malware

by


Security researchers from Webroot have intercepted a currently spamvertised malicious campaign, impersonating Hewlett Packard, and enticing end and corporate users into downloading and viewing a malicious .htm attachment.

More details:

Subject: Re: Scan from a Hewlett-Packard ScanJet [random number]
Message: Attached document was scanned and sent to you using a Hewlett-Packard NetJet 730918SL. SENT BY : ANISSA PAGES : 5 FILETYPE: .HTM [Internet Explorer File]
Original attachment: HP_Jet_26_P2184.zip
Malicious iFrame embedded within the .htm attachment: hxxp://superproomgh.ru:8080/navigator/jueoaritjuir.php

The malicious .htm has a very low detection rate, and is currently detected as JS/Kryptik.SA!tr and Mal/Iframe-AE.

Client-side exploits serving structure:
hxxp://superproomgh.ru:8080/navigator/jueoaritjuir.php
hxxp://superproomgh.ru:8080/navigator/fsytklfwiqbz.jar
hxxp://superproomgh.ru:8080/navigator/hmfngpdshsknblc.jar
hxxp://superproomgh.ru:8080/navigator/alisgtypezfq1.pdf

The client-side exploits serving domain superproomgh.ru is currenly fast-fluxed, namely it’s responding to multiple, dynamically changing IP addresses in an attempt by the cybercriminals behind the campaingn, to make it harder for vendors and researchers to take it down.

The campaign is attempting to exploit the “Libtiff integer overflow in Adobe Reader and Acrobat” vulnerability, also known as CVE-2010-0188 in an attempt to drop the following MD5 on the exploited hosts - MD5: 20de62566248864be3b0e413b332d731 currently detected as Win32:Sirefef-RV [Drp], Trojan.Generic.KDV.582649, HEUR:Trojan.Win32.Generic, or PWS-Zbot.gen.hv.

Webroot security researchers will continue monitoring this campaign to ensure that Webroot SecureAnywhere customers are protected from this threat.

You can find more about Dancho Danchev at his LinkedIn Profile. You can also follow him on  Twitter.


Trackbacks

  1. [...] Spamvertised ‘Scan from a Hewlett-Packard ScanJet’ emails lead to client-side exploits and malwa… [...]

  2. [...] last time we intercepted and profiled a similar campaign, was in March 2012. Back then, the malicious domains were [...]

  3. [...] millions of emails attempting to trick end users into thinking that they’ve received a scanned document. Upon clicking on the links found in these emails, or viewing the malicious .html attachment, users [...]