Spamvertised ‘Pizzeria Order Details’ themed campaign serving client-side exploits and malware


End and corporate users (and especially Pizza eaters), beware!

Cybercriminals are currently spamvertising hundreds of thousands of emails impersonating FLORENTINO's Pizzeria, enticing users into clicking on a link that serves client-side exploits and malware, supposedly in order to cancel a $169.90 order that they never made.

More details:

Once the user clicks on the link, they will be redirected to a compromised site serving client-side exploits and ultimately dropping multiple malicious binaries on their hosts upon a successful infection.

Malicious URL: hxxp://oldsoccer.it/page1.htm?RANDOM_STRINGS

Client-side exploits used: CVE-2010-0188 and CVE-2012-0507

The malicious URL contains a tiny iFrame pointing to the fast-fluxed domain uiwewsecondary.ru:8080/internet/fpkrerflfvd.php where the client-side exploitation takes place.
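The "tiny iframe" handoff described above is the part of the chain a defender can catch at the content layer before any exploit runs. The following script is an added example (not code from the post or from Webroot) that walks the iframes of a page and flags those that are near-invisible or hidden by inline style, recording a non-standard port or off-site destination as extra context. The sample HTML is constructed for this example and only borrows the exploit-kit URL named in the post; the rest of the markup is an assumption.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample of a compromised landing page for this example (not the real
# oldsoccer.it content): one ordinary embedded frame and one 1x1 frame whose src is
# the exploit-kit URL named in the post.
SAMPLE_HTML = """
<html><body>
<h1>Latest results</h1>
<iframe src="http://example.com/widget" width="600" height="400"></iframe>
<iframe src="http://uiwewsecondary.ru:8080/internet/fpkrerflfvd.php" width="1" height="1" frameborder="0"></iframe>
</body></html>
"""


def _px(value):
    """Parse a width/height attribute to an int; None when absent or not a plain pixel value."""
    if value is None:
        return None
    try:
        return int(str(value).strip().lower().rstrip("px"))
    except ValueError:
        return None


class IframeCollector(HTMLParser):
    """Collects every <iframe> start tag with its src, declared size and inline style."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "iframe":
            return
        a = dict(attrs)
        self.iframes.append({
            "src": a.get("src") or "",
            "width": _px(a.get("width")),
            "height": _px(a.get("height")),
            "style": (a.get("style") or "").replace(" ", "").lower(),
        })


def find_suspicious_iframes(html, page_host=None, max_dim=2):
    """Return iframes that are tiny (either dimension <= max_dim) or hidden by inline style.

    Each hit carries the frame's host/port and the reasons it was flagged. An off-site
    destination or a non-standard port is recorded as context, not as a trigger on its own,
    since plenty of legitimate pages embed third-party frames.
    """
    parser = IframeCollector()
    parser.feed(html)
    hits = []
    for f in parser.iframes:
        tiny = any(d is not None and d <= max_dim for d in (f["width"], f["height"]))
        hidden = "display:none" in f["style"] or "visibility:hidden" in f["style"]
        if not (tiny or hidden):
            continue
        u = urlparse(f["src"])
        reasons = ["tiny"] if tiny else []
        if hidden:
            reasons.append("hidden")
        if u.port not in (None, 80, 443):
            reasons.append("non-standard-port")
        if page_host and u.hostname and u.hostname.lower() != page_host.lower():
            reasons.append("off-site")
        hits.append({"src": f["src"], "host": u.hostname, "port": u.port, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_iframes(SAMPLE_HTML, page_host="oldsoccer.it"):
        print(f"{hit['host']}:{hit['port']} {hit['src']} -> {', '.join(hit['reasons'])}")
```

Run against the sample, only the 1x1 frame is reported, with "tiny", "non-standard-port" and "off-site" as reasons; the 600x400 third-party frame is left alone. Width and height values that are not plain pixel numbers (percentages, CSS units) are treated as unknown rather than as tiny, so the check errs toward silence on odd markup.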

The redirection chain is as follows:

uiwewsecondary.ru:8080/internet/fpkrerflfvd.php -> uiwewsecondary.ru:8080/internet/itbzewhqgrkv.jar -> uiwewsecondary.ru:8080/internet/xrcnenbmdpfzfpx.jar -> uiwewsecondary.ru:8080/internet/kqbzaubpiqxnbn.pdf -> poluicenotgo.ru:8080/internet/at.php?i=8

The Russian domains are fast-fluxed by the cybercriminals in an attempt to make it harder for security researchers and vendors to take down their campaign. We’ve seen a similar fast-flux technique applied in the following campaign – “Spamvertised ‘Your tax return appeal is declined’ emails serving client-side exploits and malware”.

Upon successful exploitation, the campaign drops the following binary on the infected hosts: MD5: 03d874abaaca02b090372eee2d090dc0, detected as Trojan.Generic.KDV.602078; Troj/Agent-VSS.

What happens once the dropped binary executes? Basically, it phones back to the following domains/URLs:

  • dare2dreamz.com/pony/gate.php
  • cityweddingguide.com
  • dynolite.eu
  • abbott.u4ria.co.za
  • demircioglubilgisayar.com.tr

It also downloads more malicious binaries from the following compromised URLs:

  • dynolite.eu/7U0ASvP9/AZz.exe
  • abbott.u4ria.co.za/HGFg1RHz/MkiZMX.exe
  • demircioglubilgisayar.com.tr/qy3kMMxv/VgWqQm4k.exe

All the binaries are identical and have the following MD5: 97d8f1fa11c86befa069845ffaf818db, currently detected as TrojWare.Win32.Kryptik.ADXK by 7 out of 42 antivirus scanners.
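The indicators above (landing page, exploit-kit host, dropper URL, phone-home domains, secondary download URLs and the two MD5s) are most useful when they are turned into a triage sweep that tells you how far each internal host got down the chain. The script below is an added example, not code from the post or from Webroot: it classifies proxy-log URLs by campaign stage using only the indicators the post lists, reports the deepest stage each client reached, and matches an endpoint hash inventory against the two MD5s. The log line format and the sample log and inventory entries are constructed for this example.

```python
from collections import defaultdict
from urllib.parse import urlparse

# Campaign stages in the order the post describes the infection chain.
STAGES = ["landing", "exploit-kit", "dropper", "c2", "payload"]

# Indicators from the post: (stage, host, port or None = any port, path prefix or None = any path).
# A more specific rule for a host must come before the generic rule for that host.
URL_RULES = [
    ("landing",     "oldsoccer.it",                 None, "/page1.htm"),
    ("exploit-kit", "uiwewsecondary.ru",            8080, "/internet/"),
    ("dropper",     "poluicenotgo.ru",              8080, "/internet/at.php"),
    ("c2",          "dare2dreamz.com",              None, "/pony/gate.php"),
    ("c2",          "cityweddingguide.com",         None, None),
    ("payload",     "dynolite.eu",                  None, "/7U0ASvP9/AZz.exe"),
    ("c2",          "dynolite.eu",                  None, None),
    ("payload",     "abbott.u4ria.co.za",           None, "/HGFg1RHz/MkiZMX.exe"),
    ("c2",          "abbott.u4ria.co.za",           None, None),
    ("payload",     "demircioglubilgisayar.com.tr", None, "/qy3kMMxv/VgWqQm4k.exe"),
    ("c2",          "demircioglubilgisayar.com.tr", None, None),
]

# MD5s from the post, mapped to the detection names it lists.
KNOWN_MD5 = {
    "03d874abaaca02b090372eee2d090dc0": "dropper (Trojan.Generic.KDV.602078 / Troj/Agent-VSS)",
    "97d8f1fa11c86befa069845ffaf818db": "secondary binary (TrojWare.Win32.Kryptik.ADXK)",
}


def classify_url(url):
    """Return the campaign stage a URL belongs to, or None if it matches no indicator."""
    u = urlparse(url)
    host = (u.hostname or "").lower()
    for stage, rule_host, rule_port, rule_path in URL_RULES:
        if host != rule_host:
            continue
        if rule_port is not None and u.port != rule_port:
            continue
        if rule_path is not None and not u.path.startswith(rule_path):
            continue
        return stage
    return None


def sweep_proxy_log(lines):
    """Map each client IP to the set of campaign stages it touched.

    Constructed log format, an assumption for this example:
    "<timestamp> <client> <method> <url> <status>".
    """
    stages_by_client = defaultdict(set)
    for line in lines:
        parts = line.split()
        if len(parts) < 5:
            continue  # skip malformed lines rather than abort the whole sweep
        client, url = parts[1], parts[3]
        stage = classify_url(url)
        if stage:
            stages_by_client[client].add(stage)
    return dict(stages_by_client)


def furthest_stage(stages):
    """Deepest stage reached: 'landing' alone suggests the exploit was blocked, 'c2' or 'payload' means compromise."""
    return max(stages, key=STAGES.index)


def check_hashes(inventory):
    """inventory: {path: md5 hex}. Return {path: description} for files matching the post's MD5s."""
    return {path: KNOWN_MD5[h.lower()] for path, h in inventory.items() if h.lower() in KNOWN_MD5}


# Constructed proxy log lines for this example (sample data, not real traffic).
SAMPLE_LOG = [
    "2012-11-20T10:01:02Z 10.0.0.5 GET http://oldsoccer.it/page1.htm?ab12cd 200",
    "2012-11-20T10:01:03Z 10.0.0.5 GET http://uiwewsecondary.ru:8080/internet/fpkrerflfvd.php 200",
    "2012-11-20T10:01:04Z 10.0.0.5 GET http://uiwewsecondary.ru:8080/internet/itbzewhqgrkv.jar 200",
    "2012-11-20T10:01:05Z 10.0.0.5 GET http://uiwewsecondary.ru:8080/internet/kqbzaubpiqxnbn.pdf 200",
    "2012-11-20T10:01:06Z 10.0.0.5 GET http://poluicenotgo.ru:8080/internet/at.php?i=8 200",
    "2012-11-20T10:02:10Z 10.0.0.5 POST http://dare2dreamz.com/pony/gate.php 200",
    "2012-11-20T10:02:15Z 10.0.0.5 GET http://dynolite.eu/7U0ASvP9/AZz.exe 200",
    "2012-11-20T10:05:00Z 10.0.0.7 GET http://oldsoccer.it/page1.htm?zz99 200",
    "2012-11-20T10:06:00Z 10.0.0.9 GET http://example.com/index.html 200",
]

# Constructed endpoint hash inventory (sample data, not real hosts or files).
SAMPLE_INVENTORY = {
    r"C:\Users\alice\AppData\Local\Temp\order.exe": "03D874ABAACA02B090372EEE2D090DC0",
    r"C:\Windows\notepad.exe": "00000000000000000000000000000000",
}

if __name__ == "__main__":
    for client, stages in sweep_proxy_log(SAMPLE_LOG).items():
        print(client, "reached", furthest_stage(stages), "via", sorted(stages, key=STAGES.index))
    for path, desc in check_hashes(SAMPLE_INVENTORY).items():
        print("hash match:", path, "->", desc)
```

On the sample data, 10.0.0.5 is reported as having reached the payload stage and needs isolation, 10.0.0.7 only touched the landing page and is a candidate for a "was the exploit blocked?" check, and 10.0.0.9 never appears. The exploit-kit rule keys on port 8080 as well as the host, because the post gives that port for every fast-fluxed URL in the chain; a fresh IP for the same domain name still matches, which is the point of keying on names rather than addresses for a fast-flux campaign.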

Webroot SecureAnywhere customers are proactively protected from this threat.

You can find more about Dancho Danchev at his LinkedIn Profile. You can also follow him on Twitter.
