Ongoing ‘LinkedIn Invitation’ themed campaign serving client-side exploits and malware

by


Remember the ‘LinkedIn Invitations’ themed malware campaign which I profiled in March, 2012?

A few hours, ago, the cybercriminals behind it launched another round of malicious emails to millions of end and corporate users.

More details:

Once the user clicks on the link (hxxp://hseclub.net/main.php?page=d72ac4be16dd8476), a client-side exploit, CVE-2010-1885 in particular, will attempt to drop the  following MD5 on the affected host, MD5: 66dfb48ddc624064d21d371507191ff0

Upon execution the sample attempts to connect to the following hosts:

  • janisjhnbdaklsjsad.ru:443 with user janisjhnbdaklsjsad.ru and password janisjhnbdaklsjsad.ru – 91.229.91.73, AS50939, SPACE-AS
  • sllflfjsnd784982ncbmvbjh434554b3.ru – 91.217.162.42, AS29568, COMTEL-AS
  • kamperazonsjdnjhffaaaae38.ru – 91.217.162.42, AS29568, COMTEL-AS
  • iiioioiiiiooii2iio1oi.ru – 91.217.162.42, AS29568, COMTEL-AS

Another malware with MD5: 4b1fce0f9a8abdcb7ac515d382c55013 is known to have used one of these C&C domains in the past, janisjhnbdaklsjsad.ru in particular.

Webroot SecureAnywhere users are protected from this threat.

You can find more about Dancho Danchev at his LinkedIn Profile. You can also follow him on  Twitter.


Trackbacks

  1. [...] Remember the LinkedIn exploits and malware serving campaigns which I profiled in March, and May? [...]