June 15, 2012 By Dancho Danchev

Spamvertised ‘Your Paypal Ebay.com payment’ emails serving client-side exploits and malware

Remember the ‘Your Amazon.com order confirmation’ client-side exploits and malware serving campaign which I profiled earlier this week?

It appears that the gang behind it is back with another campaign, this time impersonating PayPal. For the time being, another round consisting of millions of malicious emails is circulating in the wild, enticing end and corporate users into clicking on malicious links found in the emails.

More details:

Screenshots of the spamvertised emails:

Upon clicking on the link, users are exposed to the following page:

In the background, the malicious script loads and performs several redirections until exposing the user to the malicious payload.

Sample compromised URls participating in the campaingn: hxxp://communityrootsfood.org/wp-content/themes/aesthete/post.htmlhxxp://kopma.stikom.edu/wp-content/themes/kopmaNewWordpress1000px/post.html

both of these URls redirect to hxxp://kidwingz.net/main.php?page=614411383eef8d97. Surprise, surprise, we’ve already seen this malicious URL in the ‘Your Amazon.com order confirmation’ client-side exploits and malware serving campaign profiled earlier this week.

Upon successful client-side exploitation, the campaign drops the following MD5, MD5: 49f91a1597bc4dd25d3d23302125dae7 – detected by 8 out of 42 antivirus scanners as PWS-Zbot.gen.xs; W32/Injector.AQSI

Upon execution, the sample creates a new file on the system – %AppData%KB00121600.exe – MD5: 49F91A1597BC4DD25D3D23302125DAE7 – detected by 27 out of 42 antivirus scanners as Trojan-Dropper.Win32.Dapato.bigc

It also phones back to the same C&C server used in the ‘Your Amazon.com order confirmation’ campaign, namely, hxxp://85.214.204.32:8080/zb/v_01_b/in/

Webroot SecureAnywhere users are proactively protected from this threat. We predict that we’re going to see more brands systematically impersonated by the same gang, in an attempt to serve malware through exploitation of client-side vulnerabilities.

You can find more about Dancho Danchev at his LinkedIn Profile. You can also follow him on  Twitter.

Share Button

Trackbacks

  1. […] is the second PayPal/eBay themed malicious campaigns that we’ve intercepted and profiled in recent months. We predict that due to the obvious high […]

  2. […] Spamvertised ‘Your Paypal Ebay.com payment’ emails serving client-side exploits and malware […]

true