Intuit themed ‘QuickBooks Update: Urgent’ emails lead to Black Hole exploit kit

It didn’t take long before the cybercriminals behind the recently profiled ‘Intuit Marketplace’ themed campaign resumed impersonating Intuit, this time with a newly launched round consisting of millions of Intuit themed emails.

The theme this time? Convincing users that in order to access QuickBooks they would have to install the non-existent Intuit Security Tool. In reality, clicking on the links leads to a Black Hole exploit kit landing URL that ultimately drops malware on the affected hosts.

More details:

Screenshot of a sample spamvertised email:

Spamvertised malicious links: hxxp://kriskemp.com/intsec.html; hxxp://news-blogtv.ru/wp-content/uploads/fgallery/updint.html; hxxp://vedrunag.pangea.org/updint.html

Client-side exploits serving URL: hxxp://roadmateremove.org/main.php?page=9bb4aab85fa703f5 - 89.248.231.122; 208.91.197.27

The following client-side exploit serving domains also resolve to 89.248.231.122:
restoreairpowered.net
voodoopics.net
buildyoursafelist.net

Name servers part of the campaign’s infrastructure:
ns1.chemrox.net – 208.91.197.27; 173.234.9.17
ns2.chemrox.net – 7.25.179.23

Upon successful client-side exploitation, the campaign drops MD5: f621be555dc94a8a370940c92317d575 – detected by 33 out of 42 antivirus scanners as Trojan.Win32.Buzus.lzeq; Worm:Win32/Cridex.E.

Once executed, the sample phones back to 87.120.41.155:8080/mx5/B/in. We’ve already seen the same command and control IP used in the following previously profiled malicious campaigns:
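As an added example (not part of the original post), the indicators listed above turned into a small proxy-log scanner: it normalises the defanged hxxp:// URLs, matches hosts and IPs exactly, and matches the Black Hole landing path and the sample’s C2 check-in path by pattern. The log format and the log lines are constructed for the example; the hex-id pattern for the landing page generalises the single URL in the post and is an assumption.

```python
import re
from urllib.parse import urlsplit

# Indicators taken from the write-up above; defanged "hxxp" is
# normalised to "http" before parsing.
CAMPAIGN_HOSTS = {
    "kriskemp.com", "news-blogtv.ru", "vedrunag.pangea.org",  # spamvertised links
    "roadmateremove.org", "restoreairpowered.net",            # exploit-serving
    "voodoopics.net", "buildyoursafelist.net",
    "ns1.chemrox.net", "ns2.chemrox.net",                     # name servers
}
CAMPAIGN_IPS = {"89.248.231.122", "208.91.197.27", "173.234.9.17",
                "7.25.179.23", "87.120.41.155"}
# Path patterns: Black Hole landing page (hex id generalised - an assumption)
# and the dropped sample's C2 check-in path.
PATH_PATTERNS = [
    ("blackhole_landing", re.compile(r"^/main\.php\?page=[0-9a-f]+$")),
    ("cridex_checkin", re.compile(r"^/mx5/B/in$")),
]

def classify_url(url):
    """Return the indicator hits for one URL (empty list if nothing matched)."""
    parts = urlsplit(url.replace("hxxp", "http", 1))
    host = (parts.hostname or "").lower()          # port is stripped here
    path = parts.path + ("?" + parts.query if parts.query else "")
    hits = []
    if host in CAMPAIGN_HOSTS or host in CAMPAIGN_IPS:
        hits.append(("ip:" if host in CAMPAIGN_IPS else "host:") + host)
    hits += ["path:" + name for name, pat in PATH_PATTERNS if pat.match(path)]
    return hits

# Constructed proxy log lines in the form "<client-ip> <method> <url> <status>"
SAMPLE_PROXY_LOG = """\
10.0.0.12 GET http://kriskemp.com/intsec.html 200
10.0.0.12 GET http://roadmateremove.org/main.php?page=9bb4aab85fa703f5 200
10.0.0.12 POST http://87.120.41.155:8080/mx5/B/in 200
10.0.0.23 GET http://example.com/index.html 200
"""

def scan_proxy_log(text):
    """Return (client, url, hits) for every line that touches an indicator."""
    findings = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue                                # skip malformed lines
        hits = classify_url(fields[2])
        if hits:
            findings.append((fields[0], fields[2], hits))
    return findings
```

The third sample line shows why the path pattern matters: a host-only match on the C2 IP would be lost once the operator moves the check-in to another address, while the `/mx5/B/in` path still fires.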

Webroot SecureAnywhere users are proactively protected from these threats.

You can find more about Dancho Danchev at his LinkedIn Profile. You can also follow him on Twitter.