Intuit themed ‘QuickBooks Update: Urgent’ emails lead to Black Hole exploit kit


It didn’t take long before the cybercriminals behind the recently profiled ‘Intuit Marketplace’ themed campaign resumed impersonating Intuit, with a newly launched round consisting of millions of Intuit themed emails.

The theme this time? Convincing users that in order to access QuickBooks they would have to install the non-existent Intuit Security Tool. In reality though, clicking on the links points to a Black Hole exploit kit landing URL that ultimately drops malware on the affected hosts.

More details:

Screenshot of a sample spamvertised email:

Spamvertised malicious links: hxxp://kriskemp.com/intsec.html; hxxp://news-blogtv.ru/wp-content/uploads/fgallery/updint.html; hxxp://vedrunag.pangea.org/updint.html

Client-side exploit-serving URL: hxxp://roadmateremove.org/main.php?page=9bb4aab85fa703f5 - 89.248.231.122; 208.91.197.27

The following client-side exploit-serving domains also resolve to 89.248.231.122:
restoreairpowered.net
voodoopics.net
buildyoursafelist.net

Name servers part of the campaign’s infrastructure:
ns1.chemrox.net – 208.91.197.27; 173.234.9.17
ns2.chemrox.net – 7.25.179.23

Upon successful client-side exploitation, the campaign drops MD5: f621be555dc94a8a370940c92317d575 – detected by 33 out of 42 antivirus scanners as Trojan.Win32.Buzus.lzeq; Worm:Win32/Cridex.E.

Once executed, the sample phones back to 87.120.41.155:8080/mx5/B/in. We’ve already seen the same command and control IP used in the following previously profiled malicious campaigns:

Webroot SecureAnywhere users are proactively protected from these threats.
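As an added example (not part of the original post), the indicators listed above can be turned into a small proxy-log sweep: it flags hosts from the campaign's domain and IP lists, the Black Hole landing pattern (`main.php?page=` followed by 16 hex characters) and the Cridex check-in path. The four-field log format and the sample lines are constructed for the example.

```python
import re
from typing import Dict, List

# Indicators as listed in the post above.
CAMPAIGN_DOMAINS = {
    "kriskemp.com", "news-blogtv.ru", "vedrunag.pangea.org",   # spamvertised links
    "roadmateremove.org", "restoreairpowered.net",              # exploit-serving hosts
    "voodoopics.net", "buildyoursafelist.net",
    "ns1.chemrox.net", "ns2.chemrox.net",                       # name servers
}
CAMPAIGN_IPS = {"89.248.231.122", "208.91.197.27", "173.234.9.17",
                "7.25.179.23", "87.120.41.155"}

# Black Hole landing URL shape from the post: main.php?page=<16 hex chars>.
BLACKHOLE_LANDING = re.compile(r"/main\.php\?page=[0-9a-f]{16}\b")
# Cridex command-and-control check-in from the post.
CRIDEX_C2 = re.compile(r"87\.120\.41\.155:8080/mx5/B/in")

# Assumed (constructed) proxy log format: "<timestamp> <src_ip> <dst_host[:port]> <url>"
LOG_LINE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")

def classify(line: str) -> List[str]:
    """Return the campaign indicators a single proxy log line matches (empty if clean)."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return []
    _ts, _src, dst, url = m.groups()
    host = dst.split(":")[0]          # drop the port before matching hosts
    hits = []
    if host in CAMPAIGN_DOMAINS:
        hits.append(f"domain:{host}")
    if host in CAMPAIGN_IPS:
        hits.append(f"ip:{host}")
    if BLACKHOLE_LANDING.search(url):
        hits.append("blackhole-landing")
    if CRIDEX_C2.search(url):
        hits.append("cridex-c2")
    return hits

def scan(log: str) -> Dict[str, List[str]]:
    """Map each matching log line to its indicators; clean lines are omitted."""
    return {ln: h for ln in log.splitlines() if (h := classify(ln))}

# Constructed sample log: three lines that follow the infection chain, one benign line.
SAMPLE_LOG = """\
2012-06-12T09:01:02 10.0.0.15 kriskemp.com http://kriskemp.com/intsec.html
2012-06-12T09:01:05 10.0.0.15 roadmateremove.org http://roadmateremove.org/main.php?page=9bb4aab85fa703f5
2012-06-12T09:01:40 10.0.0.15 87.120.41.155:8080 http://87.120.41.155:8080/mx5/B/in
2012-06-12T09:02:00 10.0.0.21 example.com http://example.com/index.html
"""

if __name__ == "__main__":
    for line, hits in scan(SAMPLE_LOG).items():
        print(hits, "<-", line)
```

Seeing the landing-page hit followed by the C2 check-in from the same source address is the sequence worth escalating, since it indicates the drop succeeded rather than just a click on the spam link.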

You can find more about Dancho Danchev at his LinkedIn Profile. You can also follow him on Twitter.

