September 5, 2012 By Dancho Danchev

Intuit themed ‘QuickBooks Update: Urgent’ emails lead to Black Hole exploit kit

It didn’t take long before the cybercriminals behind the recently profiled ‘Intuit Marketplace’ themed campaign resumed impersonating Intuit, with a newly launched round consisting of millions of Intuit themed emails.

The theme this time? Convincing users that in order to access QuickBooks they would have to install the non-existent Intuit Security Tool. In reality though, clicking on the links leads to a Black Hole exploit kit landing URL that ultimately drops malware on the affected hosts.

More details:

Screenshot of a sample spamvertised email:

Spamvertised malicious links: hxxp://; hxxp://; hxxp://

Client-side exploits serving URL: hxxp:// –;

Responding to are also the following client-side exploits serving domains:

Name servers part of the campaign’s infrastructure: –; –

Upon successful client-side exploitation, the campaign drops MD5: f621be555dc94a8a370940c92317d575 – detected by 33 out of 42 antivirus scanners as Trojan.Win32.Buzus.lzeq; Worm:Win32/Cridex.E.

Once executed, the sample phones back to We’ve already seen the same command and control IP used in the following previously profiled malicious campaigns:

Webroot SecureAnywhere users are proactively protected from these threats.

You can find more about Dancho Danchev at his LinkedIn Profile. You can also follow him on Twitter.
