Over the past 24 hours, cybercriminals started spamvertising millions of emails impersonating the Federal Deposit Insurance Corporation (FDIC), in an attempt to trick businesses into installing a bogus and non-existent security tool promoted in the emails. Upon clicking on the links, users are exposed to the client-side exploits served by the Black Hole Exploit Kit.

More details:

Sample screenshot of the spamvertised FDIC impersonating email:

Once the user clicks on the malicious link, they are shown the following bogus “Page loading…” page, which is where the hidden redirection to the exploit kit takes place:

Screenshot of a sample of the JavaScript obfuscation used by the redirector:

Spamvertised malicious and compromised URLs: hxxp://jiuzehui.com/achsec.html; hxxp://www.incikolye.org/achsec.html; hxxp://luciledufresne.fr/secupd.html

Client-side exploits serving URL: hxxp://afgreenwich.net/main.php?page=0f123fe645ddf8d7 – 203.91.113.6 (AS24559)

We’ve already seen the same IP used in the recently profiled “Spamvertised ‘US Airways reservation confirmation’ themed emails serve exploits and malware” campaign. Clearly, the FDIC campaign is using the same malicious infrastructure as the US Airways themed campaign.

Client-side exploits served: CVE-2010-1885

Detection rate for a sample JavaScript redirector: MD5: b72226f67ec59f3c7a7f2b970f04272f – detected by 8 out of 42 antivirus scanners as JS:Trojan.Crypt.HM

Upon successful client-side exploitation, the campaign drops MD5: 3ce1ae2605aa800c205ef63a45ffdbfa – detected by 16 out of 42 antivirus scanners as Trojan-Ransom.Win32.Gimemo.aovu; W32.Cridex

Once executed, it attempts to phone back to 72.167.253.106:8080/mx/5/B/in (AS26496).

Responding to the same IP are also the following malicious command and control servers:
dentistbook.info
indianfirends.com
indianpolitics.com
insomniacporeed.ru

More malicious URLs are known to have responded to the same IP in the past, for instance:
hxxp://outsourcingtoindiablog.com/look.html
hxxp://outsourcingtoindiablog.com/top.html
hxxp://outsourcingtoindiablog.com/stream.html
hxxp://indianfirends.com/main.php?s=homepage.index
hxxp://indianpolitics.org/main.php?s=homepage.index&ss=5
hxxp://sabdekho.com/signal.html

More MD5s are known to have phoned back to the same IP in the past, for instance: MD5: 97974153c25baf5826bf441a8ab187a6 – detected by 16 out of 42 antivirus scanners as Trojan.Win32.Jorik.Zbot.fxq; Gen:Variant.Zusy.17989, and MD5: 9069210d0758b34d8ef8679f712b48aa – detected by 6 out of 42 antivirus scanners as Trojan.Winlock.6049; W32/Cridex.R
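The indicators above (spamvertised URLs, the exploit-serving URL, the C&C domains, the two IPs, the phone-home path and the four MD5s) are most useful when they are actually checked against outbound proxy logs and file hashes. The script below is an added example, not Webroot's or the author's code: it normalises the defanged “hxxp” indicators exactly as listed in this post, then scans proxy-log lines for exact URL hits, requests straight to the listed IPs (including the 72.167.253.106:8080/mx/5/B/in check-in), and any host that is one of the C&C domains or a subdomain of one. The log format and the sample log lines are constructed for the example and are not real traffic.

```python
"""Match proxy-log URLs and file hashes against the indicators listed in the post.

Added example (not Webroot's or the post author's code). Indicator values are
copied from the post; the log format and sample lines below are constructed.
"""
import re
from urllib.parse import urlparse

# Indicators as listed in the post, left defanged ("hxxp") exactly as published.
SPAMVERTISED_URLS = [
    "hxxp://jiuzehui.com/achsec.html",
    "hxxp://www.incikolye.org/achsec.html",
    "hxxp://luciledufresne.fr/secupd.html",
]
EXPLOIT_KIT_URLS = ["hxxp://afgreenwich.net/main.php?page=0f123fe645ddf8d7"]
HISTORICAL_URLS = [
    "hxxp://outsourcingtoindiablog.com/look.html",
    "hxxp://outsourcingtoindiablog.com/top.html",
    "hxxp://outsourcingtoindiablog.com/stream.html",
    "hxxp://indianfirends.com/main.php?s=homepage.index",
    "hxxp://indianpolitics.org/main.php?s=homepage.index&ss=5",
    "hxxp://sabdekho.com/signal.html",
]
C2_DOMAINS = {"dentistbook.info", "indianfirends.com", "indianpolitics.com", "insomniacporeed.ru"}
C2_IPS = {"203.91.113.6", "72.167.253.106"}
C2_CHECKIN_PATH = "/mx/5/B/in"  # phone-home path on 72.167.253.106:8080
KNOWN_MD5S = {
    "b72226f67ec59f3c7a7f2b970f04272f": "JS redirector",
    "3ce1ae2605aa800c205ef63a45ffdbfa": "dropped payload (Gimemo/Cridex)",
    "97974153c25baf5826bf441a8ab187a6": "Zbot/Zusy variant",
    "9069210d0758b34d8ef8679f712b48aa": "Winlock/Cridex variant",
}


def refang(url):
    """Turn the defanged 'hxxp://' form used in reports back into a real scheme."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.IGNORECASE)


# Normalised lookup structures, built once at import time.
IOC_URLS = {refang(u).lower() for u in SPAMVERTISED_URLS + EXPLOIT_KIT_URLS + HISTORICAL_URLS}
IOC_HOSTS = C2_DOMAINS | {urlparse(u).hostname for u in IOC_URLS}


def host_matches(hostname):
    """True if hostname equals an IoC host or is a subdomain of one."""
    hostname = hostname.lower().rstrip(".")
    return any(hostname == h or hostname.endswith("." + h) for h in IOC_HOSTS)


def classify_url(url):
    """Return a short reason string if the URL hits an indicator, else None."""
    url = refang(url)
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if url.lower() in IOC_URLS:
        return "exact IoC URL"
    if host in C2_IPS:
        if parsed.port == 8080 and parsed.path == C2_CHECKIN_PATH:
            return "C2 check-in to 72.167.253.106:8080/mx/5/B/in"
        return "direct request to IoC IP " + host
    if host_matches(host):
        return "IoC domain " + host
    return None


# Constructed log format: "<timestamp> <client_ip> <METHOD> <url> <status>".
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$")


def scan_proxy_log(lines):
    """Return a list of (client_ip, url, reason) for every line that hits an indicator."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:  # unparseable lines are skipped, not treated as hits
            continue
        reason = classify_url(m.group("url"))
        if reason:
            hits.append((m.group("client"), m.group("url"), reason))
    return hits


def check_hashes(md5s):
    """Map any MD5 (case-insensitive) that appears in the post to its description."""
    return {h.lower(): KNOWN_MD5S[h.lower()] for h in md5s if h.lower() in KNOWN_MD5S}


# Constructed sample log lines; the 10.0.0.x clients are fictitious.
SAMPLE_LOG = [
    "2012-04-18T10:15:02 10.0.0.5 GET http://www.incikolye.org/achsec.html 200",
    "2012-04-18T10:15:03 10.0.0.5 GET http://afgreenwich.net/main.php?page=0f123fe645ddf8d7 200",
    "2012-04-18T10:15:09 10.0.0.5 POST http://72.167.253.106:8080/mx/5/B/in 200",
    "2012-04-18T10:16:00 10.0.0.7 GET http://cdn.dentistbook.info/update.bin 404",
    "2012-04-18T10:16:30 10.0.0.9 GET http://www.example.com/index.html 200",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for client, url, reason in scan_proxy_log(SAMPLE_LOG):
        print(f"{client} -> {url}: {reason}")
    print(check_hashes(["3CE1AE2605AA800C205EF63A45FFDBFA", "d41d8cd98f00b204e9800998ecf8427e"]))
```

Matching on subdomains as well as exact hosts matters here because the exploit-kit landing pages and C&C hosts in this campaign rotate paths and query strings (compare the `main.php?page=` and `main.php?s=homepage.index` forms above), so an exact-URL list alone would miss the next variant on the same infrastructure. The `indianpolitics.com` and `indianpolitics.org` entries are both kept as the post lists them.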

Webroot SecureAnywhere users are proactively protected from these threats.

You can find more about Dancho Danchev at his LinkedIn Profile. You can also follow him on Twitter.

Blog Staff

About the Author


The Webroot blog offers expert insights and analysis into the latest cybersecurity trends. Whether you’re a home or business user, we’re dedicated to giving you the awareness and knowledge needed to stay ahead of today’s cyber threats.
