September 19, 2012 By Dancho Danchev

Cybercriminals impersonate FDIC, serve client-side exploits and malware

Over the past 24 hours, cybercriminals have been spamvertising millions of emails impersonating the Federal Deposit Insurance Corporation (FDIC), attempting to trick businesses into installing a non-existent "security tool" promoted in the emails. Users who click on the links are exposed to the client-side exploits served by the Blackhole Exploit Kit.

More details:

Sample screenshot of the spamvertised FDIC impersonating email:

Once the user clicks on the malicious link, they are shown the following bogus “Page loading…” page:

Screenshot of the obfuscated JavaScript redirector:

Spamvertised malicious and compromised URLs:
hxxp://jiuzehui.com/achsec.html
hxxp://www.incikolye.org/achsec.html
hxxp://luciledufresne.fr/secupd.html

Client-side exploit-serving URL: hxxp://afgreenwich.net/main.php?page=0f123fe645ddf8d7 - 203.91.113.6 (AS24559)

We’ve already seen the same IP used in the recently profiled “Spamvertised ‘US Airways reservation confirmation’ themed emails serve exploits and malware” campaign, so the FDIC campaign is running on the same malicious infrastructure as the US Airways themed one.

Client-side exploits served: CVE-2010-1885

Detection rate for a sample JavaScript redirector: MD5: b72226f67ec59f3c7a7f2b970f04272f – detected by 8 out of 42 antivirus scanners as JS:Trojan.Crypt.HM

Upon successful client-side exploitation, the campaign drops MD5: 3ce1ae2605aa800c205ef63a45ffdbfa – detected by 16 out of 42 antivirus scanners as Trojan-Ransom.Win32.Gimemo.aovu; W32.Cridex

Once executed, it attempts to phone back to 72.167.253.106:8080/mx/5/B/in (AS26496).

The following malicious command and control domains also resolve to the same IP:
dentistbook.info
indianfirends.com
indianpolitics.com
insomniacporeed.ru

More malicious URLs are known to have resolved to the same IP in the past, for instance:
hxxp://outsourcingtoindiablog.com/look.html
hxxp://outsourcingtoindiablog.com/top.html
hxxp://outsourcingtoindiablog.com/stream.html
hxxp://indianfirends.com/main.php?s=homepage.index
hxxp://indianpolitics.org/main.php?s=homepage.index&ss=5
hxxp://sabdekho.com/signal.html

More MD5s are known to have phoned back to the same IP in the past, for instance:
MD5: 97974153c25baf5826bf441a8ab187a6 – detected by 16 out of 42 antivirus scanners as Trojan.Win32.Jorik.Zbot.fxq; Gen:Variant.Zusy.17989
MD5: 9069210d0758b34d8ef8679f712b48aa – detected by 6 out of 42 antivirus scanners as Trojan.Winlock.6049; W32/Cridex.R
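The indicators above are only useful if they are actually matched against something. The following Python script is an added example, not code from the original post: it loads the hosts, IPs and MD5s listed here, refangs the hxxp:// URLs, and scans a handful of constructed proxy log lines (not real traffic) for hits. The `main.php?page=<16 hex>` regex is a hunting heuristic generalised from the single landing URL above, not a published Blackhole signature, and the log format is an assumption.

```python
"""Match the indicators listed in this post against proxy log lines and file hashes.

Added example, not code from the original post. Indicator values are the ones
published above (URLs refanged from hxxp:// to http://); the log lines and the
landing-page regex are constructed here for illustration.
"""
import re
from urllib.parse import urlsplit

# Indicators as published in the post (defanged hxxp:// kept as-is).
SPAMVERTISED_URLS = [
    "hxxp://jiuzehui.com/achsec.html",
    "hxxp://www.incikolye.org/achsec.html",
    "hxxp://luciledufresne.fr/secupd.html",
]
EXPLOIT_URLS = ["hxxp://afgreenwich.net/main.php?page=0f123fe645ddf8d7"]
C2_IPS = {"203.91.113.6", "72.167.253.106"}
C2_DOMAINS = {
    "dentistbook.info", "indianfirends.com",
    "indianpolitics.com", "insomniacporeed.ru",
}
MALWARE_MD5S = {
    "b72226f67ec59f3c7a7f2b970f04272f",  # JavaScript redirector
    "3ce1ae2605aa800c205ef63a45ffdbfa",  # dropped Cridex sample
    "97974153c25baf5826bf441a8ab187a6",  # earlier sample seen phoning home
    "9069210d0758b34d8ef8679f712b48aa",  # earlier sample seen phoning home
}

# Assumption: generalises the single landing URL above (main.php?page=<16 hex>)
# into a pattern. Treat it as a hunting heuristic, not a vetted kit signature.
LANDING_RE = re.compile(r"/main\.php\?page=[0-9a-f]{16}\b", re.I)


def refang(url):
    """Turn a defanged hxxp:// or hxxps:// URL back into a real scheme."""
    return re.sub(r"^hxxp", "http", url, flags=re.I)


def host_of(url):
    """Lower-cased hostname of a (possibly defanged) URL, or '' if unparsable."""
    return (urlsplit(refang(url)).hostname or "").lower()


def build_indicators():
    """Collect every host, IP and hash from the post into one lookup structure."""
    hosts = {host_of(u) for u in SPAMVERTISED_URLS + EXPLOIT_URLS} | C2_DOMAINS
    return {"hosts": hosts, "ips": set(C2_IPS), "md5s": set(MALWARE_MD5S)}


def classify_url(url, ind):
    """Return why a URL matches the indicators, or None if it does not."""
    host = host_of(url)
    if host in ind["ips"]:
        return "c2-ip:" + host
    if host in ind["hosts"]:
        return "known-host:" + host
    if LANDING_RE.search(url):
        return "landing-pattern:" + host
    return None


# Constructed proxy log lines: "<timestamp> <client> <method> <url> <status>".
SAMPLE_PROXY_LOG = [
    "2012-09-19T10:01:02Z 10.0.0.5 GET http://www.incikolye.org/achsec.html 200",
    "2012-09-19T10:01:03Z 10.0.0.5 GET http://afgreenwich.net/main.php?page=0f123fe645ddf8d7 200",
    "2012-09-19T10:01:09Z 10.0.0.5 POST http://72.167.253.106:8080/mx/5/B/in 200",
    "2012-09-19T10:02:00Z 10.0.0.7 GET http://example.com/index.html 200",
    "2012-09-19T10:03:00Z 10.0.0.9 GET http://other-host.example/main.php?page=0123456789abcdef 404",
]


def scan_proxy_log(lines, ind=None):
    """Return (line_number, reason) for every log line that hits an indicator."""
    ind = ind or build_indicators()
    hits = []
    for n, line in enumerate(lines, 1):
        fields = line.split()
        if len(fields) < 5:
            continue  # skip truncated lines instead of crashing mid-scan
        reason = classify_url(fields[3], ind)
        if reason:
            hits.append((n, reason))
    return hits


def check_hashes(md5s, ind=None):
    """Return the subset of the given MD5s (any case) that the post lists."""
    ind = ind or build_indicators()
    return sorted(h.lower() for h in md5s if h.lower() in ind["md5s"])


if __name__ == "__main__":
    for n, why in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"line {n}: {why}")
    print(check_hashes(["3CE1AE2605AA800C205EF63A45FFDBFA",
                        "d41d8cd98f00b204e9800998ecf8427e"]))
```

Two caveats when using this against real logs: the two IPs sit on hosting networks and can front unrelated sites, so an IP hit is worth less than a hit on the full URL path, and hash matching only catches the exact samples published here, since the kit re-packs its payloads frequently.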

Webroot SecureAnywhere users are proactively protected from these threats.

You can find more about Dancho Danchev at his LinkedIn Profile. You can also follow him on Twitter.


Trackbacks

  1. […] got a dozen spams today claiming to come from the FDIC.  Here are details on the exploit.  The spammers at least took the trouble to use the FDIC logo, but didn't bother to make the […]

  2. […] thinking that their ability to send Domestic Wire Transfers has been disabled. Impersonating the Federal Deposit Insurance Corporation (FDIC), the cybercriminals behind the campaign are potentially earning thousands of dollars in the process […]
