November 30, 2012 By Dancho Danchev

Bogus ‘Intuit Software Order Confirmations’ lead to Black Hole Exploit Kit

Sticking to their well-proven practice of systematically rotating the brands they impersonate, the cybercriminals behind the vast majority of the malicious campaigns we’ve been profiling recently are once again impersonating Intuit, this time with bogus software order confirmations, in an attempt to trick Intuit customers into clicking on links that expose them to the client-side exploits served by the Black Hole Exploit Kit.

More details:

Sample screenshot from the spamvertised email:

Sample spamvertised URL redirector: hxxp://www.mysnap.com.tw/sites/default/files/upload.htm?RANDOM_CHARACTERS

Client-side exploits serving URL: hxxp://moneymakergrow.ru:8080/forum/links/column.php

Malicious domain name reconnaissance:
moneymakergrow.ru – 202.180.221.186, AS24496; 203.80.16.81, AS24514; 207.126.57.208
Name server: ns1.moneymakergrow.ru – 62.76.178.233
Name server: ns2.moneymakergrow.ru – 132.248.49.112
Name server: ns3.moneymakergrow.ru – 84.22.100.108
Name server: ns4.moneymakergrow.ru – 65.99.223.24

The following malicious domains also respond to the same IPs:
limonadiksec.ru
geforceexlusive.ru
sonatanamore.ru
linkrdin.ru
lemonadiom.ru
peneloipin.ru
forumibiza.ru
donkihotik.ru
finitolaco.ru
controlleramo.ru
fionadix.ru

Although we couldn’t reproduce the client-side exploitation, we’ve already seen the majority of these malicious domains in previously profiled campaigns:

moneymakergrow.ru – seen in – “‘Copies of Missing EPLI Policies’ themed emails lead to Black Hole Exploit Kit”
limonadiksec.ru – seen in – “‘Regarding your Friendster password’ themed emails lead to Black Hole exploit kit”; “‘Fwd: Scan from a Xerox W. Pro’ themed emails lead to Black Hole Exploit Kit”
geforceexlusive.ru – seen in – “‘Fwd: Scan from a Xerox W. Pro’ themed emails lead to Black Hole Exploit Kit”; “‘Copies of Missing EPLI Policies’ themed emails lead to Black Hole Exploit Kit”
sonatanamore.ru – seen in – “‘Regarding your Friendster password’ themed emails lead to Black Hole exploit kit”; “‘Fwd: Scan from a Xerox W. Pro’ themed emails lead to Black Hole Exploit Kit”
linkrdin.ru – seen in – “‘Fwd: Scan from a Xerox W. Pro’ themed emails lead to Black Hole Exploit Kit”; “‘Copies of Missing EPLI Policies’ themed emails lead to Black Hole Exploit Kit”; “Cybercriminals spamvertise bogus ‘Microsoft License Orders’ serve client-side exploits and malware”
lemonadiom.ru – seen in – “‘Fwd: Scan from a Xerox W. Pro’ themed emails lead to Black Hole Exploit Kit”; “‘Copies of Missing EPLI Policies’ themed emails lead to Black Hole Exploit Kit”
peneloipin.ru – seen in – “‘Copies of Missing EPLI Policies’ themed emails lead to Black Hole Exploit Kit”
forumibiza.ru – seen in – “‘Copies of Missing EPLI Policies’ themed emails lead to Black Hole Exploit Kit”
finitolaco.ru – seen in – “‘Fwd: Scan from a Xerox W. Pro’ themed emails lead to Black Hole Exploit Kit”
controlleramo.ru – seen in – “‘Copies of Missing EPLI Policies’ themed emails lead to Black Hole Exploit Kit”; “Multiple ‘Inter-company’ invoice themed campaigns serve malware and client-side exploits”
fionadix.ru – seen in – “‘Copies of Missing EPLI Policies’ themed emails lead to Black Hole Exploit Kit”

Name servers part of the campaign’s infrastructure:
ns1.limonadiksec.ru – 62.76.46.195
ns2.limonadiksec.ru – 87.120.41.155
ns3.limonadiksec.ru – 132.248.49.112
ns4.limonadiksec.ru – 91.194.122.8
ns5.limonadiksec.ru – 62.76.188.246
ns1.geforceexlusive.ru – 62.76.47.51
ns2.geforceexlusive.ru – 132.248.49.112
ns3.geforceexlusive.ru – 84.22.100.108
ns4.geforceexlusive.ru – 79.98.27.9
ns1.sonatanamore.ru – 62.76.47.51
ns2.sonatanamore.ru – 132.248.49.112
ns3.sonatanamore.ru – 84.22.100.108
ns1.linkrdin.ru – 85.143.166.170
ns2.linkrdin.ru – 132.248.49.112
ns3.linkrdin.ru – 84.22.100.108
ns4.linkrdin.ru – 79.98.27.9
ns1.lemonadiom.ru – 85.143.166.170
ns2.lemonadiom.ru – 132.248.49.112
ns3.lemonadiom.ru – 84.22.100.108
ns4.lemonadiom.ru – 213.251.171.30
ns1.peneloipin.ru – 62.76.186.190
ns2.peneloipin.ru – 132.248.49.112
ns3.peneloipin.ru – 84.22.100.108
ns4.peneloipin.ru – 65.99.223.24
ns1.forumibiza.ru – 62.76.186.190
ns2.forumibiza.ru – 84.22.100.108
ns3.forumibiza.ru – 50.22.102.132
ns4.forumibiza.ru – 213.251.171.30
ns1.donkihotik.ru – 62.76.186.190
ns2.donkihotik.ru – 84.22.100.108
ns3.donkihotik.ru – 50.22.102.132
ns4.donkihotik.ru – 213.251.171.30
ns1.finitolaco.ru – 85.143.166.170
ns2.finitolaco.ru – 132.248.49.112
ns3.finitolaco.ru – 84.22.100.108
ns4.finitolaco.ru – 213.251.171.30
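The name-server lists above are the practical pivot in this post: a handful of NS IPs (notably 132.248.49.112 and 84.22.100.108) recur across nearly every zone, which is what ties this campaign to the previously profiled ones. The script below is an added example, not tooling from the post or from Webroot; it embeds the name-server records as copied from the post (moneymakergrow.ru plus the list above; controlleramo.ru and fionadix.ru have no NS records on the page and are therefore absent), parses them, and reports which NS IPs are shared, how strongly each zone overlaps with the others, and which zones end up transitively linked. The record regex, function names and the union-find clustering are assumptions about how one would automate this pivot, not anything the post describes.

```python
# Added example, not the post's own tooling: pivot on the name-server IPs the
# post lists to see which zones share infrastructure. NS_RECORDS is copied
# from the post; the record-layout regex and clustering are assumptions.
import re
from collections import defaultdict

NS_RECORDS = """
ns1.moneymakergrow.ru – 62.76.178.233
ns2.moneymakergrow.ru – 132.248.49.112
ns3.moneymakergrow.ru – 84.22.100.108
ns4.moneymakergrow.ru – 65.99.223.24
ns1.limonadiksec.ru – 62.76.46.195
ns2.limonadiksec.ru – 87.120.41.155
ns3.limonadiksec.ru – 132.248.49.112
ns4.limonadiksec.ru – 91.194.122.8
ns5.limonadiksec.ru – 62.76.188.246
ns1.geforceexlusive.ru – 62.76.47.51
ns2.geforceexlusive.ru – 132.248.49.112
ns3.geforceexlusive.ru – 84.22.100.108
ns4.geforceexlusive.ru – 79.98.27.9
ns1.sonatanamore.ru – 62.76.47.51
ns2.sonatanamore.ru – 132.248.49.112
ns3.sonatanamore.ru – 84.22.100.108
ns1.linkrdin.ru – 85.143.166.170
ns2.linkrdin.ru – 132.248.49.112
ns3.linkrdin.ru – 84.22.100.108
ns4.linkrdin.ru – 79.98.27.9
ns1.lemonadiom.ru – 85.143.166.170
ns2.lemonadiom.ru – 132.248.49.112
ns3.lemonadiom.ru – 84.22.100.108
ns4.lemonadiom.ru – 213.251.171.30
ns1.peneloipin.ru – 62.76.186.190
ns2.peneloipin.ru – 132.248.49.112
ns3.peneloipin.ru – 84.22.100.108
ns4.peneloipin.ru – 65.99.223.24
ns1.forumibiza.ru – 62.76.186.190
ns2.forumibiza.ru – 84.22.100.108
ns3.forumibiza.ru – 50.22.102.132
ns4.forumibiza.ru – 213.251.171.30
ns1.donkihotik.ru – 62.76.186.190
ns2.donkihotik.ru – 84.22.100.108
ns3.donkihotik.ru – 50.22.102.132
ns4.donkihotik.ru – 213.251.171.30
ns1.finitolaco.ru – 85.143.166.170
ns2.finitolaco.ru – 132.248.49.112
ns3.finitolaco.ru – 84.22.100.108
ns4.finitolaco.ru – 213.251.171.30
"""

# Matches the post's "ns1.zone.ru – 1.2.3.4" layout (en dash or hyphen).
RECORD_RE = re.compile(r"^ns\d+\.(?P<zone>[\w.-]+)\s+[–-]\s+(?P<ip>(?:\d{1,3}\.){3}\d{1,3})$")

def parse_ns_records(text):
    """Map each zone to the set of IPs its listed name servers sit on."""
    zone_ips = defaultdict(set)
    for line in filter(None, map(str.strip, text.splitlines())):
        m = RECORD_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised record: {line!r}")
        zone_ips[m["zone"]].add(m["ip"])
    return dict(zone_ips)

def ip_index(zone_ips):
    """Invert to {ip: {zone, ...}}; shared NS hosts show up as large sets."""
    index = defaultdict(set)
    for zone, ips in zone_ips.items():
        for ip in ips:
            index[ip].add(zone)
    return dict(index)

def shared_ns_ips(zone_ips, min_zones=2):
    """(ip, [zones]) for NS IPs serving at least min_zones zones, widest first."""
    rows = [(ip, sorted(z)) for ip, z in ip_index(zone_ips).items() if len(z) >= min_zones]
    return sorted(rows, key=lambda r: (-len(r[1]), r[0]))

def related_zones(zone_ips, zone):
    """(other_zone, shared_ip_count) for zones overlapping `zone`, strongest first."""
    mine = zone_ips[zone]
    rows = [(o, len(mine & ips)) for o, ips in zone_ips.items() if o != zone and mine & ips]
    return sorted(rows, key=lambda r: (-r[1], r[0]))

def connected_clusters(zone_ips):
    """Group zones transitively linked through any shared NS IP (union-find)."""
    parent = {z: z for z in zone_ips}
    def find(z):
        while parent[z] != z:
            parent[z] = parent[parent[z]]
            z = parent[z]
        return z
    for zones in ip_index(zone_ips).values():
        ordered = sorted(zones)
        for a, b in zip(ordered, ordered[1:]):
            parent[find(a)] = find(b)
    groups = defaultdict(set)
    for z in zone_ips:
        groups[find(z)].add(z)
    return sorted((sorted(g) for g in groups.values()), key=len, reverse=True)
```

Calling `shared_ns_ips(parse_ns_records(NS_RECORDS))` puts 84.22.100.108 (nine of the ten zones) and 132.248.49.112 (eight) at the top, `connected_clusters` collapses all ten zones into a single group, and `related_zones(..., "forumibiza.ru")` ranks donkihotik.ru first with all four NS IPs in common. In practice the same functions work unchanged on passive-DNS output for a fresh domain: parse its NS records into the same shape, merge the dict, and a non-empty `related_zones` result is the signal that it belongs to this cluster.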

Webroot SecureAnywhere users are proactively protected from these threats.

You can find more about Dancho Danchev at his LinkedIn Profile. You can also follow him on Twitter.
