January 14, 2013 By Dancho Danchev

Fake ‘ADP Speedy Notifications’ lead to client-side exploits and malware

Over the past week, cybercriminals have resumed spamvertising fake “ADP Immediate Notifications” in an attempt to trick users into clicking on the malicious links found in the emails. The links point to the latest version of the Black Hole Exploit Kit, which in turn exploits CVE-2013-0422, a vulnerability affecting the latest version of Java.

With no fix for this vulnerability currently available, users are advised to disable Java immediately.

More details:

Sample screenshot of the spamvertised email:


Sample compromised URLs participating in the campaign:

Sample client-side exploit-serving URL:
hxxp://tetraboro.net/detects/coming_lost-source.php

Sample malicious payload-dropping URL:
hxxp://tetraboro.net/detects/coming_lost-source.php?huyq=1m:2v:1g:1o:1k&tfize=32&wodyva=33:1k:1o:1n:1f:1i:1m:1i:32:2w&jqrub=1n:1d:1g:1d:1h:1d:1f

Malicious domain name reconnaissance:
tetraboro.net – 222.238.109.66 – Email: bannerpick45@yahoo.com
Name Server: NS1.HOSTCLAM.NET – 50.115.163.10
Name Server: NS2.HOSTCLAM.NET – 90.167.194.23

Also responding to 222.238.109.66 are the following malicious domains, which are part of the same campaign:
royalwinnipegballet.net
advertizing9.com
eartworld.net
hotelrosaire.net

Upon successful client-side exploitation, the campaign drops MD5: 5a859e1eff1ee1576b61da658542380d – detected by 12 out of 46 antivirus scanners as Worm:Win32/Cridex.E.

The sample then drops the following file (MD5) on affected hosts:
MD5: 472d6e748b9f5b02700c55cfa3f7be1f – detected by 8 out of 46 antivirus scanners as PWS:Win32/Fareit

Once executed, it also phones back to the following command and control servers:
173.201.177.77
132.248.49.112
95.142.167.193
81.93.250.157
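As an added defender-side example (not part of Danchev's post), the following Python script flags proxy log lines that match this campaign's indicators: the landing-page URL shape observed in the spamvertised links (a WordPress plugins directory with a random name starting with "z", ending in chkpayroladp.html or payrolstatchk.html), the exploit-serving host, and the Cridex command and control IPs. The log format and the sample log lines are constructed for the example; the random-directory length bound is an assumption.

```python
import re
from urllib.parse import urlsplit

# Indicators taken from the write-up above.
CRIDEX_C2_IPS = {"173.201.177.77", "132.248.49.112", "95.142.167.193", "81.93.250.157"}
EXPLOIT_HOSTS = {"tetraboro.net", "222.238.109.66"}

# Landing pages sat under /wp-content/plugins/<random name starting with z>/
# and used one of two fixed file names. The 8-12 letter bound is an assumption
# chosen to match the observed 11-letter directory names with a little slack.
LANDING_RE = re.compile(
    r"/wp-content/plugins/z[a-z]{8,12}/(?:chkpayroladp|payrolstatchk)\.html$"
)


def classify_url(url: str):
    """Return an indicator label for a URL, or None if it matches nothing."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host in CRIDEX_C2_IPS:
        return "cridex-c2"
    if host in EXPLOIT_HOSTS:
        return "blackhole-exploit-server"
    if LANDING_RE.search(parts.path):
        return "adp-landing-page"
    return None


def scan_log(text: str):
    """Scan a constructed proxy log (timestamp client method url status).

    Returns a list of (line_number, label, url) for lines that match.
    """
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        fields = line.split()
        if len(fields) < 4:
            continue  # malformed line; nothing to classify
        label = classify_url(fields[3])
        if label:
            hits.append((lineno, label, fields[3]))
    return hits


# Constructed sample log: one benign WordPress plugin fetch is included to show
# that the plugins directory alone is not enough to trigger a hit.
SAMPLE_LOG = """\
2013-01-14T09:01:03Z 10.0.0.12 GET http://example.com/index.html 200
2013-01-14T09:01:09Z 10.0.0.12 GET http://tasteofindiabombaylounge.com/wp-content/plugins/znditibioux/chkpayroladp.html 200
2013-01-14T09:01:11Z 10.0.0.12 GET http://tetraboro.net/detects/coming_lost-source.php 200
2013-01-14T09:01:40Z 10.0.0.12 POST http://173.201.177.77/ 200
2013-01-14T09:02:00Z 10.0.0.31 GET http://example.org/wp-content/plugins/akismet/readme.txt 200
"""

if __name__ == "__main__":
    for lineno, label, url in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: {label}: {url}")
```

The order of hits (landing page, then exploit server, then C2 beacon) is the infection chain the post describes, so a client that produces all three in a short window is worth isolating first.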

Webroot SecureAnywhere users are proactively protected from these threats.

You can find more about Dancho Danchev at his LinkedIn Profile. You can also follow him on Twitter.
