Fake Intuit ‘Direct Deposit Service Informer’ themed emails lead to Black Hole Exploit Kit

by

Share this news now.

Cybercriminals are currently spamvertising tens of thousands of fake emails, impersonating Intuit, in an attempt to trick its customers and users into clicking on the malicious links found in the emails.

Once users click on any of the links, they’re exposed to the client-side exploits served by the latest version of the Black Hole Exploit Kit, which ultimately drops malware on the affected hosts.

More details:

Sample screenshot of the spamvertised email:

Fake_Intuit_Direct_Deposit_Service_Informer_Email_Spam_Exploits_Malware_Black_Hole_Exploit_Kit

Sample spamvertised URL:

hxxp://dom-servis39.ru/upload.htm

Sample client-side exploits serving URL:

hxxp://dopaminko.ru:8080/forum/links/column.php

Sample malicious payload dropping URL:

hxxp://dopaminko.ru:8080/forum/links/column.php?phfh=30:31:1n:1h:32&kcdbzmta=2v:1k:1m:32:33:1k:1k:31:1j:1o&zwp=1i&acmu=deisi&gimffbf=mnob

Malicious domain name reconnaissance:

dopaminko.ru – 212.112.207.15

Name server: ns1.dopaminko.ru – 62.76.185.169

Name server: ns2.dopaminko.ru – 41.168.5.140

Name server: ns3.dopaminko.ru – 42.121.116.38

Name server: ns4.dopaminko.ru – 110.164.58.250

Name server: ns5.dopaminko.ru – 210.71.250.131

More malicious domains are known to have responded to the same IP (212.112.207.15):

hxxp://danadala.ru:8080/forum/links/column.php

hxxp://dfudont.ru:8080/forum/links/column.php

hxxp://demoralization.ru:8080/forum/links/column.php

hxxp://dfudont.ru:8080/forum/links/column.php

Some of these domains also respond to the following IPs – 91.224.135.20; 46.175.224.21, with more malicious domains part of the campaign’s infrastructure hosted there:

dekamerionka.ru

danadala.ru

dmssmgf.ru

dmpsonthh.ru

demoralization.ru

disownon.ru

damagalko.ru

dozakialko.ru

dopaminko.ru

dumarianoko.ru

dfudont.ru

Name servers part of the campaign’s infrastructure:

Name server: ns1.danadala.ru – 62.76.185.169

Name server: ns2.danadala.ru – 41.168.5.140

Name server: ns3.danadala.ru – 42.121.116.38

Name server: ns4.danadala.ru – 110.164.58.250

Name server: ns5.danadala.ru – 210.71.250.131

Name server: ns1.dfudont.ru – 62.76.185.169

Name server: ns2.dfudont.ru – 41.168.5.140

Name server: ns3.dfudont.ru – 42.121.116.38

Name server: ns4.dfudont.ru – 110.164.58.250

Name server: ns5.dfudont.ru – 210.71.250.131

Name server: ns1.demoralization.ru – 62.76.186.24

Name server: ns2.demoralization.ru – 41.168.5.140

Name server: ns3.demoralization.ru – 42.121.116.38

Name server: ns4.demoralization.ru – 110.164.58.250

Name server: ns5.demoralization.ru – 210.71.250.131

Name server: ns1.dfudont.ru – 62.76.185.169

Name server: ns2.dfudont.ru – 41.168.5.140

Name server: ns3.dfudont.ru – 42.121.116.38

Name server: ns4.dfudont.ru – 110.164.58.250

Name server: ns5.dfudont.ru – 210.71.250.131

Upon successful client-side exploitation, the campaign drops MD5: 3c20e12ac4985720133703801906ae19 – detected by 16 out of 45 antivirus scanners as Worm:Win32/Cridex.E.

Once executed, the sample creates the following process on the affected hosts:

%AppData%KB00121600.exe

The following Registry Keys:

HKEY_CURRENT_USERSoftwareMicrosoftWindows NTCFBDC89D4

HKEY_CURRENT_USERSoftwareMicrosoftWindows NTS25BC2D7B

As well as the following Mutexes:

LocalXMM00000508

LocalXMI00000508

LocalXMRFB119394

LocalXMM0000009C

LocalXMI0000009C

LocalXMM000000D8

LocalXMI000000D8

LocalXMM00000388

LocalXMI00000388

Upon execution, the sample phones back to the following C&C servers:

hxxp://188.165.33.54:8080/DPNilBA/ue1elBAAAA/tlSHAAAAA/

hxxp://174.142.68.239:8080/AJtw/UCyqrDAA/Ud+asDAA/

Not surprisingly, we’ve already seen the same pseudo-random C&C communication characters used in previously profiled posts at Webroot’s Threat Blog, indicating that these campaigns have been launched by the same malicious parties.

Webroot SecureAnywhere users are proactively protected from these threats.

You can find more about Dancho Danchev at his LinkedIn Profile. You can also follow him on  Twitter.


Share this news now.