End and corporate users (and especially Pizza eaters), beware!

Cybercriminals are currently spamvertising hundreds of thousands of emails impersonating FLORENTINO's Pizzeria, enticing users into clicking on a link that serves client-side exploits and malware, supposedly in order to cancel a $169.90 order they never actually placed.

More details:

Once the user clicks on the link, they are redirected to a compromised site serving client-side exploits which, upon successful infection, drops multiple malicious binaries on their hosts.

Malicious URL: hxxp://oldsoccer.it/page1.htm?RANDOM_STRINGS

Client-side exploits used: CVE-2010-0188 and CVE-2012-0507

The malicious URL contains a tiny iFrame pointing to the fast-fluxed domain uiwewsecondary.ru:8080/internet/fpkrerflfvd.php where the client-side exploitation takes place.

The redirection chain is as follows:

uiwewsecondary.ru:8080/internet/fpkrerflfvd.php -> uiwewsecondary.ru:8080/internet/itbzewhqgrkv.jar -> uiwewsecondary.ru:8080/internet/xrcnenbmdpfzfpx.jar -> uiwewsecondary.ru:8080/internet/kqbzaubpiqxnbn.pdf -> poluicenotgo.ru:8080/internet/at.php?i=8

The Russian domains are fast-fluxed by the cybercriminals in an attempt to make it harder for security researchers and vendors to take down their campaign. We’ve seen a similar fast-flux technique applied in the following campaign: “Spamvertised ‘Your tax return appeal is declined’ emails serving client-side exploits and malware”.

Upon successful exploitation, the campaign drops the following binary on the infected hosts: MD5: 03d874abaaca02b090372eee2d090dc0, detected as Trojan.Generic.KDV.602078; Troj/Agent-VSS.

What happens once the dropped binary executes? Basically, it phones back to the following domains/URLs:

  • dare2dreamz.com/pony/gate.php
  • cityweddingguide.com
  • dynolite.eu
  • abbott.u4ria.co.za
  • demircioglubilgisayar.com.tr

It also downloads more malicious binaries from the following compromised URLs:

  • dynolite.eu/7U0ASvP9/AZz.exe
  • abbott.u4ria.co.za/HGFg1RHz/MkiZMX.exe
  • demircioglubilgisayar.com.tr/qy3kMMxv/VgWqQm4k.exe

All the binaries are identical, with MD5: 97d8f1fa11c86befa069845ffaf818db, currently detected as TrojWare.Win32.Kryptik.ADXK by 7 out of 42 antivirus scanners.
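One way to hunt for this chain in web proxy logs, as an added example that is not from the original post or Webroot: it scans constructed log lines (the line format, client addresses and the otherflux.invalid host are assumptions) for the hosts and the :8080/internet/ URL shape listed above, and labels each hit with its stage in the redirection chain.

```python
import re
from collections import defaultdict

# Indicators quoted in the post: landing page, exploit-kit, C2 and payload hosts.
IOC_HOSTS = {
    "oldsoccer.it", "uiwewsecondary.ru", "poluicenotgo.ru", "dare2dreamz.com",
    "cityweddingguide.com", "dynolite.eu", "abbott.u4ria.co.za",
    "demircioglubilgisayar.com.tr",
}
# Shape of the exploit-kit URLs in the chain: <host>:8080/internet/<random>.php|jar|pdf
KIT_PATH = re.compile(r"^https?://[^/:]+:8080/internet/[a-z]+\.(php|jar|pdf)$", re.I)
# Constructed proxy log format (assumption): "<ts> <client_ip> <method> <url> <status>"
LINE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")

# Constructed sample log: one client walks the chain, one is clean, one hits a
# look-alike kit URL on a host the post does not list (fast-flux rotation).
SAMPLE_LOG = """\
2012-04-05T10:01:02 10.0.0.7 GET http://oldsoccer.it/page1.htm?x7q 200
2012-04-05T10:01:03 10.0.0.7 GET http://uiwewsecondary.ru:8080/internet/fpkrerflfvd.php 200
2012-04-05T10:01:05 10.0.0.7 GET http://uiwewsecondary.ru:8080/internet/itbzewhqgrkv.jar 200
2012-04-05T10:01:09 10.0.0.7 GET http://poluicenotgo.ru:8080/internet/at.php?i=8 200
2012-04-05T10:02:00 10.0.0.9 GET http://example.com/index.html 200
2012-04-05T10:03:00 10.0.0.12 GET http://otherflux.invalid:8080/internet/qwertyuiop.jar 200
"""

def parse(line):
    m = LINE.match(line.strip())
    if not m:
        return None  # not in the assumed format; skipped by scan()
    ts, client, _method, url, status = m.groups()
    host = re.sub(r"^https?://", "", url).split("/")[0].split(":")[0].lower()
    return {"ts": ts, "client": client, "url": url, "host": host, "status": int(status)}

def scan(lines):
    """Group every request that touches an indicator by client IP."""
    hits = defaultdict(list)
    for rec in filter(None, map(parse, lines)):
        reason = ("ioc-host" if rec["host"] in IOC_HOSTS
                  else "exploit-kit-path" if KIT_PATH.match(rec["url"]) else None)
        if reason:  # exploit-kit-path catches the chain shape on a host not yet listed
            hits[rec["client"]].append({**rec, "reason": reason})
    return dict(hits)

# Specific markers (.jar, at.php) come before the generic /internet/ so order matters.
STAGES = (("page1.htm", "landing"), (".jar", "java-exploit"), (".pdf", "pdf-exploit"),
          ("/internet/at.php", "payload-drop"), ("/internet/", "kit-landing"),
          ("/pony/gate.php", "c2-checkin"), (".exe", "payload-download"))

def chain_stage(hit):
    """Label which step of the redirection chain a flagged request belongs to."""
    url = hit["url"].lower()
    return next((label for marker, label in STAGES if marker in url), "other")
```

Running scan() over the sample groups all four chain requests under 10.0.0.7 and flags 10.0.0.12 on URL shape alone, while the clean client is not reported.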

Webroot SecureAnywhere customers are proactively protected from this threat.

You can find more about Dancho Danchev at his LinkedIn Profile. You can also follow him on Twitter.

About the Author

Blog Staff