June 15, 2012, by Dancho Danchev

Spamvertised ‘Your Paypal Ebay.com payment’ emails serving client-side exploits and malware

Remember the ‘Your Amazon.com order confirmation’ client-side exploits and malware serving campaign which I profiled earlier this week?

It appears that the gang behind it is back with another campaign, this time impersonating PayPal. For the time being, another round consisting of millions of malicious emails is circulating in the wild, enticing end and corporate users into clicking on malicious links found in the emails.

More details:

Screenshots of the spamvertised emails:

Upon clicking on the link, users are exposed to the following page:

In the background, the malicious script loads and performs several redirections until exposing the user to the malicious payload.

Sample compromised URLs participating in the campaign:
hxxp://communityrootsfood.org/wp-content/themes/aesthete/post.html
hxxp://kopma.stikom.edu/wp-content/themes/kopmaNewWordpress1000px/post.html

Both of these URLs redirect to hxxp://kidwingz.net/main.php?page=614411383eef8d97. Surprise, surprise: we’ve already seen this malicious URL in the ‘Your Amazon.com order confirmation’ client-side exploits and malware serving campaign profiled earlier this week.

Upon successful client-side exploitation, the campaign drops the following sample – MD5: 49f91a1597bc4dd25d3d23302125dae7 – detected by 8 out of 42 antivirus scanners as PWS-Zbot.gen.xs; W32/Injector.AQSI.

Upon execution, the sample creates a new file on the system – %AppData%KB00121600.exe – MD5: 49F91A1597BC4DD25D3D23302125DAE7 – detected by 27 out of 42 antivirus scanners as Trojan-Dropper.Win32.Dapato.bigc

It also phones back to the same C&C server used in the ‘Your Amazon.com order confirmation’ campaign, namely, hxxp://85.214.204.32:8080/zb/v_01_b/in/
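The infection chain described above (compromised WordPress site, exploit-kit landing page, C&C check-in) can be spotted in web proxy logs. The following is an added example of such detection logic, not code from the original post; the log lines are constructed, and the indicators are the ones quoted in the post, refanged only so they can be matched.

```python
import re
from urllib.parse import urlsplit

# Indicators quoted in the post (the page defangs them as hxxp; refanged here for matching only).
LANDING_HOST = "kidwingz.net"
LANDING_PATH = "/main.php"
C2_PREFIX = "http://85.214.204.32:8080/zb/v_01_b/in/"
# Both compromised sites in the post serve post.html from inside a WordPress theme directory.
REDIRECTOR_RE = re.compile(r"/wp-content/themes/[^/]+/post\.html$")

# Constructed squid-style log lines: timestamp client status method url. Not real traffic.
SAMPLE_LOG = """\
1339772401.123 192.0.2.10 TCP_MISS/200 GET http://communityrootsfood.org/wp-content/themes/aesthete/post.html
1339772402.456 192.0.2.10 TCP_MISS/302 GET http://kidwingz.net/main.php?page=614411383eef8d97
1339772405.789 192.0.2.10 TCP_MISS/200 POST http://85.214.204.32:8080/zb/v_01_b/in/
1339772406.000 192.0.2.11 TCP_MISS/200 GET http://www.paypal.com/signin
1339772410.500 192.0.2.12 TCP_MISS/200 POST http://85.214.204.32:8080/zb/v_01_b/in/
"""

def classify(url):
    """Map one requested URL to a stage of the campaign, or None if it matches nothing."""
    u = urlsplit(url)
    if u.hostname == LANDING_HOST and u.path == LANDING_PATH and "page=" in u.query:
        return "exploit_kit_landing"
    if url.startswith(C2_PREFIX):
        return "c2_checkin"
    if REDIRECTOR_RE.search(u.path):
        return "compromised_wordpress_redirector"
    return None

def scan(log_text):
    """Return {client_ip: [(timestamp, stage), ...]} for every request that matched an indicator."""
    hits = {}
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue  # malformed line, skip rather than crash
        stage = classify(fields[4])
        if stage:
            hits.setdefault(fields[1], []).append((float(fields[0]), stage))
    return hits

def triage(hits, window=300):
    """Landing page followed by a C&C check-in within `window` seconds means the exploit most
    likely succeeded; a check-in with no landing page seen is still worth investigating."""
    verdicts = {}
    for client, events in hits.items():
        landing = [t for t, s in events if s == "exploit_kit_landing"]
        checkin = [t for t, s in events if s == "c2_checkin"]
        if landing and checkin and any(0 <= c - l <= window for l in landing for c in checkin):
            verdicts[client] = "likely_infected"
        elif checkin:
            verdicts[client] = "c2_traffic_no_landing_seen"
        else:
            verdicts[client] = "exposed"
    return verdicts
```

The dropped file name and MD5 from the post are better matched on the endpoint side (file creation under %AppData%) than in proxy logs, so they are left out of this network-focused check.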

Webroot SecureAnywhere users are proactively protected from this threat. We predict that we’re going to see more brands systematically impersonated by the same gang, in an attempt to serve malware through exploitation of client-side vulnerabilities.

You can find more about Dancho Danchev at his LinkedIn Profile. You can also follow him on Twitter.


7 Responses to Spamvertised ‘Your Paypal Ebay.com payment’ emails serving client-side exploits and malware

  1. We have been seeing a lot of fake VERIZON WIRELESS emails. I remind people at work, hover over the links to see if they are fake. The VERIZON emails look just like the ones I legitimately get from VERIZON.

  2. This is very interesting; you are a very skilled blogger.
    I’ve joined your RSS feed and look forward to seeking more of your fantastic posts. Also, I have shared your web site in my social networks!

  3. Pingback: Spamvertised ‘Your Ebay funds are cleared’ themed emails lead to Black Hole exploit kit « Webroot Threat Blog

  4. Pingback: Cybercriminals spamvertise PayPay themed ‘Notification of payment received’ emails, serve malware « Webroot Threat Blog

  5. Pingback: PayPal ‘Notification of payment received’ themed emails serve malware « Webroot Threat Blog – Internet Security Threat Updates from Around the World

  6. Pingback: ‘PayPal Account Modified’ themed emails lead to Black Hole Exploit Kit « Webroot Threat Blog – Internet Security Threat Updates from Around the World
