
Cybercriminals are currently spamvertising millions of emails impersonating the popular Craigslist site, in an attempt to trick users into clicking on client-side exploits and malware serving URLs courtesy of the Black Hole exploit kit.

More details:

Screenshot of the spamvertised email:

Spamvertised URLs:

hxxp://institut66.fr/genidpo.html
hxxp://tomix.cal24.pl/lidcr.html
hxxp://well-ship.com/genidpo.html
hxxp://www.windscreen-wiper.com/lidcr.html
hxxp://wzm1982.com.cn/lidcr.html
hxxp://iconnectzone.com/wp-includes/waral.html

Client-side exploits serving URL: hxxp://historyalmostany.org/main.php?page=ed0a25d616022c57 – 221.131.129.200

Upon clicking on the links, users are exposed to a bogus “Page loading…” page (screenshot not reproduced here).

Client-side exploits served: CVE-2010-1885

Detection rate for a sample malicious JavaScript redirection script with MD5: 89b7b3834aeee20658d04adccfe61438, and detection rate for a sample malicious script found on a landing URL with MD5: 50e000b7d2d990951d4588c8e2147ceb

Upon successful client-side exploitation the campaign drops MD5: ffa297ff8f942dc65db5290311799bf6 detected by 3 out of 41 antivirus scanners as Trojan.PWS.Panda.2523; Malware.Cridex.

Once executed, the sample phones back to 87.204.199.100/mx5/in/ on port 8080.
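As an added example (not part of the original post), the following Python script checks proxy log lines for the two network indicators described above: the Black Hole landing URL shape (main.php?page= followed by 16 hex characters, as in the landing URL quoted earlier) and the callback to 87.204.199.100/mx5/in/ on port 8080. The log format and the sample log lines are constructed assumptions.

```python
import re
from urllib.parse import urlsplit
# Indicators quoted in the report above.
C2_HOST = "87.204.199.100"
C2_PORT = 8080
C2_PATH = "/mx5/in/"
LANDING_HOST = "historyalmostany.org"
# Black Hole landing URL shape seen in this campaign: main.php?page=<16 hex chars>.
LANDING_RE = re.compile(r"/main\.php\?page=[0-9a-f]{16}$")
# Constructed proxy log (not real traffic): timestamp client method url status
SAMPLE_LOG = """\
2012-06-01T10:00:01 10.0.0.12 GET http://www.example.com/index.html 200
2012-06-01T10:00:05 10.0.0.12 GET http://historyalmostany.org/main.php?page=ed0a25d616022c57 200
2012-06-01T10:00:09 10.0.0.12 POST http://87.204.199.100:8080/mx5/in/ 200
2012-06-01T10:01:00 10.0.0.33 GET http://www.example.com/main.php?page=about 200
2012-06-01T10:01:30 10.0.0.33 GET http://87.204.199.100/mx5/in/ 404
"""

def classify(url):
    """Return the indicator names one URL matches (empty list if none)."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    port = parts.port or (443 if parts.scheme == "https" else 80)
    path_and_query = parts.path + ("?" + parts.query if parts.query else "")
    hits = []
    if host == LANDING_HOST:
        hits.append("blackhole_landing_host")
    if LANDING_RE.search(path_and_query):
        hits.append("blackhole_landing_pattern")
    if host == C2_HOST:
        hits.append("c2_host_contact")  # any contact with the C2 IP is worth an alert
        if port == C2_PORT and parts.path.startswith(C2_PATH):
            hits.append("cridex_c2_beacon")  # exact beacon path and port from the report
    return hits

def scan(log_text):
    """Return (client, url, hits) for every log line matching an indicator."""
    alerts = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue  # skip malformed lines rather than crash on them
        client, url = fields[1], fields[3]
        hits = classify(url)
        if hits:
            alerts.append((client, url, hits))
    return alerts

if __name__ == "__main__":
    for client, url, hits in scan(SAMPLE_LOG):
        print(client, url, ", ".join(hits))
```

On the sample log this flags three lines: the landing page fetch and the beacon from 10.0.0.12, and the contact with the C2 address on the default port from 10.0.0.33.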

Responding to 87.204.199.100 are the following command and control servers used in the malicious campaign:


Webroot SecureAnywhere users are proactively protected from these threats.

You can find more about Dancho Danchev at his LinkedIn Profile. You can also follow him on Twitter.
