Reading Time: ~3 min.

Over the past 24 hours, cybercriminals launched two consecutive massive email campaigns, impersonating Intui Payroll’s Direct Deposit Service system, in an attempt to trick end and corporate users into clicking on the malicious links found in the mails.

Upon clicking on any of links found in the emails, users are exposed to the client-side exploits served by the latest version of the Black Hole exploit kit.

More details:

Sample screenshot of the first spamvertised campaign:

Upon clicking on the links found in the malicious emails, users are exposed to the following bogus “Page loading…” screen:

Screenshots of the second spamvertised campaign:

Sample spamvertised compromised URLs:
hxxp://www.partypromgowns.com/wp-content/plugins/zaddmuruxhm/prdiqbss.html
hxxp://whitfordmedical.co.nz/wp-content/plugins/zoaddiyefar/prdiqbss.html
hxxp://hanvietroll.com/components/com_ag_google_analytics2/itordernote.html
hxxp://aprst.com/components/com_ag_google_analytics2/croconfrm.html

Sample client-side exploit serving URLs:
hxxp://art-london.net/detects/stones-instruction_think.php
hxxp://buycelluleans.com/detects/groups_him.php
hxxp://buycelluleans.com/detects/groups_him.php?zgdljis=3833043409&lkaqagg=0636060a350838350b06&pfat=03&ayna=rapcdmse&zvyhcimn=yecbbs
hxxp://art-london.net/detects/stones-instruction_think.php?lwkmvtb=3533020635&qbstxmw=43&cvsd=0b0a33350a0735020405&stbdtv=0a000300040002

Both of these malicious domains use to respond to 183.81.133.121; 195.198.124.60; 203.91.113.6. More malicious domains part of the campaign’s infrastructure are known to have responded to the same IPs, for instance, buzziskin.netaddsmozy.netbuycelluleans.comindice-acores.net. The campaign used to rely on the following name servers: ns1.zikula-support.comns2.zikula-support.com

Sample client-side exploits served: CVE-2010-0188

Upon successful client-side exploitation, the campaign drops MD5: 5723f92abf257101be20100e5de1cf6f and MD5: 06c6544f554ea892e86b6c2cb6a1700c on the affected hosts.

Related analysis of malicious campaigns impersonating Intuit:

Detection rate, MD5: 5723f92abf257101be20100e5de1cf6f – detected by 17 out of 43 antivirus scanners as Gen:Variant.Kazy.96378; Worm.Win32.Cridex.js, MD5: 06c6544f554ea892e86b6c2cb6a1700c – detected by 26 out of 43 antivirus scanners as Trojan.Win32.Buzus.mecu; Worm:Win32/Cridex.B

Webroot SecureAnywhere users are proactively protected from these threats.

You can find more about Dancho Danchev at his LinkedIn Profile. You can also follow him on  Twitter.

Blog Staff

About the Author

Blog Staff

Facebook Comments
Share This