{"id":8295,"date":"2012-10-18T12:00:20","date_gmt":"2012-10-18T18:00:20","guid":{"rendered":"http:\/\/blog.webroot.com\/?p=8295"},"modified":"2018-10-05T11:33:08","modified_gmt":"2018-10-05T17:33:08","slug":"intuit-payroll-confirmation-inquiry-themed-emails-lead-to-the-black-hole-exploit-kit","status":"publish","type":"post","link":"https://www.webroot.com/blog/2012\/10\/18\/intuit-payroll-confirmation-inquiry-themed-emails-lead-to-the-black-hole-exploit-kit\/","title":{"rendered":"‘Intuit Payroll Confirmation inquiry’ themed emails lead to the Black Hole exploit kit"},"content":{"rendered":"

Over the past 24 hours, cybercriminals launched two consecutive massive email campaigns, impersonating Intui Payroll’s Direct Deposit Service system, in an attempt to trick end and corporate users into clicking on the malicious links found in the mails.<\/p>\n

Upon clicking on any of links found in the emails, users are exposed to the client-side exploits served by the latest version of the Black Hole exploit kit.<\/p>\n

More details:<\/p>\n

<\/p>\n

Sample screenshot of the first spamvertised campaign:<\/strong><\/p>\n

\"\"<\/a><\/p>\n

Upon clicking on the links found in the malicious emails, users are exposed to the following bogus “Page loading…” screen:<\/strong><\/p>\n

\"\"<\/a><\/p>\n

Screenshots of the second spamvertised campaign:<\/p>\n

\"\"<\/a><\/p>\n

\"\"<\/a><\/p>\n

Sample spamvertised compromised URLs:<\/strong>
\nhxxp:\/\/www.partypromgowns.com\/wp-content\/plugins\/zaddmuruxhm\/prdiqbss.html<\/em>
\nhxxp:\/\/whitfordmedical.co.nz\/wp-content\/plugins\/zoaddiyefar\/prdiqbss.html<\/em>
\nhxxp:\/\/hanvietroll.com\/components\/com_ag_google_analytics2\/itordernote.html<\/em>
\nhxxp:\/\/aprst.com\/components\/com_ag_google_analytics2\/croconfrm.html<\/em><\/p>\n

Sample client-side exploit serving URLs:<\/strong>
\nhxxp:\/\/art-london.net\/detects\/stones-instruction_think.php<\/em>
\nhxxp:\/\/buycelluleans.com\/detects\/groups_him.php<\/em>
\nhxxp:\/\/buycelluleans.com\/detects\/groups_him.php?zgdljis=3833043409&lkaqagg=0636060a350838350b06&pfat=03&ayna=rapcdmse&zvyhcimn=yecbbs<\/em>
\nhxxp:\/\/art-london.net\/detects\/stones-instruction_think.php?lwkmvtb=3533020635&qbstxmw=43&cvsd=0b0a33350a0735020405&stbdtv=0a000300040002<\/em><\/p>\n

Both of these malicious domains use to respond to\u00a0183.81.133.121<\/strong>; 195.198.124.60<\/strong>; 203.91.113.6<\/strong>. More malicious domains part of the campaign’s infrastructure are known to have responded to the same IPs, for instance,\u00a0buzziskin.net<\/strong>;\u00a0addsmozy.net<\/strong>;\u00a0buycelluleans.com<\/strong>;\u00a0indice-acores.net<\/strong>. The campaign used to rely on the following name servers:\u00a0ns1.zikula-support.com<\/strong>;\u00a0ns2.zikula-support.com<\/strong><\/p>\n

Sample client-side exploits served:<\/strong>\u00a0CVE-2010-0188<\/em><\/a><\/p>\n

Upon successful client-side exploitation, the campaign drops MD5: 5723f92abf257101be20100e5de1cf6f<\/strong><\/a> and MD5: 06c6544f554ea892e86b6c2cb6a1700c<\/strong><\/a> on the affected hosts.<\/p>\n

Related analysis of malicious campaigns impersonating Intuit:<\/strong><\/p>\n