{"id":8820,"date":"2012-11-26T12:00:36","date_gmt":"2012-11-26T19:00:36","guid":{"rendered":"http:\/\/blog.webroot.com\/?p=8820"},"modified":"2018-10-05T11:51:39","modified_gmt":"2018-10-05T17:51:39","slug":"multiple-inter-company-invoice-themed-campaigns-serve-malware-and-client-side-exploits","status":"publish","type":"post","link":"https://www.webroot.com/blog/2012\/11\/26\/multiple-inter-company-invoice-themed-campaigns-serve-malware-and-client-side-exploits\/","title":{"rendered":"Multiple ‘Inter-company’ invoice themed campaigns serve malware and client-side exploits"},"content":{"rendered":"

Over the past few weeks, cybercriminals have been persistently spamvertising ‘Inter-company invoice’ themed emails, in an attempt to trick users into viewing the malicious .html attachment, or unpack and execute the malicious binary found in the attached archives. Upon clicking on the link, users are exposed to the client-side exploits served by the latest version of the Black Hole Exploit Kit<\/strong><\/a>.<\/p>\n

More details: Sample screenshot of the spamvertised email:<\/strong><\/p>\n

\"\"<\/a><\/p>\n

Client-side exploits serving URL:<\/strong> hxxp:\/\/controlleramo.ru:8080\/forum\/links\/column.php<\/em><\/p>\n

Malicious payload dropping URL<\/strong>: hxxp:\/\/controlleramo.ru:8080\/forum\/links\/column.php?hljhtc=33:2v:1h:2w:1m&uqsgtl=3h&hzwtug=2v:1k:1m:32:33:1k:1k:31:1j:1o&ttr=1n:1d:1g:1d:1h:1d:1f<\/em><\/p>\n

Sample client-side exploits served:<\/strong> CVE-2010-0188<\/em><\/a><\/p>\n

Malicious domain name reconnaissance:<\/strong>
\ncontrolleramo.ru
\nName server: ns1.controlleramo.ru<\/strong> – 62.76.186.190
\nName server: ns2.controlleramo.ru<\/strong> – 132.248.49.112
\nName server: ns3.controlleramo.ru<\/strong> – 84.22.100.108
\nName server: ns4.controlleramo.ru<\/strong> – 65.99.223.24<\/p>\n

We’ve already seen the same domain used in another malicious attack –\u00a0“\u2018Copies of Missing EPLI Policies\u2019 themed emails lead to Black Hole Exploit Kit<\/strong><\/a>“, indicating that they’ve been both launched by the same party.<\/p>\n

Upon successful client-side exploitation the campaign drops MD5: de48416449621ecd62b116cc41aa5bcc<\/strong><\/a> – detected by 30 out of 44 antivirus scanners as Worm:Win32\/Cridex.E.<\/p>\n

The first sample obtained from the attached archive, MD5: 03f5311ef1b9f7f09f6e13ff9599f367<\/strong><\/a>– is detected by 40 out of 44 antivirus scanners as Worm:Win32\/Cridex.E.\u00a0Upon execution the sample phones back to 95.142.167.193:8080\/mx\/5\/A\/in\/\u00a0<\/strong>(AS29169). We’ve seen another malware campaign also phoning back to the same IP – “\u2018Regarding your\u00a0Friendster password\u2019 themed emails lead to Black Hole exploit kit<\/strong><\/a>“.<\/p>\n

More MD5s are known to have phoned back to it as well:
\nMD5: cf6f40f1ce37fd8edefc447f68a88e1f<\/strong><\/a> – detected by 34 out of 41 antivirus scanners as VirTool:Win32\/CeeInject
\nMD5: 2d2358dc42cd1abe0beda21b6db3a61c<\/strong><\/a> – detected by 27 out of 42 antivirus scanners as HEUR:Trojan.Win32.Generic
\nMD5: d4153d2c325d729c82fd8a96a94435f2<\/strong><\/a> – detected by 39 out of 44 antivirus scanners as Worm:Win32\/Cridex.E
\nMD5: e6f66ce084b9cc2f3f2f8c35b1636ab8<\/strong><\/a> – detected by 21 out of 42 antivirus scanners as VirTool:Win32\/Obfuscator.ZA
\nMD5: 45992c5b7fb455a0e15466a1e8a8c0f0<\/strong><\/a> – detected by 38 out of 44 antivirus scanners as Worm:Win32\/Cridex.G
\nMD5: d5de95df9a69bef997c21f9be9b0fc88<\/strong><\/a> – detected by 37 out of 42 antivirus scanners as Trojan-Ransom.Win32.Birele.uhu
\nMD5: 56a35fa27f04131f86f0cd44bd8480c3<\/strong><\/a> – detected by 32 out of 40 antivirus scanners as Worm:Win32\/Cridex.E
\nMD5: de05549b469984316e0ec99a1bfe843a<\/strong><\/a> – detected by 39 out of 44 antivirus scanners as Trojan-Ransom.Win32.PornoAsset.akna
\nMD5: 7b9f0a74820a00b34cc57e7c02d1492c<\/strong><\/a> – detected by 39 out of 44 antivirus scanners as Worm:Win32\/Cridex.E<\/p>\n

The second sample obtained from yet another spamvertised archive with\u00a0MD5: 3a8ce3d72b60b105783d74dbc65c37a6<\/strong><\/a> – is detected by 37 out of 44 antivirus scanners as Worm:Win32\/Cridex.E.\u00a0Upon execution it phones back to the following URL: 188.40.0.138:8080\/AJtw\/UCyqrDAA\/Ud+asDAA<\/strong> (AS24940, HETZNER-AS).<\/p>\n

We’ve already seen malware analyzed in previous campaigns phoning back to the same URL, indicating that these campaigns have been launched by the same party – “Cybercriminals spamvertise bogus \u2018Microsoft License Orders\u2019 serve client-side exploits and malware<\/strong><\/a>“; “Spamvertised \u2018US Airways reservation confirmation\u2019 themed emails serve exploits and malware<\/strong><\/a>“.<\/p>\n

Webroot SecureAnywhere<\/strong><\/a>\u00a0users are proactively protected from these threats.<\/p>\n

You can find more about Dancho Danchev at his\u00a0LinkedIn Profile<\/strong><\/a>. You can also\u00a0follow him on \u00a0Twitter<\/strong><\/a>.<\/em><\/p>\n","protected":false},"excerpt":{"rendered":"

Over the past few weeks, cybercriminals have been persistently spamvertising ‘Inter-company invoice’ themed emails, in an attempt to trick users into viewing the malicious .html attachment, or unpack and execute the malicious binary found in the attached archives. Upon clicking on the link, users are exposed to the client-side exploits served by the latest version […]<\/p>\n","protected":false},"author":65,"featured_media":17048,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[3005],"tags":[],"yst_prominent_words":[12559,12557,10897,6183,5811,5801,3871,5803,6187,6177,12407,11733,11729,12389,6189,12437,11735,11731,5813,11745],"acf":[],"_links":{"self":[{"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/posts\/8820"}],"collection":[{"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/users\/65"}],"replies":[{"embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/comments?post=8820"}],"version-history":[{"count":2,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/posts\/8820\/revisions"}],"predecessor-version":[{"id":25533,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/posts\/8820\/revisions\/25533"}],"wp:featuredmedia":[{"embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/media\/17048"}],"wp:attachment":[{"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/media?parent=8820"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/categories?post=8820"},{"taxonomy":"post_tag","embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/tags?post=8820"},{"taxonomy":"yst_prominent_words","embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/yst_prominent_words?post=8820"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}