Remember the ‘Your Amazon.com order confirmation’ client-side exploits and malware serving campaign which I profiled earlier this week?
It appears that the gang behind it is back with another campaign, this time impersonating PayPal. For the time being, another round consisting of millions of malicious emails is circulating in the wild, enticing end and corporate users into clicking on malicious links found in the emails.
More details:
Screenshots of the spamvertised emails:
Upon clicking on the link, users are exposed to the following page:
In the background, the malicious script loads and performs several redirections until exposing the user to the malicious payload.
Sample compromised URls participating in the campaingn: hxxp://communityrootsfood.org/wp-content/themes/aesthete/post.html; hxxp://kopma.stikom.edu/wp-content/themes/kopmaNewWordpress1000px/post.html
both of these URls redirect to hxxp://kidwingz.net/main.php?page=614411383eef8d97. Surprise, surprise, we’ve already seen this malicious URL in the ‘Your Amazon.com order confirmation’ client-side exploits and malware serving campaign profiled earlier this week.
Upon successful client-side exploitation, the campaign drops the following MD5, MD5: 49f91a1597bc4dd25d3d23302125dae7 – detected by 8 out of 42 antivirus scanners as PWS-Zbot.gen.xs; W32/Injector.AQSI
Upon execution, the sample creates a new file on the system – %AppData%KB00121600.exe – MD5: 49F91A1597BC4DD25D3D23302125DAE7 – detected by 27 out of 42 antivirus scanners as Trojan-Dropper.Win32.Dapato.bigc
It also phones back to the same C&C server used in the ‘Your Amazon.com order confirmation’ campaign, namely, hxxp://85.214.204.32:8080/zb/v_01_b/in/
Webroot SecureAnywhere users are proactively protected from this threat. We predict that we’re going to see more brands systematically impersonated by the same gang, in an attempt to serve malware through exploitation of client-side vulnerabilities.
You can find more about Dancho Danchev at his LinkedIn Profile. You can also follow him on Twitter.
We have been seeing a lot of fake VERIZON WIRELESS emails. I remind people at work, hlver over the links to see if they are fake. The VERIZON emails look just like the ones I legitimately get from VERIZON.
This is very interesting, You are a very skilled blogger.
I’ve joined your rss feed and look forward to seeking more of your fantastic post. Also, I have shared your web site in my social networks!
Not a problem!
We use WordPress for everything related to our Threat Blog.
It seems as though it is a debate that many people have chimed in about.
http://dp2web.blogspot.com/2014/07/wordpress-vs-blogengine-technology.html
Warm Regards,
Josh P.
Webroot Community Support