Cybercriminals have recently launched yet another massive spam campaign, this time impersonating the BBB (Better Business Bureau), a brand frequently abused in social-engineering-driven email campaigns.
Once users click on any of the links in the malicious emails, they are automatically exposed to the client-side exploits served by the Black Hole Exploit Kit.
More details:
Sample screenshot of the spamvertised email:
Sample compromised URLs used in the campaign:
hxxp://favemobile.com/wp-content/plugins/zxchhxeoige/betterbusinessrp.html
hxxp://gaming-blogger.com/wp-content/plugins/zokkbualhxe/betterbusinessrp.html
hxxp://gofastco.com/wp-content/plugins/zaoouodkpnx/betterbusinessrp.html
hxxp://williamusmanjr.com/wp-content/plugins/zpihwsvwaeo/betterbusinessrp.html
Sample client-side exploit-serving URL:
hxxp://tv-usib.com/detects/property-mass-dollar_figure.php
Malicious domain name reconnaissance:
tv-usib.com – 59.57.247.185 – Email: twine.tour1@yahoo.com
Name Server: NS1.AMISHSHOPPE.NET – Email: solaradvent@yahoo.com
Name Server: NS2.AMISHSHOPPE.NET – Email: solaradvent@yahoo.com
Responding to 59.57.247.185 are also the following malicious domains, part of the campaign’s infrastructure:
africanbeat.net
akbmag.com
atsushitani.com
barcwealth.com
bmsavingsn.com – ACTIVE phishing campaign
eaglepointecondo.biz
eaglepointecondo.info
eaglepointecondo.org
hfeitu.net
incinteractive.net
labpr.com
lloydsbts-offshore.com
sessionid0147239047829578349578239077.pl
winterskyserf.ru
We’ve already seen the same name servers used in the previously profiled “Fake ‘Citi Account Alert’ themed emails lead to Black Hole Exploit Kit” and “Spamvertised ‘Your Recent eBill from Verizon Wireless’ themed emails serve client-side exploits and malware” campaigns.
Upon successful client-side exploitation, the campaign drops MD5: 2646f13db754654aff315ff9da9fa911 – detected by 30 out of 46 antivirus scanners as Worm:Win32/Cridex.E.
Upon execution, the sample phones back to:
94.73.129.120:8080/rxrt0CA/hIvhA/K66fEB/
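The infection chain described above has three observable network stages: the compromised WordPress landing page, the exploit-kit host, and the Cridex phone-home. The following is an added example (not code from the original post or from Webroot) that turns the indicators listed above into a small proxy-log triage script, so a defender can tell which hosts merely clicked the lure and which went on to beacon. The log format, the sample lines and the assumption that the random plugin directory is always a run of 8 to 16 lowercase letters (all four samples are 11) are constructed for the example.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional
from urllib.parse import urlparse

# Indicators taken from the write-up (defanged hxxp:// restored to http:// for matching).
LANDING_PATH_RE = re.compile(r"^/wp-content/plugins/[a-z]{8,16}/betterbusinessrp\.html$")  # length range is an assumption
EXPLOIT_KIT_HOSTS = {"tv-usib.com"}
CAMPAIGN_INFRA_IP = "59.57.247.185"      # shared IP behind tv-usib.com and the other listed domains
CRIDEX_C2 = ("94.73.129.120", 8080)      # Cridex phone-home endpoint

# Constructed log format (assumption): "<time> <client_ip> <dest_ip> <method> <url>"
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")

# Severity order used by assess(): later stages imply the earlier ones succeeded.
STAGE_RANK = {
    "lure_clicked": 1,          # landing page on a compromised WordPress site
    "campaign_infra": 2,        # any traffic to the shared hosting IP
    "exploit_kit": 3,           # the Black Hole exploit-serving host
    "cridex_c2_beacon": 4,      # post-infection callback
}


def classify(line: str) -> Optional[Dict[str, str]]:
    """Return a hit dict for a log line that matches a campaign stage, else None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, client, dest_ip, method, url = m.groups()
    u = urlparse(url)
    host = u.hostname or ""
    port = u.port or 80
    stage = None
    if LANDING_PATH_RE.match(u.path):
        stage = "lure_clicked"
    elif host in EXPLOIT_KIT_HOSTS:
        stage = "exploit_kit"
    elif (dest_ip, port) == CRIDEX_C2 or (host, port) == CRIDEX_C2:
        stage = "cridex_c2_beacon"
    elif dest_ip == CAMPAIGN_INFRA_IP:
        stage = "campaign_infra"
    if stage is None:
        return None
    return {"ts": ts, "client": client, "stage": stage, "url": url}


def triage(lines: List[str]) -> Dict[str, List[Dict[str, str]]]:
    """Group matching hits per client IP so the chain can be read host by host."""
    per_client: Dict[str, List[Dict[str, str]]] = defaultdict(list)
    for line in lines:
        hit = classify(line)
        if hit:
            per_client[hit["client"]].append(hit)
    return dict(per_client)


def assess(hits: List[Dict[str, str]]) -> str:
    """Collapse a client's hits to the most severe stage reached."""
    if not hits:
        return "clean"
    worst = max(hits, key=lambda h: STAGE_RANK[h["stage"]])
    return worst["stage"]


# Constructed sample proxy lines: one host that went all the way to the C2,
# one that only fetched the lure, and one benign request.
SAMPLE_LOGS = [
    "10:01:02 10.0.0.7 203.0.113.10 GET http://favemobile.com/wp-content/plugins/zxchhxeoige/betterbusinessrp.html",
    "10:01:04 10.0.0.7 59.57.247.185 GET http://tv-usib.com/detects/property-mass-dollar_figure.php",
    "10:01:09 10.0.0.7 94.73.129.120 POST http://94.73.129.120:8080/rxrt0CA/hIvhA/K66fEB/",
    "10:02:00 10.0.0.8 203.0.113.10 GET http://gofastco.com/wp-content/plugins/zaoouodkpnx/betterbusinessrp.html",
    "10:05:00 10.0.0.9 198.51.100.5 GET http://example.com/index.html",
]

if __name__ == "__main__":
    for client, hits in sorted(triage(SAMPLE_LOGS).items()):
        print(f"{client}: {assess(hits)}")
        for h in hits:
            print(f"    {h['ts']} {h['stage']:18} {h['url']}")
```

Hosts that reach `cridex_c2_beacon` should be treated as compromised rather than merely exposed; the landing-page path regex is the most reusable indicator here, since the compromised WordPress sites rotate while the file name stays constant.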
Webroot SecureAnywhere users are proactively protected from these threats.
You can find more about Dancho Danchev at his LinkedIn Profile. You can also follow him on Twitter.