Cybercriminals are currently spamvertising tens of thousands of fake emails, impersonating Intuit, in an attempt to trick its customers and users into clicking on the malicious links found in the emails.
Once users click on any of the links, they’re exposed to the client-side exploits served by the latest version of the Black Hole Exploit Kit, which ultimately drops malware on the affected hosts.
More details:
Sample screenshot of the spamvertised email:
Sample spamvertised URL:
hxxp://dom-servis39.ru/upload.htm
Sample client-side exploits serving URL:
hxxp://dopaminko.ru:8080/forum/links/column.php
Sample malicious payload dropping URL:
hxxp://dopaminko.ru:8080/forum/links/column.php?phfh=30:31:1n:1h:32&kcdbzmta=2v:1k:1m:32:33:1k:1k:31:1j:1o&zwp=1i&acmu=deisi&gimffbf=mnob
Malicious domain name reconnaissance:
dopaminko.ru – 212.112.207.15
Name server: ns1.dopaminko.ru – 62.76.185.169
Name server: ns2.dopaminko.ru – 41.168.5.140
Name server: ns3.dopaminko.ru – 42.121.116.38
Name server: ns4.dopaminko.ru – 110.164.58.250
Name server: ns5.dopaminko.ru – 210.71.250.131
More malicious domains are known to have responded to the same IP (212.112.207.15):
hxxp://danadala.ru:8080/forum/links/column.php
hxxp://dfudont.ru:8080/forum/links/column.php
hxxp://demoralization.ru:8080/forum/links/column.php
hxxp://dfudont.ru:8080/forum/links/column.php
Some of these domains also respond to the following IPs – 91.224.135.20; 46.175.224.21, with more malicious domains part of the campaign’s infrastructure hosted there:
dekamerionka.ru
danadala.ru
dmssmgf.ru
dmpsonthh.ru
demoralization.ru
disownon.ru
damagalko.ru
dozakialko.ru
dopaminko.ru
dumarianoko.ru
dfudont.ru
Name servers part of the campaign’s infrastructure:
Name server: ns1.danadala.ru – 62.76.185.169
Name server: ns2.danadala.ru – 41.168.5.140
Name server: ns3.danadala.ru – 42.121.116.38
Name server: ns4.danadala.ru – 110.164.58.250
Name server: ns5.danadala.ru – 210.71.250.131
Name server: ns1.dfudont.ru – 62.76.185.169
Name server: ns2.dfudont.ru – 41.168.5.140
Name server: ns3.dfudont.ru – 42.121.116.38
Name server: ns4.dfudont.ru – 110.164.58.250
Name server: ns5.dfudont.ru – 210.71.250.131
Name server: ns1.demoralization.ru – 62.76.186.24
Name server: ns2.demoralization.ru – 41.168.5.140
Name server: ns3.demoralization.ru – 42.121.116.38
Name server: ns4.demoralization.ru – 110.164.58.250
Name server: ns5.demoralization.ru – 210.71.250.131
Name server: ns1.dfudont.ru – 62.76.185.169
Name server: ns2.dfudont.ru – 41.168.5.140
Name server: ns3.dfudont.ru – 42.121.116.38
Name server: ns4.dfudont.ru – 110.164.58.250
Name server: ns5.dfudont.ru – 210.71.250.131
Upon successful client-side exploitation, the campaign drops MD5: 3c20e12ac4985720133703801906ae19 – detected by 16 out of 45 antivirus scanners as Worm:Win32/Cridex.E.
Once executed, the sample creates the following process on the affected hosts:
%AppData%KB00121600.exe
The following Registry Keys:
HKEY_CURRENT_USERSoftwareMicrosoftWindows NTCFBDC89D4
HKEY_CURRENT_USERSoftwareMicrosoftWindows NTS25BC2D7B
As well as the following Mutexes:
LocalXMM00000508
LocalXMI00000508
LocalXMRFB119394
LocalXMM0000009C
LocalXMI0000009C
LocalXMM000000D8
LocalXMI000000D8
LocalXMM00000388
LocalXMI00000388
Upon execution, the sample phones back to the following C&C servers:
hxxp://188.165.33.54:8080/DPNilBA/ue1elBAAAA/tlSHAAAAA/
hxxp://174.142.68.239:8080/AJtw/UCyqrDAA/Ud+asDAA/
Not surprisingly, we’ve already seen the same pseudo-random C&C communication characters used in previously profiled posts at Webroot’s Threat Blog, indicating that these campaigns have been launched by the same malicious parties.
Webroot SecureAnywhere users are proactively protected from these threats.
You can find more about Dancho Danchev at his LinkedIn Profile. You can also follow him on Twitter.
