Remember the ‘LinkedIn Invitations’ themed malware campaign which I profiled in March, 2012?
A few hours, ago, the cybercriminals behind it launched another round of malicious emails to millions of end and corporate users.
More details:
Once the user clicks on the link (hxxp://hseclub.net/main.php?page=d72ac4be16dd8476), a client-side exploit, CVE-2010-1885 in particular, will attempt to drop the following MD5 on the affected host, MD5: 66dfb48ddc624064d21d371507191ff0
Upon execution the sample attempts to connect to the following hosts:
- janisjhnbdaklsjsad.ru:443 with user janisjhnbdaklsjsad.ru and password janisjhnbdaklsjsad.ru – 91.229.91.73, AS50939, SPACE-AS
- sllflfjsnd784982ncbmvbjh434554b3.ru – 91.217.162.42, AS29568, COMTEL-AS
- kamperazonsjdnjhffaaaae38.ru – 91.217.162.42, AS29568, COMTEL-AS
- iiioioiiiiooii2iio1oi.ru – 91.217.162.42, AS29568, COMTEL-AS
Another malware with MD5: 4b1fce0f9a8abdcb7ac515d382c55013 is known to have used one of these C&C domains in the past, janisjhnbdaklsjsad.ru in particular.
Webroot SecureAnywhere users are protected from this threat.
You can find more about Dancho Danchev at his LinkedIn Profile. You can also follow him on Twitter.
