Remember the IRS (Internal Revenue Service) themed malicious campaign profiled at Webroot’s Threat Blog earlier this month?
Over the past 24 hours, the cybercriminals behind that campaign have resumed mass-mailing the same IRS email template, once again exposing millions of users to a lure that relies purely on social engineering to get them to click through to client-side exploits and malware.
More details:
Sample screenshot of the spamvertised email:
Upon clicking on the link, users are exposed to the following bogus “Page loading…” page:
Spamvertised malicious URLs hosted on compromised hosts:
hxxp://feterouge.info/wp-content/plugins/rejrev.html
hxxp://jasnoiglasno.com/wp-content/plugins/zooexojfeix/intrev.html
hxxp://businesspromotesolutions.com/admin/irser.html
hxxp://www.aquitato.net/v3/wp-content/plugins/zvncekcolnx/revnse.html
hxxp://atdcindia.com/COFFEE/revnse.html
hxxp://xerby.com/irsrev.html
hxxp://myoushinji.com/irsrev.html
hxxp://room-4-dessert.com/heb/wp-content/plugins/zeoebikeoou/irser.html
hxxp://evrootdelka.tom.ru/txpo.html
hxxp://wholefoodmall.9138.8008202191.com/txpo.html
Detection rate for a sample JavaScript redirection: MD5: 8c5ee1902b4429ce303530f37115854a – detected by only 1 out of 41 antivirus scanners as Mal/Iframe-W
Sample exploit-serving landing URLs:
hxxp://immigrationunix.pro/main.php?page=28677a727aff0456
hxxp://bikeslam.net/main.php?page=8b89c7278770dfd7
hxxp://market-panel.net/main.php?page=8b89c7278770dfd7
hxxp://steampoweredprobability.pro/main.php?page=e55871a71c789475
hxxp://wireframeglee.info/main.php?page=39630332cf486f5a
hxxp://allhugedeals.net/main.php?page=ca16f7c53056850e
Sample exploits served: CVE-2010-0188 (Adobe Reader/Acrobat, malformed TIFF handled by the bundled LibTIFF); CVE-2010-1885 (Windows Help and Support Center, hcp:// protocol handler)
Upon successful client-side exploitation, the campaign drops the following samples:
MD5: 42307705ad637c615a6ed5fbf1e755d1 – detected by 34 out of 42 antivirus scanners as Trojan.Win32.Yakes.ansm; Trojan:Win32/Coremhead
MD5: 027b7e4f2a34ccea32ffe38c35a20903 – detected by 20 out of 42 antivirus scanners as Worm:Win32/Cridex.E; Trojan-Dropper.Win32.Dapato.bpqt
MD5: 29cd72608b456c87d91809132401379d – detected by 20 out of 42 antivirus scanners as Trojan.Dropper.Agent.VJQ
MD5: cc7ce4552794d3e4c28e8986bec469c2 – detected by 34 out of 42 antivirus scanners as Trojan.Win32.Yakes.aonc; Trojan:Win32/Malagent
MD5: b8e0ffb6591f6ab556575e4d65e9fed1 – detected by 1 out of 28 antivirus scanners as Trojan-PSW.Win32.Tepfer.babg
Upon execution, the samples phone back to 192.5.5.241:8080/mx5/B/in and 87.120.41.155:8080/mx5/B/in. We have already seen malware phoning back to the same IP (87.120.41.155) in the recently profiled “Cybercriminals spamvertise bogus greeting cards, serve exploits and malware” and “Spamvertised ‘Fwd: Scan from a Hewlett-Packard ScanJet’ emails lead to Black Hole exploit kit” campaigns, which ties this run to the same operators and infrastructure.
The following malicious domains and command-and-control servers also resolve to 87.120.41.155:
horoshovsebudet.ru
kamarovoskorlovo.ru
serebrokakzoloto.ru
cojsdhfhhlsl.ru
geekstuffmag.com
vzhpiaswhqlswkji.ru
insomniacporeed.ru
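To turn the indicators above into something a SOC can actually run, here is an added example of the detection logic (my code, written for this page; it is not Webroot's or the author's tooling). It takes the redirector URLs, Black Hole landing hosts, C&C IPs/domains, the /mx5/B/in beacon path and the dropped-sample MD5s exactly as listed in the post, refangs the hxxp:// notation, and labels each URL in a proxy log by the stage of the infection chain it belongs to. The proxy-log layout and every log line are constructed for the example. One generalization goes beyond the post: every listed landing URL has the shape /main.php?page=<16 hex chars>, so the code also flags that shape on hosts the post does not list, under the assumption that the kit keeps generating page tokens that way.

```python
import re
from typing import Optional
from urllib.parse import urlsplit, parse_qs

# Indicators copied from the post above, defanged exactly as written there.
REDIRECT_URLS = {
    "hxxp://feterouge.info/wp-content/plugins/rejrev.html",
    "hxxp://jasnoiglasno.com/wp-content/plugins/zooexojfeix/intrev.html",
    "hxxp://businesspromotesolutions.com/admin/irser.html",
    "hxxp://www.aquitato.net/v3/wp-content/plugins/zvncekcolnx/revnse.html",
    "hxxp://atdcindia.com/COFFEE/revnse.html",
    "hxxp://xerby.com/irsrev.html",
    "hxxp://myoushinji.com/irsrev.html",
    "hxxp://room-4-dessert.com/heb/wp-content/plugins/zeoebikeoou/irser.html",
    "hxxp://evrootdelka.tom.ru/txpo.html",
    "hxxp://wholefoodmall.9138.8008202191.com/txpo.html",
}
LANDING_HOSTS = {
    "immigrationunix.pro", "bikeslam.net", "market-panel.net",
    "steampoweredprobability.pro", "wireframeglee.info", "allhugedeals.net",
}
C2_IPS = {"192.5.5.241", "87.120.41.155"}
C2_DOMAINS = {
    "horoshovsebudet.ru", "kamarovoskorlovo.ru", "serebrokakzoloto.ru",
    "cojsdhfhhlsl.ru", "geekstuffmag.com", "vzhpiaswhqlswkji.ru",
    "insomniacporeed.ru",
}
C2_PATH, C2_PORT = "/mx5/B/in", 8080
DROPPED_MD5 = {
    "42307705ad637c615a6ed5fbf1e755d1", "027b7e4f2a34ccea32ffe38c35a20903",
    "29cd72608b456c87d91809132401379d", "cc7ce4552794d3e4c28e8986bec469c2",
    "b8e0ffb6591f6ab556575e4d65e9fed1",
}

# Every landing URL in the post is /main.php?page=<16 hex chars>. Flagging that
# shape on *any* host is an assumption (not from the post) that the kit keeps
# generating page tokens this way.
PAGE_TOKEN = re.compile(r"^[0-9a-f]{16}$")


def refang(url: str) -> str:
    """Turn the defanged hxxp:// form used in reports back into a real scheme."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.IGNORECASE)


REFANGED_REDIRECTS = {refang(u) for u in REDIRECT_URLS}


def classify_url(url: str) -> Optional[str]:
    """Label one URL by the infection-chain stage it belongs to, or None."""
    u = refang(url)
    parts = urlsplit(u)
    host = (parts.hostname or "").lower()
    if not host:
        return None
    if u.split("?", 1)[0] in REFANGED_REDIRECTS:
        return "redirector"             # compromised site hosting the JS redirect
    if host in C2_IPS or host in C2_DOMAINS:
        if parts.path == C2_PATH and parts.port == C2_PORT:
            return "c2-beacon"          # the exact check-in the dropped samples make
        return "c2-host"                # any other contact with known C2 infrastructure
    if host in LANDING_HOSTS:
        return "exploit-landing"        # Black Hole landing host listed in the post
    if parts.path == "/main.php":
        page = parse_qs(parts.query).get("page", [""])[0]
        if PAGE_TOKEN.match(page):
            return "blackhole-pattern"  # same URL shape on an unlisted host: worth a look
    return None


def known_dropper(md5: str) -> bool:
    """Case-insensitive lookup of a file hash against the dropped samples."""
    return md5.strip().lower() in DROPPED_MD5


# Constructed proxy-log lines in a minimal "time client method url status"
# layout; they are made up for this example and mirror the chain the post describes.
SAMPLE_LOG = """\
09:12:01 10.0.0.17 GET http://feterouge.info/wp-content/plugins/rejrev.html 200
09:12:02 10.0.0.17 GET http://immigrationunix.pro/main.php?page=28677a727aff0456 200
09:12:05 10.0.0.17 GET http://example.org/main.php?page=0123456789abcdef 200
09:12:09 10.0.0.17 POST http://87.120.41.155:8080/mx5/B/in 200
09:12:11 10.0.0.23 GET http://geekstuffmag.com/ 200
09:13:00 10.0.0.42 GET http://www.irs.gov/ 200
""".splitlines()

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)


def scan_log(lines):
    """Return (client, label, url) for every line whose URL matches an indicator."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        label = classify_url(m["url"])
        if label:
            hits.append((m["client"], label, m["url"]))
    return hits


if __name__ == "__main__":
    for client, label, url in scan_log(SAMPLE_LOG):
        print(f"{client:12} {label:18} {url}")
```

The labels matter for triage: a single client that walks redirector, then exploit-landing, then c2-beacon within seconds is an infection, whereas a lone blackhole-pattern hit on an unlisted host is a lead to pivot on rather than a confirmed indicator from this post.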
We’ll continue monitoring the development of the campaign.
Webroot SecureAnywhere users are proactively protected from these threats.
You can find more about Dancho Danchev at his LinkedIn Profile. You can also follow him on Twitter.