Over the past 24 hours, cybercriminals have spamvertised millions of emails impersonating Intuit Market, in an attempt to trick end and corporate users into clicking on the malicious links found in the emails.
Upon clicking on them, users are exposed to the client-side exploits served by the Black Hole web malware exploitation kit.
More details:
Sample screenshot of the spamvertised email:
Spamvertised malicious iFrame domains: hxxp://kolmykiaonline.ru:8080/forum/showthread.php?page=5fa58bce769e5c2c; hxxp://anapoli.ru:8080/forum/showthread.php?page=5fa58bce769e5c2c
Client-side exploits served: CVE-2010-1885; CVE-2010-0188
Upon successful client-side exploitation the campaign drops MD5: aea6d9be93a6f64357b96db96e9c7e10 – detected by 20 out of 42 antivirus scanners as Trojan-Dropper.Win32.Dapato.bpqu; Worm:Win32/Cridex.E, and MD5: 7fe4d2e52b6f3f22b2f168e8384a757e – detected by 28 out of 42 antivirus scanners as Trojan.Win32.Buzus.lxwt; Worm:Win32/Cridex.E
Name servers part of the campaign’s infrastructure:
kolmykiaonline.ru – 50.56.92.47; 203.80.16.81
ns1.kolmykiaonline.ru – 85.143.166.186
ns2.kolmykiaonline.ru – 132.248.49.112
ns3.kolmykiaonline.ru – 87.120.41.155
anapoli.ru – 50.56.92.47; 190.120.228.92; 203.80.16.81
ns1.anapoli.ru – 85.143.166.186
ns2.anapoli.ru – 203.172.140.202
ns3.anapoli.ru – 87.120.41.155
ns4.anapoli.ru – 173.224.208.60
ns5.anapoli.ru – 132.248.49.112
We’ve already seen the same IPs and command and control servers used in the recently profiled “Spamvertised ‘Fwd: Scan from a Hewlett-Packard ScanJet’ emails lead to Black Hole exploit kit” campaign. Based on this fact, we can conclude that these campaigns are operated by the same cybercriminal/gang of cybercriminals.
The last time we profiled an Intuit themed malicious campaign, was in July 2012.
Webroot SecureAnywhere users are proactively protected from these threats.
You can find more about Dancho Danchev at his LinkedIn Profile. You can also follow him on Twitter.
