It didn’t take long before the cybercriminals behind the recently profiled ‘Intuit Marketplace’ themed campaign resumed impersonating Intuit, this time with a newly launched round consisting of millions of Intuit-themed emails.
The theme this time? Convincing users that in order to access QuickBooks they must install the non-existent Intuit Security Tool. In reality, the links point to a Black Hole exploit kit landing URL that ultimately drops malware on the affected hosts.
More details:
Screenshot of a sample spamvertised email:
Spamvertised malicious links:
- hxxp://kriskemp.com/intsec.html
- hxxp://news-blogtv.ru/wp-content/uploads/fgallery/updint.html
- hxxp://vedrunag.pangea.org/updint.html
Client-side exploits serving URL: hxxp://roadmateremove.org/main.php?page=9bb4aab85fa703f5 – 89.248.231.122; 208.91.197.27
Responding to 89.248.231.122 are also the following client-side exploits serving domains:
restoreairpowered.net
voodoopics.net
buildyoursafelist.net
Name servers part of the campaign’s infrastructure:
ns1.chemrox.net – 208.91.197.27; 173.234.9.17
ns2.chemrox.net – 7.25.179.23
Upon successful client-side exploitation, the campaign drops a sample with MD5 f621be555dc94a8a370940c92317d575, detected by 33 out of 42 antivirus scanners as Trojan.Win32.Buzus.lzeq or Worm:Win32/Cridex.E.
Once executed, the sample phones back to 87.120.41.155:8080/mx5/B/in. We’ve already seen the same command and control IP used in the following previously profiled malicious campaigns:
- Spamvertised ‘Fwd: Scan from a Hewlett-Packard ScanJet’ emails lead to Black Hole exploit kit
- Cybercriminals impersonate Intuit Market, mass mail millions of exploits and malware serving emails
- Cybercriminals spamvertise bogus greeting cards, serve exploits and malware
- Spamvertised ‘Federal Tax Payment Rejected’ themed emails lead to Black Hole exploit kit
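For defenders who want to sweep their own telemetry for this campaign, the following is an added example (not code from the post or from Webroot) that turns the indicators listed above into a small matcher for proxy, DNS and endpoint-hash records. The log formats, host names such as WS-0412 and the sample records themselves are constructed for the example; the indicator values are the ones quoted in the post.

```python
"""Match constructed proxy/DNS/endpoint records against the campaign indicators above."""
import re
from urllib.parse import urlsplit

# Indicators copied from the post. They are only compared against log fields here,
# never resolved or fetched.
LANDING_HOSTS = {"kriskemp.com", "news-blogtv.ru", "vedrunag.pangea.org"}
EXPLOIT_HOSTS = {"roadmateremove.org", "restoreairpowered.net",
                 "voodoopics.net", "buildyoursafelist.net"}
NAME_SERVERS = {"ns1.chemrox.net", "ns2.chemrox.net"}
MALICIOUS_IPS = {"89.248.231.122", "208.91.197.27", "173.234.9.17", "7.25.179.23"}
C2_IP, C2_PORT, C2_PATH = "87.120.41.155", 8080, "/mx5/B/in"
DROPPER_MD5 = "f621be555dc94a8a370940c92317d575"

# Constructed proxy-log format (assumed, not a real product's format):
# "<timestamp> <client_ip> <dest_ip>:<dest_port> <method> <url> <status>"
PROXY_LINE = re.compile(r"^(\S+) (\S+) (\S+):(\d+) (\S+) (\S+) (\d{3})$")


def classify_proxy_line(line):
    """Return a list of (indicator_kind, matched_value) tuples for one proxy-log line."""
    m = PROXY_LINE.match(line.strip())
    if not m:
        return []
    _ts, _client, dest_ip, dest_port, _method, url, _status = m.groups()
    hits = []
    # Some exports keep URLs defanged (hxxp://); restore the scheme so urlsplit parses it.
    parts = urlsplit(url.replace("hxxp://", "http://", 1))
    host = (parts.hostname or "").lower()
    if host in LANDING_HOSTS:
        hits.append(("landing_page", host))
    if host in EXPLOIT_HOSTS:
        hits.append(("exploit_kit_host", host))
    if dest_ip in MALICIOUS_IPS:
        hits.append(("exploit_kit_ip", dest_ip))
    # C2 beacon: the exact IP, port and path the dropped sample phones back to.
    if dest_ip == C2_IP and int(dest_port) == C2_PORT and parts.path.startswith(C2_PATH):
        hits.append(("c2_beacon", f"{dest_ip}:{dest_port}{parts.path}"))
    return hits


def scan_proxy_log(lines):
    """Return {line_number: hits} for every line matching at least one indicator."""
    findings = {}
    for n, line in enumerate(lines, 1):
        hits = classify_proxy_line(line)
        if hits:
            findings[n] = hits
    return findings


def scan_dns_log(lines):
    """Constructed DNS-log format: '<timestamp> <client_ip> <qname> <answer>'.
    Flags a query whose name is campaign infrastructure, or whose answer is one of
    the campaign's IPs or name servers. Returns [(line_number, qname, answer), ...]."""
    flagged = []
    suspicious_names = LANDING_HOSTS | EXPLOIT_HOSTS | NAME_SERVERS
    suspicious_answers = MALICIOUS_IPS | NAME_SERVERS
    for n, line in enumerate(lines, 1):
        fields = line.split()
        if len(fields) != 4:
            continue
        _ts, _client, qname, answer = fields
        if qname.lower() in suspicious_names or answer.lower() in suspicious_answers:
            flagged.append((n, qname, answer))
    return flagged


def scan_hash_report(rows):
    """rows: iterable of (hostname, file_path, md5) from an endpoint export.
    Returns the sorted hostnames on which the dropper's MD5 was seen."""
    return sorted({host for host, _path, md5 in rows if md5.lower() == DROPPER_MD5})


# Constructed sample records; only the indicator values come from the post.
SAMPLE_PROXY_LOG = [
    "2012-06-12T09:14:02Z 10.1.4.23 93.184.216.34:80 GET http://example.com/index.html 200",
    "2012-06-12T09:15:11Z 10.1.4.23 89.248.231.122:80 GET http://roadmateremove.org/main.php?page=9bb4aab85fa703f5 200",
    "2012-06-12T09:15:40Z 10.1.4.23 87.120.41.155:8080 POST http://87.120.41.155:8080/mx5/B/in 200",
    "2012-06-12T09:16:03Z 10.1.4.57 198.51.100.7:80 GET hxxp://kriskemp.com/intsec.html 200",
]
SAMPLE_DNS_LOG = [
    "2012-06-12T09:15:09Z 10.1.4.23 roadmateremove.org 89.248.231.122",
    "2012-06-12T09:15:09Z 10.1.4.23 roadmateremove.org ns1.chemrox.net",
    "2012-06-12T09:20:00Z 10.1.4.9 example.com 93.184.216.34",
]
SAMPLE_HASH_REPORT = [
    ("WS-0412", r"C:\Users\alice\AppData\Local\Temp\update.exe", "F621BE555DC94A8A370940C92317D575"),
    ("WS-0188", r"C:\Users\bob\Documents\notes.txt", "d41d8cd98f00b204e9800998ecf8427e"),
]

if __name__ == "__main__":
    for n, hits in scan_proxy_log(SAMPLE_PROXY_LOG).items():
        print(f"proxy line {n}: {hits}")
    for n, qname, answer in scan_dns_log(SAMPLE_DNS_LOG):
        print(f"dns line {n}: {qname} -> {answer}")
    print("hosts with dropper:", scan_hash_report(SAMPLE_HASH_REPORT))
```

Hash matching is case-insensitive because antivirus and EDR exports disagree on hex case, and the C2 check requires IP, port and path together so that unrelated traffic to port 8080 is not flagged. The name-server match in the DNS scan is the durable part: exploit-kit domains rotate quickly, while the name servers hosting them tend to stay in use longer.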
Webroot SecureAnywhere users are proactively protected from these threats.
You can find more about Dancho Danchev at his LinkedIn Profile. You can also follow him on Twitter.