Remember the ‘LinkedIn Invitations’ themed malware campaign which I profiled in March, 2012?

A few hours, ago, the cybercriminals behind it launched another round of malicious emails to millions of end and corporate users.

More details:

Once the user clicks on the link (hxxp://hseclub.net/main.php?page=d72ac4be16dd8476), a client-side exploit, CVE-2010-1885 in particular, will attempt to drop the  following MD5 on the affected host, MD5: 66dfb48ddc624064d21d371507191ff0

Upon execution the sample attempts to connect to the following hosts:

  • janisjhnbdaklsjsad.ru:443 with user janisjhnbdaklsjsad.ru and password janisjhnbdaklsjsad.ru – 91.229.91.73, AS50939, SPACE-AS
  • sllflfjsnd784982ncbmvbjh434554b3.ru – 91.217.162.42, AS29568, COMTEL-AS
  • kamperazonsjdnjhffaaaae38.ru – 91.217.162.42, AS29568, COMTEL-AS
  • iiioioiiiiooii2iio1oi.ru – 91.217.162.42, AS29568, COMTEL-AS

Another malware with MD5: 4b1fce0f9a8abdcb7ac515d382c55013 is known to have used one of these C&C domains in the past, janisjhnbdaklsjsad.ru in particular.

Webroot SecureAnywhere users are protected from this threat.

You can find more about Dancho Danchev at his LinkedIn Profile. You can also follow him on  Twitter.

Blog Staff

About the Author

Blog Staff

The Webroot blog offers expert insights and analysis into the latest cybersecurity trends. Whether you’re a home or business user, we’re dedicated to giving you the awareness and knowledge needed to stay ahead of today’s cyber threats.

Share This