By Dancho Danchev
Remember the ‘LinkedIn Invitations’ themed malware campaign which I profiled in March, 2012?
A few hours, ago, the cybercriminals behind it launched another round of malicious emails to millions of end and corporate users.
Once the user clicks on the link (hxxp://hseclub.net/main.php?page=d72ac4be16dd8476), a client-side exploit, CVE-2010-1885 in particular, will attempt to drop the following MD5 on the affected host, MD5: 66dfb48ddc624064d21d371507191ff0
Upon execution the sample attempts to connect to the following hosts:
- janisjhnbdaklsjsad.ru:443 with user janisjhnbdaklsjsad.ru and password janisjhnbdaklsjsad.ru – 22.214.171.124, AS50939, SPACE-AS
- sllflfjsnd784982ncbmvbjh434554b3.ru – 126.96.36.199, AS29568, COMTEL-AS
- kamperazonsjdnjhffaaaae38.ru – 188.8.131.52, AS29568, COMTEL-AS
- iiioioiiiiooii2iio1oi.ru – 184.108.40.206, AS29568, COMTEL-AS
Another malware with MD5: 4b1fce0f9a8abdcb7ac515d382c55013 is known to have used one of these C&C domains in the past, janisjhnbdaklsjsad.ru in particular.
Webroot SecureAnywhere users are protected from this threat.