By Dancho Danchev
Cybercriminals are currently spamvertising millions of emails impersonating Intuit, in an attempt to trick end and corporate users into clicking on the malicious links found in the emails.
The emails pretend to be coming from Intuit’s PaymentNetwork and acknowledge the arrival of an incoming payment. In reality though, they redirect users to a Black Hole exploit kit landing URLs where client-side exploits are served, and ultimately malware is dropped on the infected hosts.
Screenshot of the spamvertised Intuit themed malicious email:
Upon clicking on the links found in the email, users are exposed to the following bogus “Page loading…” page:
Spamvertised URLs: hxxp://sklep.kosmetyki-nel.pl/intpmt.html; hxxp://kuzeybebe.com/o3whbp0G/index.html; hxxp://senzor.rs/prolintu.html
Client-side exploits serving URLs: hxxp://126.96.36.199/view.php?s=2acc7093df3a2945; hxxp://proamd-inc.com/main.php?page=8cb1f95c85bce71b; hxxp://thaidescribed.com/main.php?page=8cb1f95c85bce71b
Client-side exploits served: CVE-2010-1885
Upon successful client-side exploitation, the campaign drops MD5: 4462c5b3556c5cab5d90955b3faa19a8 on the exploited hosts. The sample is detected by 29 out of 41 antivirus scanners as Worm.Win32.Cridex.fb; Worm:Win32/Cridex.B
Upon execution, the sample phones back to renderingoptimization.info – 188.8.131.52, Email: firstname.lastname@example.org on port 443.
Webroot SecureAnywhere users are proactively protected from the client-side exploitation.