By Dancho Danchev
Over the past 24 hours, cybercriminals have spamvertised millions of emails impersonating Intuit Market, in an attempt to trick end and corporate users into clicking on the malicious links found in the emails.
Upon clicking on them, users are exposed to the client-side exploits served by the Black Hole web malware exploitation kit.
Sample screenshot of the spamvertised email:
Spamvertised malicious iFrame domains: hxxp://kolmykiaonline.ru:8080/forum/showthread.php?page=5fa58bce769e5c2c; hxxp://anapoli.ru:8080/forum/showthread.php?page=5fa58bce769e5c2c
Upon successful client-side exploitation the campaign drops MD5: aea6d9be93a6f64357b96db96e9c7e10 – detected by 20 out of 42 antivirus scanners as Trojan-Dropper.Win32.Dapato.bpqu; Worm:Win32/Cridex.E, and MD5: 7fe4d2e52b6f3f22b2f168e8384a757e – detected by 28 out of 42 antivirus scanners as Trojan.Win32.Buzus.lxwt; Worm:Win32/Cridex.E
Name servers part of the campaign’s infrastructure:
kolmykiaonline.ru – 184.108.40.206; 220.127.116.11
ns1.kolmykiaonline.ru – 18.104.22.168
ns2.kolmykiaonline.ru – 22.214.171.124
ns3.kolmykiaonline.ru – 126.96.36.199
anapoli.ru – 188.8.131.52; 184.108.40.206; 220.127.116.11
ns1.anapoli.ru – 18.104.22.168
ns2.anapoli.ru – 22.214.171.124
ns3.anapoli.ru – 126.96.36.199
ns4.anapoli.ru – 188.8.131.52
ns5.anapoli.ru – 184.108.40.206
We’ve already seen the same IPs and command and control servers used in the recently profiled “Spamvertised ‘Fwd: Scan from a Hewlett-Packard ScanJet’ emails lead to Black Hole exploit kit” campaign. Based on this fact, we can conclude that these campaigns are operated by the same cybercriminal/gang of cybercriminals.
The last time we profiled an Intuit themed malicious campaign, was in July 2012.
Webroot SecureAnywhere users are proactively protected from these threats.