It didn’t take long before the cybercriminals behind the recently profiled ‘Intuit Marketplace’ themed campaign resumed impersonating Intuit, with a newly launched round consisting of millions of Intuit-themed emails.

The theme this time? Convincing users that in order to access QuickBooks they would have to install the non-existent Intuit Security Tool. In reality, though, clicking on the links leads to a Black Hole exploit kit landing URL that ultimately drops malware on the affected hosts.

More details:

Screenshot of a sample spamvertised email:

Spamvertised malicious links: hxxp://kriskemp.com/intsec.html; hxxp://news-blogtv.ru/wp-content/uploads/fgallery/updint.html; hxxp://vedrunag.pangea.org/updint.html

Client-side exploits serving URL: hxxp://roadmateremove.org/main.php?page=9bb4aab85fa703f5 – 89.248.231.122; 208.91.197.27

Responding to 89.248.231.122 are also the following client-side exploits serving domains:
restoreairpowered.net
voodoopics.net
buildyoursafelist.net

Name servers part of the campaign’s infrastructure:
ns1.chemrox.net – 208.91.197.27; 173.234.9.17
ns2.chemrox.net – 7.25.179.23

Upon successful client-side exploitation, the campaign drops MD5: f621be555dc94a8a370940c92317d575 – detected by 33 out of 42 antivirus scanners as Trojan.Win32.Buzus.lzeq; Worm:Win32/Cridex.E.

Once executed, the sample phones back to 87.120.41.155:8080/mx5/B/in. We’ve already seen the same command and control IP used in the following previously profiled malicious campaigns:
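As an added example (not part of this post or of Webroot’s own tooling), the script below checks web-proxy log lines against the indicators listed above. The log lines are constructed, the log format (`timestamp client_ip method url status`) is an assumption, and the landing-page regex generalises the single observed URL (`main.php?page=<16 hex chars>`) so that it also flags hosts that are not on the list but serve the same Black Hole landing pattern.

```python
import re
from ipaddress import ip_address
from urllib.parse import urlparse

# Domains and IPs taken from the indicators listed in the post above.
MALICIOUS_DOMAINS = {
    "kriskemp.com",
    "news-blogtv.ru",
    "vedrunag.pangea.org",
    "roadmateremove.org",
    "restoreairpowered.net",
    "voodoopics.net",
    "buildyoursafelist.net",
    "chemrox.net",
}
MALICIOUS_IPS = {
    "89.248.231.122",
    "208.91.197.27",
    "173.234.9.17",
    "7.25.179.23",
    "87.120.41.155",
}

# Assumption: the Black Hole landing URL in this campaign is main.php?page=<16 hex chars>;
# matching the pattern lets us flag the same kit on hosts not yet on the list.
LANDING_RE = re.compile(r"/main\.php\?page=[0-9a-f]{16}$")

# Cridex check-in path observed on 87.120.41.155:8080 in the post.
C2_PATH = "/mx5/B/in"

# Constructed sample proxy log (not real traffic): "<ts> <client_ip> <method> <url> <status>"
SAMPLE_LOG = """\
1332000001 10.0.0.5 GET http://kriskemp.com/intsec.html 200
1332000002 10.0.0.5 GET http://roadmateremove.org/main.php?page=9bb4aab85fa703f5 200
1332000003 10.0.0.5 POST http://87.120.41.155:8080/mx5/B/in 200
1332000004 10.0.0.7 GET http://www.example.org/index.html 200
1332000005 10.0.0.9 GET http://203.0.113.10/main.php?page=0123456789abcdef 200
1332000006 10.0.0.7 GET http://sub.voodoopics.net/x.html 404
"""


def domain_matches(host: str) -> bool:
    """True if host is a listed domain or any subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in MALICIOUS_DOMAINS)


def classify_url(url: str) -> list:
    """Return the indicator categories a single URL hits (empty list if clean)."""
    parsed = urlparse(url)
    host = parsed.hostname or ""  # hostname drops the :port, so 87.120.41.155:8080 -> 87.120.41.155
    hits = []
    try:
        ip_address(host)
        is_ip = True
    except ValueError:
        is_ip = False
    if is_ip and host in MALICIOUS_IPS:
        hits.append("known-ip")
    elif not is_ip and domain_matches(host):
        hits.append("known-domain")
    path_and_query = parsed.path + ("?" + parsed.query if parsed.query else "")
    if LANDING_RE.search(path_and_query):
        hits.append("blackhole-landing-pattern")
    if parsed.path == C2_PATH:
        hits.append("cridex-c2-path")
    return hits


def scan_log(log_text: str) -> list:
    """Parse proxy log lines and return one alert dict per line that hits an indicator."""
    alerts = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed lines rather than crash on them
        ts, client, _method, url, _status = parts
        hits = classify_url(url)
        if hits:
            alerts.append({"ts": ts, "client": client, "url": url, "hits": hits})
    return alerts


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert["ts"], alert["client"], ",".join(alert["hits"]), alert["url"])
```

The subdomain match matters because exploit kit operators rotate hostnames under a fixed registered domain, and the path pattern catches the landing page even when the host has moved to an IP the list does not yet contain (the 203.0.113.10 line above is flagged only by the pattern).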

Webroot SecureAnywhere users are proactively protected from these threats.

You can find more about Dancho Danchev at his LinkedIn Profile. You can also follow him on Twitter.

About the Author

Blog Staff

The Webroot blog offers expert insights and analysis into the latest cybersecurity trends. Whether you’re a home or business user, we’re dedicated to giving you the awareness and knowledge needed to stay ahead of today’s cyber threats.