By Dancho Danchev
Over the past 24 hours, cybercriminals have started spamvertising millions of emails impersonating the Federal Deposit Insurance Corporation (FDIC), in an attempt to trick businesses into installing a bogus, non-existent security tool promoted in the emails. Upon clicking on the links, users are exposed to the client-side exploits served by the Black Hole Exploit Kit.
Sample screenshot of the spamvertised FDIC impersonating email:
Once the user clicks on the malicious link, they are exposed to the following bogus “Page loading…” page:
Screenshot of a sample of the obfuscated JavaScript:
Spamvertised malicious and compromised URLs: hxxp://jiuzehui.com/achsec.html; hxxp://www.incikolye.org/achsec.html; hxxp://luciledufresne.fr/secupd.html
Client-side exploits serving URL: hxxp://afgreenwich.net/main.php?page=0f123fe645ddf8d7 - 188.8.131.52 (AS24559)
We’ve already seen the same IP used in the recently profiled “Spamvertised ‘US Airways reservation confirmation’ themed emails serve exploits and malware” campaign. Clearly, the FDIC campaign is using the same malicious infrastructure as the US Airways themed campaign.
Client-side exploits served: CVE-2010-1885 (the Windows Help and Support Center hcp:// protocol handler flaw patched in MS10-042)
Detection rate for a sample JavaScript redirector: MD5: b72226f67ec59f3c7a7f2b970f04272f – detected by 8 out of 42 antivirus scanners as JS:Trojan.Crypt.HM
Upon successful client-side exploitation, the campaign drops MD5: 3ce1ae2605aa800c205ef63a45ffdbfa – detected by 16 out of 42 antivirus scanners as Trojan-Ransom.Win32.Gimemo.aovu; W32.Cridex
Once executed, it attempts to phone back to 184.108.40.206:8080/mx/5/B/in (AS26496).
The following malicious command and control servers have also responded to the same IP:
More malicious URLs are known to have responded to the same IP in the past, for instance:
More MD5s are known to have phoned back to the same IP in the past, for instance: MD5: 97974153c25baf5826bf441a8ab187a6 – detected by 16 out of 42 antivirus scanners as Trojan.Win32.Jorik.Zbot.fxq; Gen:Variant.Zusy.17989, and MD5: 9069210d0758b34d8ef8679f712b48aa – detected by 6 out of 42 antivirus scanners as Trojan.Winlock.6049; W32/Cridex.R
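The indicators above (the three spamvertised redirector URLs, the Black Hole landing page on afgreenwich.net / 188.8.131.52, and the Cridex phone-home at 184.108.40.206:8080/mx/5/B/in) are most useful when run against web-proxy logs. The script below is an added example written for this post, not Webroot's or the author's own tooling. It assumes a simplified, constructed proxy log format (timestamp, client, method, URL, status) and, as a labelled assumption that goes beyond the post, generalises the landing-page URL to the `main.php?page=<16 hex chars>` shape so that sibling landing pages on other hosts are also flagged; the sample log lines are constructed, not real traffic.

```python
import re

# Indicators copied from the post above; the post defangs them as hxxp://.
SPAMVERTISED_URLS = [
    "hxxp://jiuzehui.com/achsec.html",
    "hxxp://www.incikolye.org/achsec.html",
    "hxxp://luciledufresne.fr/secupd.html",
]
EXPLOIT_KIT_URL = "hxxp://afgreenwich.net/main.php?page=0f123fe645ddf8d7"
EXPLOIT_KIT_IP = "188.8.131.52"
C2_HOST_PORT = "184.108.40.206:8080"
C2_PATH = "/mx/5/B/in"

# Assumption (not from the post): landing pages of this campaign follow the
# main.php?page=<16 hex chars> shape, so a regex catches pages the post
# does not list.  Anchored so a 17th hex digit does not match.
BLACKHOLE_LANDING_RE = re.compile(r"/main\.php\?page=[0-9a-f]{16}(?![0-9a-f])")


def refang(url):
    """Turn the post's defanged hxxp:// form back into a comparable URL."""
    return url.replace("hxxp://", "http://", 1).replace("hxxps://", "https://", 1)


def parse_proxy_line(line):
    """Parse a constructed proxy log line: '<ts> <client> <method> <url> <status>'.
    Returns (client, url), or None if the line does not fit the format."""
    parts = line.split()
    if len(parts) != 5:
        return None
    return parts[1], parts[3]


def classify(url):
    """Return the indicator category a requested URL matches, or None."""
    if url in {refang(u) for u in SPAMVERTISED_URLS}:
        return "spamvertised-redirector"
    # Exact landing page from the post (by name or by the IP it resolves to).
    if url == refang(EXPLOIT_KIT_URL) or url.startswith(f"http://{EXPLOIT_KIT_IP}/"):
        return "blackhole-landing-page"
    if BLACKHOLE_LANDING_RE.search(url):
        return "blackhole-landing-page-pattern"
    if f"://{C2_HOST_PORT}{C2_PATH}" in url:
        return "cridex-c2-beacon"
    return None


def scan(lines):
    """Return (line_no, client, category, url) for every indicator hit."""
    hits = []
    for n, line in enumerate(lines, 1):
        parsed = parse_proxy_line(line)
        if parsed is None:
            continue
        client, url = parsed
        category = classify(url)
        if category:
            hits.append((n, client, category, url))
    return hits


def likely_compromised(hits):
    """Clients that reached a landing page AND beaconed to the C2: a landing
    page hit alone may be a blocked or failed exploit, the beacon means the
    dropped Cridex sample actually ran."""
    seen = {}
    for _, client, category, _ in hits:
        seen.setdefault(client, set()).add(category)
    return sorted(
        client
        for client, cats in seen.items()
        if "cridex-c2-beacon" in cats
        and any(c.startswith("blackhole-landing-page") for c in cats)
    )


# Constructed sample log, not captured traffic.  Line 4 uses a made-up page
# id to show the pattern match; line 6 is a benign main.php to show a miss.
SAMPLE_LOG = [
    "2012-05-09T10:01:02 10.0.0.5 GET http://www.example.com/index.html 200",
    "2012-05-09T10:01:09 10.0.0.5 GET http://jiuzehui.com/achsec.html 200",
    "2012-05-09T10:01:10 10.0.0.5 GET http://afgreenwich.net/main.php?page=0f123fe645ddf8d7 200",
    "2012-05-09T10:01:11 10.0.0.5 GET http://afgreenwich.net/main.php?page=9a1b2c3d4e5f6a7b 200",
    "2012-05-09T10:02:30 10.0.0.5 POST http://184.108.40.206:8080/mx/5/B/in 200",
    "2012-05-09T10:03:00 10.0.0.7 GET http://www.example.com/main.php?page=about 200",
]

if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for line_no, client, category, url in found:
        print(f"line {line_no}: {client} {category} {url}")
    print("likely compromised:", likely_compromised(found))
```

The ordering in `classify` matters: the exact landing-page URL from the post is checked before the generic pattern so that a confirmed indicator is reported as such rather than as a pattern hit. Because the infrastructure is shared with the earlier US Airways campaign, the same script can be pointed at that campaign's indicators by extending the lists at the top.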
Webroot SecureAnywhere users are proactively protected from these threats.