By Dancho Danchev
Cybercriminals are currently spamvertising millions of emails impersonating Discover, in an attempt to trick cardholders into clicking on the client-side exploits serving URLs found in the malicious emails. Upon clicking on the links, users are exposed to the client-side exploits served by the latest version of the Black Hole Exploit Kit.
Sample screenshot of the spamvertised email:
Sample compromised URLs used in the campaign: hxxp://www.alacinc.org.nz/impdiscm.html; hxxp://viajesybuceo.es/impdiscm.html; hxxp://www.akncorporation.com/impdiscm.html; hxxp://www.smoc.tw/impdiscm.html; hxxp://www.mofty.net/impdiscm.html; hxxp://akweb.nl/webcalendar/includes/impdiscm.html; hxxp://fullhome.net/discinfo.html
Client-side exploits serving URLs: hxxp://netgear-india.net/detects/discover-important_message.php; hxxp://netgear-india.net/detects/discover-important_message.php?qejbu=360a070b03&tfy=35&xio=34023705350a050a0b38&wcxa=02000200020002; hxxp://teamscapabilitieswhich.org/detects/discover-important_message.php
Upon loading, these URLs attempt to exploit CVE-2010-0188 by dropping a malicious PDF file on the affected host, which then drops the actual malware upon successful client-side exploitation.
Sample detection rate for the dropped malware: MD5: 80601551f1c83ee326b3094e468c6b42 – detected by 4 out of 44 antivirus scanners as UDS:DangerousObject.Multi.Generic
Upon execution, the sample phones back to 188.8.131.52:8080/AJtw/UCyqrDAA/Ud+asDAA, AS21574
Client-side exploits serving domain reconnaissance:
teamscapabilitieswhich.org responds to 184.108.40.206, AS2519 – Email: firstname.lastname@example.org
Name Server: NS1.CHELSEAFUN.NET – 220.127.116.11
Name Server: NS2.CHELSEAFUN.NET – 18.104.22.168
netgear-india.net – 22.214.171.124, AS2519
Name Server: NS1.TOPPAUDIO.COM - 126.96.36.199
Name Server: NS2.TOPPAUDIO.COM - 188.8.131.52
The same name servers (NS1.TOPPAUDIO.COM; NS2.TOPPAUDIO.COM) were also used in the recently profiled “BofA ‘Online Banking Passcode Reset’ themed emails serve client-side exploits and malware“; “‘ADP Immediate Notification’ themed emails lead to Black Hole Exploit Kit“, indicating a connection between these campaigns.
Responding to the same IP (184.108.40.206) are also the following malicious domains part of the campaign’s infrastructure:
We’ve also seen (steamedboasting.info) used in the recently profiled “‘ADP Immediate Notification’ themed emails lead to Black Hole Exploit Kit” campaign, indicating that these campaigns are operated by the same cybercriminal/gang of cybercriminals.
Webroot SecureAnywhere users are proactively protected from these threats.