By Dancho Danchev
Over the past few weeks, cybercriminals have been persistently spamvertising ‘Inter-company invoice’ themed emails, in an attempt to trick users into viewing the malicious .html attachment, or unpack and execute the malicious binary found in the attached archives. Upon clicking on the link, users are exposed to the client-side exploits served by the latest version of the Black Hole Exploit Kit.
More details: Sample screenshot of the spamvertised email:
Client-side exploits serving URL: hxxp://controlleramo.ru:8080/forum/links/column.php
Malicious payload dropping URL: hxxp://controlleramo.ru:8080/forum/links/column.php?hljhtc=33:2v:1h:2w:1m&uqsgtl=3h&hzwtug=2v:1k:1m:32:33:1k:1k:31:1j:1o&ttr=1n:1d:1g:1d:1h:1d:1f
Sample client-side exploits served: CVE-2010-0188
Malicious domain name reconnaissance:
Name server: ns1.controlleramo.ru – 184.108.40.206
Name server: ns2.controlleramo.ru – 220.127.116.11
Name server: ns3.controlleramo.ru – 18.104.22.168
Name server: ns4.controlleramo.ru – 22.214.171.124
We’ve already seen the same domain used in another malicious attack - ”‘Copies of Missing EPLI Policies’ themed emails lead to Black Hole Exploit Kit“, indicating that they’ve been both launched by the same party.
Upon successful client-side exploitation the campaign drops MD5: de48416449621ecd62b116cc41aa5bcc – detected by 30 out of 44 antivirus scanners as Worm:Win32/Cridex.E.
The first sample obtained from the attached archive, MD5: 03f5311ef1b9f7f09f6e13ff9599f367- is detected by 40 out of 44 antivirus scanners as Worm:Win32/Cridex.E. Upon execution the sample phones back to 126.96.36.199:8080/mx/5/A/in/ (AS29169). We’ve seen another malware campaign also phoning back to the same IP – “‘Regarding your Friendster password’ themed emails lead to Black Hole exploit kit“.
More MD5s are known to have phoned back to it as well:
MD5: cf6f40f1ce37fd8edefc447f68a88e1f – detected by 34 out of 41 antivirus scanners as VirTool:Win32/CeeInject
MD5: 2d2358dc42cd1abe0beda21b6db3a61c – detected by 27 out of 42 antivirus scanners as HEUR:Trojan.Win32.Generic
MD5: d4153d2c325d729c82fd8a96a94435f2 – detected by 39 out of 44 antivirus scanners as Worm:Win32/Cridex.E
MD5: e6f66ce084b9cc2f3f2f8c35b1636ab8 – detected by 21 out of 42 antivirus scanners as VirTool:Win32/Obfuscator.ZA
MD5: 45992c5b7fb455a0e15466a1e8a8c0f0 – detected by 38 out of 44 antivirus scanners as Worm:Win32/Cridex.G
MD5: d5de95df9a69bef997c21f9be9b0fc88 – detected by 37 out of 42 antivirus scanners as Trojan-Ransom.Win32.Birele.uhu
MD5: 56a35fa27f04131f86f0cd44bd8480c3 – detected by 32 out of 40 antivirus scanners as Worm:Win32/Cridex.E
MD5: de05549b469984316e0ec99a1bfe843a – detected by 39 out of 44 antivirus scanners as Trojan-Ransom.Win32.PornoAsset.akna
MD5: 7b9f0a74820a00b34cc57e7c02d1492c – detected by 39 out of 44 antivirus scanners as Worm:Win32/Cridex.E
The second sample obtained from yet another spamvertised archive with MD5: 3a8ce3d72b60b105783d74dbc65c37a6 – is detected by 37 out of 44 antivirus scanners as Worm:Win32/Cridex.E. Upon execution it phones back to the following URL: 188.8.131.52:8080/AJtw/UCyqrDAA/Ud+asDAA (AS24940, HETZNER-AS).
We’ve already seen malware analyzed in previous campaigns phoning back to the same URL, indicating that these campaigns have been launched by the same party – “Cybercriminals spamvertise bogus ‘Microsoft License Orders’ serve client-side exploits and malware“; “Spamvertised ‘US Airways reservation confirmation’ themed emails serve exploits and malware“.
Webroot SecureAnywhere users are proactively protected from these threats.