By Dancho Danchev
Over the past week, cybercriminals have resumed spamvertising fake “ADP Immediate Notifications” in an attempt to trick users into clicking on the malicious links in the emails. The links lead to the latest version of the Black Hole Exploit Kit, which in turn exploits CVE-2013-0422, a vulnerability in the then-current release of Java 7 (Update 10 and earlier).
At the time of writing no fix for this vulnerability is available, so users are advised to disable Java in their browsers immediately.
More details:
Sample screenshot of the spamvertised email:
Sample compromised URLs participating in the campaign (note the consistent pattern: a compromised WordPress install, a bogus plugin directory named with eleven random lowercase letters, and one of two landing-page file names):
hxxp://tasteofindiabombaylounge.com/wp-content/plugins/znditibioux/chkpayroladp.html
hxxp://switchedonspeech.com/wp-content/plugins/zalyhvjiose/chkpayroladp.html
hxxp://accoformation.com/wp-content/plugins/zkgqchwvioo/chkpayroladp.html
hxxp://chevinaudio.com/wp-content/plugins/zeueeewovgu/chkpayroladp.html
hxxp://vilmatangalin.com/wp-content/plugins/zoaiecbxuce/chkpayroladp.html
hxxp://jscotti.com/wp-content/plugins/zekuopocogo/chkpayroladp.html
hxxp://trotzlabsusf.com/wp-content/plugins/ztyuugjoiie/chkpayroladp.html
hxxp://lose-weight-recipes.com/wp-content/plugins/zeffieyoyre/chkpayroladp.html
hxxp://peckerala.com/wp-content/plugins/zmjnaoomuwu/chkpayroladp.html
hxxp://ibrillantes.com/wp-content/plugins/zeejqmriief/chkpayroladp.html
hxxp://pailletdebesombes-architectes.com/wp-content/plugins/zhrxidlloea/payrolstatchk.html
hxxp://floridafirstinsurancefl.com/wp-content/plugins/zibeolboqnb/payrolstatchk.html
hxxp://40fingersband.com/wp-content/plugins/zqkeeonkjha/payrolstatchk.html
hxxp://centerlinkmedia.com/wp-content/plugins/zontouobbml/payrolstatchk.html
hxxp://lucilukis.com/wp-content/plugins/zqeibeatobd/payrolstatchk.html
hxxp://jiancerenzheng.com/wp-content/plugins/zoaisnusyoh/payrolstatchk.html
hxxp://usa-corporations.com/wp-content/plugins/zhoodeeoeqe/payrolstatchk.html
hxxp://fklawchambers.com/wp-content/plugins/zaoqxuuwrlb/payrolstatchk.html
Sample client-side exploits serving URL:
hxxp://tetraboro.net/detects/coming_lost-source.php
Sample malicious payload dropping URL (same exploit-serving script, with the parameters the kit appends once exploitation succeeds):
hxxp://tetraboro.net/detects/coming_lost-source.php?huyq=1m:2v:1g:1o:1k&tfize=32&wodyva=33:1k:1o:1n:1f:1i:1m:1i:32:2w&jqrub=1n:1d:1g:1d:1h:1d:1f
Malicious domain name reconnaissance:
tetraboro.net – 222.238.109.66 – Email: bannerpick45@yahoo.com
Name Server: NS1.HOSTCLAM.NET – 50.115.163.10
Name Server: NS2.HOSTCLAM.NET – 90.167.194.23
The following malicious domains, part of the same campaign, also respond to 222.238.109.66:
royalwinnipegballet.net
advertizing9.com
eartworld.net
hotelrosaire.net
Upon successful client-side exploitation, the campaign drops a sample with MD5: 5a859e1eff1ee1576b61da658542380d – detected by 12 out of 46 antivirus scanners as Worm:Win32/Cridex.E.
The sample then drops the following file on the affected hosts:
MD5: 472d6e748b9f5b02700c55cfa3f7be1f – detected by 8 out of 46 antivirus scanners as PWS:Win32/Fareit
Once executed, it also phones back to the following command and control servers:
173.201.177.77
132.248.49.112
95.142.167.193
81.93.250.157
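Turning the indicators above into something a defender can run: the script below is an added example, not part of the original post or of Webroot's tooling. It encodes the landing-page URL pattern from the compromised-site list (bogus plugin directory of "z" plus ten lowercase letters, one of two page names), the exploit-serving and payload-fetch URLs on tetraboro.net, the sibling domains, and the Cridex C2 addresses, then runs them over a constructed proxy log and triages each client by the deepest stage of the infection chain it reached. The log format (timestamp, client IP, method, URL, destination IP) and the tag names are assumptions made for the example; the landing-page regex deliberately generalises beyond the listed hosts, since the directory names are clearly generated.

```python
import re
from urllib.parse import urlsplit

# Indicators taken from the post above.
LANDING_PATH_RE = re.compile(
    r"^/wp-content/plugins/z[a-z]{10}/(chkpayroladp|payrolstatchk)\.html$"
)
EXPLOIT_HOST = "tetraboro.net"
EXPLOIT_PATH = "/detects/coming_lost-source.php"
INFRA_IPS = {"222.238.109.66"}
INFRA_DOMAINS = {
    "tetraboro.net", "royalwinnipegballet.net", "advertizing9.com",
    "eartworld.net", "hotelrosaire.net",
}
CRIDEX_C2_IPS = {"173.201.177.77", "132.248.49.112",
                 "95.142.167.193", "81.93.250.157"}

# Constructed sample proxy log (assumed format: ts client method url dest_ip).
# Client 10.0.0.15 walks the whole chain; 10.0.0.31 only hits a landing page.
SAMPLE_PROXY_LOG = """\
2013-01-15T09:12:01Z 10.0.0.15 GET http://tasteofindiabombaylounge.com/wp-content/plugins/znditibioux/chkpayroladp.html 203.0.113.7
2013-01-15T09:12:02Z 10.0.0.15 GET http://tetraboro.net/detects/coming_lost-source.php 222.238.109.66
2013-01-15T09:12:03Z 10.0.0.15 GET http://tetraboro.net/detects/coming_lost-source.php?huyq=1m:2v&tfize=32 222.238.109.66
2013-01-15T09:12:10Z 10.0.0.15 POST http://173.201.177.77/ 173.201.177.77
2013-01-15T09:13:00Z 10.0.0.22 GET http://example.com/wp-content/plugins/akismet/readme.txt 93.184.216.34
2013-01-15T09:14:00Z 10.0.0.31 GET http://othersite.example/wp-content/plugins/zabcdefghij/payrolstatchk.html 198.51.100.9
"""


def classify_request(url, dest_ip):
    """Return the indicator tags (assumed names) that one proxied request matches."""
    tags = []
    u = urlsplit(url)
    host = (u.hostname or "").lower()
    if LANDING_PATH_RE.match(u.path):
        tags.append("compromised-wordpress-landing-page")
    if host == EXPLOIT_HOST and u.path == EXPLOIT_PATH:
        # The bare script is the exploit page; with parameters it serves the payload.
        tags.append("blackhole-payload-fetch" if u.query else "blackhole-exploit-page")
    if host in INFRA_DOMAINS:
        tags.append("known-malicious-domain")
    if dest_ip in INFRA_IPS:
        tags.append("known-malicious-ip")
    if dest_ip in CRIDEX_C2_IPS or host in CRIDEX_C2_IPS:
        tags.append("cridex-c2-callback")
    return tags


def scan_proxy_log(log_text):
    """Return (client_ip, url, tags) for every line matching at least one indicator."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, client_ip, _method, url, dest_ip = line.split()
        tags = classify_request(url, dest_ip)
        if tags:
            hits.append((client_ip, url, tags))
    return hits


# Chain stages in ascending order of severity; a client gets the deepest one seen.
STAGE_BY_TAG = [
    ("cridex-c2-callback", "c2-beaconing"),
    ("blackhole-payload-fetch", "payload-delivered"),
    ("blackhole-exploit-page", "reached-exploit-kit"),
    ("compromised-wordpress-landing-page", "landing-page-only"),
    ("known-malicious-domain", "contact-with-known-infrastructure"),
    ("known-malicious-ip", "contact-with-known-infrastructure"),
]


def triage_clients(log_text):
    """Map each client that touched the campaign to the deepest stage it reached."""
    tags_by_client = {}
    for client_ip, _url, tags in scan_proxy_log(log_text):
        tags_by_client.setdefault(client_ip, set()).update(tags)
    result = {}
    for client_ip, tags in tags_by_client.items():
        for tag, stage in STAGE_BY_TAG:
            if tag in tags:
                result[client_ip] = stage
                break
    return result


if __name__ == "__main__":
    for client_ip, url, tags in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(client_ip, url, ",".join(tags))
    for client_ip, stage in sorted(triage_clients(SAMPLE_PROXY_LOG).items()):
        print(client_ip, "->", stage)
```

A client at "landing-page-only" clicked the link but never reached the exploit page (blocked, or the redirect chain failed); one at "c2-beaconing" should be treated as infected with Cridex, and the dropped file hashes above are what to look for on that host.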
Webroot SecureAnywhere users are proactively protected from these threats.
You can find more about Dancho Danchev at his LinkedIn Profile. You can also follow him on Twitter.