By Dancho Danchev
Cybercriminals are currently spamvertising tens of thousands of fake emails, impersonating Intuit, in an attempt to trick its customers and users into clicking on the malicious links found in the emails.
Once users click on any of the links, they’re exposed to the client-side exploits served by the latest version of the Black Hole Exploit Kit, which ultimately drops malware on the affected hosts.
More details:
Sample screenshot of the spamvertised email:
Sample spamvertised URL:
hxxp://dom-servis39.ru/upload.htm
Sample client-side exploits serving URL:
hxxp://dopaminko.ru:8080/forum/links/column.php
Sample malicious payload dropping URL:
hxxp://dopaminko.ru:8080/forum/links/column.php?phfh=30:31:1n:1h:32&kcdbzmta=2v:1k:1m:32:33:1k:1k:31:1j:1o&zwp=1i&acmu=deisi&gimffbf=mnob
Malicious domain name reconnaissance:
dopaminko.ru – 212.112.207.15
Name server: ns1.dopaminko.ru – 62.76.185.169
Name server: ns2.dopaminko.ru – 41.168.5.140
Name server: ns3.dopaminko.ru – 42.121.116.38
Name server: ns4.dopaminko.ru – 110.164.58.250
Name server: ns5.dopaminko.ru – 210.71.250.131
More malicious domains are known to have resolved to the same IP (212.112.207.15):
hxxp://danadala.ru:8080/forum/links/column.php
hxxp://dfudont.ru:8080/forum/links/column.php
hxxp://demoralization.ru:8080/forum/links/column.php
Some of these domains also resolve to the following IPs: 91.224.135.20 and 46.175.224.21, where more malicious domains that are part of the campaign’s infrastructure are hosted:
Name servers part of the campaign’s infrastructure:
Upon successful client-side exploitation, the campaign drops MD5: 3c20e12ac4985720133703801906ae19 – detected by 16 out of 45 antivirus scanners as Worm:Win32/Cridex.E.
Once executed, the sample creates the following process on the affected hosts:
%AppData%\KB00121600.exe
It also creates the following registry keys:
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CFBDC89D4
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\S25BC2D7B
As well as the following mutexes:
Upon execution, the sample phones back to the following C&C servers:
hxxp://188.165.33.54:8080/DPNilBA/ue1elBAAAA/tlSHAAAAA/
hxxp://174.142.68.239:8080/AJtw/UCyqrDAA/Ud+asDAA/
Not surprisingly, we’ve already seen the same pseudo-random C&C URL structure in campaigns previously profiled at Webroot’s Threat Blog, indicating that these campaigns have been launched by the same malicious parties.
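The exploit-serving URLs and the C&C beacons above share recognisable shapes (a `:8080/forum/links/column.php` landing path, and a bare IP on port 8080 with three pseudo-random path segments). The following detection script is an added example, not part of the original post or of Webroot’s tooling; it runs over a constructed proxy log (the log format and the client IPs are assumptions) and labels requests that match the indicators or only the URL pattern.

```python
import re
from urllib.parse import urlsplit

# Indicators quoted in the post (defanged hxxp restored to http in the sample log).
LURE_HOSTS = {"dom-servis39.ru"}
BHEK_HOSTS = {"dopaminko.ru", "danadala.ru", "dfudont.ru", "demoralization.ru"}
C2_HOSTS = {"188.165.33.54", "174.142.68.239"}

# Exploit and payload URLs in this campaign: <host>:8080/forum/links/column.php
BHEK_PATH = re.compile(r"^/forum/links/column\.php$")
# C&C beacons: three pseudo-random segments and a trailing slash, e.g. /DPNilBA/ue1elBAAAA/tlSHAAAAA/
C2_PATH = re.compile(r"^(/[A-Za-z0-9+]{4,12}){3}/$")
IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def classify_url(url):
    """Label one requested URL: 'lure', 'bhek', 'c2', 'suspicious' (pattern only) or None."""
    parts = urlsplit(url)
    host, port, path = parts.hostname or "", parts.port, parts.path
    if host in LURE_HOSTS:
        return "lure"
    if host in C2_HOSTS:
        return "c2"
    if port == 8080 and BHEK_PATH.match(path):
        return "bhek" if host in BHEK_HOSTS else "suspicious"
    if port == 8080 and IPV4.match(host) and C2_PATH.match(path):
        return "suspicious"  # same beacon shape on an IP not yet on the list
    return None


def scan_proxy_log(lines):
    """Return (client, label, url) for lines shaped '<ts> <client> <method> <url>' (assumed format)."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 4:
            continue
        label = classify_url(fields[3])
        if label:
            hits.append((fields[1], label, fields[3]))
    return hits


# Constructed sample log (not real traffic); hosts and paths copied from the post.
SAMPLE_LOG = """\
1337000001 10.0.0.7 GET http://dom-servis39.ru/upload.htm
1337000002 10.0.0.7 GET http://dopaminko.ru:8080/forum/links/column.php
1337000003 10.0.0.7 GET http://dopaminko.ru:8080/forum/links/column.php?phfh=30:31&zwp=1i
1337000004 10.0.0.7 POST http://188.165.33.54:8080/DPNilBA/ue1elBAAAA/tlSHAAAAA/
1337000005 10.0.0.9 GET http://www.example.com/forum/links/column.php
1337000006 10.0.0.9 POST http://203.0.113.5:8080/AJtw/UCyqrDAA/Ud+asDAA/
""".splitlines()

if __name__ == "__main__":
    for client, label, url in scan_proxy_log(SAMPLE_LOG):
        print(client, label, url)
```

The 'suspicious' label catches the beacon shape on hosts not yet on the indicator list, which is what lets the same pattern surface the related campaigns the post mentions.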
Webroot SecureAnywhere users are proactively protected from these threats.
You can find more about Dancho Danchev at his LinkedIn Profile. You can also follow him on Twitter.