Spamvertised ‘Scan from a Hewlett-Packard ScanJet’ emails lead to client-side exploits and malware

By Dancho Danchev

Security researchers from Webroot have intercepted a currently spamvertised malicious campaign, impersonating Hewlett Packard, and enticing end and corporate users into downloading and viewing a malicious .htm attachment.

More details:

Subject: Re: Scan from a Hewlett-Packard ScanJet [random number]
Message: Attached document was scanned and sent to you using a Hewlett-Packard NetJet 730918SL. SENT BY : ANISSA PAGES : 5 FILETYPE: .HTM [Internet Explorer File]
Original attachment: HP_Jet_26_P2184.zip
Malicious iFrame embedded within the .htm attachment: hxxp://superproomgh.ru:8080/navigator/jueoaritjuir.php

The malicious .htm has a very low detection rate, and is currently detected as JS/Kryptik.SA!tr and Mal/Iframe-AE.
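Low signature detection is typical for these one-line .htm droppers, so a structural check is a useful complement. The following is an added example (not Webroot's code) of a stdlib-only scan a mail gateway or analyst could run over such an attachment: it flags iframes that load an external host, use a non-standard port, point at a script endpoint, or are hidden from the reader by size or style. The sample attachment is constructed; the iframe host, port and path are the IoC given above.

```python
"""Flag suspicious iframes in an .htm e-mail attachment (added example)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# CSS that hides an element from the reader while it still loads.
SUSPICIOUS_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag in the document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append(dict(attrs))


def _tiny(value):
    """True when a width/height attribute is 0 or 1 (a frame nobody is meant to see)."""
    if value is None:
        return False
    m = re.match(r"\s*(\d+)", value)
    return m is not None and int(m.group(1)) <= 1


def analyze_iframe(attrs):
    """Return the reasons one iframe looks suspicious (empty list = nothing found)."""
    reasons = []
    src = (attrs.get("src") or "").strip()
    parsed = urlparse(src)
    if parsed.scheme in ("http", "https") and parsed.netloc:
        reasons.append("external-src")
        try:
            port = parsed.port
        except ValueError:      # malformed port such as "host:abc"
            port = -1
        # Exploit-kit landing pages are frequently served off ports other than 80/443.
        if port not in (None, 80, 443):
            reasons.append(f"nonstandard-port:{port}")
        if parsed.path.lower().endswith(".php"):
            reasons.append("script-endpoint")
    if _tiny(attrs.get("width")) or _tiny(attrs.get("height")):
        reasons.append("tiny-frame")
    if SUSPICIOUS_STYLE.search(attrs.get("style") or ""):
        reasons.append("hidden-by-style")
    return reasons


def scan_html(text):
    """Return [(src, reasons), ...] for every iframe that triggered at least one reason."""
    parser = IframeCollector()
    parser.feed(text)
    findings = []
    for attrs in parser.iframes:
        reasons = analyze_iframe(attrs)
        if reasons:
            findings.append((attrs.get("src", ""), reasons))
    return findings


# Constructed sample attachment: a blank "scan" page with a hidden iframe
# pointing at the landing page named in the post (refanged from hxxp).
SAMPLE_HTM = """<html><body>
<p>Loading scanned document...</p>
<iframe src="http://superproomgh.ru:8080/navigator/jueoaritjuir.php"
        width="1" height="1" style="visibility:hidden"></iframe>
</body></html>"""

if __name__ == "__main__":
    for src, reasons in scan_html(SAMPLE_HTM):
        print(src, "->", ", ".join(reasons))
```

Any single reason is worth a look; the combination seen here (external host, port 8080, .php endpoint, 1x1 frame, hidden by style) is the classic drive-by pattern and a reasonable basis for quarantining the message.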

Client-side exploits serving structure:
hxxp://superproomgh.ru:8080/navigator/jueoaritjuir.php
hxxp://superproomgh.ru:8080/navigator/fsytklfwiqbz.jar
hxxp://superproomgh.ru:8080/navigator/hmfngpdshsknblc.jar
hxxp://superproomgh.ru:8080/navigator/alisgtypezfq1.pdf

The client-side exploits serving domain superproomgh.ru is currently fast-fluxed, namely it is responding with multiple, dynamically changing IP addresses, in an attempt by the cybercriminals behind the campaign to make it harder for vendors and researchers to take it down.
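Fast-flux behaviour is visible to a defender in passive DNS or resolver logs long before a take-down succeeds. The following is an added example (not Webroot's code) of a heuristic over repeated A-record lookups: a hostname that answers with many distinct addresses spread across unrelated /24 networks on a short TTL is scored as fast-flux and is a candidate for blocking at the resolver. The lookup records are constructed (RFC 5737 documentation addresses), and the thresholds are assumptions chosen for illustration, not a published standard.

```python
"""Fast-flux heuristic over a log of DNS answers (added example)."""
from collections import namedtuple
from ipaddress import ip_network

# One resolver observation: epoch seconds, queried name, answer TTL, list of IPv4 strings.
Lookup = namedtuple("Lookup", "ts hostname ttl answers")


def flux_features(lookups):
    """Aggregate per-hostname features: distinct IPs, distinct /24s, TTLs, observation window."""
    feats = {}
    for rec in lookups:
        f = feats.setdefault(rec.hostname, {
            "ips": set(), "nets": set(), "ttls": [], "first": rec.ts, "last": rec.ts,
        })
        f["ttls"].append(rec.ttl)
        f["first"] = min(f["first"], rec.ts)
        f["last"] = max(f["last"], rec.ts)
        for ip in rec.answers:
            f["ips"].add(ip)
            # Addresses in unrelated /24s point at scattered compromised hosts, not one hosting provider.
            f["nets"].add(str(ip_network(f"{ip}/24", strict=False)))
    return feats


def is_fast_flux(f, min_ips=5, min_nets=3, max_ttl=300):
    """Classify one hostname's features (thresholds are assumed values for this example)."""
    avg_ttl = sum(f["ttls"]) / len(f["ttls"])
    return len(f["ips"]) >= min_ips and len(f["nets"]) >= min_nets and avg_ttl <= max_ttl


def classify(lookups, **thresholds):
    """Map hostname -> True when the observed answers look fast-fluxed."""
    return {host: is_fast_flux(f, **thresholds) for host, f in flux_features(lookups).items()}


# Constructed observations: the campaign domain from the post answering with
# six addresses across three /24s on a 60-second TTL, beside a stable name
# that always returns the same address on a one-hour TTL.
SAMPLE_LOOKUPS = [
    Lookup(1000, "superproomgh.ru", 60, ["192.0.2.10", "198.51.100.5", "203.0.113.9"]),
    Lookup(1070, "superproomgh.ru", 60, ["192.0.2.77", "203.0.113.200", "198.51.100.5"]),
    Lookup(1140, "superproomgh.ru", 60, ["198.51.100.44", "192.0.2.10", "203.0.113.9"]),
    Lookup(1000, "mail.corp.example", 3600, ["192.0.2.1"]),
    Lookup(4600, "mail.corp.example", 3600, ["192.0.2.1"]),
]

if __name__ == "__main__":
    for host, f in flux_features(SAMPLE_LOOKUPS).items():
        print(f"{host}: {len(f['ips'])} IPs in {len(f['nets'])} /24s over "
              f"{f['last'] - f['first']}s -> fast-flux={is_fast_flux(f)}")
```

Legitimate CDNs also rotate addresses on short TTLs, which is why the /24 spread and the IP count are combined rather than using TTL alone; in production the score would be joined with domain age and the mail-attachment finding before any automated block.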

The campaign is attempting to exploit the “Libtiff integer overflow in Adobe Reader and Acrobat” vulnerability, also known as CVE-2010-0188, in order to drop the following sample on the exploited hosts – MD5: 20de62566248864be3b0e413b332d731, currently detected as Win32:Sirefef-RV [Drp], Trojan.Generic.KDV.582649, HEUR:Trojan.Win32.Generic, or PWS-Zbot.gen.hv.

Webroot security researchers will continue monitoring this campaign to ensure that Webroot SecureAnywhere customers are protected from this threat.

You can find more about Dancho Danchev at his LinkedIn Profile. You can also follow him on Twitter.
