By Dancho Danchev
Remember the ‘Your Amazon.com order confirmation’ client-side exploits and malware serving campaign which I profiled earlier this week?
It appears that the gang behind it is back with another campaign, this time impersonating PayPal. For the time being, another round consisting of millions of malicious emails is circulating in the wild, enticing end and corporate users into clicking on malicious links found in the emails.
Screenshots of the spamvertised emails:
Upon clicking on the link, users are exposed to the following page:
In the background, the malicious script loads and performs several redirections until exposing the user to the malicious payload.
Sample compromised URls participating in the campaingn: hxxp://communityrootsfood.org/wp-content/themes/aesthete/post.html; hxxp://kopma.stikom.edu/wp-content/themes/kopmaNewWordpress1000px/post.html
both of these URls redirect to hxxp://kidwingz.net/main.php?page=614411383eef8d97. Surprise, surprise, we’ve already seen this malicious URL in the ‘Your Amazon.com order confirmation’ client-side exploits and malware serving campaign profiled earlier this week.
Upon successful client-side exploitation, the campaign drops the following MD5, MD5: 49f91a1597bc4dd25d3d23302125dae7 – detected by 8 out of 42 antivirus scanners as PWS-Zbot.gen.xs; W32/Injector.AQSI
Upon execution, the sample creates a new file on the system – %AppData%\KB00121600.exe – MD5: 49F91A1597BC4DD25D3D23302125DAE7 – detected by 27 out of 42 antivirus scanners as Trojan-Dropper.Win32.Dapato.bigc
It also phones back to the same C&C server used in the ‘Your Amazon.com order confirmation’ campaign, namely, hxxp://220.127.116.11:8080/zb/v_01_b/in/
Webroot SecureAnywhere users are proactively protected from this threat. We predict that we’re going to see more brands systematically impersonated by the same gang, in an attempt to serve malware through exploitation of client-side vulnerabilities.