By Dancho Danchev
It didn’t take long before the cybercriminals behind the recently profiled ‘Intuit Marketplace’ themed campaign resumed impersonating Intuit, with a newly launched round consisting of millions of Intuit themed emails.
The theme this time? Convincing users that in order to access QuickBooks they would have to install the non-existent Intuit Security Tool. In reality, the links point to a Black Hole exploit kit landing URL that ultimately drops malware on the affected hosts.
Screenshot of a sample spamvertised email:
Spamvertised malicious links: hxxp://kriskemp.com/intsec.html; hxxp://news-blogtv.ru/wp-content/uploads/fgallery/updint.html; hxxp://vedrunag.pangea.org/updint.html
Client-side exploits serving URL: hxxp://roadmateremove.org/main.php?page=9bb4aab85fa703f5 – 18.104.22.168; 22.214.171.124
Also responding to 126.96.36.199 are the following client-side exploit serving domains:
Name servers part of the campaign’s infrastructure:
ns1.chemrox.net – 188.8.131.52; 184.108.40.206
ns2.chemrox.net – 220.127.116.11
Upon successful client-side exploitation, the campaign drops a sample with MD5: f621be555dc94a8a370940c92317d575 – detected by 33 out of 42 antivirus scanners as Trojan.Win32.Buzus.lzeq; Worm:Win32/Cridex.E.
Once executed, the sample phones back to 18.104.22.168:8080/mx5/B/in. We’ve already seen the same command and control IP used in the following previously profiled malicious campaigns:
- Spamvertised ‘Fwd: Scan from a Hewlett-Packard ScanJet’ emails lead to Black Hole exploit kit
- Cybercriminals impersonate Intuit Market, mass mail millions of exploits and malware serving emails
- Cybercriminals spamvertise bogus greeting cards, serve exploits and malware
- Spamvertised ‘Federal Tax Payment Rejected’ themed emails lead to Black Hole exploit kit
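The infection chain above (spamvertised landing page, Black Hole exploit kit URL, then the C2 beacon on port 8080) can be turned into a simple proxy-log sweep. The following is an added example, not code from the original post or from Webroot: it classifies URLs against the indicators quoted in the post, assumes squid-style log lines of the form `timestamp client url`, and generalizes the single `main.php?page=` value on the page into a 16-hex-character pattern (an assumption, labelled in the code); the sample log lines are constructed.

```python
import re
from urllib.parse import urlparse

# Indicators quoted in the post above (hxxp:// is defanged to http:// before matching).
SPAM_LANDING_HOSTS = {"kriskemp.com", "news-blogtv.ru", "vedrunag.pangea.org"}
EXPLOIT_KIT_HOSTS = {"roadmateremove.org"}
CAMPAIGN_IPS = {"18.104.22.168", "22.214.171.124", "126.96.36.199"}

# Assumption: Black Hole landing URLs in this campaign look like
# /main.php?page=<16 hex chars>; the post shows one such value.
BLACKHOLE_RE = re.compile(r"/main\.php\?page=[0-9a-f]{16}$")
# The dropped sample beacons to <C2 IP>:8080/mx5/B/in.
C2_PATH = "/mx5/B/in"

def classify_url(url: str):
    """Return the campaign stage a URL belongs to, or None if it matches nothing."""
    u = urlparse(url.replace("hxxp://", "http://"))
    host = u.hostname or ""
    path_and_query = u.path + ("?" + u.query if u.query else "")
    if host in CAMPAIGN_IPS and u.port == 8080 and u.path == C2_PATH:
        return "c2-beacon"
    if host in EXPLOIT_KIT_HOSTS or host in CAMPAIGN_IPS:
        if BLACKHOLE_RE.search(path_and_query):
            return "exploit-kit-landing"
        return "campaign-infrastructure"
    if host in SPAM_LANDING_HOSTS:
        return "spam-landing-page"
    return None

def scan_proxy_log(lines):
    """Return (timestamp, client, stage, url) for every hit in 'ts client url' lines."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 3:
            continue  # malformed line, skip
        ts, client, url = parts[0], parts[1], parts[2]
        stage = classify_url(url)
        if stage:
            hits.append((ts, client, stage, url))
    return hits

# Constructed sample log lines (not taken from the post).
SAMPLE_LOG = """\
2012-06-15T10:01:02 10.0.0.5 http://kriskemp.com/intsec.html
2012-06-15T10:01:05 10.0.0.5 http://roadmateremove.org/main.php?page=9bb4aab85fa703f5
2012-06-15T10:02:40 10.0.0.5 http://18.104.22.168:8080/mx5/B/in
2012-06-15T10:03:00 10.0.0.7 http://example.com/index.html
""".splitlines()

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(*hit)
```

A host that hits all three stages in sequence, as client 10.0.0.5 does in the sample, is a far stronger signal than any single URL match and is the case worth alerting on.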
Webroot SecureAnywhere users are proactively protected from these threats.