By Dancho Danchev
Cybercriminals are currently spamvertising millions of emails, impersonating Friendster, in an attempt to trick its current and prospective users into clicking on a malicious link found in the email.
Upon clicking on the link, users are exposed to the client-side exploits served by the latest version of the Black Hole exploit kit.
Sample screenshot of the spamvertised email:
Sample screenshot of the obfuscated JavaScript loading the malicious iFrame:
Malicious URL: hxxp://sonatanamore.ru:8080/forum/links/column.php
Client-side exploits serving URL: hxxp://sonatanamore.ru:8080/forum/links/column.php?iqtxfe=3533020635&smr=3307093 738070736060b&grrhh=03&ndgywdt=nyurdae&aquotd=uox
Client-side exploits served: CVE-2010-0188
sonatanamore.ru used to respond to the following IPs – 126.96.36.199; 188.8.131.52; 184.108.40.206; 220.127.116.11
Responding to the same IPs are also the following malicious domains:
Sample detection rate for the malicious iFrame loading script: friedster.html – MD5: c444036179aa371aebf9bae3e7cc5eef – detected by 12 out of 42 antivirus scanners as Exploit.JS.Blacole; Trojan.JS.Iframe.acn
Upon successful client-side exploitation, the campaign drops MD5: 8fa93035ba01238dd7a55c378d1c2e40 on the affected host, currently detected by 24 out of 43 antivirus scanners as Trojan-Ransom.Win32.PornoAsset.aeuz; Worm:Win32/Cridex.E
Upon execution, the sample phones back to 18.104.22.168:8080/mx/5/A/in.
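To turn the indicators above into a check a defender can run, the following is an added example (not from the original post and not Webroot's code) that scans proxy-log lines for the spamvertised domain, the Black Hole landing-page URL shape, the post-infection callback, and the two MD5s listed above. The log line format and the sample lines are constructed for illustration; the indicators are the ones quoted in the post, refanged from hxxp:// to http://.

```python
import re
from urllib.parse import urlsplit

# Indicators quoted in the post (defanged hxxp:// URLs are refanged before comparison).
IOC_HOSTS = {"sonatanamore.ru"}
IOC_C2_HOSTPORTS = {"18.104.22.168:8080"}
IOC_MD5 = {
    "c444036179aa371aebf9bae3e7cc5eef",  # friedster.html, iFrame-loading script
    "8fa93035ba01238dd7a55c378d1c2e40",  # dropped executable
}
# Path of the exploit-kit landing/exploit page quoted in the post, served on port 8080.
BLACKHOLE_PATH = re.compile(r"^/forum/links/column\.php$")


def refang(url):
    """Turn a defanged hxxp:// indicator back into a URL urlsplit can parse."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", url)


def classify_url(url):
    """Return the indicator classes a single URL matches (empty list if clean)."""
    parts = urlsplit(refang(url))
    hits = []
    if parts.hostname in IOC_HOSTS:
        hits.append("known-host")
    if parts.netloc in IOC_C2_HOSTPORTS:
        hits.append("c2-callback")
    if parts.port == 8080 and BLACKHOLE_PATH.match(parts.path):
        hits.append("blackhole-landing")
    return hits


def scan_proxy_log(lines):
    """Scan constructed proxy lines '<time> <client> <method> <url> <status>';
    return (line_no, url, hits) for every line that touches an indicator."""
    findings = []
    for n, line in enumerate(lines, 1):
        fields = line.split()
        if len(fields) < 5:
            continue  # malformed line, skip rather than crash the scan
        hits = classify_url(fields[3])
        if hits:
            findings.append((n, fields[3], hits))
    return findings


def match_md5s(observed):
    """Return the observed MD5s (any case) that match the post's samples."""
    return {h.lower() for h in observed} & IOC_MD5


# Constructed sample log, not real traffic.
SAMPLE_LOG = [
    "2012-02-20T10:01:02 10.0.0.5 GET http://www.example.com/index.html 200",
    "2012-02-20T10:01:09 10.0.0.5 GET http://sonatanamore.ru:8080/forum/links/column.php 200",
    "2012-02-20T10:01:10 10.0.0.5 GET http://sonatanamore.ru:8080/forum/links/column.php?iqtxfe=3533020635&grrhh=03 200",
    "2012-02-20T10:01:31 10.0.0.5 POST http://18.104.22.168:8080/mx/5/A/in 200",
]

if __name__ == "__main__":
    for n, url, hits in scan_proxy_log(SAMPLE_LOG):
        print(f"line {n}: {', '.join(hits)} -> {url}")
```

The port and path check catches the landing page even when the random query string changes between victims, while the host and callback checks cover the infrastructure the post names.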
Sample screenshot of the spamvertised campaign:
Clearly, both campaigns have been launched by the same cybercriminal/gang of cybercriminals.
Webroot SecureAnywhere users are proactively protected from these threats.