Fake ‘ADP Speedy Notifications’ lead to client-side exploits and malware


By Dancho Danchev

Over the past week, cybercriminals have resumed spamvertising fake “ADP Immediate Notifications” in an attempt to trick users into clicking on the malicious links found in the emails. The links point to the latest version of the Black Hole Exploit Kit, which in turn exploits CVE-2013-0422, a vulnerability affecting Java 7 Update 10 and earlier, the current release at the time of writing.

With no fix for this vulnerability available at the time of writing, users are advised to disable Java in the browser immediately. Oracle has since addressed the issue in Java 7 Update 11, but Black Hole continues to target unpatched installations, so the advice to keep the browser plugin disabled unless it is actually needed still stands.

More details:

Sample screenshot of the spamvertised email:

[Screenshot: spamvertised “ADP” email used as the lure for this campaign]

Sample compromised URLs participating in the campaign:
hxxp://tasteofindiabombaylounge.com/wp-content/plugins/znditibioux/chkpayroladp.html
hxxp://switchedonspeech.com/wp-content/plugins/zalyhvjiose/chkpayroladp.html
hxxp://accoformation.com/wp-content/plugins/zkgqchwvioo/chkpayroladp.html
hxxp://chevinaudio.com/wp-content/plugins/zeueeewovgu/chkpayroladp.html
hxxp://vilmatangalin.com/wp-content/plugins/zoaiecbxuce/chkpayroladp.html
hxxp://jscotti.com/wp-content/plugins/zekuopocogo/chkpayroladp.html
hxxp://trotzlabsusf.com/wp-content/plugins/ztyuugjoiie/chkpayroladp.html
hxxp://lose-weight-recipes.com/wp-content/plugins/zeffieyoyre/chkpayroladp.html
hxxp://peckerala.com/wp-content/plugins/zmjnaoomuwu/chkpayroladp.html
hxxp://ibrillantes.com/wp-content/plugins/zeejqmriief/chkpayroladp.html
hxxp://pailletdebesombes-architectes.com/wp-content/plugins/zhrxidlloea/payrolstatchk.html
hxxp://floridafirstinsurancefl.com/wp-content/plugins/zibeolboqnb/payrolstatchk.html
hxxp://40fingersband.com/wp-content/plugins/zqkeeonkjha/payrolstatchk.html
hxxp://centerlinkmedia.com/wp-content/plugins/zontouobbml/payrolstatchk.html
hxxp://lucilukis.com/wp-content/plugins/zqeibeatobd/payrolstatchk.html
hxxp://jiancerenzheng.com/wp-content/plugins/zoaisnusyoh/payrolstatchk.html
hxxp://usa-corporations.com/wp-content/plugins/zhoodeeoeqe/payrolstatchk.html
hxxp://fklawchambers.com/wp-content/plugins/zaoqxuuwrlb/payrolstatchk.html

Sample client-side exploit serving URL:
hxxp://tetraboro.net/detects/coming_lost-source.php

Sample malicious payload dropping URL:
hxxp://tetraboro.net/detects/coming_lost-source.php?huyq=1m:2v:1g:1o:1k&tfize=32&wodyva=33:1k:1o:1n:1f:1i:1m:1i:32:2w&jqrub=1n:1d:1g:1d:1h:1d:1f

Malicious domain name reconnaissance:
tetraboro.net – 222.238.109.66 – Email: bannerpick45@yahoo.com
Name Server: NS1.HOSTCLAM.NET – 50.115.163.10
Name Server: NS2.HOSTCLAM.NET – 90.167.194.23

Also responding to 222.238.109.66 are the following malicious domains, part of the same campaign:
royalwinnipegballet.net
advertizing9.com
eartworld.net
hotelrosaire.net

Upon successful client-side exploitation, the campaign drops MD5: 5a859e1eff1ee1576b61da658542380d – detected by 12 out of 46 antivirus scanners as Worm:Win32/Cridex.E.

On the affected hosts, the sample drops a second file:
MD5: 472d6e748b9f5b02700c55cfa3f7be1f – detected by 8 out of 46 antivirus scanners as PWS:Win32/Fareit

Once executed, it also phones back to the following command and control servers:
173.201.177.77
132.248.49.112
95.142.167.193
81.93.250.157
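The indicators above (the compromised-WordPress landing-page pattern, the exploit-serving host and its IP, the payload hashes and the C2 addresses) are most useful when run over proxy or web logs to reconstruct the whole chain per client, rather than matched one at a time. The following is an added example of such a check, not code from the post or from Webroot. The log format and the sample log lines are constructed for the example (the compromised-site IP 198.51.100.7 and the client addresses are assumed); the indicator values are taken from the post, and the landing-page regex is derived from the listed URLs (an eleven-character plugin directory starting with “z”), so it may need loosening if the campaign rotates naming.

```python
import re
from urllib.parse import urlparse

# Indicators taken from the post above.
LANDING_PAGE_RE = re.compile(
    r"/wp-content/plugins/z[a-z]{10}/(chkpayroladp|payrolstatchk)\.html$"
)
EXPLOIT_HOSTS = {"tetraboro.net", "royalwinnipegballet.net", "advertizing9.com",
                 "eartworld.net", "hotelrosaire.net"}
EXPLOIT_IP = "222.238.109.66"
C2_IPS = {"173.201.177.77", "132.248.49.112", "95.142.167.193", "81.93.250.157"}
PAYLOAD_MD5S = {"5a859e1eff1ee1576b61da658542380d": "Worm:Win32/Cridex.E",
                "472d6e748b9f5b02700c55cfa3f7be1f": "PWS:Win32/Fareit"}

# Constructed proxy log format (an assumption for this example, not from the post):
# <timestamp> <client-ip> <dest-ip> <method> <url> <status> "<user-agent>"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<dest>\S+) (?P<method>\S+) (?P<url>\S+) '
    r'(?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)


def classify(line):
    """Return a list of (stage, detail) findings for one log line; [] when clean."""
    m = LOG_RE.match(line.strip())
    if not m:
        return [("unparsed", line.strip())]
    parsed = urlparse(m.group("url"))
    host = (parsed.hostname or "").lower()
    findings = []
    if LANDING_PAGE_RE.search(parsed.path):
        findings.append(("landing-page", host + parsed.path))
    if host in EXPLOIT_HOSTS or m.group("dest") == EXPLOIT_IP:
        findings.append(("exploit-kit", host or m.group("dest")))
        # The Java plugin fetches applets/JARs with a User-Agent of the form
        # "Java/1.7.0_10", so a Java UA hitting the kit host is the exploit stage.
        if m.group("ua").startswith("Java/"):
            findings.append(("java-plugin-request", m.group("ua")))
    if m.group("dest") in C2_IPS or host in C2_IPS:
        findings.append(("c2-callback", m.group("dest")))
    return findings


def scan(log_text):
    """Group findings per client IP so a full chain (landing -> kit -> C2) stands out."""
    per_client = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        m = LOG_RE.match(line.strip())
        client = m.group("client") if m else "unknown"
        for stage, detail in classify(line):
            per_client.setdefault(client, []).append((stage, detail))
    return per_client


def full_chain(stages):
    """True when one client shows the landing page, the kit host and a C2 callback."""
    seen = {stage for stage, _ in stages}
    return {"landing-page", "exploit-kit", "c2-callback"} <= seen


def lookup_hash(md5_hex):
    """Map a dropped file's MD5 (any case) to the detection name from the post, or None."""
    return PAYLOAD_MD5S.get(md5_hex.strip().lower())


# Constructed sample log: one client walks the whole chain, another is clean.
SAMPLE_LOG = """\
2013-01-14T09:12:03Z 10.0.0.5 93.184.216.34 GET http://example.com/ 200 "Mozilla/5.0"
2013-01-14T09:12:41Z 10.0.0.5 198.51.100.7 GET http://switchedonspeech.com/wp-content/plugins/zalyhvjiose/chkpayroladp.html 200 "Mozilla/5.0"
2013-01-14T09:12:42Z 10.0.0.5 222.238.109.66 GET http://tetraboro.net/detects/coming_lost-source.php 200 "Mozilla/5.0"
2013-01-14T09:12:44Z 10.0.0.5 222.238.109.66 GET http://tetraboro.net/detects/coming_lost-source.php?huyq=1m:2v:1g:1o:1k&tfize=32 200 "Java/1.7.0_10"
2013-01-14T09:13:10Z 10.0.0.5 173.201.177.77 POST http://173.201.177.77/ 200 "Mozilla/4.0"
2013-01-14T09:15:00Z 10.0.0.9 93.184.216.34 GET http://example.com/wp-content/plugins/akismet/akismet.js 200 "Mozilla/5.0"
"""

if __name__ == "__main__":
    for client, stages in scan(SAMPLE_LOG).items():
        flag = "FULL CHAIN" if full_chain(stages) else "partial"
        print(client, flag)
        for stage, detail in stages:
            print("   ", stage, detail)
```

The per-client grouping matters: a lone hit on the landing-page pattern may be a crawler or a user who closed the page, whereas a landing page followed by a Java-UA request to the kit host and then a POST to one of the C2 addresses from the same client is a compromised endpoint that needs the dropped files checked against the two hashes.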

Webroot SecureAnywhere users are proactively protected from these threats.

You can find more about Dancho Danchev at his LinkedIn Profile. You can also follow him on Twitter.
