The Websense® ThreatSeeker® Network has been tracking an ongoing malicious email campaign in which a recipient is asked to click a link to check a bill mistakenly received by another user. We have been monitoring campaigns of thousands of emails similar to this one for a while now and notice that the Phoenix Exploit Kit is used. The campaign starts with the following email:
An analysis of the embedded link leads to a URL with the content shown below:
This obfuscation leads to a Phoenix Exploit Kit infrastructure. We can confirm that the past few days have seen an increase in the use of the Phoenix Exploit Kit, following a period of widespread activities based on the Black Hole Exploit Kit. By de-obfuscating the JavaScript code above we can retrieve the landing page for the web site to which a user is redirected:
The code pictured above de-obfuscates to the following URL:
hxxxp://monikabestolucci.ru:8801/html/yveveqduclirb1.php
The Websense ThreatSeeker Network has also detected this URL as a domain used in a Fast Flux botnet.
The proof that this is a Fast Flux botnet can be found by retrieving the DNS record of the domain monikabestolucci.ru, which our analysis reveals is associated with the following IP addresses:
These IP addresses are located in the following countries:
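To make the Fast Flux indicator above concrete, here is an added example (not Websense's code or analysis) of a defender-side heuristic that scores a series of DNS lookups for a single domain: short TTLs, many distinct A records across lookups, and addresses spread over several /16 prefixes. The answer sets below are constructed sample data using RFC 5737 documentation addresses, not the real records of the domain in this post.

```python
# Added example: simple fast-flux heuristic over repeated DNS answer sets.
# The lookups below are constructed samples, not the real records for
# the domain discussed in the post.
from dataclasses import dataclass


@dataclass
class DnsAnswer:
    ttl: int        # TTL in seconds reported for the A records
    ips: list       # A records returned by this lookup


def prefix16(ip: str) -> str:
    """Return the /16 prefix of a dotted IPv4 address (a rough network proxy)."""
    a, b, *_ = ip.split(".")
    return f"{a}.{b}"


def flux_score(answers, ttl_max=300, min_ips=6, min_prefixes=3):
    """Return (is_suspicious, stats) for successive lookups of one domain.

    Fast-flux domains typically hand out a short TTL so resolvers refresh
    often, rotate through many compromised hosts, and spread those hosts
    across unrelated networks; the thresholds here are illustrative."""
    all_ips = {ip for a in answers for ip in a.ips}
    prefixes = {prefix16(ip) for ip in all_ips}
    short_ttl = all(a.ttl <= ttl_max for a in answers)
    # Count how often the answer set changed between consecutive lookups.
    changes = sum(1 for a, b in zip(answers, answers[1:]) if set(a.ips) != set(b.ips))
    stats = {
        "distinct_ips": len(all_ips),
        "distinct_prefixes": len(prefixes),
        "short_ttl": short_ttl,
        "changes": changes,
    }
    suspicious = short_ttl and len(all_ips) >= min_ips and len(prefixes) >= min_prefixes
    return suspicious, stats


# Constructed sample: three successive lookups of a fluxing domain.
FLUX_LOOKUPS = [
    DnsAnswer(120, ["198.51.100.7", "203.0.113.45", "192.0.2.88"]),
    DnsAnswer(120, ["203.0.113.45", "198.51.100.210", "192.0.2.19"]),
    DnsAnswer(120, ["192.0.2.19", "198.51.100.33", "203.0.113.9"]),
]
# Constructed sample: an ordinary host with one stable, long-lived record.
STABLE_LOOKUPS = [DnsAnswer(86400, ["192.0.2.10"])] * 3

if __name__ == "__main__":
    print("flux domain:", flux_score(FLUX_LOOKUPS))
    print("stable host:", flux_score(STABLE_LOOKUPS))
```

A real deployment would replace the constructed answer sets with timed resolver queries and could swap the /16 proxy for ASN or country lookups, which is the kind of geographic spread the post reports.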
When we analyze the malicious files generated by the above URL code, we recognize the exploit vectors used in the Phoenix Exploit Kit. Specifically, we detect a SWF file with exploit code for the CVE-2011-0611 vulnerability and a Java archive file containing exploit code for the widespread CVE-2011-3544 Java vulnerability.
Our analysis also shows that the Phoenix Exploit Kit has been used to spread a variant of the Trojan infostealer Cridex.B (MD5 7231d781cd29a086dc4d06fd5d72b6f3).
Websense customers are protected from these threats by ACE™, our Advanced Classification Engine.