The Latest in IT Security

Phoenix, Phoenix, I need help!

26
Jan
2012

The WebsenseR ThreatSeekerR Network has been tracking an ongoing malicious email campaign in which a recipient is asked to click a link to check a bill mistakenly received by another user.  We have been monitoring campaigns of thousands of emails similar to this one for a while now and notice that the Phoenix Exploit Kit is used. The campaign starts with the following email:


An analysis of the embedded link leads to a URL with the content shown below:



This obfuscation leads to a Phoenix Exploit Kit infrastructure. We can confirm that the past few days have seen an increase in the use of the Phoenix Exploit Kit, following a period of widespread activities based on the Black Hole Exploit Kit. By de-obfuscating the JavaScript code above we can retrieve the landing page for the web site to which a user is redirected:


The code pictured above de-obfuscates to the following URL:

hxxxp://monikabestolucci.ru:8801/html/yveveqduclirb1.php

The Websense ThreatSeeker Network has also detected this URL as a domain used in a Fast Flux botnet.

The proof that this is a Fast Flux botnet can be found by retrieving the DNS record of the domain monikabestolucci.ru, which our analysis reveals is associated with the following IP addresses:




These IP addresses are located in the following countries:

When we analyze the malicious files generated by the above URL code, we recognize the exploiting vectors used in the Phoenix Exploit Kit. Specifically, we detect a SWF file with the exploit code for the CVE-2011-0611 vulnerability and a Java archive file containing the code for the widespread CVE-2011-3544  Java vulnerability.

Our analysis also shows that the Phoenix Exploit Kit has been used to spread a variant of the Trojan infostealer Cridex.B (MD5 7231d781cd29a086dc4d06fd5d72b6f3).


Websense customers are protected from these threats by ACETM, our Advanced Classification Engine.

Leave a reply


Categories

SUNDAY, FEBRUARY 05, 2023
WHITE PAPERS

Mission-Critical Broadband – Why Governments Should Partner with Commercial Operators:
Many governments embrace mobile network operator (MNO) networks as ...

ARA at Scale: How to Choose a Solution That Grows With Your Needs:
Application release automation (ARA) tools enable best practices in...

The Multi-Model Database:
Part of the “new normal” where data and cloud applications are ...

Featured

Archives

Latest Comments