Recently, after the successful intrusion of linked-in network by attackers, phishers also started exploiting the trust of users by sending phishing emails with embedded malicious links. The linked-in is on bit roll nowadays by attackers but it is always good to analyze the phishing attack. Our team received the phished linked-in emails. Of-course if you are in malware analysis field you are always targeted one or the other way. It happens. Let's discuss the exploit in action in this phishing attack. The users receive following email as presented in the figure below:
The users who received this email are presented below:
The malicious links accompanied with this email are presented as:
The deobfuscated script is available here - http://pastebin.com/yDjQRD0u. Some of the interesting code has been shown below, the rest you can scratch on the pastebin.
On successful, deobfuscation, we observed that
1. The script is fingerprinting plugins, OS, User-agent and other information
2. The malicious domain is running BlackHole BEP.
3. We accessed certain set of files on the domain, one of which is shown below
So, the BlackHole is still on fire but attackers now using modular way of serving exploit. There are other interesting information that we found during analysis but not presenting here. If something more interesting comes up, we will update it here.
Hot to be secure?
1. Update plugins to the latest version.
2. Think twice before your click.
Be secure !