Tuesday, August 28, 2012

Intuit Phishing Campaign - Mighty BlackHole in Action

Intuit phishing campaign has been started today. The structure and concept of the attack is the same as discussed earlier. Let's dissect the details of this campaign. The email comes to your inbox in the format as presented below:

The accompanied link is : hxxp://numerodedicato.altervista.org/blog/wp-content/uploads/fgallery/updint.html. On visiting the link, the user finds a webpage with a following layout:

The message looks interesting. The webpage is executing another JavaScript to load content from another third-party domain. The details of this deobfuscated script are present here: http://pastebin.com/MVCH8M3N

The obfuscation provided us with an iframe that is downloading content from the following URL: hxxp://roadmateremove.org/main.php?page=9bb4aab85fa703f5

The obfuscated plugin script is herehttp://pastebin.com/biZnVwMD
The deobfuscated plugin script is here :  http://pastebin.com/hsKKn6EP

Many of the AV engines shows this website as benign. But, this domain hosting a BH exploit Pack. Let's see further:

On deobfuscation we get an applet code as follows:

Something seems suspicious, with Pre.jar file here. Further, the request to this link : hxxp://roadmateremove.org/data/hhcp.php?c=8896e loads the iframe for the plugin detection code. On successful verification and fingerprinting the Pre.jar file is served on the vulnerable systems. A quick check on virus-total only provides a reference to Blackhole exploit.

Check: https://www.virustotal.com/file/65ac3d0ef75cad088c80bcb238fe6206c42866a8e73676f5b5dd6b235871f874/analysis/1346173365/

Definitely a Java exploit in action.

This analysis is based on a specific link accompanied with this sample. The embedded links might change with other phishing emails.

Be Secure.