Websense Security Labs Blog

Websense Security Labs discovers, investigates and reports on advanced Internet threats that traditional security
research methods miss.

Phoenix, Phoenix, I need help!

Posted: 26 Jan 2012 03:30 AM | Gianluca Giuliani


The Websense® ThreatSeeker® Network has been tracking an ongoing malicious email campaign in which the recipient is asked to click a link to review a bill supposedly sent to them by mistake. We have been monitoring campaigns of thousands of similar emails for some time, and all of them lead to the Phoenix Exploit Kit. The campaign starts with an email like the one in the screenshot in the original post.
Following the embedded link leads to a page whose content is a block of obfuscated JavaScript (screenshot in the original post).
This obfuscated script is a redirector into Phoenix Exploit Kit infrastructure. We can confirm that the past few days have seen an increase in the use of the Phoenix Exploit Kit, following a period of widespread activity based on the Black Hole Exploit Kit. De-obfuscating the JavaScript (screenshot in the original post) yields the landing page to which the victim's browser is redirected:

hxxxp://monikabestolucci.ru:8801/html/yveveqduclirb1.php


The Websense ThreatSeeker Network has also flagged the host of this URL, monikabestolucci.ru, as a domain used by a fast-flux botnet.

The evidence is in the domain's DNS records: an A lookup of monikabestolucci.ru returns a set of unrelated IP addresses (listed in the original post) located in several different countries (also shown there). What makes this fast flux rather than ordinary load balancing is that the answer set is large, the addresses belong to unrelated networks (typically compromised hosts acting as proxies to the real back end), and the records carry short TTLs and change between successive lookups. A single snapshot of several A records is consistent with fast flux but is not proof on its own; a CDN or round-robin setup also returns multiple addresses. Repeated queries over time are needed to see the churn.
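One way to turn that reasoning into a check, as an added example that is not part of the original post: the code scores a series of A-record answers for a domain on TTL, address diversity, network diversity and churn between successive answers. The answers, the thresholds and the use of a /24 prefix as a stand-in for "same network" are assumptions for illustration; the addresses come from the RFC 5737 documentation ranges and are not the records observed for the real domain.

```python
"""Heuristic fast-flux scoring over repeated DNS A-record answers.

Added example, not code from the original post. The answers below are
constructed (RFC 5737 documentation addresses), not the real records of
monikabestolucci.ru, and the thresholds are illustrative assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Answer:
    ts: int             # seconds since the first query
    ttl: int            # TTL (seconds) carried by the A records
    ips: frozenset      # A records returned in this response


def network_key(ip: str) -> str:
    """/24 as a cheap, offline stand-in for 'same network'. Real triage would
    map each address to its ASN so unrelated hosting/residential networks show up."""
    return ".".join(ip.split(".")[:3]) + ".0/24"


def score_fast_flux(answers, max_ttl=300, min_ips=5, min_networks=3, min_churn=0.5):
    """Return (suspicious, details).

    Fast flux looks like: short TTLs, many distinct addresses spread across
    unrelated networks, and a large share of each answer not present in the
    previous one (churn). A CDN or round-robin pool typically fails the churn
    and network-diversity tests even when it returns several A records."""
    all_ips = frozenset().union(*(a.ips for a in answers))
    networks = {network_key(ip) for ip in all_ips}
    highest_ttl = max(a.ttl for a in answers)

    # churn: average fraction of each answer that was absent from the previous one
    churn = 0.0
    for prev, cur in zip(answers, answers[1:]):
        churn += len(cur.ips - prev.ips) / len(cur.ips)
    churn /= max(len(answers) - 1, 1)

    details = {
        "unique_ips": len(all_ips),
        "unique_networks": len(networks),
        "max_ttl": highest_ttl,
        "churn": round(churn, 2),
    }
    checks = [
        highest_ttl <= max_ttl,
        len(all_ips) >= min_ips,
        len(networks) >= min_networks,
        churn >= min_churn,
    ]
    # require most of the signals; any single one has benign explanations
    return sum(checks) >= 3, details


# Constructed: four lookups, five minutes apart, each answer mostly new.
FLUX_ANSWERS = [
    Answer(0,   120, frozenset({"192.0.2.10", "198.51.100.23", "203.0.113.7"})),
    Answer(300, 120, frozenset({"198.51.100.23", "192.0.2.120", "203.0.113.8"})),
    Answer(600, 120, frozenset({"203.0.113.8", "192.0.2.200", "198.51.100.5"})),
    Answer(900, 120, frozenset({"192.0.2.6", "198.51.100.5", "203.0.113.44"})),
]

# Constructed: a stable two-address round-robin with a one-hour TTL.
STABLE_ANSWERS = [
    Answer(t, 3600, frozenset({"192.0.2.1", "192.0.2.2"})) for t in (0, 3600, 7200)
]

if __name__ == "__main__":
    for name, answers in (("flux", FLUX_ANSWERS), ("stable", STABLE_ANSWERS)):
        suspicious, details = score_fast_flux(answers)
        print(name, "fast-flux" if suspicious else "benign", details)
```

In practice the answers would come from repeated lookups over several hours (for example, `dig +noall +answer A <domain>` on a schedule), and the /24 key would be replaced by an ASN lookup so that a pool of compromised residential hosts is distinguished from a single provider's address block.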


When we analyze the malicious files served by this landing page, we recognize the exploit vectors typical of the Phoenix Exploit Kit. Specifically, we find a SWF file carrying exploit code for CVE-2011-0611 (a memory-corruption vulnerability in Adobe Flash Player) and a Java archive (JAR) exploiting the widespread CVE-2011-3544 vulnerability in the Rhino script engine of Oracle Java, which lets an untrusted applet escape the sandbox. Both vulnerabilities had been patched months before this campaign, so the kit relies on visitors running outdated plugins.
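As a first step toward the analysis described above, the following added example (not the post's code) triages files fetched from a landing page: it parses the SWF header and inflates a zlib-compressed (CWS) body so the tag stream can go to a decompiler, and it walks a JAR looking for class files that reference the Rhino scripting API, a string that exploits for CVE-2011-3544 typically contain. The sample files are constructed in memory, the Rhino string scan is a heuristic lead rather than a detector, and identifying the actual CVE still requires inspecting the decompressed ActionScript or decompiled classes.

```python
"""Triage of files fetched from an exploit-kit landing page.

Added example, not code from the original post. The SWF and JAR bytes are
constructed in memory to exercise the checks; they are not the campaign's
payloads, and the Rhino-API string scan is a heuristic, not a CVE detector.
"""
import io
import struct
import zipfile
import zlib

# Class-file constant found in Java exploits that abuse the Rhino script
# engine (CVE-2011-3544 family). Its presence is a lead for an analyst, not proof.
RHINO_API = b"javax/script/ScriptEngineManager"


def identify_swf(blob: bytes) -> dict:
    """Parse the 8-byte SWF header and inflate a CWS body so the tag stream
    can be handed to a decompiler. FWS is uncompressed, CWS is zlib, ZWS is LZMA
    (LZMA handling is omitted here)."""
    sig, version = blob[:3], blob[3]
    declared_len = struct.unpack("<I", blob[4:8])[0]
    info = {"type": "swf", "signature": sig.decode(), "version": version,
            "declared_length": declared_len}
    if sig == b"CWS":
        body = zlib.decompress(blob[8:])
        # declared_length covers the header plus the *uncompressed* body
        info["length_consistent"] = len(body) + 8 == declared_len
    elif sig == b"FWS":
        info["length_consistent"] = len(blob) == declared_len
    return info


def identify_jar(blob: bytes) -> dict:
    """Walk a ZIP/JAR and flag class files that reference the Rhino scripting API."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        names = zf.namelist()
        classes = [n for n in names if n.endswith(".class")]
        rhino_refs = [n for n in classes if RHINO_API in zf.read(n)]
    is_jar = "META-INF/MANIFEST.MF" in names or bool(classes)
    return {"type": "jar" if is_jar else "zip", "entries": names,
            "rhino_api_refs": rhino_refs}


def identify(blob: bytes) -> dict:
    """Dispatch on magic bytes: SWF signatures or a ZIP local-file header."""
    if blob[:3] in (b"FWS", b"CWS", b"ZWS") and len(blob) >= 8:
        return identify_swf(blob)
    if blob[:4] == b"PK\x03\x04":
        return identify_jar(blob)
    return {"type": "unknown"}


def build_samples():
    """Constructed test inputs (not real malware): a CWS SWF with a dummy body
    and a JAR whose one class names the Rhino API in its constant pool."""
    swf_body = b"\x00" * 32                       # stand-in for RECT/frame header/tags
    swf = b"CWS" + bytes([10]) + struct.pack("<I", 8 + len(swf_body)) + zlib.compress(swf_body)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("Loader.class", b"\xca\xfe\xba\xbe" + RHINO_API)
        zf.writestr("Helper.class", b"\xca\xfe\xba\xbe" + b"java/lang/Object")
    return swf, buf.getvalue()


if __name__ == "__main__":
    for sample in build_samples():
        print(identify(sample))
```

On real captures the inflated SWF goes to a Flash decompiler and the flagged classes to a Java decompiler; the triage only tells the analyst which tool to reach for and which class to read first.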


Our analysis also shows that the Phoenix Exploit Kit has been used to drop a variant of the information-stealing Trojan Cridex.B (MD5 7231d781cd29a086dc4d06fd5d72b6f3).



Websense customers are protected from these threats by ACE™, our Advanced Classification Engine.


