The Websense® ThreatSeeker® Network has been tracking an ongoing malicious email campaign in which a recipient is asked to click a link to check a bill mistakenly received by another user. We have been monitoring campaigns of thousands of emails similar to this one for a while now and notice that the Phoenix Exploit Kit is used. The campaign starts with the following email:
An analysis of the embedded link leads to a URL with the content shown below:
The code pictured above de-obfuscates to the following URL:
The Websense ThreatSeeker Network has also detected this URL as a domain used in a Fast Flux botnet.
The proof that this is a Fast Flux botnet can be found by retrieving the DNS record of the domain monikabestolucci.ru, which our analysis reveals is associated with the following IP addresses:
These IP addresses are located in the following countries:
When we analyze the malicious files generated by the above URL code, we recognize the exploiting vectors used in the Phoenix Exploit Kit. Specifically, we detect a SWF file with the exploit code for the CVE-2011-0611 vulnerability and a Java archive file containing the code for the widespread CVE-2011-3544 Java vulnerability.
Our analysis also shows that the Phoenix Exploit Kit has been used to spread a variant of the Trojan infostealer Cridex.B (MD5 7231d781cd29a086dc4d06fd5d72b6f3).
Websense customers are protected from these threats by ACETM, our Advanced Classification Engine.