Tag Archives: java applet exploit

Spam “Your Bill Me Later notice” leads to Incognito exploit kit

Users have reported another malicious email message with subject “Your Bill Me Later notice” that states you have made a payment over the phone of $60.12 to Bill Me Later website. The email body is full of HREF links that point to a lot of malicious URLs, view a screenshot of the email message:

Your Bill Me Later notice

Email header details:

Received: from server.serverhk.net (69-164-193-60.magicnic.com [69.164.193.60])
Received: from [200.76.191.2] (helo=askokay.com) by server.serverhk.net with esmtpsa
Received: from [192.245.26.33] by m1.gns.snv.thisdomainl.com with SMTP; Wed, 16 May 2012 21:04:47 +1000
Received: from [68.117.211.36] by mailout.endmonthnow.com with NNFMP; Wed, 16 May 2012 20:54:02 +1000
Date: Wed, 16 May 2012 20:50:24 +1000
From: "Advera" askokay@askokay.com
Subject: Your Bill Me Later notice

The malicious extracted URLs are:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
hxxp:// www. studiobarsotti .it /3oXGcu61/index.html
hxxp:// www. eventosabsolue .com /qh8xhoi8/index.html
hxxp:// foxpublicidade .com .br /foRzthoD/index.html
hxxp:// www. studiobarsotti .it /GRYYEt3L/index.html
hxxp:// 76.12.158 .176 /3oXGcu61/index.html
hxxp:// 76.12.158 .176 /yWyXU9NU/index.html
hxxp:// www. eventosabsolue .com /ZmUaukzG/index.html
hxxp:// ewaleczek. cal24 .pl /5CY4dSwa/index.html
hxxp:// www. eventosabsolue .com /h03NraKE/index.html
hxxp:// foxpublicidade. com .br/yWyXU9NU/index.html
hxxp:// www. hso. co. jp/yWyXU9NU/index.html
hxxp:// zajacpiotr. hostit .pl /yWyXU9NU/index.html
hxxp:// zajacpiotr. hostit. pl /smWHegmd/index.html
hxxp:// ftp.joblines .sk /ri8ZKUip/index.html
hxxp:// www. sacmilani. com. ar /uvoNJPhk/index.html
hxxp:// foxpublicidade. com. br /smWHegmd/index.html
hxxp:// www. studiobarsotti .it /hTVbWtV1/index.html
hxxp:// jahu. com. br /FW3s2g0r/index.html
hxxp:// onecursos .com .br /foRzthoD/index.html
hxxp:// www. studiobarsotti .it /GRYYEt3L/index.html
hxxp:// www. studiobarsotti .it /yWyXU9NU/index.html
hxxp:// www. kayafamily .it /ZmUaukzG/index.html

Using URL Dump we can dump the HTML content:

Dumped HTML Content

From the dumped data, we can see it is the Incognito exploit kit.

Extacted malicious URLs:

hxxp:// bigdeal . my/ZyYJZ7F0/js.js

The malicious URLs redirect users to another malicious URL:

hxxp:// 69.163.34. 134 /showthread.php?t=977334ca118fcb8c

If we use URL Dump and we set the user-agent to Java, when we dump the content of the new malicious URL we can see it recognises from the user-agent that the user is using Java and the exploit tries to serve the infected Java applet:

Dumped Data