
Rajib Singha
New Common Vulnerabilities and Exposure (CVE) in Spammer’s toolkit
June 3, 2016

New CVE in Spammer’s toolkit

The Quick Heal Malware Intelligence Reporting System recently observed a CVE (Common Vulnerabilities and Exposures) entry, CVE-2015-2545, being actively used in an online spam campaign.

The campaign begins with targeted users receiving a spam email with an attached malicious document. Below are some common attachment names used in this spam campaign:

  • Proforma Order.doc
  • Confirmed_orders.doc
  • Covering letter.doc
  • Payment_Advise.doc
  • Purchase Order.doc
  • TIANJIN_LIGHT_IMPORT_EXPORT.doc
  • Outstanding_Acc-40493.doc

Spammers trick users into opening the attached document, which contains the exploit code for CVE-2015-2545. Once the document is opened, it exploits the vulnerability present in unpatched versions of Microsoft Office.

Microsoft patched this vulnerability in September 2015. Users who haven’t applied the Microsoft security updates for this vulnerability are at risk from this exploit.

By exploiting Microsoft Office, spammers execute malicious code on the victim’s machine and can then download and execute a malware payload.

Some URLs found for payload download in this campaign include:

  • hxxp://cozeh.com/.css/mun.exe
  • hxxp://hmarques.lusitanium.com/Image/PonyOrder_1C0.exe
  • hxxp://bunandbar.com/.css/maha.exe
  • hxxp://bunandbar.com/.css/joe.exe
  • hxxp://bunandbar.com/.css/cyprus.exe
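
As an added example (not part of the original post or of Quick Heal's tooling), the Python below checks proxy log lines and attachment file names against the indicators listed above, and also flags other paths requested from a listed host. The log format, the function names and the file-name normalisation are assumptions, and the sample log lines are constructed.

```python
import re
from urllib.parse import urlsplit

# Indicators exactly as listed in this post (URLs are defanged there as hxxp://).
ATTACHMENTS = ["Proforma Order.doc", "Confirmed_orders.doc", "Covering letter.doc",
               "Payment_Advise.doc", "Purchase Order.doc",
               "TIANJIN_LIGHT_IMPORT_EXPORT.doc", "Outstanding_Acc-40493.doc"]
PAYLOAD_URLS = ["hxxp://cozeh.com/.css/mun.exe",
                "hxxp://hmarques.lusitanium.com/Image/PonyOrder_1C0.exe",
                "hxxp://bunandbar.com/.css/maha.exe", "hxxp://bunandbar.com/.css/joe.exe",
                "hxxp://bunandbar.com/.css/cyprus.exe"]

def refang(url):
    """Turn a defanged hxxp:// URL back into a parseable http:// URL."""
    return re.sub(r"^hxxp", "http", url.strip(), flags=re.I)

def url_key(url):
    """(host, path): urlsplit lowercases the host; port and query are ignored."""
    parts = urlsplit(refang(url))
    return (parts.hostname or "").rstrip("."), parts.path

def name_key(filename):
    """Lowercased basename; space, underscore and %20 treated alike (assumption)."""
    base = re.split(r"[\\/]", filename)[-1].strip().lower()
    return re.sub(r"(?:%20|[ _])+", "_", base)

URL_KEYS = {url_key(u) for u in PAYLOAD_URLS}
HOSTS = {host for host, _ in URL_KEYS}
NAME_KEYS = {name_key(n) for n in ATTACHMENTS}
URL_RE = re.compile(r"https?://[^\s\"']+", re.I)

def match_url(url):
    """'exact' for a listed payload URL, 'host' for another path on a listed host."""
    key = url_key(url)
    return "exact" if key in URL_KEYS else ("host" if key[0] in HOSTS else None)

def match_attachment(filename):
    return name_key(filename) in NAME_KEYS

def hunt_proxy_log(lines):
    """Return (verdict, line) for each line whose first URL matches an indicator."""
    hits = [(match_url(m.group()), line) for line in lines if (m := URL_RE.search(line))]
    return [h for h in hits if h[0]]

# Constructed proxy log lines (not real telemetry), built from the list above.
SAMPLE_LOG = [
    "2016-06-01T09:14:02 192.0.2.10 GET " + refang(PAYLOAD_URLS[0]) + "?r=1 200",
    "2016-06-01T09:15:40 192.0.2.11 GET " + refang(PAYLOAD_URLS[2]).upper() + " 200",
    "2016-06-01T09:16:05 192.0.2.12 GET http://example.com/.css/site.css 200",
]
```

A `host` verdict is weaker than `exact`: it means a listed host was contacted for a path this post does not name, so it deserves a look rather than an automatic block.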

Download this PDF to read the complete report:

ACKNOWLEDGEMENT

  • Manish Sardiwal
  • Pavankumar Chaudhari

– Vulnerability Analysis & Research Team
