New Common Vulnerabilities and Exposure (CVE) in Spammer’s toolkit


The Quick Heal Malware Intelligence Reporting System has recently observed the vulnerability CVE-2015-2545 (Common Vulnerabilities and Exposures) being actively used in an online spam campaign.

The campaign begins with targeted users receiving a spam email with an attached malicious document. Below are some common attachment names used in this spam campaign:

  • Proforma Order.doc
  • Confirmed_orders.doc
  • Covering letter.doc
  • Payment_Advise.doc
  • Purchase Order.doc
  • TIANJIN_LIGHT_IMPORT_EXPORT.doc
  • Outstanding_Acc-40493.doc

Spammers trick users into opening the attached document, which contains the exploit code for CVE-2015-2545. Once the document is opened, it exploits the vulnerability present in unpatched versions of Microsoft Office.

This vulnerability was patched by Microsoft in September 2015. Users who haven’t applied the Microsoft security update for this vulnerability remain at risk from this exploit.

By exploiting Microsoft Office, spammers execute malicious code on the victim’s machine and can then download and run a malware payload.

Some URLs found for payload download in this campaign include:

  • hxxp://cozeh.com/.css/mun.exe
  • hxxp://hmarques.lusitanium.com/Image/PonyOrder_1C0.exe
  • hxxp://bunandbar.com/.css/maha.exe
  • hxxp://bunandbar.com/.css/joe.exe
  • hxxp://bunandbar.com/.css/cyprus.exe

Download this PDF to read the complete report:


ACKNOWLEDGEMENT

  • Manish Sardiwal
  • Pavankumar Chaudhari

– Vulnerability Analysis & Research Team

Rajiv Singha
