Rajiv Singha

New Common Vulnerabilities and Exposure (CVE) in Spammer’s toolkit

June 3, 2016

The Quick Heal Malware Intelligence Reporting System has recently observed CVE-2015-2545 (a Common Vulnerabilities and Exposures entry) being actively used in an online spam campaign.

The campaign begins with targeted users receiving a spam email with an attached malicious document. Below are some common attachment names used in this spam campaign:

  • Proforma Order.doc
  • Confirmed_orders.doc
  • Covering letter.doc
  • Payment_Advise.doc
  • Purchase Order.doc
  • TIANJIN_LIGHT_IMPORT_EXPORT.doc
  • Outstanding_Acc-40493.doc

Spammers trick users into opening the attached document which contains the exploit code for CVE-2015-2545. Once the document is opened, it exploits the vulnerability present in unpatched versions of Microsoft Office.

This vulnerability was patched by Microsoft in September 2015. Users who haven’t applied the Microsoft security update for this vulnerability are at risk from this exploit.

By exploiting the Microsoft Office vulnerability, spammers execute malicious code on the victim’s machine and can then download and execute a malware payload.

Some of the payload download URLs observed in this campaign include:

  • hxxp://cozeh.com/.css/mun.exe
  • hxxp://hmarques.lusitanium.com/Image/PonyOrder_1C0.exe
  • hxxp://bunandbar.com/.css/maha.exe
  • hxxp://bunandbar.com/.css/joe.exe
  • hxxp://bunandbar.com/.css/cyprus.exe
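As an added detection example (not Quick Heal's code or part of the original report), the script below scans web proxy log lines for two traits of the payload URLs listed above: a fetch from one of the named campaign hosts, and an executable served from a hidden dot-directory such as `/.css/`. The log format and the log lines are constructed for the example; only the three hostnames come from the report.

```python
import re
from urllib.parse import urlsplit

# Hosts named in the campaign report above (shown defanged as hxxp:// in the post).
CAMPAIGN_HOSTS = {"cozeh.com", "hmarques.lusitanium.com", "bunandbar.com"}

# Constructed proxy log lines (assumed format: time client method url status); not real traffic.
SAMPLE_LOG = """\
2016-06-03T09:14:02 10.0.0.21 GET http://cozeh.com/.css/mun.exe 200
2016-06-03T09:14:30 10.0.0.22 GET http://example.org/static/.css/site.css 200
2016-06-03T09:15:11 10.0.0.23 GET http://updates.example.net/agent.exe 200
2016-06-03T09:16:45 10.0.0.24 GET http://hmarques.lusitanium.com/Image/PonyOrder_1C0.exe 200
2016-06-03T09:17:09 10.0.0.25 GET http://cdn.example.com/.data/probe.exe 404
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def classify(url):
    """Return the list of reasons a fetched URL matches the campaign's pattern (empty if none)."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    segments = parts.path.split("/")
    reasons = []
    if host in CAMPAIGN_HOSTS:
        reasons.append("known campaign host")
    # The payload paths above hide the .exe inside a dot-directory (e.g. /.css/);
    # flag any executable whose directory components include such a hidden directory.
    if segments[-1].lower().endswith(".exe") and any(s.startswith(".") for s in segments[1:-1]):
        reasons.append("executable served from hidden dot-directory")
    return reasons


def scan(log_text):
    """Parse proxy log lines and return (client, url, reasons) for every matching fetch.

    The HTTP status is deliberately ignored: a failed download attempt is still
    evidence that the exploit ran on the client.
    """
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the scan
        _ts, client, _method, url, _status = m.groups()
        reasons = classify(url)
        if reasons:
            hits.append((client, url, reasons))
    return hits


if __name__ == "__main__":
    for client, url, reasons in scan(SAMPLE_LOG):
        print(client, url, "; ".join(reasons))
```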

Download this PDF to read the complete report:


ACKNOWLEDGEMENT

  • Manish Sardiwal
  • Pavankumar Chaudhari

– Vulnerability Analysis & Research Team

