New Common Vulnerabilities and Exposure (CVE) in Spammer’s toolkit
The Quick Heal Malware Intelligence Reporting System has made a recent observation about a CVE (Common Vulnerabilities and Exposures) known as CVE-2015-2545 being actively used in an online spam campaign.
The campaign begins with targeted users receiving a spam email with an attached malicious document. Below are some common attachment names used in this spam campaign:
- Proforma Order.doc
- Confirmed_orders.doc
- Covering letter.doc
- Payment_Advise.doc
- Purchase Order.doc
- TIANJIN_LIGHT_IMPORT_EXPORT.doc
- Outstanding_Acc-40493.doc
Spammers trick users into opening the attached document which contains the exploit code for CVE-2015-2545. Once the document is opened, it exploits the vulnerability present in unpatched versions of Microsoft Office.
This vulnerability was patched by Microsoft in September 2015. Users who haven’t applied Microsoft security updates for this vulnerablity are at a risk of this exploit.
By exploiting Microsoft Office software, spammers execute malicious code on the victim’s machine and can download and execute malware payload.
Some URLs found for payload download in this campaign include:
- hxxp://cozeh.com/.css/mun.exe
- hxxp://hmarques.lusitanium.com/Image/PonyOrder_1C0.exe
- hxxp://bunandbar.com/.css/maha.exe
- hxxp://bunandbar.com/.css/joe.exe
- hxxp://bunandbar.com/.css/cyprus.exe
Download this PDF to read the complete report:
ACKNOWLEDGEMENT
- Manish Sardiwal
- Pavankumar Chaudhari
– Vulnerability Analysis & Research Team
No Comments, Be The First!