Phoenix, Phoenix, I need help!

The Websense® ThreatSeeker® Network has been tracking an ongoing malicious email campaign in which a recipient is asked to click a link to check a bill mistakenly received by another user.  We have been monitoring campaigns of thousands of emails similar to this one for a while now and notice that the Phoenix Exploit Kit is used. The campaign starts with the following email:

An analysis of the embedded link leads to a URL with the content shown below: 

This obfuscation leads to a Phoenix Exploit Kit infrastructure. We can confirm that the past few days have seen an increase in the use of the Phoenix Exploit Kit, following a period of widespread activities based on the Black Hole Exploit Kit. By de-obfuscating the JavaScript code above we can retrieve the landing page for the web site to which a user is redirected:

The code pictured above de-obfuscates to the following URL:

hxxxp://monikabestolucci.ru:8801/html/yveveqduclirb1.php

The Websense ThreatSeeker Network has also detected this URL as a domain used in a Fast Flux botnet. 

The proof that this is a Fast Flux botnet can be found by retrieving the DNS record of the domain monikabestolucci.ru, which our analysis reveals is associated with the following IP addresses:

These IP addresses are located in the following countries:

When we analyze the malicious files generated by the above URL code, we recognize the exploiting vectors used in thePhoenix Exploit Kit. Specifically, we detect a SWF file with the exploit code for the CVE-2011-0611 vulnerability and a Java archive file containing the code for the widespread CVE-2011-3544 Java vulnerability.

Our analysis also shows that the Phoenix Exploit Kit has been used to spread a variant of the Trojan infostealer Cridex.B (MD5 7231d781cd29a086dc4d06fd5d72b6f3).

Websense customers are protected from these threats by ACE, our Advanced Classification Engine.