Cybercriminals newest spamvertised malware campaign is brand-jacking Verizon Wireless in an attempt to trick end users into clicking on the malicious links embedded in the email.
It’s being launched by the same cybercriminals that launched last week’s “Malicious USPS-themed emails circulating in the wild” campaign, as both campaigns share the same directory/exploit-serving structure.
The MD5 is using the following dropzone for sending back the intercepted accounting data from the infected PCs - hxxp://220.127.116.11:8080/pony/gate.php Now where have we seen this IP before? In last week’s “Spamvertised LinkedIn notifications serving client-side exploits and malware” malware campaign where 18.104.22.168 was serving client-side exploits through the BlackHole web malware exploitation kit.
The MD5 also attempts to contact the following dropzones is 22.214.171.124 is unavailable:
It also downloads a copy of the ZeuS crimeware, using the following MD5: 86A548CADA5636B4A8ED7DE5F654FF96
Webroot security researchers will continue monitoring the campaign, to ensure that Webroot SecureAnywhere customers are protected from this ongoing threat.