Cybercriminals are currently spamvertising millions of emails impersonating the Windstream Corporation, in an attempt to trick end and corporate users into clicking on links found in the malicious email.
Screenshot of a sample malicious email used by the cybercriminals:
Spamvertised URL: hxxp://madaboutleisure.wsini.com/Ua8ndKkr/index.html?s=883&lid=2325&elq=11f7b1b5179f45b09737bdf10d0fe61f
Redirects to: hxxp://220.127.116.11/search.php?q=fa16f5d3def51288 (responding to mx39.diplomaconnection.org), AS20454, ASN-HIGHHO
Client-side exploits served: CVE-2010-1885
Redirection chain for the client-side exploit: hxxp://madaboutleisure.wsini.com/Ua8ndKkr/index.html?s=883&lid=2325&elq=11f7b1b5179f45b09737bdf10d0fe61 ->
hxxp://icanquit.co.uk/wvGCntXp/js.js -> hxxp://18.104.22.168/search.php?q=fa16f5d3def51288 -> hxxp://22.214.171.124/Set.jar -> hxxp://126.96.36.199/data/ap2.phpi
Upon successful exploitation, two executables are dropped on the infected hosts, MD5: 088ff8b667d3e6a6f968ad6b41aa4fb0 and MD5: 1b1bbf726902beb3b25d11fbdc58720f – detected by 11 out of 42 antivirus scanners as Worm:Win32/Gamarue.I; Gen:Variant.Kazy.72780.
Webroot SecureAnywhere users are proactively protected from this threat.