Spamvertised ‘Your UPS delivery tracking’ emails serving client-side exploits and malware

by


Cybercriminals are currently spamvertising millions of emails impersonating United Parcel Service (UPS) in an attempt to trick end and corporate users into clicking on exploits and malware serving links found in the malicious emails. What exploits are they using? How widespread is the campaign? Is it an isolated incident, or is the campaign linked to more malicious activity?

More details:

Screenshots of the spamvertised campaign:

Upon clicking on the link, users are exposed to the following bogus page displaying additional information about the package:

Sample spamvertised malicious URLs: hxxp://andreascookies.com/deliv.htmlhxxp://selcoelectrical.co.uk/deliv.htmlhxxp://nepa.com.np/deliv.htmlhxxp://it-agency-job-opportunities.com//track.htmlhxxp://agarcia.tv/wp-content/uploads/fgallery/track.htmlhxxp://samsung40lcdtvlnt4061f.uwcblog.com/spss.html

Detection rate for the client-side exploit serving page: devil.html – MD5: f9a47465f88bb76d1987fba6ffc72db7 – detected by 2 out of 42 antivirus scanners as JS/Obfuscus.AACB!tr; HEUR:Trojan.Script.Generic

Client-side exploitation chain: hxxp://savecoralz.net/main.php?page=2a709dab1e660eaf -> hxxp://savecoralz.net/Set.jar

Second client-side exploitation chain seen in the same campaign: hxxp://abilenepaint.net/main.php?page=c3c45bf60719e629 -> hxxp://abilenepaint.net/Half.jar

Upon clicking on the link, the campaign is serving client-side exploits using the Black Hole web malware exploitation kit, and in this particular campaign it’s attempting to exploit CVE-2010-1885 and CVE-2012-0507.

Once the client-side exploitation takes place, the campaign drops MD5: 202d24597758dc5f190bf63527712af0 – detected by 2 out of 42 antivirus scanners as Trojan/Win32.Hrup; Suspicious.Cloud.5

Info on the client-side exploit serving domain: savecoralz.net – 109.164.221.176; 46.162.27.165; name servers: NS1.GRAPECOMPUTERS.NET; NS2.GRAPECOMPUTERS.NET – Email: clinicadelta@aol.com

The following malware-serving domains are also using the same name servers:
synergyledlighting.net
stafffire.net
thai4me.com
energirans.net
hapturing.net
housespect.net
synetworks.net
110hobart.com
perikanzas.com
abc-spain.net
migdaliasbistro.net
themeparkoupons.net
icemed.net
sony-zeus.net
mynourigen.net
georgekinsman.net
ekotastic.net
torsax.net
popzulu.net
arizonacentennialmens.com

Info on the second client-side exploits serving domain observed in the campaign: abilenepaint.net – 79.142.67.135 (known to have also responding to 109.169.86.139 (stafffire.net) – Email: ezvalu@live.com Name servers: ns1.asiazmile.net, ns2.asiazmile.net

More domains known to be using the same name servers as abilenepaint.net
stafffire.net
alamedapaint.net
asiazmile.net

Client-side exploitation chain: hxxp://abilenepaint.net/main.php?page=c3c45bf60719e629 -> hxxp://abilenepaint.net/Half.jar

Upon successful client-side exploitation the second malicious URL drops MD5: 5e187c293a563968dd026fae02194cfa, detected by 3 out of 42 antivirus scanners as PAK_Generic.001. Upon execution it creates the following file:

%AppData%KB00121600.exe – MD5: 5E187C293A563968DD026FAE02194CFA - detected by 3 out of 42 antivirus scanners as PAK_Generic.001

Upon execution, the sample phones back to 123.49.61.59/zb/v_01_b/in on port 8080. Another sample is known to have phoned back to the same URL, namely, MD5: 108F10F0921F2B4FCA87FE6E620D21EF which phones back to:

hxxp://123.49.61.59:8080/zb/v_01_a/in/
hxxp://91.121.103.143:8080/zb/v_01_a/.upd/u2006a.exe

u2006a.exe has a MD5 of MD5: c5fcee018e9b80a2574d98189684ba2a, and is detected by 4 out of 42 antivirus scanners as Worm.Win32.AutoRun.dtaf.

This is the second UPS themed campaign that we’ve intercepted during June, 2012. In the first campaign, the cybercriminals used malicious .html attachments compared to directly linking to exploits and malware serving sites like we’ve seen in the latest campaign.

Webroot SecureAnywhere users are proactively protected from these threats.

You can find more about Dancho Danchev at his LinkedIn Profile. You can also follow him on  Twitter.


Trackbacks

  1. [...] Spamvertised ‘Your UPS delivery tracking’ emails serving client-side exploits and malware [...]

  2. [...] Spamvertised ‘Your UPS delivery tracking’ emails serving client-side exploits and malware [...]

  3. [...] seen in – “Spamvertised ‘Your UPS delivery tracking’ emails serving client-side exploits and malwar…“; “BofA ‘Online Banking Passcode Reset’ themed emails serve client-side exploits [...]

  4. [...] themed emails, serve client-side exploits and malware“ stafffire.net – seen in “Spamvertised ‘Your UPS delivery tracking’ emails serving client-side exploits and malware“; “BofA ‘Online Banking Passcode Reset’ themed emails serve client-side exploits [...]