Spamvertised American Airlines themed emails lead to Black Hole exploit kit


American Airlines customers, watch where you click! Cybercriminals are currently spamvertising millions of emails impersonating the company in an attempt to trick end and corporate users into clicking on the malicious links found in the spamvertised email.

Once a link is clicked, the campaign redirects users to a Black Hole exploit kit landing URL, where client-side exploits are served against outdated third-party software and browser plugins.

More details:

Screenshots of a sample spamvertised email:

Once users click on any of the links in the spamvertised email, they are exposed to the following fake “Page loading…” page:

Spamvertised URLs: hxxp://luxify.net/wp-admin/aair.html redirects to hxxp://princess-sales.net/main.php?page=7e45713861176c6b (203.237.211.223) or hxxp://ghanarpower.net/main.php?page=8c6c59becaa0da07 (203.237.211.223)

Upon successful client-side exploitation of CVE-2010-1885, the Black Hole exploit kit drops the following sample on infected hosts: MD5: c70d309171d9844f331081b3c3d80ff

Detection rate: Detected by 25 out of 42 antivirus scanners as Trojan.Generic.KDV.664936; Worm:Win32/Cridex.E

Upon execution, the sample phones back to 210.56.23.100:8080/za/v_01_b/in/

Responding to 210.56.23.100 (AS7590, COMSATS Commission on Science and Technology for Sustainable Development in the South) are the following command and control servers:


The name server infrastructure for these domains is parked at the following IPs: 94.63.147.96; 171.25.190.249; 188.116.32.177
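Pulling the indicators from this post into a small proxy-log check, as an added example that is not part of the original post: it labels each stage of the chain (the compromised WordPress lure, the Black Hole landing URL with its `main.php?page=<16 hex>` pattern, and the beacon to 210.56.23.100:8080). The log format and the sample lines are constructed; only the hosts, paths and IP come from the post.

```python
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlsplit

# Indicators taken from the post above (hxxp:// defanging reversed for matching).
C2_HOST = "210.56.23.100"                                    # beacon destination
C2_PATH = "/za/v_01_b/in/"                                   # beacon URI path (port 8080)
LANDING_HOSTS = {"princess-sales.net", "ghanarpower.net", "203.237.211.223"}
LURE_PATH = "/wp-admin/aair.html"                            # lure on the compromised luxify.net site
# Black Hole landing URLs in this campaign look like main.php?page=<16 hex chars>
BHEK_LANDING = re.compile(r"/main\.php\?page=[0-9a-f]{16}$")

@dataclass
class Hit:
    line_no: int
    stage: str
    url: str

def classify(url: str) -> Optional[str]:
    """Return which stage of the infection chain a URL matches, or None."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    path_q = parts.path + ("?" + parts.query if parts.query else "")
    if host == C2_HOST and parts.port == 8080 and parts.path == C2_PATH:
        return "c2-beacon"
    if host in LANDING_HOSTS and BHEK_LANDING.search(path_q):
        return "bhek-landing"
    if parts.path == LURE_PATH:
        return "spam-lure-redirector"
    return None

def scan(lines: List[str]) -> List[Hit]:
    """Scan constructed 'timestamp client method url status' proxy lines for the chain."""
    hits = []
    for n, line in enumerate(lines, 1):
        fields = line.split()
        if len(fields) < 4:
            continue
        stage = classify(fields[3])
        if stage:
            hits.append(Hit(n, stage, fields[3]))
    return hits

# Constructed sample log: one client walks the whole chain; the last line is a near miss.
SAMPLE_LOG = [
    "1343000001 10.0.0.12 GET http://luxify.net/wp-admin/aair.html 302",
    "1343000002 10.0.0.12 GET http://princess-sales.net/main.php?page=7e45713861176c6b 200",
    "1343000003 10.0.0.12 GET http://www.example.com/index.html 200",
    "1343000009 10.0.0.12 POST http://210.56.23.100:8080/za/v_01_b/in/ 200",
    "1343000010 10.0.0.7 GET http://ghanarpower.net/main.php?page=zz 404",
]
```

Seeing the lure, landing and beacon stages from the same client within seconds is the signal worth alerting on; a lone hit on the lure URL may just be a user who clicked and was not exploited.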

Webroot SecureAnywhere users are proactively protected from this threat.

You can find more about Dancho Danchev at his LinkedIn Profile. You can also follow him on Twitter.


Trackbacks

  1. [...] execution the sample phones back to a well known command and control server - 87.204.199.100/mx5/B/in/ which we’ve already seen in several previously profiled [...]

  2. [...] Once executed, the sample phones back to hxxp://87.204.199.100:8080/mx5/B/in/. We’ve already seen the same command and control served used in several malware-serving campaigns, namely, the Craigslist spam campaign, the PayPal spam campaign, the eBay spam campaign, and the American Airlines themed spam campaign. [...]

  3. [...] The second sample phones back to 87.204.199.100:8080/mx5/B/in/; not surprisingly, we’ve already seen this command and control server used in numerous profiled campaigns, such as, for instance, the AT&T Billing Center impersonation one, the Craigslist spam campaign, the PayPal spam campaign, the eBay spam campaign, and the American Airlines themed spam campaign. [...]

  4. [...] The last time we came across this IP (210.56.23.100) was in July 2012’s analysis of yet another malicious campaign, this time impersonating American Airlines. [...]

  5. [...] Your Transaction is Aborted’ themed emails serve client-side exploits and malware”; “Spamvertised American Airlines themed emails lead to Black Hole exploit kit” malicious campaigns, indicating that these have all been launched by the same [...]