August 21, 2012 By Dancho Danchev

Cybercriminals spamvertise bogus greeting cards, serve exploits and malware

Think you’ve received an online greeting card from 123greetings.com? Think twice!

Over the past couple of days, cybercriminals have spamvertised millions of emails impersonating the popular e-card service 123greetings.com in an attempt to trick end and corporate users into clicking on client-side exploits and malware serving links, courtesy of the Black Hole web malware exploitation kit.

What’s so special about this campaign? Can we connect it to previously spamvertised campaigns profiled at Webroot’s Threat Blog? Let’s find out.

More details:

Screenshot of the spamvertised email:

Upon clicking on any of the links found in the malicious emails, users are exposed to the following bogus “Page loading…” page:

Obfuscated java script redirection:

Spamvertised malicious URLs: hxxp://bjflm.cn/postc.html; hxxp://minihotel74.com/pcard.html; hxxp://wowgame.net.cn/pcard.html; hxxp://phototula.ru/postc.html; hxxp://joanjoy.com/postc.htmlhxxp://akrepilaclama.org/wp-content/plugins/akismet/greet.html; hxxp://vinointhevalley.com/wp-content/plugins/akismet/greet.html

Client-side exploits serving URLs: hxxp://remindingwands.org/main.php?page=861097b084221fd8 – 78.87.123.114; hxxp://voicecontroldevotes.info/main.php?page=6df8994172330e77; hxxp://immigrationunix.pro/main.php?page=28677a727aff0456

Client-side exploits served: CVE-2010-1885

Upon sucessful exploitation, the campaign drops MD5: 42307705ad637c615a6ed5fbf1e755d1 – detected by 25 out of 42 antivirus scanners as Trojan.Win32.Yakes.ansm; Mal/Katusha-I.

Upon successful execution, the sample phones back to 87.120.41.155:8080/mx5/B/in

More MD5s are known to have phoned back to the same command and control server, such as for instance:

MD5: b11421acddbfc94544482d1846ba6d97
MD5: 4e0053fe00b65627c07dc8c85c85a351
MD5: 90d1b3367e97f384af029b0f1674f7ff
MD5: d2be252de958b7435279c6e8f270de4e

87.120.41.155 is actually a name server offering DNS resolving services to related malicious and command and control servers part of the campaign such as:
spb-koalitia.ru
onerussiaboard.ru
mysqlfordummys.ru
online-gaminatore.ru
leprisoruim.ru
switched-games.ru
ipadvssonyx.ru
online-cammunity.ru
zenedin-zidane.ru
porschedesignrussia.ru

Associated malicious name servers part of the campaign’s infrastructure:
ns1.spb-koalitia.ru – 62.76.190.208
ns2.spb-koalitia.ru – 203.172.140.202
ns3.spb-koalitia.ru – 87.120.41.155
ns4.spb-koalitia.ru – 173.224.208.60
ns5.spb-koalitia.ru – 62.76.188.138

ns1.onerussiaboard.ru – 62.76.190.208
ns2.onerussiaboard.ru – 203.172.140.202
ns3.onerussiaboard.ru – 87.120.41.155
ns4.onerussiaboard.ru – 173.224.208.60
ns5.onerussiaboard.ru – 62.76.188.138

ns1.mysqlfordummys.ru – 62.76.190.208
ns2.mysqlfordummys.ru – 203.172.140.202
ns3.mysqlfordummys.ru – 87.120.41.155
ns4.mysqlfordummys.ru – 173.224.208.60
ns5.mysqlfordummys.ru – 62.76.188.138

ns1.online-gaminatore.ru – 62.213.64.161
ns2.online-gaminatore.ru – 85.143.166.243
ns3.online-gaminatore.ru – 41.66.137.155
ns4.online-gaminatore.ru – 184.106.189.124
ns5.online-gaminatore.ru – 203.172.140.202
ns6.online-gaminatore.ru – 87.120.41.155

ns1.leprisoruim.ru – 62.76.190.208
ns2.leprisoruim.ru – 203.172.140.202
ns3.leprisoruim.ru – 87.120.41.155
ns4.leprisoruim.ru – 173.224.208.60
ns5.leprisoruim.ru – 62.76.188.138

ns1.switched-games.ru – 62.213.64.161
ns2.switched-games.ru – 85.143.166.243
ns3.switched-games.ru – 41.66.137.155
ns4.switched-games.ru – 184.106.189.124
ns5.switched-games.ru – 203.172.140.202
ns6.switched-games.ru – 87.120.41.155

ns1.ipadvssonyx.ru => 62.76.190.208
ns2.ipadvssonyx.ru => 203.172.140.202
ns3.ipadvssonyx.ru => 87.120.41.155
ns4.ipadvssonyx.ru => 173.224.208.60
ns5.ipadvssonyx.ru => 62.76.188.138

ns1.online-cammunity.ru – 62.76.190.208
ns2.online-cammunity.ru – 203.172.140.202
ns3.online-cammunity.ru – 87.120.41.155
ns4.online-cammunity.ru – 173.224.208.60
ns5.online-cammunity.ru – 62.76.188.138

ns1.zenedin-zidane.ru – 62.213.64.161
ns2.zenedin-zidane.ru – 85.143.166.243
ns3.zenedin-zidane.ru – 41.66.137.155
ns4.zenedin-zidane.ru – 184.106.189.124
ns5.zenedin-zidane.ru – 203.172.140.202
ns6.zenedin-zidane.ru – 87.120.41.155

ns1.porschedesignrussia.ru – 62.213.64.161
ns2.porschedesignrussia.ru – 85.143.166.243
ns3.porschedesignrussia.ru – 41.66.137.155
ns4.porschedesignrussia.ru – 184.106.189.124
ns5.porschedesignrussia.ru – 203.172.140.202
ns6.porschedesignrussia.ru – 87.120.41.155

Related client-side exploits and malware serving URLs spamvertised in the same campaign, also drop MD5: cd0aac6df71fa28d4564406a24f7e1a2 – detected by 28 out of 42 antivirus scanners as Gen:Variant.Zusy.15382; P2P-Worm.Win32.Palevo.fbvx

The second sample phones back to 87.204.199.100:8080/mx5/B/in/ not surprisingly, we’ve already seen this command and control server used in numerous profiled campaigns, such as, for instance, the AT&T Billing Center impersonation one, the Craigslist spam campaign, the PayPal spam campaign, the eBay spam campaign, and the American Airlines themed spam campaign.

Webroot SecureAnywhere users are proactively protected from these threats.

You can find more about Dancho Danchev at his LinkedIn Profile. You can also follow him on  Twitter.

Share Button
0 comments

Trackbacks

  1. […] already seen malware phoning back to the same IP (87.120.41.155) in the recently profiled “Cybercriminals spamvertise bogus greeting cards, serve exploits and malware“, and the “Spamvertised ‘Fwd: Scan from a Hewlett-Packard ScanJet’ emails […]

  2. […] In fact, we already seen another campaign using the same command and control server, namely, the malicious spam campaign impersonating 123greetings.com. Clearly, both of these campaigns are launched by the same cybercriminal/gang of […]

  3. […] Cybercriminals spamvertise bogus greeting cards, serve exploits and malware […]

  4. […] Remember the recently profiled 123greetings.com themed malicious campaign? […]

  5. […] the old fashion way this year.  To find out more information about e-card attacks, check out a Webroot blog post by Dancho Danchev and/or a great article about e-card scams posted by […]

true