Spamvertised ‘Fwd: Scan from a Hewlett-Packard ScanJet’ emails lead to Black Hole exploit kit

by

Share this news now.

Over the last couple of hours, cybercriminals have started spamvertising millions of emails pretending to be coming from HP ScanJet scanner, in an attempt to trick end and and corporate users into downloading and viewing the malicious .html attachment.

Upon viewing, the document loads the invisible iFrame script, ultimately redirecting the user to a landing URL courtesy of the Black Hole web malware exploitation kit.

More details:

The ongoing spam campaign is using both, zip attachments containing a malicious executable, and a malicious iFrame loading .html file. Let’s take a closer look at the dynamics behind the campaigns.

Spamvertised subject: Scan from a Hewlett-Packard ScanJet #[random number]

Client-side exploits serving URls: hxxp://mirdymas.ru:8080/forum/showthread.php?page=5fa58bce769e5c2chxxp://anapoli.ru:8080/forum/showthread.php?page=5fa58bce769e5c2c

Client-side exploits served: CVE-2010-0188CVE-2010-1885

Detection rate for a sample malicious .html attachment: MD5: 2e12ae0e2472bcd43e4f08e82faaf561 - detected by 16 out of 42 antivirus scanners as Trojan-Clicker.JS.Iframe.gr; Trojan:JS/BlacoleRef.W

Detection rate for a sample spamvertised malicious .zip archive: MD5: 41f6cd9df05fa7d880061651235d50e0 - detected by 30 out of 41 antivirus scanners as Trojan-Ransom.Win32.PornoAsset!IK; TrojanDownloader.Win32.Deliver.st.

Upon successful client-side exploitation, the campaign drops MD5: 4e0053fe00b65627c07dc8c85c85a351 – detected by 31 out of 42 antivirus scanners as Trojan.Generic.KDV.696365; Trojan.Win32.Yakes.antc; and MD5: 7fe4d2e52b6f3f22b2f168e8384a757e – detected by 28 out of 42 antivirus scanners as Trojan.Win32.Buzus.lxwt; Worm:Win32/Cridex.E.

Once executed, the samples phones back to 87.120.41.155:8080/mx5/in. In fact, we already seen another campaign using the same command and control server, namely, the malicious spam campaign impersonating 123greetings.com. Clearly, both of these campaigns are launched by the same cybercriminal/gang of cybercriminals.

Now let’s take a deeper look into the malicious Black Hole exploit kit landing URLs.

anapoli.ru – 50.56.92.47; 190.120.228.92; 203.80.16.81

Name servers part of the campaign’s infrastructure:
ns1.anapoli.ru – 85.143.166.186
ns2.anapoli.ru – 203.172.140.202
ns3.anapoli.ru – 87.120.41.155
ns4.anapoli.ru – 173.224.208.60
ns5.anapoli.ru – 132.248.49.112

Responding to the same IPs are the following malicious domains and command and control servers:
penelopochka.ru
sergikgorec.ru
kolmykiaonline.ru
mskoblastionline.ru
panalki.ru
flumifrator2unix.ru

mirdymas.ru – 71.89.140.153; 46.51.218.71; 203.80.16.81

Name servers part of the campaign’s infrastructure:
ns1.mirdymas.ru – 85.143.166.186
ns2.mirdymas.ru – 203.172.140.202
ns3.mirdymas.ru – 87.120.41.155
ns4.mirdymas.ru – 173.224.208.60
ns5.mirdymas.ru – 132.248.49.112

Responding to 71.89.140.153 are also the following malicious domains and command and control servers:
gorysevera.ru
pussyriotss.ru
spb-koalitia.ru
ashanrestaurant.ru
panamamoskow.ru
onerussiaboard.ru

We’ve already seen some of these domains in the recently profiled spam campaign that was impersonating 123greetings.com in an attempt to trick end and corporate users into clicking on exploits and malware serving links.

Related name servers used in the campaign’s infrastructure:

gorysevera.ru
ns1.gorysevera.ru – 62.76.190.208
ns2.gorysevera.ru – 203.172.140.202
ns3.gorysevera.ru – 87.120.41.155
ns4.gorysevera.ru – 173.224.208.60
ns5.gorysevera.ru – 132.248.49.112

pussyriotss.ru
ns1.pussyriotss.ru – 62.76.190.208
ns2.pussyriotss.ru – 203.172.140.202
ns3.pussyriotss.ru – 87.120.41.155
ns4.pussyriotss.ru – 173.224.208.60
ns5.pussyriotss.ru – 62.76.188.138

spb-koalitia.ru
ns1.spb-koalitia.ru – 62.76.190.208
ns2.spb-koalitia.ru – 203.172.140.202
ns3.spb-koalitia.ru – 87.120.41.155
ns4.spb-koalitia.ru – 173.224.208.60
ns5.spb-koalitia.ru – 62.76.188.138

ashanrestaurant.ru
ns1.ashanrestaurant.ru – 62.76.190.208
ns2.ashanrestaurant.ru – 203.172.140.202
ns3.ashanrestaurant.ru – 87.120.41.155
ns4.ashanrestaurant.ru – 173.224.208.60
ns5.ashanrestaurant.ru – 132.248.49.112

panamamoskow.ru
ns1.panamamoskow.ru – 62.76.190.208
ns2.panamamoskow.ru – 203.172.140.202
ns3.panamamoskow.ru – 87.120.41.155
ns4.panamamoskow.ru – 173.224.208.60
ns5.panamamoskow.ru – 62.76.188.138

onerussiaboard.ru
ns1.onerussiaboard.ru – 62.76.190.208
ns2.onerussiaboard.ru – 203.172.140.202
ns3.onerussiaboard.ru – 87.120.41.155
ns4.onerussiaboard.ru – 173.224.208.60
ns5.onerussiaboard.ru – 62.76.188.138

The last time we intercepted and profiled a similar campaign, was in March 2012. Back then, the malicious domains were fast-fluxed.

We’ll continue monitoring the development of the campaign, and update this post as soon as new developments emerge.

Webroot SecureAnywhere users are proactively protected from these threats.

You can find more about Dancho Danchev at his LinkedIn Profile. You can also follow him on  Twitter.


Share this news now.

Trackbacks

  1. [...] AND TRENDS FROM OUR INTERNET SECURITY EXPERTS « Beware of Fake Adobe Flash Apps Spamvertised ‘Fwd: Scan from a Hewlett-Packard ScanJet’ emails lead to Black Hole exploi… [...]

  2. [...] same IPs and command and control servers used in the recently profiled “Spamvertised ‘Fwd: Scan from a Hewlett-Packard ScanJet’ emails lead to Black Hole exploit kit” campaign. Based on this fact, we can conclude that these campaigns are operated by the same [...]

  3. [...] already seen these domains and IPs used in previously profiled campaigns such as the “Spamvertised ‘Fwd: Scan from a Hewlett-Packard ScanJet’ emails lead to Black Hole exploit kit“, and the “Cybercriminals impersonate Intuit Market, mass mail millions of exploits and [...]

  4. [...] Spamvertised ‘Fwd: Scan from a Hewlett-Packard ScanJet’ emails lead to Black Hole exploit kit [...]

  5. [...] Spamvertised ‘Fwd: Scan from a Hewlett-Packard ScanJet’ emails lead to Black Hole exploit kit [...]

  6. [...] a periodic basis, malicious cybercriminals spamvertise millions of emails attempting to trick end users into thinking that they’ve received a scanned document. Upon [...]