‘Copies of Missing EPLI Policies’ themed emails lead to Black Hole Exploit Kit


Share this news now.

Attempting to achieve a higher click-through rate for their exploits and malware serving malicious campaign, cybercriminals are currently spamvertising millions of emails attempting to trick users into thinking they’ve become part of a private conversation about missing EPLI policies.

In reality, clicking on any of the links in the oddly formulated email will expose them to the client-side exploits served by the latest version of the Black Hole Exploit Kit.

More details:

Sample screenshot of the spamvertised email:

Sample spamvertised and compromised URLs used in the campaign: hxxp://visage.ie/catalog/infourl.htm; hxxp://www.dace.nul.usb.ve/infourl.htm; hxxp://www.radclivecumchackmore.org.uk/drupal/sites/default/files/infourl.htm; hxxp://www.sgsoluciones.com.ar/sites/default/files/infourl.htm; hxxp://www.mv-ettlingenweier.de/sites/default/files/infourl.htm; hxxp://lanhaituandui.com/infourl.htm; hxxp://www.mv-ettlingenweier.de/sites/default/files/infourl.htm; hxxp://www.radclivecumchackmore.org.uk/drupal/sites/default/files/infourl.htm; hxxp://erotictrust.info/sites/all/themes/infourl.htm; hxxp://www.cardissa.fr/sites/default/files/infourl.htm; hxxp://mercurycube.com/infourl.htm; hxxp://www.fest-for-alle.dk/infourl.htm; hxxp://www.catriders.com/infourl.htm

Sample client-side exploits serving URL: hxxp://monacofrm.ru:8080/forum/links/column.php

Malicious domain name reconnaissance:
monacofrm.ru –, AS24496;, AS24514;, AS40676
Name server: ns1.monacofrm.ru –
Name server: ns2.monacofrm.ru –
Name server: ns3.monacofrm.ru –
Name server: ns4.monacofrm.ru –

The following malicious domains also respond to these IPs:

We’ve already seen lemonadiom.ru in another malicious campaign – “‘Fwd: Scan from a Xerox W. Pro’ themed emails lead to Black Hole Exploit Kit“, as well as linkrdin.ru in the following malicious campaigns: “Fwd: Scan from a Xerox W. Pro’ themed emails lead to Black Hole Exploit Kit“; “Cybercriminals spamvertise bogus ‘Microsoft License Orders’ serve client-side exploits and malware“. Clearly, these campaigns are operated by the same cybercriminal/gang of cybercriminals.

Sample detection rate for the javascript redirector: MD5: 65077fafa6632a43015320272c6a5776 – detected by 10 out of 44 antivirus scanners as Mal/JSRedir-M

Sample detection rate for a live client-side exploit: hxxp://monacofrm.ru:8080/forum/data/spn2.jar – SHANIKA.jar – MD5: d44ffa6065298d8b87900a7b9b16a494 – detected by 10 out of 44 antivirus scanners as Exploit.Java.CVE-2012-5076.A

Upon successful client-side exploitation, the campaign drops MD5: eadc019f64bbc6c162631db2430cb9a7 – detected by 15 out of 44 antivirus scanners as Trojan-Spy.Win32.Zbot.gkjh

We also know is that on 2012-11-12 10:58:07, the following client-side exploits serving domain was also responding to the same IP ( - hxxp://canadianpanakota.ru:8080/forum/links/column.php. Upon successful client-side exploitation, this URL dropped MD5: 532bdd2565cae7b84cb26e4cf02f42a0 – detected by 33 out of 44 antivirus scanners as Worm:Win32/Cridex.E.

We’re also aware of two more client-side exploits serving domains responding to the same IP ( on 2012-11-15 19:49:33 – hxxp://investomanio.ru/forum/links/public_version.php, and on the 2012-11-15 04:40:06 – hxxp://veneziolo.ru/forum/links/column.php.

Name servers part of the campaign’s infrastructure:
Name server: ns1.canadianpanakota.ru –
Name server: ns2.canadianpanakota.ru –
Name server: ns3.canadianpanakota.ru –
Name server: ns4.canadianpanakota.ru –
Name server: ns1.lemonadiom.ru –
Name server: ns2.lemonadiom.ru –
Name server: ns3.lemonadiom.ru –
Name server: ns4.lemonadiom.ru –
Name server: ns1.peneloipin.ru –
Name server: ns2.peneloipin.ru –
Name server: ns3.peneloipin.ru –
Name server: ns4.peneloipin.ru –
Name server: ns1.veneziolo.ru –
Name server: ns2.veneziolo.ru –
Name server: ns3.veneziolo.ru –
Name server: ns4.veneziolo.ru –
Name server: ns1.forumibiza.ru –
Name server: ns2.forumibiza.ru –
Name server: ns3.forumibiza.ru –
Name server: ns4.forumibiza.ru –
Name server: ns1.controlleramo.ru –
Name server: ns2.controlleramo.ru –
Name server: ns3.controlleramo.ru –
Name server: ns4.controlleramo.ru –
Name server: ns1.moneymakergrow.ru –
Name server: ns2.moneymakergrow.ru –
Name server: ns3.moneymakergrow.ru –
Name server: ns04.moneymakergrow.ru –
Name server: ns1.fionadix.ru –
Name server: ns2.fionadix.ru –
Name server: ns3.fionadix.ru –
Name server: ns4.fionadix.ru –
Name server: ns1.linkrdin.ru –
Name server: ns2.linkrdin.ru –
Name server: ns3.linkrdin.ru –
Name server: ns4.linkrdin.ru –
Name server: ns1.geforceexlusive.ru –
Name server: ns2.geforceexlusive.ru –
Name server: ns3.geforceexlusive.ru –
Name server: ns4.geforceexlusive.ru –

Webroot SecureAnywhere users are proactively protected from these threats.

You can find more about Dancho Danchev at his LinkedIn Profile. You can also follow him on  Twitter.

Share this news now.


  1. [...] – seen in “‘Copies of Missing EPLI Policies’ themed emails lead to Black Hole Exploit Kit“ investomanio.ru – seen in “‘Copies of Missing EPLI Policies’ [...]

  2. [...] already seen the same domain used in another malicious attack - ”‘Copies of Missing EPLI Policies’ themed emails lead to Black Hole Exploit Kit“, indicating that they’ve been both launched by the same [...]

  3. [...] – seen in – “‘Copies of Missing EPLI Policies’ themed emails lead to Black Hole Exploit Kit“ limonadiksec.ru – seen in – “‘Regarding your Friendster password’ [...]

  4. [...] themed emails lead to Black Hole Exploit Kit“ fionadix.ru – seen in – “‘Copies of Missing EPLI Policies’ themed emails lead to Black Hole Exploit Kit“; “Bogus ‘Intuit Software Order Confirmations’ lead to Black Hole Exploit [...]