‘Copies of Missing EPLI Policies’ themed emails lead to Black Hole Exploit Kit


To raise the click-through rate of their malicious campaign, which serves exploits and malware, cybercriminals are currently spamvertising millions of emails that attempt to trick users into thinking they’ve become part of a private conversation about missing EPLI policies.

In reality, clicking on any of the links in the oddly formulated email will expose them to the client-side exploits served by the latest version of the Black Hole Exploit Kit.

More details:

Sample screenshot of the spamvertised email:

Sample spamvertised and compromised URLs used in the campaign: hxxp://visage.ie/catalog/infourl.htm; hxxp://www.dace.nul.usb.ve/infourl.htm; hxxp://www.radclivecumchackmore.org.uk/drupal/sites/default/files/infourl.htm; hxxp://www.sgsoluciones.com.ar/sites/default/files/infourl.htm; hxxp://www.mv-ettlingenweier.de/sites/default/files/infourl.htm; hxxp://lanhaituandui.com/infourl.htm; hxxp://erotictrust.info/sites/all/themes/infourl.htm; hxxp://www.cardissa.fr/sites/default/files/infourl.htm; hxxp://mercurycube.com/infourl.htm; hxxp://www.fest-for-alle.dk/infourl.htm; hxxp://www.catriders.com/infourl.htm

Sample client-side exploits serving URL: hxxp://monacofrm.ru:8080/forum/links/column.php

Malicious domain name reconnaissance:
monacofrm.ru – AS24496; AS24514; AS40676
Name server: ns1.monacofrm.ru –
Name server: ns2.monacofrm.ru –
Name server: ns3.monacofrm.ru –
Name server: ns4.monacofrm.ru –

The following malicious domains also respond to these IPs:

We’ve already seen lemonadiom.ru in another malicious campaign – “‘Fwd: Scan from a Xerox W. Pro’ themed emails lead to Black Hole Exploit Kit” – as well as linkrdin.ru in the following malicious campaigns: “‘Fwd: Scan from a Xerox W. Pro’ themed emails lead to Black Hole Exploit Kit”; “Cybercriminals spamvertise bogus ‘Microsoft License Orders’ serve client-side exploits and malware”. Clearly, these campaigns are operated by the same cybercriminal or gang of cybercriminals.

Sample detection rate for the JavaScript redirector: MD5: 65077fafa6632a43015320272c6a5776 – detected by 10 out of 44 antivirus scanners as Mal/JSRedir-M

Sample detection rate for a live client-side exploit: hxxp://monacofrm.ru:8080/forum/data/spn2.jar – SHANIKA.jar – MD5: d44ffa6065298d8b87900a7b9b16a494 – detected by 10 out of 44 antivirus scanners as Exploit.Java.CVE-2012-5076.A

Upon successful client-side exploitation, the campaign drops MD5: eadc019f64bbc6c162631db2430cb9a7 – detected by 15 out of 44 antivirus scanners as Trojan-Spy.Win32.Zbot.gkjh

We also know that on 2012-11-12 10:58:07, the following client-side exploits serving domain was also responding to the same IP ( – hxxp://canadianpanakota.ru:8080/forum/links/column.php. Upon successful client-side exploitation, this URL dropped MD5: 532bdd2565cae7b84cb26e4cf02f42a0 – detected by 33 out of 44 antivirus scanners as Worm:Win32/Cridex.E.

We’re also aware of two more client-side exploits serving domains responding to the same IP ( on 2012-11-15 19:49:33 – hxxp://investomanio.ru/forum/links/public_version.php, and on 2012-11-15 04:40:06 – hxxp://veneziolo.ru/forum/links/column.php.
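As an added example that is not part of the original post, the following Python sketch turns the URL patterns and hashes listed above into a simple detection pass over proxy logs: it classifies each request as redirector, Black Hole landing page or Java exploit fetch, and reports clients that reached a landing page. The log lines are constructed for illustration; a real deployment would feed it the organisation’s own proxy records.

```python
import re
from collections import defaultdict

# Constructed proxy log lines (not from the post): timestamp, client IP, URL.
SAMPLE_LOG = """\
2012-11-15T09:01:02 10.0.0.7 http://www.sgsoluciones.com.ar/sites/default/files/infourl.htm
2012-11-15T09:01:04 10.0.0.7 http://monacofrm.ru:8080/forum/links/column.php
2012-11-15T09:01:09 10.0.0.7 http://monacofrm.ru:8080/forum/data/spn2.jar
2012-11-15T09:05:00 10.0.0.9 http://example.org/news/index.htm
2012-11-15T09:06:13 10.0.0.9 http://veneziolo.ru/forum/links/column.php
"""

# Patterns drawn from the URLs the post lists: the redirector page dropped on
# compromised sites, and the Black Hole landing and exploit-serving paths.
REDIRECTOR = re.compile(r"/infourl\.htm$")
LANDING = re.compile(r"^https?://[^/]+/forum/links/(column|public_version)\.php$")
EXPLOIT_JAR = re.compile(r"^https?://[^/]+/forum/data/[^/]+\.jar$")

# MD5s the post reports for the redirector, the Java exploit and the payloads.
KNOWN_MD5 = {
    "65077fafa6632a43015320272c6a5776": "Mal/JSRedir-M",
    "d44ffa6065298d8b87900a7b9b16a494": "Exploit.Java.CVE-2012-5076.A",
    "eadc019f64bbc6c162631db2430cb9a7": "Trojan-Spy.Win32.Zbot.gkjh",
    "532bdd2565cae7b84cb26e4cf02f42a0": "Worm:Win32/Cridex.E",
}


def classify(url):
    """Return the stage of the infection chain a URL matches, or None."""
    if REDIRECTOR.search(url):
        return "redirector"
    if LANDING.match(url):
        return "landing"
    if EXPLOIT_JAR.match(url):
        return "exploit"
    return None


def find_chains(log_text):
    """Group suspicious hits per client; keep clients that reached a landing page."""
    stages = defaultdict(list)
    for line in log_text.splitlines():
        ts, client, url = line.split()
        stage = classify(url)
        if stage:
            stages[client].append((ts, stage, url))
    return {c: hits for c, hits in stages.items()
            if any(s == "landing" for _, s, _ in hits)}


def label_hash(md5):
    """Map a file hash seen on an endpoint to the post's detection name, if known."""
    return KNOWN_MD5.get(md5.lower())
```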

Name servers part of the campaign’s infrastructure:

Webroot SecureAnywhere users are proactively protected from these threats.

You can find more about Dancho Danchev at his LinkedIn Profile. You can also follow him on Twitter.
