December 27, 2012 By Dancho Danchev

Fake ‘UPS Delivery Confirmation Failed’ themed emails lead to Black Hole Exploit Kit

Continuing their well proven social engineering tactic of impersonating the market leading courier services, cybercriminals are currently mass mailing tens of thousands of emails impersonating UPS, in an attempt to trick users into clicking on the malicious links found in the legitimate-looking emails.

Once they click on the links, they’re automatically exposed to the client-side exploits served by the Black Hole Exploit kit.

More details:

Sample screenshot of the spamvertised email:

UPS_Package_Failed_Delivery_Email_Spam_Exploits_Black_Hole_Exploit_Kit

Sample spamvertised compromised URLs:
hxxp://www.aberdyn.fr/letter.htm
hxxp://www.aberdyn.fr/osc.htm

Sample client-side exploits serving URLs:
hxxp://apendiksator.ru:8080/forum/links/column.php
hxxp://sectantes-x.ru:8080/forum/links/column.php

Sample malicious payload dropping URL:
hxxp://sectantes-x.ru:8080/forum/links/column.php?uvt=0a04070634&wvqi=33&yrhsb=3307093738070736060b&vjppc=02000200020002

Client-side exploits served: CVE-2010-0188

Although we couldn’t reproduce the client-side exploitation taking place through these domains in the time of posting this analysis, we know that on 2012-09-27 one of the domains (sectantes-x.ru) also served client-side exploits, and dropped a particular piece of malware – MD5: 9f86a132c0a5f00705433632879a20b9 – detected by 27 out of 42 antivirus scanners as Trojan-Ransom.Win32.PornoAsset.abup.

Upon execution, the sample phones back to the following command and control servers:
178.77.76.102 (AS20773)
91.121.144.158 (AS16276)
213.135.42.98 (AS15396)
207.182.144.115 (AS10297)

More MD5s are known to have phoned back to the same IPs:
MD5: 7515448fa3aa1ee585311b80dab7ca87 – detected by 38 out of 44 antivirus scanners as Worm:Win32/Cridex.E
MD5: 92978246ab42f68c323c36e62593d4ee – detected by 31 out of 43 antivirus scanners as HEUR:Trojan.Win32.Invader
MD5: 19f481447e1adf70245582d4f4f5719c – detected by 40 out of 43 antivirus scanners as Worm:Win32/Cridex.E
MD5: 62825338329b0fa9f3ec8cc282154760 – detected by 41 out of 44 antivirus scanners as Worm:Win32/Cridex.E
MD5: 1b97e4021dc75a8cd8854aa61984dd44 – detected by 34 out of 43 antivirus scanners as Worm:Win32/Cridex.E
MD5: e09f719b6dde74972a810979812fdc01 – detected by 42 out of 46 antivirus scanners as Worm:Win32/Cridex.E

Malicious domain name reconnaissance:
apendiksator.ru – 91.224.135.20; 187.85.160.106; 210.71.250.131
Name server: ns1.apendiksator.ru – 62.76.186.24
Name server: ns2.apendiksator.ru – 110.164.58.250
Name server: ns3.apendiksator.ru – 42.121.116.38
Name server: ns4.apendiksator.ru – 41.168.5.140

sectantes-x.ru
Name server: ns1.sectantes-x.ru – 62.76.46.195
Name server: ns2.sectantes-x.ru – 87.120.41.155
Name server: ns3.sectantes-x.ru – 132.248.49.112
Name server: ns4.sectantes-x.ru – 91.194.122.8
Name server: ns5.sectantes-x.ru – 62.76.188.246

Responding to these IPs (91.224.135.20; 187.85.160.106; 210.71.250.131) are also the following malicious domains:
bunakaranka.ru – 91.224.135.20
afjdoospf.ru – 91.224.135.20
angelaonfl.ru – 91.224.135.20
akionokao.ru – 91.224.135.20
apendiksator.ru – 91.224.135.20
bilainkos.ru – 91.224.135.20

Name servers participating in the campaign’s infrastructure:
Name server: ns1.bunakaranka.ru – 62.76.186.24
Name server: ns2.bunakaranka.ru – 110.164.58.250
Name server: ns3.bunakaranka.ru – 42.121.116.38
Name server: ns4.bunakaranka.ru – 41.168.5.140
Name server: ns1.afjdoospf.ru – 62.76.186.24
Name server: ns2.afjdoospf.ru – 110.164.58.250
Name server: ns3.afjdoospf.ru – 42.121.116.38
Name server: ns4.afjdoospf.ru – 41.168.5.140
Name server: ns1.angelaonfl.ru – 62.76.186.24
Name server: ns2.angelaonfl.ru – 110.164.58.250
Name server: ns3.angelaonfl.ru – 42.121.116.38
Name server: ns4.angelaonfl.ru – 41.168.5.140
Name server: ns1.akionokao.ru – 62.76.186.24
Name server: ns2.akionokao.ru – 110.164.58.250
Name server: ns3.akionokao.ru – 42.121.116.38
Name server: ns4.akionokao.ru – 41.168.5.140
Name server: ns1.apendiksator.ru – 62.76.186.24
Name server: ns2.apendiksator.ru – 110.164.58.250
Name server: ns3.apendiksator.ru – 42.121.116.38
Name server: ns4.apendiksator.ru – 41.168.5.140
Name server: ns1.bilainkos.ru – 62.76.186.24
Name server: ns2.bilainkos.ru – 110.164.58.250
Name server: ns3.bilainkos.ru – 42.121.116.38
Name server: ns4.bilainkos.ru – 41.168.5.140

Webroot SecureAnywhere users are proactively protected from these threats.

You can find more about Dancho Danchev at his LinkedIn Profile. You can also follow him on  Twitter.

Share Button

Trackbacks

  1. […] researchers warn that spammers are up to their old tricks and are widely-spamming out fraudulent UPS notices to […]

true