Cybercriminals are currently spamvertising tens of thousands of emails in an attempt to impersonate the recipients’ bank, tricking them into thinking that the Ministry of Finance in their country has introduced new rules for record keeping, and that they need to print and sign a non-existent document.

Once users click on the links found in the malicious emails, they’re automatically exposed to the client-side exploits served by the latest version of the Black Hole Exploit Kit.

More details:

[Image: sample screenshot of the spamvertised email]

Sample spamvertised compromised URLs: hxxp://procenter.se/stats/mail.htm?RANDOM_CHARACTERS ; hxxp://epk.cm.ru/sites/default/files/mail.htm?RANDOM_CHARACTERS

Sample client-side exploits serving URL: hxxp://apendiksator.ru:8080/forum/links/column.php

Malicious domain name reconnaissance:
apendiksator.ru – 91.224.135.20; 210.71.250.131; 187.85.160.106
Name server: ns1.apendiksator.ru – 62.76.186.24
Name server: ns2.apendiksator.ru – 110.164.58.250
Name server: ns3.apendiksator.ru – 42.121.116.38
Name server: ns4.apendiksator.ru – 41.168.5.140

The following malicious domains, part of the campaign’s infrastructure, also respond to the same IPs:
afjdoospf.ru – 91.224.135.20
angelaonfl.ru – 91.224.135.20
akionokao.ru – 91.224.135.20

The following malicious domains/URLs have also been known to respond to 187.85.160.106:
hxxp://bunakaranka.ru/
hxxp://bumarazhkaio.ru:8080/forum/links/public_version.php
hxxp://seledkindoms.ru:8080/forum/showthread.php?page=5fa58bce769e5c2c
hxxp://mazdaforumi.ru:8080/forum/w.php?f=182b5&e=2
hxxp://immerialtv.ru:8080/forum/files/182b5

Although we couldn’t reproduce the malicious payload at apendiksator.ru, we found that the malicious payload served by immerialtv.ru (known to have responded to the same IP) is identical to the sample with MD5 83db494b36bd38646e54210f6fdcbc0d, detected by 34 out of 42 antivirus scanners as VirTool:Win32/CeeInject. This MD5 was dropped in a previously profiled campaign, “Spamvertised ‘Your Amazon.com order confirmation’ emails serving client-side exploits and malware”, indicating that both of these campaigns are launched by the same cybercriminal or gang of cybercriminals.
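The shared-IP pivot used above to tie these domains together can be written as a short breadth-first search over (domain, IP) resolutions. This is an added example, not code from the original post: the `pivot` function and the `unrelated.example` control record are assumptions made for illustration, and the remaining resolutions are the ones listed above.

```python
from collections import defaultdict, deque

# (domain, IP) resolutions as listed in the post. The last row is a
# constructed, unrelated control record on a documentation address.
RESOLUTIONS = [
    ("apendiksator.ru", "91.224.135.20"),
    ("apendiksator.ru", "210.71.250.131"),
    ("apendiksator.ru", "187.85.160.106"),
    ("afjdoospf.ru", "91.224.135.20"),
    ("angelaonfl.ru", "91.224.135.20"),
    ("akionokao.ru", "91.224.135.20"),
    ("bunakaranka.ru", "187.85.160.106"),
    ("bumarazhkaio.ru", "187.85.160.106"),
    ("seledkindoms.ru", "187.85.160.106"),
    ("mazdaforumi.ru", "187.85.160.106"),
    ("immerialtv.ru", "187.85.160.106"),
    ("unrelated.example", "192.0.2.10"),  # constructed control
]

def pivot(seed, resolutions, max_hops=1):
    """Return {domain: (hops, shared_ip)} for domains linked to seed by shared IPs."""
    by_domain, by_ip = defaultdict(set), defaultdict(set)
    for domain, ip in resolutions:
        by_domain[domain.lower()].add(ip)
        by_ip[ip].add(domain.lower())
    seed = seed.lower()
    found, seen = {}, {seed}
    queue = deque([(seed, 0)])
    while queue:
        domain, hops = queue.popleft()
        if hops == max_hops:
            continue  # hop limit keeps the cluster from growing unchecked
        for ip in sorted(by_domain[domain]):
            for other in sorted(by_ip[ip]):
                if other not in seen:
                    seen.add(other)
                    found[other] = (hops + 1, ip)  # record the linking IP
                    queue.append((other, hops + 1))
    return found

if __name__ == "__main__":
    for domain, (hops, ip) in sorted(pivot("apendiksator.ru", RESOLUTIONS).items()):
        print(f"{domain}\thops={hops}\tvia {ip}")
```

A shared IP is only a lead, since shared hosting or a compromised server can put unrelated domains on the same address; the link is stronger when corroborated, as it is here by the matching payload MD5.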

Webroot SecureAnywhere users are proactively protected from these threats.

You can find more about Dancho Danchev at his LinkedIn Profile. You can also follow him on Twitter.
