Malicious ‘RE: Your Wire Transfer’ themed emails serve client-side exploits and malware


Over the last couple of days, we’ve been monitoring a persistent attempt to infect tens of thousands of users with malware through a systematic rotation of multiple social engineering themes. What all of these campaigns have in common is the fact that they all share the same malicious infrastructure.

Let’s profile one of the most recently spamvertised campaigns and expose the cybercriminals’ complete portfolio of malicious domains, their related name servers, the dropped MD5 and its associated runtime behavior.

More details:

Sample screenshot of the spamvertised email (image not reproduced here).

Sample spamvertised compromised URLs:
hxxp://2555.ruksadindan.com/page-329.htm
hxxp://www.athenassoftware.com.br/page-329.htm
hxxp://www.sweetgarden.ca/page-329.htm
hxxp://lab.monohrom.uz/page-329.htm
hxxp://easy2winpoker.com/page-329.htm
hxxp://ideashtor.ru/page-329.htm

Sample client-side exploits serving URL:
hxxp://202.72.245.146:8080/forum/links/public_version.php

The following malicious domains also respond to the same IP (202.72.245.146) and are part of multiple campaigns spamvertised over the past couple of days:

Related Name Servers (part of the infrastructure of these campaigns):
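As an added example (not part of the original post), the following Python script parses name-server records in the "Name server: host – IP" format used above and clusters domains that share name-server IPs, which is how the "same malicious infrastructure" claim can be checked in practice. The sample records are constructed from a few of the entries listed above plus an unrelated control domain (example-unrelated.test, 198.51.100.7) that should not join the cluster.

```python
import re
from collections import defaultdict

# Constructed sample in the post's own record format: a few of the listed
# name servers plus one unrelated control domain that shares nothing.
SAMPLE_NS_RECORDS = """\
Name server: ns1.enakinukia.ru – 85.143.166.174
Name server: ns2.enakinukia.ru – 41.168.5.140
Name server: ns1.esigbsoahd.ru – 62.76.40.244
Name server: ns2.esigbsoahd.ru – 41.168.5.140
Name server: ns5.esigbsoahd.ru – 203.171.234.53
Name server: ns1.bananamamor.ru – 62.76.186.24
Name server: ns2.bananamamor.ru – 41.168.5.140
Name server: ns1.example-unrelated.test – 198.51.100.7
"""

# Accepts either an en dash or a plain hyphen between host and IP.
NS_LINE = re.compile(r"^Name server:\s*(\S+)\s*[–-]\s*(\d{1,3}(?:\.\d{1,3}){3})\s*$")


def parse_ns_records(text):
    """Return a list of (ns_host, domain, ip) tuples, skipping unparseable lines."""
    records = []
    for line in text.splitlines():
        m = NS_LINE.match(line.strip())
        if not m:
            continue
        host, ip = m.groups()
        domain = host.split(".", 1)[1]  # drop the nsN label, keep the zone
        records.append((host, domain, ip))
    return records


def domains_by_ns_ip(records):
    """Index: name-server IP -> set of domains whose name servers resolve there."""
    index = defaultdict(set)
    for _, domain, ip in records:
        index[ip].add(domain)
    return index


def shared_infrastructure(records, min_domains=2):
    """IPs serving name servers for at least min_domains distinct domains."""
    index = domains_by_ns_ip(records)
    return {ip: sorted(d) for ip, d in index.items() if len(d) >= min_domains}


def cluster_domains(records):
    """Connected components: two domains are linked (transitively) when any of
    their name servers resolve to the same IP. Uses a small union-find."""
    parent = {}

    def find(x):
        while parent.setdefault(x, x) != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    for domains in domains_by_ns_ip(records).values():
        domains = sorted(domains)
        for d in domains:
            parent[find(d)] = find(domains[0])
    clusters = defaultdict(set)
    for _, domain, _ in records:
        clusters[find(domain)].add(domain)
    return sorted(sorted(c) for c in clusters.values())
```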

Sample malicious payload dropping URL:
hxxp://202.72.245.146:8080/forum/links/public_version.php?mmltejvt=1g:2v:33:2v:2w&pstvw=3d&xrej=1j:33:32:1l:1g:1i:1o:1n:1o:1i&vczaspnq=1n:1d:1f:1d:1f:1d:1j:1k:1l

Sample client-side exploits served: CVE-2010-0188

Upon successful client-side exploitation, the campaign drops MD5: 04e9d4167c9a1b82e622e04ad85f8e99 – detected by 31 out of 46 antivirus scanners as Trojan.Win32.Yakes.cdxy.

Once executed, the sample creates the following registry keys:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\MediaResources\msvideo
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\MediaResources\msvideo
HKEY_CURRENT_USER\Software\Microsoft\Multimedia\DrawDib

And modifies them in the following way:
[HKEY_CURRENT_USER\Software\Microsoft\Multimedia\DrawDib] -> vga.drv 640x480x32(BGR 0) = "31,31,31,31"
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon] -> shell = "explorer.exe,%AppData%\skype.dat"
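As an added example (not code from the post), a Python check for the Winlogon Shell persistence described above: it parses a .reg export, constructed here to reproduce the modified values, and flags any Shell entry other than explorer.exe, noting when the extra entry points into a user-writable location such as %AppData%. The minimal .reg parser handles only plain string values and is an assumption of this example.

```python
import re

# Constructed .reg export reproducing the modification described above.
# In .reg syntax, backslashes inside string values are doubled.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"shell"="explorer.exe,%AppData%\\skype.dat"

[HKEY_CURRENT_USER\Software\Microsoft\Multimedia\DrawDib]
"vga.drv 640x480x32(BGR 0)"="31,31,31,31"
'''

WINLOGON_KEYS = (
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon",
)
# Locations a standard user can write to; a shell entry there is a strong signal.
USER_WRITABLE = ("%appdata%", "%localappdata%", "%temp%", "%userprofile%")

REG_STRING_VALUE = re.compile(r'"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def parse_reg_export(text):
    """Minimal parser for string values in a .reg export: key (lowercased) -> {name: value}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
        elif current and line.startswith('"'):
            m = REG_STRING_VALUE.match(line)
            if m:
                # Undo the .reg escaping of backslashes and quotes.
                name, value = (s.replace('\\\\', '\\').replace('\\"', '"') for s in m.groups())
                keys[current][name] = value
    return keys


def check_winlogon_shell(keys):
    """Return (key, entry, reason) for every Shell entry that is not explorer.exe."""
    findings = []
    for key in WINLOGON_KEYS:
        values = keys.get(key.lower(), {})
        shell = next((v for n, v in values.items() if n.lower() == "shell"), None)
        if shell is None:
            continue  # key absent or Shell not set: Windows uses the default
        for entry in (e.strip() for e in shell.split(",")):
            if not entry or entry.lower() == "explorer.exe":
                continue
            reason = "extra Winlogon shell entry"
            if any(entry.lower().startswith(p) for p in USER_WRITABLE):
                reason += " in user-writable location"
            findings.append((key, entry, reason))
    return findings
```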

Once executed, the sample phones back to the following URLs:

Webroot SecureAnywhere users are proactively protected from these threats.

You can find more about Dancho Danchev at his LinkedIn Profile. You can also follow him on Twitter.


Trackbacks

  1. [...] resumed spamvertising tens of thousands of emails, in an attempt to trick users that they have a pending wire transfer. Once users click on any of the links found in the malicious emails, they’re exposed to the [...]

  2. [...] The command and control IP (203.171.234.53) used to respond to a Name Server in a previously profiled malicious campaign – “Malicious ‘RE: Your Wire Transfer’ themed emails serve client-side exploits and malware”. [...]