February 18, 2014, by Dancho Danchev

Spamvertised ‘Image has been sent’ Evernote themed campaign serves client-side exploits

Cybercriminals continue to populate their botnets with newly infected hosts through the persistent and systematic spamvertising of tens of thousands of fake emails impersonating popular and well-known brands, all in an attempt to socially engineer prospective victims into interacting with the scam.

We’ve recently intercepted a currently circulating malicious spam campaign impersonating Evernote that serves client-side exploits to prospective victims who click on the links in the fake emails.

More details:

Sample screenshot of the spamvertised email: [image not preserved on this page]
Sample redirection chain: hxxp://nortonfire.co.uk/1.html -> hxxp://merdekapalace.com/1.txt -> hxxp://www.shivammehta.com/1.txt -> hxxp://ypawhygrawhorsemto.ru:8080/z4ql9huka0

Domain name reconnaissance for the fast-fluxed ypawhygrawhorsemto.ru:

Also responding to the same address (not preserved on this page) are the following malicious domains:
ypawhygrawhorsemto.ru
jolygoestobeinvester.ru
afrikanajirafselefant.biz
bakrymseeculsoxeju.ru
ozimtickugryssytchook.org
bydseekampoojopoopuboo.biz

Name servers used in the campaign:
Name server: ns1.ypawhygrawhorsemto.ru.
Name server: ns2.ypawhygrawhorsemto.ru.
Name server: ns3.ypawhygrawhorsemto.ru.
Name server: ns4.ypawhygrawhorsemto.ru.

Second sample redirection chain: hxxp://www.smithpointarchery.com/1.html -> hxxp://merdekapalace.com/1.txt -> hxxp://www.shivammehta.com/1.txt -> hxxp://opheevipshoopsimemu.ru:8080/dp2w4dvhe2

Detection rate for a sample served client-side exploit (detection figures not preserved on this page):
MD5: c81b2b9fbee87c6962299f066b983a46

Domain name reconnaissance for the fast-fluxed opheevipshoopsimemu.ru:

Name servers part of the campaign’s infrastructure:
Name server: ns1.opheevipshoopsimemu.ru.
Name server: ns2.opheevipshoopsimemu.ru.
Name server: ns3.opheevipshoopsimemu.ru.
Name server: ns4.opheevipshoopsimemu.ru.
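Both redirection chains above share one shape: a compromised site's /1.html hops through two intermediaries' /1.txt and lands on a fast-flux .ru domain on port 8080 with a random-looking path. The following added example (not code from the post or from Webroot) rebuilds such chains from constructed proxy-log lines by following Referer headers, then flags clients whose chain ends on a non-standard port with a random path or on one of the landing domains listed above. The log format, client addresses and the path regex are assumptions.

```python
import re
from collections import defaultdict

# Constructed proxy-log lines (not from the post): "client host port path referer".
# They replay the two redirection chains described above plus one benign request.
LOG_LINES = """\
10.0.0.5 nortonfire.co.uk 80 /1.html -
10.0.0.5 merdekapalace.com 80 /1.txt http://nortonfire.co.uk/1.html
10.0.0.5 www.shivammehta.com 80 /1.txt http://merdekapalace.com/1.txt
10.0.0.5 ypawhygrawhorsemto.ru 8080 /z4ql9huka0 http://www.shivammehta.com/1.txt
10.0.0.7 www.example.org 80 /index.html -
10.0.0.9 www.smithpointarchery.com 80 /1.html -
10.0.0.9 merdekapalace.com 80 /1.txt http://www.smithpointarchery.com/1.html
10.0.0.9 www.shivammehta.com 80 /1.txt http://merdekapalace.com/1.txt
10.0.0.9 opheevipshoopsimemu.ru 8080 /dp2w4dvhe2 http://www.shivammehta.com/1.txt
"""
KNOWN_BAD = {"ypawhygrawhorsemto.ru", "opheevipshoopsimemu.ru"}  # from the post
RANDOM_PATH = re.compile(r"^/[a-z0-9]{8,12}$")  # assumed shape of the landing path

def parse(lines):
    """Yield (client, host, port, path, referer) per log line."""
    for line in lines.strip().splitlines():
        client, host, port, path, referer = line.split()
        yield client, host, int(port), path, referer

def url_of(host, port, path):
    return f"http://{host}{'' if port == 80 else f':{port}'}{path}"

def rebuild_chains(entries):
    """Per client, follow Referer links forward from each chain start (referer '-')."""
    by_client = defaultdict(list)
    for e in entries:
        by_client[e[0]].append(e)
    chains = []
    for client, reqs in by_client.items():
        next_hop = {r[4]: r for r in reqs if r[4] != "-"}  # referer URL -> request
        for start in (r for r in reqs if r[4] == "-"):
            chain = [start]
            while len(chain) < 20 and url_of(*chain[-1][1:4]) in next_hop:  # loop guard
                chain.append(next_hop[url_of(*chain[-1][1:4])])
            chains.append((client, chain))
    return chains

def is_suspicious(chain):
    """3+ hops ending on a non-standard port with a random path, or on a known domain."""
    host, port, path = chain[-1][1:4]
    odd_landing = port not in (80, 443) and RANDOM_PATH.match(path) is not None
    return len(chain) >= 3 and (odd_landing or host in KNOWN_BAD)

def flagged_clients(lines=LOG_LINES):
    return sorted(c for c, chain in rebuild_chains(parse(lines)) if is_suspicious(chain))
```

The Referer walk is what matters: the first two hops look like ordinary requests to legitimate sites and only become interesting once the chain is seen as a whole.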

Webroot SecureAnywhere users are proactively protected from these threats.
