Remember the ‘Your order confirmation’ client-side exploits and malware serving campaign which I profiled earlier this week?

It appears that the gang behind it is back with another campaign, this time impersonating PayPal. For the time being, another round consisting of millions of malicious emails is circulating in the wild, enticing end and corporate users into clicking on malicious links found in the emails.

More details:

Screenshots of the spamvertised emails:

Upon clicking on the link, users are exposed to the following page:

In the background, the malicious script loads and performs several redirections until exposing the user to the malicious payload.

Sample compromised URLs participating in the campaign: hxxp://

Both of these URLs redirect to hxxp:// Surprise, surprise, we’ve already seen this malicious URL in the ‘Your order confirmation’ client-side exploits and malware serving campaign profiled earlier this week.

Upon successful client-side exploitation, the campaign drops the following sample, MD5: 49f91a1597bc4dd25d3d23302125dae7 – detected by 8 out of 42 antivirus scanners as PWS-Zbot.gen.xs; W32/Injector.AQSI

Upon execution, the sample creates a new file on the system – %AppData%KB00121600.exe – MD5: 49F91A1597BC4DD25D3D23302125DAE7 – detected by 27 out of 42 antivirus scanners as Trojan-Dropper.Win32.Dapato.bigc
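For responders who want to sweep a machine for the file indicators listed above, here is a small host check. It is an added example, not code from the post or from Webroot: it hashes every file under a directory in chunks and flags anything whose MD5 matches the hash reported above or whose name matches the dropped file name. The `%AppData%` lookup via the `APPDATA` variable is an assumption about the scanned host; when that variable is absent (non-Windows), the script builds a constructed demo tree so it still runs offline.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Indicators taken from the post: the MD5 reported for the served payload (and for the
# file it writes under %AppData%), plus the dropped file name. Compared case-insensitively.
KNOWN_MD5 = {"49f91a1597bc4dd25d3d23302125dae7"}
KNOWN_FILENAMES = {"kb00121600.exe"}


def md5_of_file(path, chunk_size=1 << 16):
    """Return the hex MD5 of a file, reading it in chunks so large files don't load into memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def sweep(root):
    """Walk `root` and return (path, md5, matched_indicators) for every file hitting an indicator.

    matched_indicators is a comma-joined string such as "filename" or "filename,md5".
    """
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            reasons = []
            if name.lower() in KNOWN_FILENAMES:
                reasons.append("filename")
            try:
                digest = md5_of_file(path)
            except OSError:
                # unreadable/locked file: skip rather than abort the whole sweep
                continue
            if digest.lower() in KNOWN_MD5:
                reasons.append("md5")
            if reasons:
                hits.append((path, digest, ",".join(reasons)))
    return hits


def appdata_root():
    """Assumption: on Windows the APPDATA environment variable points at %AppData%."""
    return os.environ.get("APPDATA")


def build_demo_tree():
    """Constructed sample tree: one benign file and one file carrying the dropper's name.

    The placeholder content is NOT the real sample, so only the filename indicator fires.
    """
    root = tempfile.mkdtemp(prefix="ioc_demo_")
    Path(root, "notes.txt").write_bytes(b"benign content")
    Path(root, "KB00121600.exe").write_bytes(b"constructed placeholder, not the real sample")
    return root


if __name__ == "__main__":
    scan_root = appdata_root() or build_demo_tree()
    for hit_path, hit_md5, matched in sweep(scan_root):
        print(f"HIT {hit_path} md5={hit_md5} matched={matched}")
```

A filename-only hit is worth triage but not proof on its own; a hash hit on the MD5 above is the stronger signal, and either should be followed by looking for the callback traffic described in the next paragraph.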

It also phones back to the same C&C server used in the ‘Your order confirmation’ campaign, namely, hxxp://

Webroot SecureAnywhere users are proactively protected from this threat. We predict that we’re going to see more brands systematically impersonated by the same gang, in an attempt to serve malware through exploitation of client-side vulnerabilities.

You can find more about Dancho Danchev at his LinkedIn Profile. You can also follow him on Twitter.
