Cybercriminals are currently spamvertising millions of emails impersonating United Parcel Service (UPS) in an attempt to trick end and corporate users into clicking on exploits and malware serving links found in the malicious emails. What exploits are they using? How widespread is the campaign? Is it an isolated incident, or is the campaign linked to more malicious activity?

More details:

Screenshots of the spamvertised campaign:

Upon clicking on the link, users are exposed to the following bogus page displaying additional information about the package:

Sample spamvertised malicious URLs: hxxp://

Detection rate for the client-side exploit serving page: devil.html – MD5: f9a47465f88bb76d1987fba6ffc72db7 – detected by 2 out of 42 antivirus scanners as JS/Obfuscus.AACB!tr; HEUR:Trojan.Script.Generic

Client-side exploitation chain: hxxp:// -> hxxp://

Second client-side exploitation chain seen in the same campaign: hxxp:// -> hxxp://

Upon clicking on the link, the campaign is serving client-side exploits using the Black Hole web malware exploitation kit, and in this particular campaign it’s attempting to exploit CVE-2010-1885 and CVE-2012-0507.

Once the client-side exploitation takes place, the campaign drops MD5: 202d24597758dc5f190bf63527712af0 – detected by 2 out of 42 antivirus scanners as Trojan/Win32.Hrup; Suspicious.Cloud.5

Info on the client-side exploit serving domain: –;; name servers: NS1.GRAPECOMPUTERS.NET; NS2.GRAPECOMPUTERS.NET – Email:

The following malware-serving domains are also using the same name servers:

Info on the second client-side exploits serving domain observed in the campaign: – (known to have also responding to ( – Email: Name servers:,

More domains known to be using the same name servers as

Client-side exploitation chain: hxxp:// -> hxxp://

Upon successful client-side exploitation the second malicious URL drops MD5: 5e187c293a563968dd026fae02194cfa, detected by 3 out of 42 antivirus scanners as PAK_Generic.001. Upon execution it creates the following file:

%AppData%KB00121600.exe – MD5: 5E187C293A563968DD026FAE02194CFA – detected by 3 out of 42 antivirus scanners as PAK_Generic.001

Upon execution, the sample phones back to on port 8080. Another sample is known to have phoned back to the same URL, namely, MD5: 108F10F0921F2B4FCA87FE6E620D21EF which phones back to:


u2006a.exe has a MD5 of MD5: c5fcee018e9b80a2574d98189684ba2a, and is detected by 4 out of 42 antivirus scanners as Worm.Win32.AutoRun.dtaf.

This is the second UPS themed campaign that we’ve intercepted during June, 2012. In the first campaign, the cybercriminals used malicious .html attachments compared to directly linking to exploits and malware serving sites like we’ve seen in the latest campaign.

Webroot SecureAnywhere users are proactively protected from these threats.

You can find more about Dancho Danchev at his LinkedIn Profile. You can also follow him on  Twitter.

Blog Staff

About the Author

Blog Staff

The Webroot blog offers expert insights and analysis into the latest cybersecurity trends. Whether you’re a home or business user, we’re dedicated to giving you the awareness and knowledge needed to stay ahead of today’s cyber threats.

Share This