Over the last couple of hours, cybercriminals have started spamvertising millions of emails pretending to be coming from HP ScanJet scanner, in an attempt to trick end and and corporate users into downloading and viewing the malicious .html attachment.

Upon viewing, the document loads the invisible iFrame script, ultimately redirecting the user to a landing URL courtesy of the Black Hole web malware exploitation kit.

More details:

The ongoing spam campaign is using both, zip attachments containing a malicious executable, and a malicious iFrame loading .html file. Let’s take a closer look at the dynamics behind the campaigns.

Spamvertised subject: Scan from a Hewlett-Packard ScanJet #[random number]

Client-side exploits serving URls: hxxp://mirdymas.ru:8080/forum/showthread.php?page=5fa58bce769e5c2chxxp://anapoli.ru:8080/forum/showthread.php?page=5fa58bce769e5c2c

Client-side exploits served: CVE-2010-0188CVE-2010-1885

Detection rate for a sample malicious .html attachment: MD5: 2e12ae0e2472bcd43e4f08e82faaf561 – detected by 16 out of 42 antivirus scanners as Trojan-Clicker.JS.Iframe.gr; Trojan:JS/BlacoleRef.W

Detection rate for a sample spamvertised malicious .zip archive: MD5: 41f6cd9df05fa7d880061651235d50e0 – detected by 30 out of 41 antivirus scanners as Trojan-Ransom.Win32.PornoAsset!IK; TrojanDownloader.Win32.Deliver.st.

Upon successful client-side exploitation, the campaign drops MD5: 4e0053fe00b65627c07dc8c85c85a351 – detected by 31 out of 42 antivirus scanners as Trojan.Generic.KDV.696365; Trojan.Win32.Yakes.antc; and MD5: 7fe4d2e52b6f3f22b2f168e8384a757e – detected by 28 out of 42 antivirus scanners as Trojan.Win32.Buzus.lxwt; Worm:Win32/Cridex.E.

Once executed, the samples phones back to 87.120.41.155:8080/mx5/in. In fact, we already seen another campaign using the same command and control server, namely, the malicious spam campaign impersonating 123greetings.com. Clearly, both of these campaigns are launched by the same cybercriminal/gang of cybercriminals.

Now let’s take a deeper look into the malicious Black Hole exploit kit landing URLs.

anapoli.ru – 50.56.92.47; 190.120.228.92; 203.80.16.81

Name servers part of the campaign’s infrastructure:
ns1.anapoli.ru – 85.143.166.186
ns2.anapoli.ru – 203.172.140.202
ns3.anapoli.ru – 87.120.41.155
ns4.anapoli.ru – 173.224.208.60
ns5.anapoli.ru – 132.248.49.112

Responding to the same IPs are the following malicious domains and command and control servers:
penelopochka.ru
sergikgorec.ru
kolmykiaonline.ru
mskoblastionline.ru
panalki.ru
flumifrator2unix.ru

mirdymas.ru – 71.89.140.153; 46.51.218.71; 203.80.16.81

Name servers part of the campaign’s infrastructure:
ns1.mirdymas.ru – 85.143.166.186
ns2.mirdymas.ru – 203.172.140.202
ns3.mirdymas.ru – 87.120.41.155
ns4.mirdymas.ru – 173.224.208.60
ns5.mirdymas.ru – 132.248.49.112

Responding to 71.89.140.153 are also the following malicious domains and command and control servers:
gorysevera.ru
pussyriotss.ru
spb-koalitia.ru
ashanrestaurant.ru
panamamoskow.ru
onerussiaboard.ru

We’ve already seen some of these domains in the recently profiled spam campaign that was impersonating 123greetings.com in an attempt to trick end and corporate users into clicking on exploits and malware serving links.

Related name servers used in the campaign’s infrastructure:

gorysevera.ru
ns1.gorysevera.ru – 62.76.190.208
ns2.gorysevera.ru – 203.172.140.202
ns3.gorysevera.ru – 87.120.41.155
ns4.gorysevera.ru – 173.224.208.60
ns5.gorysevera.ru – 132.248.49.112

pussyriotss.ru
ns1.pussyriotss.ru – 62.76.190.208
ns2.pussyriotss.ru – 203.172.140.202
ns3.pussyriotss.ru – 87.120.41.155
ns4.pussyriotss.ru – 173.224.208.60
ns5.pussyriotss.ru – 62.76.188.138

spb-koalitia.ru
ns1.spb-koalitia.ru – 62.76.190.208
ns2.spb-koalitia.ru – 203.172.140.202
ns3.spb-koalitia.ru – 87.120.41.155
ns4.spb-koalitia.ru – 173.224.208.60
ns5.spb-koalitia.ru – 62.76.188.138

ashanrestaurant.ru
ns1.ashanrestaurant.ru – 62.76.190.208
ns2.ashanrestaurant.ru – 203.172.140.202
ns3.ashanrestaurant.ru – 87.120.41.155
ns4.ashanrestaurant.ru – 173.224.208.60
ns5.ashanrestaurant.ru – 132.248.49.112

panamamoskow.ru
ns1.panamamoskow.ru – 62.76.190.208
ns2.panamamoskow.ru – 203.172.140.202
ns3.panamamoskow.ru – 87.120.41.155
ns4.panamamoskow.ru – 173.224.208.60
ns5.panamamoskow.ru – 62.76.188.138

onerussiaboard.ru
ns1.onerussiaboard.ru – 62.76.190.208
ns2.onerussiaboard.ru – 203.172.140.202
ns3.onerussiaboard.ru – 87.120.41.155
ns4.onerussiaboard.ru – 173.224.208.60
ns5.onerussiaboard.ru – 62.76.188.138

The last time we intercepted and profiled a similar campaign, was in March 2012. Back then, the malicious domains were fast-fluxed.

We’ll continue monitoring the development of the campaign, and update this post as soon as new developments emerge.

Webroot SecureAnywhere users are proactively protected from these threats.

You can find more about Dancho Danchev at his LinkedIn Profile. You can also follow him on  Twitter.

Blog Staff

About the Author

Blog Staff

The Webroot blog offers expert insights and analysis into the latest cybersecurity trends. Whether you’re a home or business user, we’re dedicated to giving you the awareness and knowledge needed to stay ahead of today’s cyber threats.

Share This