
Over the past 24 hours, cybercriminals have launched yet another massive spam run, this time impersonating FedEx in an attempt to trick its customers into clicking on a malware- and exploit-serving URL found in the malicious email.

More details:

Screenshot of the spamvertised email:

Screenshot of a sample JavaScript obfuscation:

Sample spamvertised URLs: hxxp://; hxxp://, hxxp://; hxxp://; hxxp://; hxxp://

Sample client-side exploit-serving URLs: hxxp:// (, AS10481;, AS6921); hxxp:// (, AS40034)

Sample client-side exploits served: CVE-2010-1885

Responding to the same IPs is also the following malicious domain –

Name servers part of the campaign’s malicious infrastructure: –, AS24940 –, AS33182 –, AS15003 –, AS32475

More malicious domains are using these name servers, such as, for instance:

Detection rate for a sample JavaScript redirector: MD5: 32a74240c7e1a34a2a8ed8749758ef15 – detected by 8 out of 41 antivirus scanners as JS/Iframe.FR; Trojan-Downloader.JS.Iframe.dbe; JS/Exploit-Blacole.hd

Upon successful client-side exploitation, the campaign drops MD5: f9904f305de002ad5c0ad4b4648d0ca7 – detected by 23 out of 40 antivirus scanners as Trojan.Win32.Obfuscated.aopm; Worm:Win32/Cridex.E and MD5: 0e2c968865d34c8570bb69aa6156b915 – detected by 24 out of 42 antivirus scanners as Worm.Win32.Cridex.jb

The first sample phones back to (AS1955) and to (AS13147), and the second sample initiates DNS queries to; and it also produces TCP traffic to on port 443, as well as to again on port 443.
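The dropped samples and their beaconing behaviour above give a defender two things to hunt for: the three MD5 hashes quoted in this post in endpoint file inventories, and the TCP port 443 beacons and DNS lookups toward the campaign's command and control hosts in network logs. The script below is an added example and is not code from the post or from Webroot. The hashes and the port number come from the post; the C&C hosts and domain are elided on the page, so the placeholders `C2-HOST-PLACEHOLDER-1`, `C2-HOST-PLACEHOLDER-2` and `c2-domain-placeholder.invalid` are assumptions to be replaced with the real indicators, and the inventory and log lines are constructed sample input in a simple CSV and whitespace-separated format assumed for illustration.

```python
from __future__ import annotations

import re
from typing import Iterable

# MD5 hashes quoted in the post, keyed to the detection names it lists.
KNOWN_MD5 = {
    "32a74240c7e1a34a2a8ed8749758ef15": "JS/Iframe.FR redirector",
    "f9904f305de002ad5c0ad4b4648d0ca7": "Worm:Win32/Cridex.E dropper",
    "0e2c968865d34c8570bb69aa6156b915": "Worm.Win32.Cridex.jb dropper",
}

# The post elides the C&C addresses and domain; these placeholders are
# assumptions and would be swapped for the real indicators before use.
C2_HOSTS = {"C2-HOST-PLACEHOLDER-1", "C2-HOST-PLACEHOLDER-2"}
C2_DNS_NAMES = {"c2-domain-placeholder.invalid"}
C2_PORT = 443  # both dropped samples beacon over TCP port 443 per the post

HEX32 = re.compile(r"[0-9a-f]{32}")


def check_hash_inventory(lines: Iterable[str]) -> list[tuple[str, str, str]]:
    """Match endpoint inventory rows ("host,path,md5") against KNOWN_MD5.

    Returns one (host, path, label) tuple per hit. Hash case is normalised
    and malformed rows are skipped rather than raising.
    """
    hits = []
    for line in lines:
        parts = [p.strip() for p in line.split(",")]
        if len(parts) != 3:
            continue
        host, path, digest = parts
        digest = digest.lower()
        if HEX32.fullmatch(digest) and digest in KNOWN_MD5:
            hits.append((host, path, KNOWN_MD5[digest]))
    return hits


def check_network_log(lines: Iterable[str]) -> list[tuple[str, str, str]]:
    """Flag C&C beacons in a constructed connection/DNS log format:
      "<ts> <host> tcp <src>:<sport> -> <dst>:<dport>"
      "<ts> <host> dns <query-name>"
    A TCP hit requires both a C&C destination and port 443, so unrelated
    HTTPS traffic and other ports to the same host are not reported.
    """
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 4:
            continue
        ts, host, proto = fields[0], fields[1], fields[2]
        if proto == "tcp" and len(fields) >= 6 and fields[4] == "->":
            dst, _, port = fields[5].rpartition(":")
            if dst in C2_HOSTS and port.isdigit() and int(port) == C2_PORT:
                hits.append((ts, host, f"tcp beacon to {dst}:{port}"))
        elif proto == "dns" and fields[3].lower().rstrip(".") in C2_DNS_NAMES:
            hits.append((ts, host, f"dns query for {fields[3]}"))
    return hits


# Constructed sample input: two rows carry the post's dropper hashes.
INVENTORY = [
    "ws01,C:\\Users\\alice\\AppData\\Local\\Temp\\FedEx_Invoice.exe,F9904F305DE002AD5C0AD4B4648D0CA7",
    "ws01,C:\\Windows\\System32\\notepad.exe,d41d8cd98f00b204e9800998ecf8427e",
    "ws02,C:\\Users\\bob\\Downloads\\label.pdf,not-a-hash",
    "ws02,C:\\Users\\bob\\AppData\\Roaming\\KB00123.exe,0e2c968865d34c8570bb69aa6156b915",
]

# Constructed sample log: one DNS lookup and one port-443 beacon should fire;
# the 203.0.113.9 connection and the port-80 connection should not.
NETLOG = [
    "2012-07-24T10:02:11Z ws01 dns c2-domain-placeholder.invalid",
    "2012-07-24T10:02:12Z ws01 tcp 10.0.0.5:49152 -> C2-HOST-PLACEHOLDER-1:443",
    "2012-07-24T10:02:13Z ws01 tcp 10.0.0.5:49153 -> 203.0.113.9:443",
    "2012-07-24T10:02:14Z ws02 tcp 10.0.0.6:49201 -> C2-HOST-PLACEHOLDER-2:80",
]

if __name__ == "__main__":
    for hit in check_hash_inventory(INVENTORY):
        print("FILE  ", *hit)
    for hit in check_network_log(NETLOG):
        print("NET   ", *hit)
```

Hash matching is cheap but only catches these exact binaries; the network check is the more durable signal, since a repacked dropper still has to reach the same C&C infrastructure, which is why the post's point about the shared C&C server matters for detection.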

Deja vu! We’ve already seen numerous malicious campaigns phoning back one of these command and control servers, in particular. Campaigns known to have also used the same C&C server:

Responding to are also the following malicious C&C servers:

Related name servers part of the campaign’s infrastructure: –, AS57683 – – – –, AS15756 –, AS6724 –, AS19994 –, AS19994 –

Responding to three of these IPs (, and in particular) are also the following malicious domains, part of the campaign’s infrastructure:

Webroot SecureAnywhere users are proactively protected from these threats.

You can find more about Dancho Danchev at his LinkedIn Profile. You can also follow him on Twitter.

Blog Staff

About the Author


The Webroot blog offers expert insights and analysis into the latest cybersecurity trends. Whether you’re a home or business user, we’re dedicated to giving you the awareness and knowledge needed to stay ahead of today’s cyber threats.
