November 7, 2012 By Blog Staff

‘Fwd: Scan from a Xerox W. Pro’ themed emails lead to Black Hole Exploit Kit

On a periodic basis, cybercriminals spamvertise millions of emails in an attempt to trick end users into thinking that they’ve received a scanned document. Upon clicking on the links found in these emails, or viewing the malicious .html attachment, users are automatically exposed to the client-side exploits served by the latest version of the Black Hole Exploit Kit.

In this post, I will profile two currently circulating malicious campaigns. The first mimics a Xerox Pro printer, and the second claims to be a legitimate Wire Transfer. Both campaigns point to the same client-side exploit-serving URL, indicating that they’ve been launched by the same cybercriminal or gang of cybercriminals.

Sample screenshots of the spamvertised emails:

Client-side exploits serving URLs: hxxp://; hxxp://

Spamvertised compromised URL used in the Wire Transfer themed campaign: hxxp://

Upon loading, the URLs exploit CVE-2010-0188 in an attempt to drop a malicious PDF file on the affected host. The sample then drops additional malware.

Detection rate for a sample JavaScript obfuscation: MD5: 0a8a06770836493a67ea2e9a1af844bf – detected by 15 out of 43 antivirus scanners as Mal/JSRedir-M

Detection rate for the dropped malware: MD5: 194655f7368438ab01e80b35a5293875 – detected by 25 out of 43 antivirus scanners as Trojan-Ransom.Win32.PornoAsset.avzz responds to the following IPs –, AS24514;, AS10297;, AS16276

The following malicious domains, part of the campaign’s infrastructure, also respond to the same IPs:

Deja vu! We’ve already seen one of these domains ( used in the recently profiled “‘Regarding your Friendster password’ themed emails lead to Black Hole exploit kit” campaign, indicating that these campaigns have been launched by the same malicious party.
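The attribution reasoning used in this post (two campaigns pointing to the same exploit-serving URL, and a domain reused from the Friendster-themed campaign) can be automated when many campaigns are tracked. The following Python is an added example, not code from the original post or from Webroot; the campaign records, hostnames and IPs are constructed placeholders, and `link_campaigns` with its `ignore` parameter is a hypothetical name.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample data: campaign labels follow the post; every URL and IP
# is a placeholder (example.* names, RFC 5737 addresses), not a real indicator.
CAMPAIGNS = {
    "xerox-scan": {"urls": ["hxxp://landing-a.example[.]net/main.php?page=1"],
                   "ips": ["192.0.2.10"]},
    "wire-transfer": {"urls": ["hxxp://hacked-site.example[.]org/wire.html",
                               "hxxp://LANDING-A.example[.]net/main.php?page=1"],
                      "ips": ["192.0.2.10"]},
    "friendster-password": {"urls": ["hxxp://landing-b.example[.]com/x.php"],
                            "ips": ["192.0.2.10", "198.51.100.7"]},
    "unrelated": {"urls": ["hxxp://other.example[.]info/"],
                  "ips": ["203.0.113.5"]},
}

def refang(url):
    """Undo hxxp/[.] defanging so the URL can be parsed (it is never fetched)."""
    return url.replace("hxxp", "http", 1).replace("[.]", ".")

def indicators(record):
    """Normalized (type, value) indicators for one campaign record."""
    hosts = {urlsplit(refang(u)).hostname for u in record["urls"]}
    return {("host", h) for h in hosts} | {("ip", i) for i in record["ips"]}

def link_campaigns(campaigns, ignore=frozenset()):
    """Cluster campaigns sharing an indicator; `ignore` drops noisy ones."""
    parent = {name: name for name in campaigns}

    def find(x):  # union-find root lookup with path halving
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    first_seen, shared = {}, defaultdict(set)
    for name, record in campaigns.items():
        for ind in indicators(record) - set(ignore):
            if ind in first_seen:
                parent[find(name)] = find(first_seen[ind])
                shared[ind] |= {name, first_seen[ind]}
            else:
                first_seen[ind] = name
    clusters = defaultdict(list)
    for name in campaigns:
        clusters[find(name)].append(name)
    return sorted(sorted(c) for c in clusters.values()), dict(shared)

if __name__ == "__main__":
    groups, evidence = link_campaigns(CAMPAIGNS)
    print(groups)
    for ind, names in sorted(evidence.items()):
        print(ind, sorted(names))
```

Pass shared-hosting or sinkhole addresses in `ignore`, since a common IP on its own is weak evidence of a common operator.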

Name servers used in the campaign’s infrastructure:

Webroot SecureAnywhere users are proactively protected from these threats.

You can find more about Dancho Danchev at his LinkedIn Profile. You can also follow him on Twitter.
