Reading Time: ~ 2 min.

Cybercriminals are mass mailing tens of thousands of malicious Federal Deposit Insurance Corporation (FDIC) themed emails, in an attempt to trick users into clicking on the client-side exploits serving and malware dropping URLs found in the bogus emails. Let’s dissect the campaign, expose the portfolio of malicious domains using it, provide MD5s for a sample exploit and the dropped malware, as well as connect the campaign with previously launched already profiled malicious campaigns.

Sample screenshot of the spamvertised email:


Sample redirection chain:
hxxp:// ( -> hxxp:// (;;;; Email:

Known to have responded to the same IP ( are also the following fraudulent/malicious domains:

The following malicious MD5s are also known to have phoned back to the same IP in the past:
MD5: d672db2c3f398f1bb55ed0030467277d
MD5: 5cb9893095f6087fe741853213f244e8

Known to have responded to are also the following malicious domains:

Known to have responded to are also the followig malicious domains:

Known to have responded to are also the following malicious domains:

Name servers part of the campaign’s infrastructure:
Name Server: NS1.NAMASTELEARNING.NET – – Email: – Deja vu! We’ve already seen the same email used in a related Facebook themed malicious campaign.

The following name servers are also providing DNS services to the following malicious domains:

MD5 for a sample served client-side exploit: MD5: 92897ad0aff69dee36dc22140bf3d8a9. Sample MD5 for the dropped malware: MD5: 7b6332de90e25a5b26f7c75910a22e0c.

Once executed, the sample phones back to the following C&C servers:

Webroot SecureAnywhere users are proactively protected from these threats.

Blog Staff

About the Author

Blog Staff

Share This