
Cybercriminals continue to populate their botnets with newly infected hosts through the persistent, systematic spamvertising of tens of thousands of fake emails that impersonate popular, well-known brands, all in an attempt to socially engineer prospective victims into interacting with the scam.

We’ve recently intercepted a currently circulating malicious spam campaign impersonating Evernote that serves client-side exploits to prospective victims who click on the links found in the fake emails.

More details:

Sample screenshot of the spamvertised email (image not reproduced in this text).

Sample redirection chain: hxxp://nortonfire.co.uk/1.html – 82.165.213.55 -> hxxp://merdekapalace.com/1.txt – 202.71.103.21 -> hxxp://www.shivammehta.com/1.txt – 181.224.129.14 -> hxxp://ypawhygrawhorsemto.ru:8080/z4ql9huka0

Domain name reconnaissance for the fast-fluxed ypawhygrawhorsemto.ru:
37.59.36.223
180.244.28.149
140.112.31.129
31.222.178.84
54.254.203.163
78.108.93.186
202.22.156.178
54.254.203.163
78.108.93.186
140.112.31.129
202.22.156.178
31.222.178.84
37.59.36.223
180.244.28.149

The following malicious domains also respond to 78.108.93.186:
ypawhygrawhorsemto.ru – 78.108.93.186
jolygoestobeinvester.ru – 78.108.93.186
afrikanajirafselefant.biz – 78.108.93.186
bakrymseeculsoxeju.ru – 78.108.93.186
ozimtickugryssytchook.org – 78.108.93.186
bydseekampoojopoopuboo.biz – 78.108.93.186

Name servers used in the campaign:
Name server: ns1.ypawhygrawhorsemto.ru – 173.255.243.199
Name server: ns2.ypawhygrawhorsemto.ru – 119.226.4.149
Name server: ns3.ypawhygrawhorsemto.ru – 192.237.247.65
Name server: ns4.ypawhygrawhorsemto.ru – 204.232.208.115
——————————————-

Second sample redirection chain: hxxp://www.smithpointarchery.com/1.html – 65.61.11.74 -> hxxp://merdekapalace.com/1.txt – 202.71.103.21 -> hxxp://www.shivammehta.com/1.txt – 181.224.129.14 -> hxxp://opheevipshoopsimemu.ru:8080/dp2w4dvhe2 – 31.222.178.84

Detection rate for a sample served client-side exploit:
MD5: c81b2b9fbee87c6962299f066b983a46 

Domain name reconnaissance for the fast-fluxed opheevipshoopsimemu.ru:
31.222.178.84
180.244.28.149
78.108.93.186
140.112.31.129
78.129.184.4
54.254.203.163
202.22.156.178
37.59.36.223

Name servers part of the campaign’s infrastructure:
Name server: ns1.opheevipshoopsimemu.ru – 173.255.243.199
Name server: ns2.opheevipshoopsimemu.ru – 119.226.4.149
Name server: ns3.opheevipshoopsimemu.ru – 192.237.247.65
Name server: ns4.opheevipshoopsimemu.ru – 204.232.208.115
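The two redirection chains and the fast-flux resolutions above can be pivoted on programmatically: the compromised intermediate redirectors shared by both chains, the spread of each landing domain's DNS answers, the domains co-hosted on 78.108.93.186, and the name servers the two landing domains share. The script below is an added example, not code from this post or from Webroot. The indicator values are transcribed from the post; the function names, the use of distinct /16 prefixes as an offline stand-in for network diversity, and the fast-flux thresholds are assumptions.

```python
"""Pivot on the indicators published above: shared redirectors, fast-flux
answer spread, and shared hosting / name-server infrastructure.

Added example, not the post's or Webroot's code. Indicator values are
transcribed from the post; helper names and thresholds are assumptions.
"""
import re
from collections import Counter

# Redirection chains as given in the post (hxxp:// is the post's defanging).
CHAINS = [
    "hxxp://nortonfire.co.uk/1.html (82.165.213.55) -> "
    "hxxp://merdekapalace.com/1.txt – 202.71.103.21 -> "
    "hxxp://www.shivammehta.com/1.txt – 181.224.129.14 -> "
    "hxxp://ypawhygrawhorsemto.ru:8080/z4ql9huka0",
    "hxxp://www.smithpointarchery.com/1.html – 65.61.11.74 -> "
    "hxxp://merdekapalace.com/1.txt – 202.71.103.21 -> "
    "hxxp://www.shivammehta.com/1.txt – 181.224.129.14 -> "
    "hxxp://opheevipshoopsimemu.ru:8080/dp2w4dvhe2 – 31.222.178.84",
]

# DNS answers as listed in the post, in the order observed. Repeats are kept
# on purpose: rotation across lookups is part of the fast-flux signal.
RESOLUTIONS = {
    "ypawhygrawhorsemto.ru": [
        "37.59.36.223", "180.244.28.149", "140.112.31.129", "31.222.178.84",
        "54.254.203.163", "78.108.93.186", "202.22.156.178", "54.254.203.163",
        "78.108.93.186", "140.112.31.129", "202.22.156.178", "31.222.178.84",
        "37.59.36.223", "180.244.28.149"],
    "opheevipshoopsimemu.ru": [
        "31.222.178.84", "180.244.28.149", "78.108.93.186", "140.112.31.129",
        "78.129.184.4", "54.254.203.163", "202.22.156.178", "37.59.36.223"],
    # The other domains the post lists as responding on 78.108.93.186.
    "jolygoestobeinvester.ru": ["78.108.93.186"],
    "afrikanajirafselefant.biz": ["78.108.93.186"],
    "bakrymseeculsoxeju.ru": ["78.108.93.186"],
    "ozimtickugryssytchook.org": ["78.108.93.186"],
    "bydseekampoojopoopuboo.biz": ["78.108.93.186"],
}

# Name-server IPs from the post; both landing domains use the same four.
NAME_SERVERS = {
    "ypawhygrawhorsemto.ru": {"173.255.243.199", "119.226.4.149",
                              "192.237.247.65", "204.232.208.115"},
    "opheevipshoopsimemu.ru": {"173.255.243.199", "119.226.4.149",
                               "192.237.247.65", "204.232.208.115"},
}

HOP_RE = re.compile(r"hxxp://(?P<host>[^/:\s]+)(?::(?P<port>\d+))?(?P<path>/\S*)?")
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def parse_chain(chain):
    """Split one 'a -> b -> c' line into hop dicts (host, port, path, ip)."""
    hops = []
    for segment in chain.split("->"):
        m = HOP_RE.search(segment)
        if not m:
            continue
        ip = IP_RE.search(segment[m.end():])  # IP noted after the URL, if any
        hops.append({"host": m.group("host"),
                     "port": int(m.group("port") or 80),
                     "path": m.group("path") or "/",
                     "ip": ip.group(1) if ip else None})
    return hops


def shared_redirectors(chains):
    """Hosts present in every chain that are never the final landing page:
    the compromised intermediaries worth blocking whatever the landing domain."""
    parsed = [parse_chain(c) for c in chains]
    common = set.intersection(*(set(h["host"] for h in p) for p in parsed))
    return common - {p[-1]["host"] for p in parsed}


def landing_pages(chains):
    """(host, port, path) of the final hop of each chain."""
    return [(p[-1]["host"], p[-1]["port"], p[-1]["path"])
            for p in (parse_chain(c) for c in chains)]


def flux_profile(domain):
    """How spread out a domain's answers are. Distinct /16 prefixes stand in
    for network diversity because no ASN data is available offline."""
    answers = RESOLUTIONS[domain]
    distinct = set(answers)
    return {"lookups": len(answers), "distinct_ips": len(distinct),
            "distinct_16s": len({".".join(ip.split(".")[:2]) for ip in distinct}),
            "max_repeat": max(Counter(answers).values())}


def looks_fast_fluxed(domain, min_ips=5, min_prefixes=4):
    """Heuristic with assumed thresholds: many distinct IPs across many /16s."""
    p = flux_profile(domain)
    return p["distinct_ips"] >= min_ips and p["distinct_16s"] >= min_prefixes


def domains_on_ip(ip):
    """Pivot: every domain in the dataset that has resolved to `ip`."""
    return sorted(d for d, ips in RESOLUTIONS.items() if ip in ips)


def shared_infrastructure(a, b):
    """IPs and name-server IPs two domains have in common."""
    return {"ips": set(RESOLUTIONS[a]) & set(RESOLUTIONS[b]),
            "name_servers": NAME_SERVERS.get(a, set()) & NAME_SERVERS.get(b, set())}


def blocklist():
    """Every host and IP from the post, for a DNS or proxy deny list."""
    items = set()
    for hop in (h for c in CHAINS for h in parse_chain(c)):
        items.update({hop["host"], hop["ip"]} - {None})
    for d, ips in RESOLUTIONS.items():
        items.update([d, *ips])
    for ns in NAME_SERVERS.values():
        items.update(ns)
    return items


if __name__ == "__main__":
    print("shared redirectors:", shared_redirectors(CHAINS))
    print("landing pages:", landing_pages(CHAINS))
    for d in ("ypawhygrawhorsemto.ru", "opheevipshoopsimemu.ru"):
        print(d, flux_profile(d), "fast-flux?", looks_fast_fluxed(d))
    print("on 78.108.93.186:", domains_on_ip("78.108.93.186"))
    print("blocklist size:", len(blocklist()))
```

Running it shows that merdekapalace.com and www.shivammehta.com sit in both chains as intermediate redirectors, that each landing domain answers with seven or eight IPs spread across as many /16 prefixes (with every ypawhygrawhorsemto.ru answer recurring exactly twice across the 14 lookups), and that the two landing domains share seven IPs and all four name servers, which is the basis for treating them as one campaign rather than two.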

Webroot SecureAnywhere users are proactively protected from these threats.

About the Author

Blog Staff