Spamvertised ‘Image has been sent’ Evernote themed campaign serves client-side exploits

Cybercriminals continue to populate their botnets, with new infected hosts, through the persistent and systematic spamvertising of tens of thousands of fake emails which impersonate popular and well known brands – all in an attempt to socially engineer prospective victims into interacting with the scam.

We’ve recently intercepted a currently circulating malicious spam campaign, impersonating Evernote, serving client-side exploits to prospective victims who click on the links found in the fake emails.

More details:

Sample screenshot of the spamvertised email:

Sample redirection chain: hxxp://nortonfire.co.uk/1.html (82.165.213.55) -> hxxp://merdekapalace.com/1.txt – 202.71.103.21 -> hxxp://www.shivammehta.com/1.txt – 181.224.129.14 -> hxxp://ypawhygrawhorsemto.ru:8080/z4ql9huka0

Domain name reconnaissance for the fast-fluxed ypawhygrawhorsemto.ru:
37.59.36.223
180.244.28.149
140.112.31.129
31.222.178.84
54.254.203.163
78.108.93.186
202.22.156.178
54.254.203.163
78.108.93.186
140.112.31.129
202.22.156.178
31.222.178.84
37.59.36.223
180.244.28.149

Responding to 78.108.93.186, are also the following malicious domains:
ypawhygrawhorsemto.ru – 78.108.93.186
jolygoestobeinvester.ru – 78.108.93.186
afrikanajirafselefant.biz – 78.108.93.186
bakrymseeculsoxeju.ru – 78.108.93.186
ozimtickugryssytchook.org – 78.108.93.186
bydseekampoojopoopuboo.biz – 78.108.93.186

Name servers used in the campaign:
Name server: ns1.ypawhygrawhorsemto.ru – 173.255.243.199
Name server: ns2.ypawhygrawhorsemto.ru – 119.226.4.149
Name server: ns3.ypawhygrawhorsemto.ru – 192.237.247.65
Name server: ns4.ypawhygrawhorsemto.ru – 204.232.208.115
——————————————-

Second sample redirection chain: hxxp://www.smithpointarchery.com/1.html – 65.61.11.74 -> hxxp://merdekapalace.com/1.txt – 202.71.103.21 -> hxxp://www.shivammehta.com/1.txt – 181.224.129.14 -> hxxp://opheevipshoopsimemu.ru:8080/dp2w4dvhe2 – 31.222.178.84

Detection rate for a sample served client-side exploit:
MD5: c81b2b9fbee87c6962299f066b983a46 

Domain name reconnaissance for the fast-fluxed opheevipshoopsimemu.ru:
31.222.178.84
180.244.28.149
78.108.93.186
140.112.31.129
78.129.184.4
54.254.203.163
202.22.156.178
37.59.36.223

Name servers part of the campaign’s infrastructure:
Name server: ns1.opheevipshoopsimemu.ru. 173.255.243.199
Name server: ns2.opheevipshoopsimemu.ru. 119.226.4.149
Name server: ns3.opheevipshoopsimemu.ru. 192.237.247.65
Name server: ns4.opheevipshoopsimemu.ru. 204.232.208.115

Webroot SecureAnywhere users are proactively protected from these threats.

About the Author

Blog Staff

The Webroot blog offers expert insights and analysis into the latest cybersecurity trends. Whether you’re a home or business user, we’re dedicated to giving you the awareness and knowledge needed to stay ahead of today’s cyber threats.