{"id":16013,"date":"2014-02-18T14:51:41","date_gmt":"2014-02-18T21:51:41","guid":{"rendered":"https://www.webroot.com/blog/?p=16013"},"modified":"2023-12-08T07:36:04","modified_gmt":"2023-12-08T14:36:04","slug":"spamvertised-image-sent-evernote-themed-campaign-serves-client-side-exploits","status":"publish","type":"post","link":"https://www.webroot.com/blog/2014\/02\/18\/spamvertised-image-sent-evernote-themed-campaign-serves-client-side-exploits\/","title":{"rendered":"Spamvertised ‘Image has been sent’ Evernote themed campaign serves client-side exploits"},"content":{"rendered":"

Cybercriminals continue to populate their botnets,\u00a0with new infected hosts, through the persistent and systematic spamvertising of tens of thousands of fake emails which impersonate popular and well known brands – all in an attempt to socially engineer prospective victims into interacting with the scam.<\/p>\n

We’ve recently intercepted a currently circulating malicious spam campaign, impersonating Evernote, serving client-side exploits to prospective victims who click on the links found in the fake emails.<\/p>\n

More details:<\/p>\n

<\/p>\n

Sample screenshot of the spamvertised email:<\/strong><\/p>\n

\"Evernote_Malware_Malicious_Software_Client_Side_Exploits_Spam_Spamvertised\"<\/a><\/p>\n

Sample redirection chain:<\/strong> hxxp:\/\/nortonfire.co.uk\/1.html<\/em> (82.165.213.55) -> hxxp:\/\/merdekapalace.com\/1.txt<\/em> – 202.71.103.21 -> hxxp:\/\/www.shivammehta.com\/1.txt<\/em> – 181.224.129.14 -> hxxp:\/\/ypawhygrawhorsemto.ru:8080\/z4ql9huka0<\/em><\/p>\n

Domain name reconnaissance for the fast-fluxed ypawhygrawhorsemto.ru:<\/strong>
\n37.59.36.223
\n180.244.28.149
\n140.112.31.129
\n31.222.178.84
\n54.254.203.163
\n78.108.93.186
\n202.22.156.178
\n54.254.203.163
\n78.108.93.186
\n140.112.31.129
\n202.22.156.178
\n31.222.178.84
\n37.59.36.223
\n180.244.28.149<\/p>\n

Responding to 78.108.93.186, are also the following malicious domains:<\/strong>
\nypawhygrawhorsemto.ru – 78.108.93.186
\njolygoestobeinvester.ru – 78.108.93.186
\nafrikanajirafselefant.biz – 78.108.93.186
\nbakrymseeculsoxeju.ru – 78.108.93.186
\nozimtickugryssytchook.org – 78.108.93.186
\nbydseekampoojopoopuboo.biz – 78.108.93.186<\/p>\n

Name servers used in the campaign:<\/strong>
\nName server: ns1.ypawhygrawhorsemto.ru – 173.255.243.199
\nName server: ns2.ypawhygrawhorsemto.ru – 119.226.4.149
\nName server: ns3.ypawhygrawhorsemto.ru – 192.237.247.65
\nName server: ns4.ypawhygrawhorsemto.ru – 204.232.208.115
\n——————————————-<\/p>\n

Second sample redirection chain:<\/strong> hxxp:\/\/www.smithpointarchery.com\/1.html<\/em> – 65.61.11.74 -> hxxp:\/\/merdekapalace.com\/1.txt<\/em> – 202.71.103.21 -> hxxp:\/\/www.shivammehta.com\/1.txt<\/em> – 181.224.129.14 -> hxxp:\/\/opheevipshoopsimemu.ru:8080\/dp2w4dvhe2<\/em> – 31.222.178.84<\/p>\n

Detection rate for a sample served client-side exploit:<\/strong>
\nMD5: c81b2b9fbee87c6962299f066b983a46\u00a0<\/strong><\/a><\/p>\n

Domain name reconnaissance for the fast-fluxed opheevipshoopsimemu.ru:<\/strong>
\n31.222.178.84
\n180.244.28.149
\n78.108.93.186
\n140.112.31.129
\n78.129.184.4
\n54.254.203.163
\n202.22.156.178
\n37.59.36.223<\/p>\n

Name servers part of the campaign’s infrastructure:<\/strong>
\nName server: ns1.opheevipshoopsimemu.ru. 173.255.243.199
\nName server: ns2.opheevipshoopsimemu.ru. 119.226.4.149
\nName server: ns3.opheevipshoopsimemu.ru. 192.237.247.65
\nName server: ns4.opheevipshoopsimemu.ru. 204.232.208.115<\/p>\n

Webroot\u00a0SecureAnywhere<\/a><\/strong>\u00a0users are proactively protected from these threats.<\/p>\n","protected":false},"excerpt":{"rendered":"

Cybercriminals continue to populate their botnets,\u00a0with new infected hosts, through the persistent and systematic spamvertising of tens of thousands of fake emails which impersonate popular and well known brands – all in an attempt to socially engineer prospective victims into interacting with the scam. We’ve recently intercepted a currently circulating malicious spam campaign, impersonating Evernote, […]<\/p>\n","protected":false},"author":65,"featured_media":17048,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[3005],"tags":[],"yst_prominent_words":[23159,23155,23161,23163,23157,17177,16183,23165,23153,17175,17181,17179,17185,17183,14051],"acf":[],"_links":{"self":[{"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/posts\/16013"}],"collection":[{"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/users\/65"}],"replies":[{"embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/comments?post=16013"}],"version-history":[{"count":11,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/posts\/16013\/revisions"}],"predecessor-version":[{"id":32485,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/posts\/16013\/revisions\/32485"}],"wp:featuredmedia":[{"embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/media\/17048"}],"wp:attachment":[{"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/media?parent=16013"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/categories?post=16013"},{"taxonomy":"post_tag","embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/tags?post=16013"},{"taxonomy":"yst_prominent_words","embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/yst_prominent_words?post=16013"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}