{"id":7117,"date":"2012-06-07T13:48:16","date_gmt":"2012-06-07T20:48:16","guid":{"rendered":"http:\/\/blog.webroot.com\/?p=7117"},"modified":"2018-10-05T11:03:12","modified_gmt":"2018-10-05T17:03:12","slug":"spamvertised-ups-delivery-notification-emails-serving-client-side-exploits-and-malware","status":"publish","type":"post","link":"https://www.webroot.com/blog/2012\/06\/07\/spamvertised-ups-delivery-notification-emails-serving-client-side-exploits-and-malware\/","title":{"rendered":"Spamvertised &#8216;UPS Delivery Notification&#8217; emails serving client-side exploits and malware"},"content":{"rendered":"<p>Think you received a package? Think again. Cybercriminals are currently spamvertising millions of emails impersonating UPS (United Parcel Service) in an attempt to trick users into downloading and viewing the malicious <strong>.html<\/strong> attachment.<\/p>\n<p style=\"text-align: center;\"><a href=\"http:\/\/webrootblog.files.wordpress.com\/2012\/06\/spam_ups_client_side_exploits_malware.png\"><img decoding=\"async\" loading=\"lazy\" class=\"aligncenter wp-image-7123\" title=\"Spam_UPS_Client_Side_Exploits_Malware\" src=\"http:\/\/webrootblog.files.wordpress.com\/2012\/06\/spam_ups_client_side_exploits_malware.png\" alt=\"\" width=\"340\" height=\"202\" \/><\/a><\/p>\n<p>More details:<\/p>\n<p><!--more--><\/p>\n<p><strong>Subject:<\/strong> <em>UPS Delivery Notification, Tracking Number CDE_RANDOM_NUMBER<\/em><\/p>\n<p><strong>Sample message:<\/strong> <em>You have attached the invoice for your package delivery. Thank you, United Parcel Service. 
*** This is an automatically generated email, please do not reply ***<\/em><\/p>\n<p><strong>Sample attachment:<\/strong> <em>invoiceCDE31400FCA9E1A9.html; <a href=\"https:\/\/www.virustotal.com\/file\/535efac841f106b811e1199455ed9f6060712a73efc2d2c056cbc446263487c1\/analysis\/1339004308\/\"><strong>MD5: 3df9cab56e3a354c56d0b50680a9e087<\/strong><\/a> detected by 8 out of 42 antivirus scanners as HTML:Iframe-inf; Trojan.IframeRef; Mal\/JSRedir-J<\/em><\/p>\n<p>The attached .html file includes a tiny iframe pointing to the client-side exploit-serving domain <strong>hxxp:\/\/www7apps-myups.com\/main.php?page=cde31400fca9e1a9<\/strong> &#8211; 96.43.129.237, Email: zxhxnjsgh@126.com<\/p>\n<p>Upon loading, it attempts to exploit <strong><a href=\"http:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2010-1885\">CVE-2010-1885<\/a>,\u00a0<\/strong>served by the BlackHole web malware exploitation kit.<\/p>\n<p><strong>Sample client-side exploitation chain:<\/strong> <em>hxxp:\/\/www7apps-myups.com\/main.php?page=cde31400fca9e1a9 -&gt; hxxp:\/\/www7apps-myups.com\/Set.jar -&gt; hxxp:\/\/www7apps-myups.com\/data\/ap2.php<\/em><\/p>\n<p>Upon successful exploitation, the campaign drops the following MD5 on the infected hosts, <a href=\"https:\/\/www.virustotal.com\/file\/010e5d960c9c1add340c7bb20fd06ca0bb9bf2535a8e5336938d56bdc026a592\/analysis\/\"><strong>MD5: 5806aba72a0725a9d65eb12586846da3<\/strong><\/a>,\u00a0currently detected by 8 out of 41 antivirus scanners as Gen:Variant.Kazy.74635; Trojan.PWS.Panda.655.<\/p>\n<p>It&#8217;s worth pointing out that the initially spamvertised .html file doesn&#8217;t contain any exploit code, in an attempt to trick antivirus scanners into treating it as legitimate content.<\/p>\n<p><a href=\"https:\/\/www.webroot.com\/us\/en\/home\/products\/complete\"><strong>Webroot SecureAnywhere<\/strong><\/a> users are proactively protected from this threat.<\/p>\n<p><em>You can find more about Dancho Danchev at his\u00a0<a href=\"http:\/\/nl.linkedin.com\/in\/danchodanchev\"><strong>LinkedIn Profile<\/strong><\/a>. You can also\u00a0<a href=\"http:\/\/www.twitter.com\/danchodanchev\"><strong>follow him on \u00a0Twitter<\/strong><\/a>.<\/em><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Think you received a package? Think again. Cybercriminals are currently spamvertising millions of emails impersonating UPS (United Parcel Service) in an attempt to trick users into downloading and viewing the malicious .html attachment. More details:<\/p>\n","protected":false},"author":65,"featured_media":17048,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[3005],"tags":[],"yst_prominent_words":[4811,3871,5593,10099,10299,3885,10891,5717,10895,8213,8287,3875,5721,3947,4439,9639,8285,8283,8209,3529],"acf":[],"_links":{"self":[{"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/posts\/7117"}],"collection":[{"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/users\/65"}],"replies":[{"embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/comments?post=7117"}],"version-history":[{"count":2,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/posts\/7117\/revisions"}],"predecessor-version":[{"id":25349,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/posts\/7117\/revisions\/25349"}],"wp:featuredmedia":[{"embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/media\/17048"}],"wp:attachment":[{"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/media?parent=7117"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/categories?post=7117"},{"taxonomy":"post_tag","embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/tags?post=7117"},{"taxonomy":"yst_prominent_words","embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/yst_prominent_words?post=7117"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}