{"id":7142,"date":"2012-06-13T08:09:04","date_gmt":"2012-06-13T15:09:04","guid":{"rendered":"http:\/\/blog.webroot.com\/?p=7142"},"modified":"2018-10-05T11:05:59","modified_gmt":"2018-10-05T17:05:59","slug":"spamvertised-your-amazon-com-order-confirmation-emails-serving-client-side-exploits-and-malware","status":"publish","type":"post","link":"https://www.webroot.com/blog/2012\/06\/13\/spamvertised-your-amazon-com-order-confirmation-emails-serving-client-side-exploits-and-malware\/","title":{"rendered":"Spamvertised ‘Your Amazon.com order confirmation’ emails serving client-side exploits and malware"},"content":{"rendered":"

Everyone uses Amazon!\u00a0At least\u00a0that’s what the cybercriminals are hoping. \u00a0Cybercriminals are currently spamvertising millions of emails impersonating Amazon.com Inc. in an attempt to trick end and corporate users into clicking on the malicious links found in the emails.<\/p>\n

More details:<\/p>\n

<\/p>\n

Screenshot of the spamvertised email:<\/strong><\/p>\n

\"\"<\/a><\/p>\n

\"\"<\/a><\/p>\n

Sample subjects:\u00a0<\/strong>Your Amazon.com Kindle e-book order confirmation<\/em>;\u00a0Your Amazon.com order confirmation<\/em><\/p>\n

Sample spamvertised compromised URls:\u00a0<\/strong>hxxp:\/\/www.archos5.com\/wp-content\/themes\/twentyten\/enoz.html<\/em>;\u00a0hxxp:\/\/bambizilla.com\/wp-includes\/enoz.html<\/em>;\u00a0hxxp:\/\/save20discout.com\/wp-content\/plugins\/social-stats\/omaz.html<\/em><\/p>\n

Client-side exploits serving URls:\u00a0<\/strong>hxxp:\/\/kidwingz.net\/main.php?page=614411383eef8d97<\/em>;\u00a0hxxp:\/\/cool-mail.net\/main.php?page=640db37c90c88306<\/em><\/p>\n

cool-mail.net<\/strong> responds to 84.106.114.97, responding to the same IP are also the following domains lifelovework.net<\/strong>; homeofficecaptioning.ru<\/strong>. Name servers courtesy of \u00a0ns1.grapecomputers.net<\/strong> with the following domains also using the same name server as cool-mail.net<\/strong> – grapecomputers.net<\/strong>; kidwingz.net<\/strong>; itscholarshipz.net<\/strong>; \u00a0homeofficecaptioning.ru;\u00a0kidwingz.net<\/strong> responds to 208.91.197.54.<\/p>\n

Both domains attempt to exploit client-side exploits served by the BlackHole web malware exploitation kit,\u00a0Exploits CVE-2010-1885<\/strong><\/a> in particular.<\/p>\n

Upon successful client-side exploitation the campaingn drops MD5: c23dab8cff55155f815639d7072de21a<\/strong><\/a> detected by 31 out of 42 antivirus scanners as TROJ_CRYPTOR.TH;\u00a0Trojan.Generic.KD.644812, and\u00a0and MD5: 49f91a1597bc4dd25d3d23302125dae7<\/strong><\/a> – detected by 5 out of 41 antivirus scanners as PWS-Zbot.gen.xs<\/p>\n

Upon execution the samples create the following registry entry, next to creating a new process:<\/p>\n

[HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun] KB00121600.exe = “”%AppData%KB00121600.exe” so that KB00121600.exe runs every time Windows starts<\/em><\/p>\n

Next, the samples phones back to 85.214.204.32 <\/strong>on port 8080, hxxp:\/\/85.214.204.32:8080\/zb\/v_01_b\/in\/<\/strong> in particular.<\/p>\n

More MD5s are known to have phone back to the same command and control C&C server in the past:<\/strong>
\nMD5: aa9b1b6037afaceee96c888c948a20fe<\/strong><\/a> – detected by 14 out of 42 antivirus scanners as Trojan.Generic.KDV.647512<\/p>\n

MD5: 49f91a1597bc4dd25d3d23302125dae7<\/a><\/strong> – detected by 5 out of 41 antivirus scanners as PWS-Zbot.gen.xs<\/p>\n

MD5: 734aadd62d0662256a65510271d40048<\/strong><\/a> – detected by 9 out of 42 antivirus scanners as Troj\/DwnLdr-KAY<\/p>\n

MD5: a444a9a941c1f0d28e5c3de711f04a3c<\/strong><\/a> – detected by 14 out of 42 antivirus scanners as Trojan.Generic.KD.647627<\/p>\n

MD5: 3c87e446ccee826a4707d47f268d705d<\/strong><\/a> – detected by 25 out of 42 antivirus scanners as W32\/AutoRun_Spy_Banker.P<\/p>\n

MD5: cf6f40f1ce37fd8edefc447f68a88e1f<\/strong><\/a> – detected by 32 out of 42 antivirus scanners as Trojan.Win32.Yakes.aemo<\/p>\n

MD5: 179c9ac5c2540a9bca5c0908e589a768<\/strong><\/a> – detected by 28 out of 42 antivirus scanners as Troj\/Bckdr-RLT<\/p>\n

MD5: 83db494b36bd38646e54210f6fdcbc0d<\/strong><\/a> – detected by 33 out of 42 antivirus scanners as PWS-Zbot.gen.aae<\/p>\n

MD5: 462210ddded90ea065829766797b42b7<\/strong><\/a> – detected by 32 out of 42 antivirus scanners as Trojan-Dropper.Win32.Dapato.adpv<\/p>\n

MD5: 712be7239b0e7e47869798658dabd4d0<\/strong><\/a> – detected by 30 out of 42 antivirus scanners as Trojan-Ransom.Win32.PornoAsset.emi<\/p>\n

It’s worth emphasizing on the command and control (C&C) IP –\u00a085.214.204.32<\/strong>.\u00a0Responding to 85.214.204.32 are the following name servers:<\/p>\n

ns3.pistolitnameste.ru<\/strong>
\nns3.puleneprobivaemye.ru<\/strong>
\nns2.spbfotomontag.ru<\/strong>
\nns3.pushkidamki.ru<\/strong>
\nns3.hamlovladivostok.ru<\/strong>
\nns3.saprolaunimaxim.ru<\/strong>
\nns2.uzindexation.ru<\/strong>
\nns2.holigaansongeer.ru<\/strong>
\nns3.paranoiknepjet.ru<\/strong>
\nns2.piloramamoskow.ru<\/strong>
\nns2.girlsnotcryz.ru<\/strong><\/p>\n

Historically, the following domains were also responding to the same IP, part of the botnet’s infrastructure:<\/p>\n

cvredret.ru<\/strong>
\ncxredret.ru<\/strong>
\nopiumdlanaroda.ru<\/strong>
\nporosenokpetya.ru<\/strong>
\ngaremonmystage.ru<\/strong>
\nhoroshovsebudet.ru<\/strong>
\nhmvmgywkvayilcwh.ru<\/strong>
\nwfyusepaxvulfdtn.ru<\/strong>
\nwiwwkvjkinewgycb.ru<\/strong>
\nhjpyvexsutdctjol.ru<\/strong>
\nhbirjhcnsuiwgtrq.ru<\/strong>
\naxwiyyfbraskytvs.ru<\/strong>
\nskjwysujlpedxxsl.ru<\/strong>
\nsumgankorobanns.ru<\/strong>
\nngdvmtwodjjuovsnfj.ru<\/strong>
\nvjcuiqecxaomkytb.ru<\/strong>
\nvaopxjiaphevkfpqdo.ru<\/strong>
\nyhbyqwmrtqxvmpryon.ru<\/strong>
\nqtdlnxbqfohcpwft.ru<\/strong>
\njfhxihwykiuwfknoni.ru <\/strong>
\nkblqegxrumlsrefvmb.ru<\/strong>
\nhngajjkuknzwdliqfj.ru<\/strong>
\nhdylanfzmfngwbwxnc.ru<\/strong>
\ngizosuxwpeujnykjye.ru<\/strong>
\njlkjsxdsvtkygouiix.ru<\/strong>
\nnolwzyzsqkhjkqhomc.ru<\/strong>
\nwbgguucrbkrkjftn.ru<\/strong>
\nusepaxvulfdtnwiwwk.ru<\/strong>
\neoicszuwkjskhvki.ru<\/strong>
\nmceglkuyhzvzjxbj.ru<\/strong><\/p>\n

Historical OSINT on the name servers involved in the campaign, and the botnet’s infrastructure in general:<\/strong><\/p>\n

ns1.girlsnotcryz.ru<\/strong> => 62.213.64.161
\nns2.girlsnotcryz.ru<\/strong> => 85.214.204.32
\nns3.girlsnotcryz.ru<\/strong> => 50.57.88.200
\nns4.girlsnotcryz.ru<\/strong> => 184.106.189.124
\nns5.girlsnotcryz.ru<\/strong> => 50.57.43.49<\/p>\n

ns1.hamlovladivostok.ru<\/strong> => 62.213.64.161
\nns2.hamlovladivostok.ru<\/strong> => 62.76.189.62
\nns3.hamlovladivostok.ru<\/strong> => 85.214.204.32
\nns4.hamlovladivostok.ru<\/strong> => 50.57.88.200
\nns5.hamlovladivostok.ru<\/strong> => 41.66.137.155
\nns6.hamlovladivostok.ru<\/strong> => 50.57.43.49<\/p>\n

ns1.puleneprobivaemye.ru<\/strong> => 62.213.64.161
\nns2.puleneprobivaemye.ru<\/strong> => 62.76.189.62
\nns3.puleneprobivaemye.ru<\/strong> => 85.214.204.32
\nns4.puleneprobivaemye.ru<\/strong> => 50.57.88.200
\nns5.puleneprobivaemye.ru<\/strong> => 41.66.137.155
\nns6.puleneprobivaemye.ru<\/strong> => 50.57.43.49<\/p>\n

ns1.pushkidamki.ru<\/strong> => 62.213.64.161
\nns2.pushkidamki.ru<\/strong> => 62.76.189.62
\nns3.pushkidamki.ru<\/strong> => 85.214.204.32
\nns4.pushkidamki.ru<\/strong> => 50.57.88.200
\nns5.pushkidamki.ru<\/strong> => 41.66.137.155
\nns6.pushkidamki.ru<\/strong> => 50.57.43.49<\/p>\n

ns1.spbfotomontag.r<\/strong>u => 62.213.64.161
\nns2.spbfotomontag.r<\/strong>u => 85.214.204.32
\nns3.spbfotomontag.r<\/strong>u => 50.57.88.200
\nns4.spbfotomontag.r<\/strong>u => 184.106.189.124
\nns5.spbfotomontag.ru<\/strong> => 50.57.43.49<\/p>\n

ns1.piloramamoskow.ru<\/strong> => 62.213.64.161
\nns2.piloramamoskow.ru<\/strong> => 85.214.204.32
\nns3.piloramamoskow.r<\/strong>u => 50.57.88.200
\nns4.piloramamoskow.ru<\/strong> => 184.106.189.124
\nns5.piloramamoskow.ru<\/strong> => 50.57.43.49<\/p>\n

ns1.insomniacporeed.ru<\/strong> => 62.213.64.161
\nns2.insomniacporeed.ru<\/strong> => 85.214.204.32
\nns3.insomniacporeed.ru<\/strong> => 50.57.88.200
\nns4.insomniacporeed.ru<\/strong> => 184.106.189.124
\nns5.insomniacporeed.ru<\/strong> => 50.57.43.49<\/p>\n

ns1.norilsknikeli.ru<\/strong> => 62.213.64.161
\nns2.norilsknikeli.ru<\/strong> => 85.214.204.32
\nns3.norilsknikeli.ru<\/strong> => 50.57.88.200
\nns4.norilsknikeli.ru<\/strong> => 184.106.189.124
\nns5.norilsknikeli.ru<\/strong> => 50.57.43.49<\/p>\n

ns1.mazdaforumi.ru<\/strong> => 62.213.64.161
\nns2.mazdaforumi.ru<\/strong> => 85.214.204.32
\nns3.mazdaforumi.ru<\/strong> => 50.57.88.200
\nns4.mazdaforumi.ru<\/strong> => 184.106.189.124
\nns5.mazdaforumi.ru<\/strong> => 50.57.43.49<\/p>\n

ns1.immerialtv.ru<\/strong> => 62.76.41.3
\nns2.immerialtv.ru<\/strong> => 62.213.64.161
\nns3.immerialtv.ru<\/strong> => 195.88.242.10
\nns4.immerialtv.ru<\/strong> => 41.66.137.155
\nns5.immerialtv.ru<\/strong> => 83.170.91.152
\nns6.immerialtv.ru<\/strong> => 85.214.204.32<\/p>\n

ns1.opimmerialtv.ru<\/strong> => 62.213.64.161
\nns2.opimmerialtv.ru<\/strong> => 85.214.204.32
\nns3.opimmerialtv.r<\/strong>u => 50.57.88.200
\nns4.opimmerialtv.ru<\/strong> => 184.106.189.124
\nns5.opimmerialtv.ru<\/strong> => 50.57.43.49<\/p>\n

ns1.pokeronmep.ru<\/strong> => 62.76.41.3
\nns2.pokeronmep.ru<\/strong> => 62.213.64.161
\nns3.pokeronmep.ru<\/strong> => 195.88.242.10
\nns4.pokeronmep.ru<\/strong> => 41.66.137.155
\nns5.pokeronmep.r<\/strong>u => 83.170.91.152
\nns6.pokeronmep.ru<\/strong> => 85.214.204.32<\/p>\n

ns1.poluicenotgo.ru<\/strong> => 62.76.41.3
\nns2.poluicenotgo.ru<\/strong> => 62.213.64.161
\nns3.poluicenotgo.ru<\/strong> => 195.88.242.10
\nns4.poluicenotgo.ru<\/strong> => 41.66.137.155
\nns5.poluicenotgo.ru<\/strong> => 83.170.91.152
\nns6.poluicenotgo.ru<\/strong> => 85.214.204.32<\/p>\n

ns1.uiwewsecondary.ru<\/strong> => 62.76.41.3
\nns2.uiwewsecondary.ru<\/strong> => 62.213.64.161
\nns3.uiwewsecondary.ru<\/strong> => 195.88.242.10
\nns4.uiwewsecondary.r<\/strong>u => 41.66.137.155
\nns5.uiwewsecondary.r<\/strong>u => 83.170.91.152
\nns6.uiwewsecondary.ru<\/strong> => 85.214.204.32<\/p>\n

ns1.validatoronmee.r<\/strong>u => 62.213.64.161
\nns2.validatoronmee.ru<\/strong> => 195.62.52.69
\nns3.validatoronmee.ru<\/strong> => 62.76.191.172
\nns4.validatoronmee.ru<\/strong> => 41.66.137.155
\nns5.validatoronmee.ru<\/strong> => 83.170.91.152
\nns6.validatoronmee.ru<\/strong> => 85.214.204.32<\/p>\n

ns1.vitalitysomer.ru<\/strong> => 62.213.64.161
\nns2.vitalitysomer.ru<\/strong> => 195.62.52.69
\nns3.vitalitysomer.ru<\/strong> => 62.76.191.172
\nns4.vitalitysomer.ru<\/strong> => 41.66.137.155
\nns5.vitalitysomer.ru<\/strong> => 83.170.91.152
\nns6.vitalitysomer.ru<\/strong> => 85.214.204.32<\/p>\n

ns1.wiskonsintpara.ru<\/strong> => 62.76.41.3
\nns2.wiskonsintpara.ru<\/strong> => 62.213.64.161
\nns3.wiskonsintpara.ru<\/strong> => 195.62.52.69
\nns4.wiskonsintpara.ru<\/strong> => 41.66.137.155
\nns5.wiskonsintpara.ru<\/strong> => 83.170.91.152
\nns6.wiskonsintpara.ru<\/strong> => 85.214.204.32<\/p>\n

ns1.webmastaumuren.ru<\/strong> => 62.76.41.3
\nns2.webmastaumuren.ru<\/strong> => 62.213.64.161
\nns3.webmastaumuren.ru<\/strong> => 195.62.52.69
\nns4.webmastaumuren.ru<\/strong> => 41.66.137.155
\nns5.webmastaumuren.ru<\/strong> => 83.170.91.152
\nns6.webmastaumuren.ru<\/strong> => 85.214.204.32<\/p>\n

ns1.webmastersuon.ru<\/strong> => 62.76.41.3
\nns2.webmastersuon.ru<\/strong> => 62.213.64.161
\nns3.webmastersuon.ru<\/strong> => 195.62.52.69
\nns4.webmastersuon.ru<\/strong> => 41.66.137.155
\nns5.webmastersuon.ru<\/strong> => 83.170.91.152
\nns6.webmastersuon.ru<\/strong> => 85.214.204.32<\/p>\n

ns1.qvzhpiaswhqlswkjit.ru<\/strong> => 62.76.45.241
\nns2.qvzhpiaswhqlswkjit.ru<\/strong> => 62.213.64.161
\nns3.qvzhpiaswhqlswkjit.ru<\/strong> => 85.214.204.32
\nns4.qvzhpiaswhqlswkjit.ru<\/strong> => 216.151.129.198<\/p>\n

ns1.xspisokdomenidgmens.ru<\/strong> => 62.76.45.241
\nns2.xspisokdomenidgmens.ru<\/strong> => 62.76.191.172
\nns3.xspisokdomenidgmens.ru<\/strong> => 62.213.64.161
\nns4.xspisokdomenidgmens.ru<\/strong> => 85.214.204.32
\nns5.xspisokdomenidgmens.ru<\/strong> => 209.114.47.158
\nns6.xspisokdomenidgmens.ru<\/strong> => 78.83.233.242<\/p>\n

Go through related analysis on previously spamvertised malware-serving campaigns:<\/strong><\/p>\n