{"id":7225,"date":"2012-06-25T07:48:52","date_gmt":"2012-06-25T14:48:52","guid":{"rendered":"http:\/\/blog.webroot.com\/?p=7225"},"modified":"2018-10-05T11:08:00","modified_gmt":"2018-10-05T17:08:00","slug":"spamvertised-your-ups-delivery-tracking-emails-serving-client-side-exploits-and-malware","status":"publish","type":"post","link":"https://www.webroot.com/blog/2012\/06\/25\/spamvertised-your-ups-delivery-tracking-emails-serving-client-side-exploits-and-malware\/","title":{"rendered":"Spamvertised ‘Your UPS delivery tracking’ emails serving client-side exploits and malware"},"content":{"rendered":"

Cybercriminals are currently spamvertising millions of emails impersonating United Parcel Service (UPS) in an attempt to trick end and corporate users into clicking on exploits and malware serving links found in the malicious emails. What exploits are they using? How widespread is the campaign? Is it an isolated incident, or is the campaign linked to more malicious activity?<\/p>\n

More details:<\/p>\n

<\/p>\n

Screenshots of the spamvertised campaign:<\/strong><\/p>\n

\"\"<\/a><\/p>\n

\"\"<\/a><\/p>\n

Upon clicking on the link, users are exposed to the following bogus page displaying additional information about the package:<\/strong><\/p>\n

\"\"<\/a><\/p>\n

Sample spamvertised malicious URLs:<\/strong>\u00a0hxxp:\/\/andreascookies.com\/deliv.html<\/em>;\u00a0hxxp:\/\/selcoelectrical.co.uk\/deliv.html<\/em>;\u00a0hxxp:\/\/nepa.com.np\/deliv.html<\/em>;\u00a0hxxp:\/\/it-agency-job-opportunities.com\/\/track.html<\/em>;\u00a0hxxp:\/\/agarcia.tv\/wp-content\/uploads\/fgallery\/track.html<\/em>;\u00a0hxxp:\/\/samsung40lcdtvlnt4061f.uwcblog.com\/spss.html<\/em><\/p>\n

Detection rate for the client-side exploit serving page:\u00a0<\/strong>devil.html – MD5: f9a47465f88bb76d1987fba6ffc72db7<\/strong><\/a> – detected by 2 out of 42 antivirus scanners as JS\/Obfuscus.AACB!tr; HEUR:Trojan.Script.Generic<\/p>\n

\"\"<\/a><\/p>\n

Client-side exploitation chain:<\/strong> hxxp:\/\/savecoralz.net\/main.php?page=2a709dab1e660eaf<\/em> -> hxxp:\/\/savecoralz.net\/Set.jar<\/em><\/p>\n

Second client-side exploitation chain seen in the same campaign:<\/strong> hxxp:\/\/abilenepaint.net\/main.php?page=c3c45bf60719e629<\/em> -> hxxp:\/\/abilenepaint.net\/Half.jar<\/em><\/p>\n

Upon clicking on the link, the campaign is serving client-side exploits using the Black Hole web malware exploitation kit, and in this particular campaign it’s attempting to exploit CVE-2010-1885<\/strong><\/a> and CVE-2012-0507<\/strong><\/a>.<\/p>\n

Once the client-side exploitation takes place, the campaign drops\u00a0MD5: 202d24597758dc5f190bf63527712af0<\/strong><\/a> – detected by 2 out of 42 antivirus scanners as Trojan\/Win32.Hrup; Suspicious.Cloud.5<\/p>\n

Info on the client-side exploit serving domain: <\/strong>savecoralz.net – 109.164.221.176; 46.162.27.165; name servers: NS1.GRAPECOMPUTERS.NET; NS2.GRAPECOMPUTERS.NET – Email: clinicadelta@aol.com<\/p>\n

The following malware-serving domains are also using the same name servers:<\/strong>
\nsynergyledlighting.net
\nstafffire.net
\nthai4me.com
\nenergirans.net
\nhapturing.net
\nhousespect.net
\nsynetworks.net
\n110hobart.com
\nperikanzas.com
\nabc-spain.net
\nmigdaliasbistro.net
\nthemeparkoupons.net
\nicemed.net
\nsony-zeus.net
\nmynourigen.net
\ngeorgekinsman.net
\nekotastic.net
\ntorsax.net
\npopzulu.net
\narizonacentennialmens.com<\/p>\n

Info on the second client-side exploits serving domain observed in the campaign:<\/strong>\u00a0abilenepaint.net – 79.142.67.135 (known to have also responding to 109.169.86.139 (stafffire.net) – Email: ezvalu@live.com Name servers: ns1.asiazmile.net, ns2.asiazmile.net<\/p>\n

More domains known to be using the same name servers as abilenepaint.net<\/strong>
\nstafffire.net
\nalamedapaint.net
\nasiazmile.net<\/p>\n

Client-side exploitation chain:<\/strong>\u00a0hxxp:\/\/abilenepaint.net\/main.php?page=c3c45bf60719e629<\/em> ->\u00a0hxxp:\/\/abilenepaint.net\/Half.jar<\/em><\/p>\n

Upon successful client-side exploitation the second malicious URL drops\u00a0MD5: 5e187c293a563968dd026fae02194cfa<\/strong><\/a>, detected by 3 out of 42 antivirus scanners as PAK_Generic.001.\u00a0Upon execution it creates the following file:<\/p>\n

%AppData%KB00121600.exe – MD5: 5E187C293A563968DD026FAE02194CFA<\/strong><\/a> –\u00a0detected by 3 out of 42 antivirus scanners as PAK_Generic.001<\/p>\n

Upon execution, the sample phones back to\u00a0123.49.61.59\/zb\/v_01_b\/in<\/strong> on port 8080.\u00a0Another sample is known to have phoned back to the same URL, namely, MD5: 108F10F0921F2B4FCA87FE6E620D21EF<\/strong><\/a> which phones back to:<\/p>\n

hxxp:\/\/123.49.61.59:8080\/zb\/v_01_a\/in\/<\/em>
\nhxxp:\/\/91.121.103.143:8080\/zb\/v_01_a\/.upd\/u2006a.exe<\/em><\/p>\n

u2006a.exe<\/strong> has a MD5 of\u00a0MD5: c5fcee018e9b80a2574d98189684ba2a<\/a>, <\/strong>and is detected by 4 out of 42 antivirus scanners as Worm.Win32.AutoRun.dtaf.<\/p>\n

This is the second UPS themed campaign<\/strong><\/a> that we’ve intercepted during June, 2012. In the first campaign, the cybercriminals used malicious .html attachments compared to directly linking to exploits and malware serving sites like we’ve seen in the latest campaign.<\/p>\n

Webroot SecureAnywhere<\/strong><\/a> users are proactively protected from these threats.<\/p>\n

You can find more about Dancho Danchev at his\u00a0LinkedIn Profile<\/a><\/strong>. You can also\u00a0follow him on \u00a0Twitter<\/strong><\/a>.<\/em><\/p>\n","protected":false},"excerpt":{"rendered":"

Cybercriminals are currently spamvertising millions of emails impersonating United Parcel Service (UPS) in an attempt to trick end and corporate users into clicking on exploits and malware serving links found in the malicious emails. What exploits are they using? How widespread is the campaign? Is it an isolated incident, or is the campaign linked to […]<\/p>\n","protected":false},"author":65,"featured_media":17048,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[3005],"tags":[],"yst_prominent_words":[11087,11073,11089,11075,10907,10897,11069,3871,11079,10185,11085,11081,11071,11077,22935,4027,11083],"acf":[],"_links":{"self":[{"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/posts\/7225"}],"collection":[{"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/users\/65"}],"replies":[{"embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/comments?post=7225"}],"version-history":[{"count":2,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/posts\/7225\/revisions"}],"predecessor-version":[{"id":25361,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/posts\/7225\/revisions\/25361"}],"wp:featuredmedia":[{"embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/media\/17048"}],"wp:attachment":[{"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/media?parent=7225"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/categories?post=7225"},{"taxonomy":"post_tag","embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/tags?post=7225"},{"taxonomy":"yst_prominent_words","embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/yst_prominent_words?post=7225"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}