{"id":7799,"date":"2012-08-21T14:14:37","date_gmt":"2012-08-21T21:14:37","guid":{"rendered":"http:\/\/blog.webroot.com\/?p=7799"},"modified":"2018-10-05T11:17:55","modified_gmt":"2018-10-05T17:17:55","slug":"cybercriminals-spamvertise-bogus-greeting-cards-serve-exploits-and-malware","status":"publish","type":"post","link":"https://www.webroot.com/blog/2012\/08\/21\/cybercriminals-spamvertise-bogus-greeting-cards-serve-exploits-and-malware\/","title":{"rendered":"Cybercriminals spamvertise bogus greeting cards, serve exploits and malware"},"content":{"rendered":"

Think you’ve received an online greeting card from 123greetings.com<\/strong>? Think twice!<\/p>\n

Over the past couple of days, cybercriminals have spamvertised millions of emails impersonating the popular e-card service 123greetings.com<\/strong> in an attempt to trick end and corporate users into clicking on client-side exploits and malware serving links, courtesy of the Black Hole web malware exploitation kit.<\/p>\n

What’s so special about this campaign? Can we connect it to previously spamvertised campaigns profiled at Webroot’s Threat Blog? Let’s find out.<\/p>\n

More details:<\/p>\n

<\/p>\n

Screenshot of the spamvertised email:<\/strong><\/p>\n

\"\"<\/a><\/p>\n

Upon clicking on any of the links found in the malicious emails, users are exposed to the following bogus “Page loading…” page:<\/strong><\/p>\n

\"\"<\/a><\/p>\n

Obfuscated java script redirection:<\/strong><\/p>\n

\"\"<\/a><\/p>\n

Spamvertised malicious URLs:<\/strong>\u00a0hxxp:\/\/bjflm.cn\/postc.html<\/em>; hxxp:\/\/minihotel74.com\/pcard.html<\/em>; hxxp:\/\/wowgame.net.cn\/pcard.html<\/em>; hxxp:\/\/phototula.ru\/postc.html<\/em>; hxxp:\/\/joanjoy.com\/postc.html<\/em>;\u00a0hxxp:\/\/akrepilaclama.org\/wp-content\/plugins\/akismet\/greet.html<\/em>; hxxp:\/\/vinointhevalley.com\/wp-content\/plugins\/akismet\/greet.html<\/em><\/p>\n

Client-side exploits serving URLs:<\/strong>\u00a0hxxp:\/\/remindingwands.org\/main.php?page=861097b084221fd8<\/em> – 78.87.123.114; hxxp:\/\/voicecontroldevotes.info\/main.php?page=6df8994172330e77; hxxp:\/\/immigrationunix.pro\/main.php?page=28677a727aff0456<\/em><\/p>\n

Client-side exploits served:<\/strong>\u00a0CVE-2010-1885<\/em><\/a><\/p>\n

Upon sucessful exploitation, the campaign drops MD5: 42307705ad637c615a6ed5fbf1e755d1<\/strong><\/a> – detected by 25 out of 42 antivirus scanners as Trojan.Win32.Yakes.ansm; Mal\/Katusha-I.<\/p>\n

Upon successful execution, the sample phones back to 87.120.41.155:8080\/mx5\/B\/in<\/strong><\/p>\n

More MD5s are known to have phoned back to the same command and control server, such as for instance:<\/p>\n

MD5: b11421acddbfc94544482d1846ba6d97<\/strong><\/a>
\nMD5: 4e0053fe00b65627c07dc8c85c85a351<\/strong><\/a>
\nMD5: 90d1b3367e97f384af029b0f1674f7ff<\/strong><\/a>
\nMD5: d2be252de958b7435279c6e8f270de4e<\/strong><\/a><\/p>\n

87.120.41.155<\/strong> is actually a name server offering DNS resolving services to related malicious and command and control servers part of the campaign such as:
\nspb-koalitia.ru<\/strong>
\nonerussiaboard.ru<\/strong>
\nmysqlfordummys.ru<\/strong>
\nonline-gaminatore.ru<\/strong>
\nleprisoruim.ru<\/strong>
\nswitched-games.ru<\/strong>
\nipadvssonyx.ru<\/strong>
\nonline-cammunity.ru<\/strong>
\nzenedin-zidane.ru<\/strong>
\nporschedesignrussia.ru<\/strong><\/p>\n

Associated malicious name servers part of the campaign’s infrastructure:
\nns1.spb-koalitia.ru<\/strong> – 62.76.190.208
\nns2.spb-koalitia.ru<\/strong> – 203.172.140.202
\nns3.spb-koalitia.ru<\/strong> – 87.120.41.155
\nns4.spb-koalitia.ru<\/strong> – 173.224.208.60
\nns5.spb-koalitia.ru<\/strong> – 62.76.188.138<\/p>\n

ns1.onerussiaboard.ru<\/strong> – 62.76.190.208
\nns2.onerussiaboard.ru<\/strong> – 203.172.140.202
\nns3.onerussiaboard.ru<\/strong> – 87.120.41.155
\nns4.onerussiaboard.ru<\/strong> – 173.224.208.60
\nns5.onerussiaboard.ru<\/strong> – 62.76.188.138<\/p>\n

ns1.mysqlfordummys.ru<\/strong> – 62.76.190.208
\nns2.mysqlfordummys.ru<\/strong> – 203.172.140.202
\nns3.mysqlfordummys.ru<\/strong> – 87.120.41.155
\nns4.mysqlfordummys.ru<\/strong> – 173.224.208.60
\nns5.mysqlfordummys.ru<\/strong> – 62.76.188.138<\/p>\n

ns1.online-gaminatore.ru<\/strong> – 62.213.64.161
\nns2.online-gaminatore.ru<\/strong> – 85.143.166.243
\nns3.online-gaminatore.ru<\/strong> – 41.66.137.155
\nns4.online-gaminatore.ru<\/strong> – 184.106.189.124
\nns5.online-gaminatore.ru<\/strong> – 203.172.140.202
\nns6.online-gaminatore.ru<\/strong> – 87.120.41.155<\/p>\n

ns1.leprisoruim.ru<\/strong> – 62.76.190.208
\nns2.leprisoruim.ru<\/strong> – 203.172.140.202
\nns3.leprisoruim.ru<\/strong> – 87.120.41.155
\nns4.leprisoruim.ru<\/strong> – 173.224.208.60
\nns5.leprisoruim.ru<\/strong> – 62.76.188.138<\/p>\n

ns1.switched-games.ru<\/strong> – 62.213.64.161
\nns2.switched-games.ru<\/strong> – 85.143.166.243
\nns3.switched-games.ru<\/strong> – 41.66.137.155
\nns4.switched-games.ru<\/strong> – 184.106.189.124
\nns5.switched-games.ru<\/strong> – 203.172.140.202
\nns6.switched-games.ru<\/strong> – 87.120.41.155<\/p>\n

ns1.ipadvssonyx.ru<\/strong> => 62.76.190.208
\nns2.ipadvssonyx.ru<\/strong> => 203.172.140.202
\nns3.ipadvssonyx.ru<\/strong> => 87.120.41.155
\nns4.ipadvssonyx.ru<\/strong> => 173.224.208.60
\nns5.ipadvssonyx.ru<\/strong> => 62.76.188.138<\/p>\n

ns1.online-cammunity.ru<\/strong> – 62.76.190.208
\nns2.online-cammunity.ru<\/strong> – 203.172.140.202
\nns3.online-cammunity.ru<\/strong> – 87.120.41.155
\nns4.online-cammunity.ru<\/strong> – 173.224.208.60
\nns5.online-cammunity.ru<\/strong> – 62.76.188.138<\/p>\n

ns1.zenedin-zidane.ru<\/strong> – 62.213.64.161
\nns2.zenedin-zidane.ru<\/strong> – 85.143.166.243
\nns3.zenedin-zidane.ru<\/strong> – 41.66.137.155
\nns4.zenedin-zidane.ru<\/strong> – 184.106.189.124
\nns5.zenedin-zidane.ru<\/strong> – 203.172.140.202
\nns6.zenedin-zidane.ru<\/strong> – 87.120.41.155<\/p>\n

ns1.porschedesignrussia.ru<\/strong> – 62.213.64.161
\nns2.porschedesignrussia.ru<\/strong> – 85.143.166.243
\nns3.porschedesignrussia.ru<\/strong> – 41.66.137.155
\nns4.porschedesignrussia.ru<\/strong> – 184.106.189.124
\nns5.porschedesignrussia.ru<\/strong> – 203.172.140.202
\nns6.porschedesignrussia.ru<\/strong> – 87.120.41.155<\/p>\n

Related client-side exploits and malware serving URLs spamvertised in the same campaign, also drop MD5: cd0aac6df71fa28d4564406a24f7e1a2<\/strong><\/a> – detected by 28 out of 42 antivirus scanners as Gen:Variant.Zusy.15382; P2P-Worm.Win32.Palevo.fbvx<\/p>\n

The second sample phones back to 87.204.199.100:8080\/mx5\/B\/in\/<\/strong> not surprisingly, we’ve already seen this command and control server used in numerous profiled campaigns, such as, for instance, the AT&T Billing Center impersonation<\/strong><\/a> one, the Craigslist spam campaign<\/strong><\/a>, the PayPal spam campaign<\/strong><\/a>, the eBay spam campaign<\/strong><\/a>, and the American Airlines themed spam campaign<\/strong><\/a>.<\/p>\n

Webroot SecureAnywhere<\/strong><\/a>\u00a0users are proactively protected from these threats.<\/p>\n

You can find more about Dancho Danchev at his\u00a0LinkedIn Profile<\/strong><\/a>. You can also\u00a0follow him on \u00a0Twitter<\/strong><\/a>.<\/em><\/p>\n","protected":false},"excerpt":{"rendered":"

Think you’ve received an online greeting card from 123greetings.com? Think twice! Over the past couple of days, cybercriminals have spamvertised millions of emails impersonating the popular e-card service 123greetings.com in an attempt to trick end and corporate users into clicking on client-side exploits and malware serving links, courtesy of the Black Hole web malware exploitation […]<\/p>\n","protected":false},"author":65,"featured_media":17048,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[3005],"tags":[],"yst_prominent_words":[11803,10907,10897,11801,3871,3881,9563,10103,11129,4863,8965,11809,10109,11077,11153,5717,11807,11805,7077,3471],"acf":[],"_links":{"self":[{"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/posts\/7799"}],"collection":[{"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/users\/65"}],"replies":[{"embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/comments?post=7799"}],"version-history":[{"count":2,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/posts\/7799\/revisions"}],"predecessor-version":[{"id":25407,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/posts\/7799\/revisions\/25407"}],"wp:featuredmedia":[{"embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/media\/17048"}],"wp:attachment":[{"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/media?parent=7799"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/categories?post=7799"},{"taxonomy":"post_tag","embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/tags?post=7799"},{"taxonomy":"yst_prominent_words","embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/yst_prominent_words?post=7799"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}