{"id":8257,"date":"2012-10-15T12:00:36","date_gmt":"2012-10-15T19:00:36","guid":{"rendered":"http:\/\/blog.webroot.com\/?p=8257"},"modified":"2018-10-05T11:29:39","modified_gmt":"2018-10-05T17:29:39","slug":"cybercriminals-impersonate-ups-serve-client-side-exploits-and-malware","status":"publish","type":"post","link":"https://www.webroot.com/blog/2012\/10\/15\/cybercriminals-impersonate-ups-serve-client-side-exploits-and-malware\/","title":{"rendered":"Cybercriminals impersonate UPS, serve client-side exploits and malware"},"content":{"rendered":"

Over the past 24 hours, cybercriminals spamvertised millions of email addresses, impersonating UPS, in an attempt to trick end users into viewing the malicious .html attachment. Upon viewing, the file loads a tiny iFrame attempting to serve client-side exploit served by the latest version of the Black Hole Exploit kit, which ultimately drops malware on the affected host.<\/p>\n

More details:<\/p>\n

<\/p>\n

Sample screenshot of the spamvertised email:<\/p>\n

\"\"<\/a><\/p>\n

Sample malicious iFrame URLs found in multiple malicious .html files:<\/strong>\u00a0hxxp:\/\/denegnashete.ru:8080\/forum\/links\/column.php<\/em>; hxxp:\/\/soisokdomen.ru:8080\/forum\/links\/column.php<\/em>; hxxp:\/\/diareuomop.ru:8080\/forum\/links\/column.php<\/em>; hxxp:\/\/omahabeachs.ru:8080\/forum\/links\/column.php<\/em> ;hxxp:\/\/penelopochka.ru:8080\/forum\/showthread.php?page<\/em>; hxxp:\/\/furnitura-forums.ru:8080\/forum\/showthread.php?page<\/em>; hxxp:\/\/onerussiaboard.ru:8080\/forum\/showthread.php?page<\/em>; hxxp:\/\/online-gaminatore.ru:8080\/forum\/showthread.php<\/em>; hxxp:\/\/bmwforummsk.ru:8080\/forum\/showthread.php?page<\/em><\/p>\n

Sample detection rate for a malicious .html file found in the spamvertised emails<\/strong>:\u00a0UPS_N21489880.htm – MD5: 38a2a54d6e7391d7cd00b50ed76b9cfb<\/strong><\/a> – detected by 26 out of 43 antivirus scanners as Trojan.Iframe.BCK; Trojan-Downloader.JS.Iframe.dbh<\/p>\n

\"\"<\/a><\/p>\n

Client-side exploits serving URL:<\/strong>\u00a0hxxp:\/\/denegnashete.ru:8080\/forum\/data\/java.jar<\/em> – MD5:\u00a086946ec2d2031f2b456e804cac4ade6d<\/strong><\/a> – detected by 25 out of 43 antivirus scanners as\u00a0Java\/Cve-2012-1723;\u00a0Exploit:Java\/CVE-2012-4681.H<\/p>\n

denegnashete.ru<\/strong> is currently responding to the following IPs – 84.22.100.108; 190.10.14.196; 203.80.16.81; 61.17.76.12; 213.135.42.98<\/p>\n

\"\"<\/a><\/p>\n

Related malicious domains part of the campaign’s infrastructure:<\/strong>
\nrumyniaonline.ru<\/strong> – 84.22.100.108
\ndenegnashete.ru<\/strong> – 84.22.100.108
\ndimabilanch.ru<\/strong> – 84.22.100.108
\nioponeslal.ru<\/strong> – 84.22.100.108
\nmoskowpulkavo.ru<\/strong> – 84.22.100.108
\nomahabeachs.ru<\/strong> – 84.22.100.108
\nuzoshkins.ru<\/strong> – 84.22.100.108
\nsectantes-x.ru<\/strong> – 84.22.100.108<\/p>\n

Name servers part of the campaign’s infrastructure:<\/strong>
\nns1.denegnashete.ru<\/strong> – 62.76.190.50
\nns2.denegnashete.ru<\/strong> – 87.120.41.155
\nns3.denegnashete.ru<\/strong> – 132.248.49.112
\nns4.denegnashete.ru<\/strong> – 91.194.122.8
\nns5.denegnashete.ru<\/strong> – 62.76.188.246
\nns6.denegnashete.ru<\/strong> – 178.63.51.54<\/p>\n

This isn’t the first time that cybercriminals have impersonated UPS. Go through related analysis of previous campaigns impersonating the company:<\/p>\n