{"id":8577,"date":"2012-11-07T00:00:58","date_gmt":"2012-11-07T07:00:58","guid":{"rendered":"http:\/\/blog.webroot.com\/?p=8577"},"modified":"2018-10-05T11:43:25","modified_gmt":"2018-10-05T17:43:25","slug":"fwd-scan-from-a-xerox-w-pro-themed-emails-lead-to-black-hole-exploit-kit","status":"publish","type":"post","link":"https://www.webroot.com/blog/2012\/11\/07\/fwd-scan-from-a-xerox-w-pro-themed-emails-lead-to-black-hole-exploit-kit\/","title":{"rendered":"‘Fwd: Scan from a Xerox W. Pro’ themed emails lead to Black Hole Exploit Kit"},"content":{"rendered":"

On a periodic basis, malicious cybercriminals spamvertise millions of emails<\/strong><\/a> attempting to trick end users into thinking that they’ve received a scanned document<\/strong><\/a>. Upon clicking on the links found in these emails, or viewing the malicious .html attachment, users are automatically exposed to the client-side exploits served by the latest version of the Black Hole Exploit Kit<\/strong><\/a>.<\/p>\n

In this post, I will profile two currently circulating malicious campaigns. The first is mimicking a Xerox Pro printer, and the second is claiming to be a legitimate Wire Transfer. Both of these campaigns point to the same client-side exploits serving URL, indicating that they’ve been launched by the same cybercriminal\/gang of cybercriminals.<\/p>\n

More details: Sample screenshots of the spamvertised emails:<\/strong><\/p>\n

\"\"<\/a><\/p>\n

\"\"<\/a><\/p>\n

Client-side exploits serving URLs:<\/strong> hxxp:\/\/panalkinew.ru:8080\/forum\/links\/column.php<\/em>; hxxp:\/\/panalkinew.ru:8080\/forum\/links\/column.php?rcgeyqil=0406080806&qkped=36&kwtgtko=3307093738070736060b&ucu=02000200020002<\/em><\/p>\n

Spamvertised compromised URL used in the Wire Transfer themed campaign:<\/strong> hxxp:\/\/www.mm4management.com\/indeaxo.htm<\/em><\/p>\n

Upon loading, the URLs exploit\u00a0CVE-2010-0188<\/strong><\/a> in an attempt to drop a malicious PDF file on the affected host. The sample then drops additional malware.<\/p>\n

Detection rate for a sample javascript obfuscation:<\/strong> MD5: 0a8a06770836493a67ea2e9a1af844bf<\/strong><\/a> – detected by 15 out of 43 antivirus scanners as Mal\/JSRedir-M<\/p>\n

Detection rate for the dropped malware:<\/strong> MD5: 194655f7368438ab01e80b35a5293875<\/strong><\/a> – detected by 25 out of 43 antivirus scanners as Trojan-Ransom.Win32.PornoAsset.avzz<\/p>\n

panalkinew.ru<\/strong> responds to the following IPs – 203.80.16.81, AS24514; 209.51.221.247, AS10297; 213.251.171.30, AS16276<\/p>\n

Responding to the same IPs are also the following malicious domains part of the campaign’s infrastructure:<\/strong>
\nmanekenppa.ru<\/strong>
\nkiladopje.ru<\/strong>
\nlemonadiom.ru<\/strong>
\nfinitolaco.ru<\/strong>
\nfidelocastroo.ru<\/strong>
\nponowseniks.ru<\/strong>
\npanasonicviva.ru<\/strong>
\ngeforceexlusive.ru<\/strong>
\nlimonadiksec.ru<\/strong>
\nlinkrdin.ru<\/strong>
\nsonatanamore.ru<\/strong>
\nsecondhand4u.ru<\/strong>
\nwindowonu.ru<\/strong><\/p>\n

Deja vu! We’ve already seen one of these domains (sonatanamore.ru<\/strong>) used in the recently profiled “\u2018Regarding your Friendster password\u2019 themed emails lead to Black Hole exploit kit<\/strong><\/a>” campaign, indicating that these campaigns have been launched by the same malicious party.<\/p>\n

Name servers used in the campaign’s infrastructure:<\/strong>
\nns1.panalkinew.ru<\/strong> – 62.76.186.190
\nns2.panalkinew.ru<\/strong> – 84.22.100.108
\nns3.panalkinew.ru<\/strong> – 50.22.102.132
\nns4.panalkinew.ru<\/strong> – 213.251.171.30
\nns1.manekenppa.ru<\/strong> – 85.143.166.170
\nns2.manekenppa.ru<\/strong> – 132.248.49.112
\nns3.manekenppa.ru<\/strong> – 84.22.100.108
\nns4.manekenppa.ru<\/strong> – 213.251.171.30
\nns1.kiladopje.ru<\/strong> – 85.143.166.170
\nns2.kiladopje.ru<\/strong> – 132.248.49.112
\nns3.kiladopje.ru<\/strong> – 84.22.100.108
\nns4.kiladopje.ru<\/strong> – 213.251.171.30
\nns1.lemonadiom.ru<\/strong> – 85.143.166.170
\nns2.lemonadiom.ru<\/strong> – 132.248.49.112
\nns3.lemonadiom.ru<\/strong> – 84.22.100.108
\nns4.lemonadiom.ru<\/strong> – 213.251.171.30
\nns1.finitolaco.ru<\/strong> – 85.143.166.170
\nns2.finitolaco.ru<\/strong> – 132.248.49.112
\nns3.finitolaco.ru<\/strong> – 84.22.100.108
\nns4.finitolaco.ru<\/strong> – 213.251.171.30
\nns1.fidelocastroo.ru<\/strong> – 85.143.166.170
\nns2.fidelocastroo.ru<\/strong> – 132.248.49.112
\nns3.fidelocastroo.ru<\/strong> – 84.22.100.108
\nns4.fidelocastroo.ru<\/strong> – 213.251.171.30
\nns1.ponowseniks.ru<\/strong> – 85.143.166.170
\nns2.ponowseniks.ru<\/strong> – 132.248.49.112
\nns3.ponowseniks.ru<\/strong> – 84.22.100.108
\nns4.ponowseniks.ru<\/strong> – 213.251.171.30
\nns1.panasonicviva.ru<\/strong> – 132.248.49.112
\nns2.panasonicviva.ru<\/strong> – 84.22.100.108
\nns3.panasonicviva.ru<\/strong> – 62.76.47.51
\nns1.geforceexlusive.ru<\/strong> – 62.76.47.51
\nns2.geforceexlusive.ru<\/strong> – 132.248.49.112
\nns3.geforceexlusive.ru<\/strong> – 84.22.100.108
\nns4.geforceexlusive.ru<\/strong> – 79.98.27.9
\nns1.limonadiksec.ru<\/strong> – 62.76.46.195
\nns2.limonadiksec.ru<\/strong> – 87.120.41.155
\nns3.limonadiksec.ru<\/strong> – 132.248.49.112
\nns4.limonadiksec.ru<\/strong> – 91.194.122.8
\nns5.limonadiksec.ru<\/strong> – 62.76.188.246
\nns1.linkrdin.ru<\/strong> – 85.143.166.170
\nns2.linkrdin.ru<\/strong> – 132.248.49.112
\nns3.linkrdin.ru<\/strong> – 84.22.100.108
\nns4.linkrdin.ru<\/strong> – 79.98.27.9
\nns1.sonatanamore.ru<\/strong> – 62.76.47.51
\nns2.sonatanamore.ru<\/strong> – 132.248.49.112
\nns3.sonatanamore.ru<\/strong> – 84.22.100.108
\nns1.secondhand4u.ru<\/strong> – 85.143.166.170
\nns2.secondhand4u.ru<\/strong> – 132.248.49.112
\nns3.secondhand4u.ru<\/strong> – 84.22.100.108
\nns4.secondhand4u.ru<\/strong> – 79.98.27.9
\nns1.windowonu.ru<\/strong> – 85.143.166.170
\nns2.windowonu.ru<\/strong> – 132.248.49.112
\nns3.windowonu.ru<\/strong> – 84.22.100.108
\nns4.windowonu.ru<\/strong> – 79.98.27.9
\nns1.panalkinew.ru<\/strong> – 62.76.186.190
\nns2.panalkinew.ru<\/strong> – 84.22.100.108
\nns3.panalkinew.ru<\/strong> – 50.22.102.132
\nns4.panalkinew.ru<\/strong> – 213.251.171.30<\/p>\n

Webroot SecureAnywhere<\/strong><\/a>\u00a0users are proactively protected from these threats.<\/p>\n

You can find more about Dancho Danchev at his\u00a0LinkedIn Profile<\/strong><\/a>. You can also\u00a0follow him on \u00a0Twitter<\/strong><\/a>.<\/em><\/p>\n","protected":false},"excerpt":{"rendered":"

On a periodic basis, malicious cybercriminals spamvertise millions of emails attempting to trick end users into thinking that they’ve received a scanned document. Upon clicking on the links found in these emails, or viewing the malicious .html attachment, users are automatically exposed to the client-side exploits served by the latest version of the Black Hole […]<\/p>\n","protected":false},"author":65,"featured_media":17048,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[3005],"tags":[],"yst_prominent_words":[12457,12459,12263,12303,12461,11341,6187,6177,9563,6193,11733,11729,4911,11343,6189,11737,11735,11731,11747,11745],"acf":[],"_links":{"self":[{"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/posts\/8577"}],"collection":[{"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/users\/65"}],"replies":[{"embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/comments?post=8577"}],"version-history":[{"count":2,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/posts\/8577\/revisions"}],"predecessor-version":[{"id":25503,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/posts\/8577\/revisions\/25503"}],"wp:featuredmedia":[{"embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/media\/17048"}],"wp:attachment":[{"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/media?parent=8577"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/categories?post=8577"},{"taxonomy":"post_tag","embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/tags?post=8577"},{"taxonomy":"yst_prominent_words","embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/yst_prominent_words?post=8577"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}