Cybercriminals are currently spamvertising millions of emails impersonating the Windstream Corporation, in an attempt to trick end and corporate users into clicking on links found in the malicious email.

Upon clicking on the links hosted on compromised web sites, users are exposed to client-side exploits served by the BlackHole web malware exploitation kit.

More details:

Screenshot of a sample malicious email used by the cybercriminals:

Spamvertised URL: hxxp://madaboutleisure.wsini.com/Ua8ndKkr/index.html?s=883&lid=2325&elq=11f7b1b5179f45b09737bdf10d0fe61f

Redirects to: hxxp://108.170.18.39/search.php?q=fa16f5d3def51288 (responding to mx39.diplomaconnection.org), AS20454, ASN-HIGHHO

Client-side exploits served: CVE-2010-1885

Redirection chain for the client-side exploit: hxxp://madaboutleisure.wsini.com/Ua8ndKkr/index.html?s=883&lid=2325&elq=11f7b1b5179f45b09737bdf10d0fe61 ->
hxxp://icanquit.co.uk/wvGCntXp/js.js -> hxxp://108.170.18.39/search.php?q=fa16f5d3def51288 -> hxxp://108.170.18.39/Set.jar -> hxxp://108.170.18.39/data/ap2.phpi

Upon successful exploitation, two executables are dropped on the infected hosts, MD5: 088ff8b667d3e6a6f968ad6b41aa4fb0 and MD5: 1b1bbf726902beb3b25d11fbdc58720f – detected by 11 out of 42 antivirus scanners as Worm:Win32/Gamarue.I; Gen:Variant.Kazy.72780.

Webroot SecureAnywhere users are proactively protected from this threat.

You can find more about Dancho Danchev at his LinkedIn Profile. You can also follow him on  Twitter.

Blog Staff

About the Author

Blog Staff

The Webroot blog offers expert insights and analysis into the latest cybersecurity trends. Whether you’re a home or business user, we’re dedicated to giving you the awareness and knowledge needed to stay ahead of today’s cyber threats.

Share This