Over the past 24 hours, cybercriminals have started spamvertising millions of emails impersonating the United Parcel Service (UPS) in an attempt to trick end users and corporate users into previewing a malicious .html attachment. Once the attachment is previewed, a tiny iframe embedded in it attempts to load a landing URL that serves client-side exploits, courtesy of the Black Hole web malware exploitation kit.
More details:
Sample screenshot of the spamvertised email:
Sample URL serving client-side exploits: hxxp://mskoblastionline.ru:8080/forum/showthread.php?page=5fa58bce769e5c2c
Sample exploits served: CVE-2010-0188; CVE-2010-1885
Upon successful client-side exploitation, the campaign drops MD5: 7fe4d2e52b6f3f22b2f168e8384a757e – detected by 28 out of 42 antivirus scanners as Worm:Win32/Cridex.E; Trojan.Win32.Buzus.lxwt
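As an added example, not part of the original post, here is a defender-side check that a mail gateway or analyst could run over an .html attachment of this kind: it parses the HTML, collects every iframe, and flags frames that are tiny or hidden, point to an external host, or use the /forum/showthread.php?page=<16 hex digits> shape of the sample landing URL above. The attachment, its hostname and its page token are constructed placeholders.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample attachment; hostname and page token are placeholders, not real indicators.
SAMPLE_ATTACHMENT = """<html><body>
<p>UPS Delivery Notification: your parcel could not be delivered, see the attached document.</p>
<iframe src="http://landing.example.invalid:8080/forum/showthread.php?page=0123456789abcdef"
        width="1" height="1" style="visibility: hidden"></iframe>
</body></html>"""

# Landing-page path and 16-hex-digit page token, the shape of the sample URL in the post.
LANDING_PATH = re.compile(r"/forum/showthread\.php$")
PAGE_TOKEN = re.compile(r"^page=[0-9a-f]{16}$")

class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> tag in the document."""
    def __init__(self):
        super().__init__()
        self.iframes = []
    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append(dict(attrs))

def is_tiny_or_hidden(attrs):
    """True when the frame is at most 1 px wide or high, or hidden via inline style."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    if "visibility:hidden" in style or "display:none" in style:
        return True
    sizes = [str(attrs.get(k, "")).rstrip("px") for k in ("width", "height")]
    return any(s.isdigit() and int(s) <= 1 for s in sizes)

def scan_html_attachment(html, min_reasons=2):
    """Return [(src, reasons)] for iframes matching at least min_reasons heuristics."""
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src") or ""
        u = urlparse(src)
        reasons = []
        if u.scheme in ("http", "https") and u.netloc:
            reasons.append("points to an external host")
        if is_tiny_or_hidden(attrs):
            reasons.append("tiny or hidden frame")
        if LANDING_PATH.search(u.path) and PAGE_TOKEN.match(u.query):
            reasons.append("Black Hole style landing path")
        if len(reasons) >= min_reasons:
            findings.append((src, reasons))
    return findings
```

Requiring two heuristics keeps an ordinary, visible iframe to a legitimate site from being flagged on its own.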
The landing domain mskoblastionline.ru resolves to 50.56.92.47; 190.120.228.92; 203.80.16.81
Name servers part of the campaign’s infrastructure:
Other malicious command and control domains also respond from these IPs.
We’ve already seen these domains and IPs used in previously profiled campaigns, such as “Spamvertised ‘Fwd: Scan from a Hewlett-Packard ScanJet’ emails lead to Black Hole exploit kit” and “Cybercriminals impersonate Intuit Market, mass mail millions of exploits and malware serving emails”.
This isn’t the first time we’ve profiled malicious campaigns impersonating the United Parcel Service. Consider going through related posts profiling the dynamics of related campaigns:
- Cybercriminals impersonate UPS in client-side exploits and malware serving spam campaign
- Spamvertised ‘UPS Delivery Notification’ emails serving client-side exploits and malware
- Spamvertised ‘Your UPS delivery tracking’ emails serving client-side exploits and malware
Webroot SecureAnywhere users are proactively protected from this threat.
You can find more about Dancho Danchev at his LinkedIn Profile. You can also follow him on Twitter.