Cybercriminals are currently spamvertising tens of thousands of emails in an attempt to impersonate the recipients’ bank, tricking them into thinking that the Ministry of Finance in their country has introduced new rules for records keeping, and that they need to print and sign a non-existent document.
Once users click on the links found in the malicious emails, they’re automatically exposed to the client-side exploits served by the latest version of the Black Hole Exploit Kit.
More details:
Sample screenshot of the spamvertised email:
Sample spamvertised compromised URLs: hxxp://procenter.se/stats/mail.htm?RANDOM_CHARACTERS ; hxxp://epk.cm.ru/sites/default/files/mail.htm?RANDOM_CHARACTERS
Sample client-side exploits serving URL: hxxp://apendiksator.ru:8080/forum/links/column.php
Malicious domain name reconnaissance:
apendiksator.ru – 91.224.135.20; 210.71.250.131; 187.85.160.106
Name server: ns1.apendiksator.ru – 62.76.186.24
Name server: ns2.apendiksator.ru – 110.164.58.250
Name server: ns3.apendiksator.ru – 42.121.116.38
Name server: ns4.apendiksator.ru – 41.168.5.140
Responding to the same IPs are also the following malicious domains part of the campaign’s infrastructure:
afjdoospf.ru – 91.224.135.20
angelaonfl.ru – 91.224.135.20
akionokao.ru – 91.224.135.20
The following malicious domains/URLs have also been known to respond to 187.85.160.106:
hxxp://bunakaranka.ru/
hxxp://bumarazhkaio.ru:8080/forum/links/public_version.php
hxxp://seledkindoms.ru:8080/forum/showthread.php?page=5fa58bce769e5c2c
hxxp://mazdaforumi.ru:8080/forum/w.php?f=182b5&e=2
hxxp://immerialtv.ru:8080/forum/files/182b5
Although we couldn’t reproduce the malicious payload at apendiksator.ru, we found that the malicious payload served by immerialtv.ru (known to have responded to the same IP) is identical to the MD5 (MD5: 83db494b36bd38646e54210f6fdcbc0d – detected by 34 out of 42 antivirus scanners as VirTool:Win32/CeeInject.). This MD5 was dropped in a previously profiled campaign – “Spamvertised ‘Your Amazon.com order confirmation’ emails serving client-side exploits and malware“, indicating that both of these campaigns are launched by the same cybercriminal/gang of cybercriminals.
Webroot SecureAnywhere users are proactively protected from these threats.
You can find more about Dancho Danchev at his LinkedIn Profile. You can also follow him on Twitter.
