Cybercriminals are currently spamvertising millions of emails impersonating United Parcel Service (UPS) in an attempt to trick end and corporate users into clicking on exploits and malware serving links found in the malicious emails. What exploits are they using? How widespread is the campaign? Is it an isolated incident, or is the campaign linked to more malicious activity?
More details:
Screenshots of the spamvertised campaign:
Upon clicking on the link, users are exposed to the following bogus page displaying additional information about the package:
Sample spamvertised malicious URLs: hxxp://andreascookies.com/deliv.html; hxxp://selcoelectrical.co.uk/deliv.html; hxxp://nepa.com.np/deliv.html; hxxp://it-agency-job-opportunities.com//track.html; hxxp://agarcia.tv/wp-content/uploads/fgallery/track.html; hxxp://samsung40lcdtvlnt4061f.uwcblog.com/spss.html
Detection rate for the client-side exploit serving page: devil.html – MD5: f9a47465f88bb76d1987fba6ffc72db7 – detected by 2 out of 42 antivirus scanners as JS/Obfuscus.AACB!tr; HEUR:Trojan.Script.Generic
Client-side exploitation chain: hxxp://savecoralz.net/main.php?page=2a709dab1e660eaf -> hxxp://savecoralz.net/Set.jar
Second client-side exploitation chain seen in the same campaign: hxxp://abilenepaint.net/main.php?page=c3c45bf60719e629 -> hxxp://abilenepaint.net/Half.jar
Upon clicking on the link, the campaign is serving client-side exploits using the Black Hole web malware exploitation kit, and in this particular campaign it’s attempting to exploit CVE-2010-1885 and CVE-2012-0507.
Once the client-side exploitation takes place, the campaign drops MD5: 202d24597758dc5f190bf63527712af0 – detected by 2 out of 42 antivirus scanners as Trojan/Win32.Hrup; Suspicious.Cloud.5
Info on the client-side exploit serving domain: savecoralz.net – 109.164.221.176; 46.162.27.165; name servers: NS1.GRAPECOMPUTERS.NET; NS2.GRAPECOMPUTERS.NET – Email: clinicadelta@aol.com
The following malware-serving domains are also using the same name servers:
synergyledlighting.net
stafffire.net
thai4me.com
energirans.net
hapturing.net
housespect.net
synetworks.net
110hobart.com
perikanzas.com
abc-spain.net
migdaliasbistro.net
themeparkoupons.net
icemed.net
sony-zeus.net
mynourigen.net
georgekinsman.net
ekotastic.net
torsax.net
popzulu.net
arizonacentennialmens.com
Info on the second client-side exploits serving domain observed in the campaign: abilenepaint.net – 79.142.67.135 (known to have also responding to 109.169.86.139 (stafffire.net) – Email: ezvalu@live.com Name servers: ns1.asiazmile.net, ns2.asiazmile.net
More domains known to be using the same name servers as abilenepaint.net
stafffire.net
alamedapaint.net
asiazmile.net
Client-side exploitation chain: hxxp://abilenepaint.net/main.php?page=c3c45bf60719e629 -> hxxp://abilenepaint.net/Half.jar
Upon successful client-side exploitation the second malicious URL drops MD5: 5e187c293a563968dd026fae02194cfa, detected by 3 out of 42 antivirus scanners as PAK_Generic.001. Upon execution it creates the following file:
%AppData%KB00121600.exe – MD5: 5E187C293A563968DD026FAE02194CFA – detected by 3 out of 42 antivirus scanners as PAK_Generic.001
Upon execution, the sample phones back to 123.49.61.59/zb/v_01_b/in on port 8080. Another sample is known to have phoned back to the same URL, namely, MD5: 108F10F0921F2B4FCA87FE6E620D21EF which phones back to:
hxxp://123.49.61.59:8080/zb/v_01_a/in/
hxxp://91.121.103.143:8080/zb/v_01_a/.upd/u2006a.exe
u2006a.exe has a MD5 of MD5: c5fcee018e9b80a2574d98189684ba2a, and is detected by 4 out of 42 antivirus scanners as Worm.Win32.AutoRun.dtaf.
This is the second UPS themed campaign that we’ve intercepted during June, 2012. In the first campaign, the cybercriminals used malicious .html attachments compared to directly linking to exploits and malware serving sites like we’ve seen in the latest campaign.
Webroot SecureAnywhere users are proactively protected from these threats.
You can find more about Dancho Danchev at his LinkedIn Profile. You can also follow him on Twitter.
