Over the last couple of hours, cybercriminals have started spamvertising millions of emails pretending to be coming from HP ScanJet scanner, in an attempt to trick end and and corporate users into downloading and viewing the malicious .html attachment.
Upon viewing, the document loads the invisible iFrame script, ultimately redirecting the user to a landing URL courtesy of the Black Hole web malware exploitation kit.
More details:
The ongoing spam campaign is using both, zip attachments containing a malicious executable, and a malicious iFrame loading .html file. Let’s take a closer look at the dynamics behind the campaigns.
Spamvertised subject: Scan from a Hewlett-Packard ScanJet #[random number]
Client-side exploits serving URls: hxxp://mirdymas.ru:8080/forum/showthread.php?page=5fa58bce769e5c2c; hxxp://anapoli.ru:8080/forum/showthread.php?page=5fa58bce769e5c2c
Client-side exploits served: CVE-2010-0188; CVE-2010-1885
Detection rate for a sample malicious .html attachment: MD5: 2e12ae0e2472bcd43e4f08e82faaf561 – detected by 16 out of 42 antivirus scanners as Trojan-Clicker.JS.Iframe.gr; Trojan:JS/BlacoleRef.W
Detection rate for a sample spamvertised malicious .zip archive: MD5: 41f6cd9df05fa7d880061651235d50e0 – detected by 30 out of 41 antivirus scanners as Trojan-Ransom.Win32.PornoAsset!IK; TrojanDownloader.Win32.Deliver.st.
Upon successful client-side exploitation, the campaign drops MD5: 4e0053fe00b65627c07dc8c85c85a351 – detected by 31 out of 42 antivirus scanners as Trojan.Generic.KDV.696365; Trojan.Win32.Yakes.antc; and MD5: 7fe4d2e52b6f3f22b2f168e8384a757e – detected by 28 out of 42 antivirus scanners as Trojan.Win32.Buzus.lxwt; Worm:Win32/Cridex.E.
Once executed, the samples phones back to 87.120.41.155:8080/mx5/in. In fact, we already seen another campaign using the same command and control server, namely, the malicious spam campaign impersonating 123greetings.com. Clearly, both of these campaigns are launched by the same cybercriminal/gang of cybercriminals.
Now let’s take a deeper look into the malicious Black Hole exploit kit landing URLs.
anapoli.ru – 50.56.92.47; 190.120.228.92; 203.80.16.81
Name servers part of the campaign’s infrastructure:
ns1.anapoli.ru – 85.143.166.186
ns2.anapoli.ru – 203.172.140.202
ns3.anapoli.ru – 87.120.41.155
ns4.anapoli.ru – 173.224.208.60
ns5.anapoli.ru – 132.248.49.112
Responding to the same IPs are the following malicious domains and command and control servers:
penelopochka.ru
sergikgorec.ru
kolmykiaonline.ru
mskoblastionline.ru
panalki.ru
flumifrator2unix.ru
mirdymas.ru – 71.89.140.153; 46.51.218.71; 203.80.16.81
Name servers part of the campaign’s infrastructure:
ns1.mirdymas.ru – 85.143.166.186
ns2.mirdymas.ru – 203.172.140.202
ns3.mirdymas.ru – 87.120.41.155
ns4.mirdymas.ru – 173.224.208.60
ns5.mirdymas.ru – 132.248.49.112
Responding to 71.89.140.153 are also the following malicious domains and command and control servers:
gorysevera.ru
pussyriotss.ru
spb-koalitia.ru
ashanrestaurant.ru
panamamoskow.ru
onerussiaboard.ru
We’ve already seen some of these domains in the recently profiled spam campaign that was impersonating 123greetings.com in an attempt to trick end and corporate users into clicking on exploits and malware serving links.
Related name servers used in the campaign’s infrastructure:
gorysevera.ru
ns1.gorysevera.ru – 62.76.190.208
ns2.gorysevera.ru – 203.172.140.202
ns3.gorysevera.ru – 87.120.41.155
ns4.gorysevera.ru – 173.224.208.60
ns5.gorysevera.ru – 132.248.49.112
pussyriotss.ru
ns1.pussyriotss.ru – 62.76.190.208
ns2.pussyriotss.ru – 203.172.140.202
ns3.pussyriotss.ru – 87.120.41.155
ns4.pussyriotss.ru – 173.224.208.60
ns5.pussyriotss.ru – 62.76.188.138
spb-koalitia.ru
ns1.spb-koalitia.ru – 62.76.190.208
ns2.spb-koalitia.ru – 203.172.140.202
ns3.spb-koalitia.ru – 87.120.41.155
ns4.spb-koalitia.ru – 173.224.208.60
ns5.spb-koalitia.ru – 62.76.188.138
ashanrestaurant.ru
ns1.ashanrestaurant.ru – 62.76.190.208
ns2.ashanrestaurant.ru – 203.172.140.202
ns3.ashanrestaurant.ru – 87.120.41.155
ns4.ashanrestaurant.ru – 173.224.208.60
ns5.ashanrestaurant.ru – 132.248.49.112
panamamoskow.ru
ns1.panamamoskow.ru – 62.76.190.208
ns2.panamamoskow.ru – 203.172.140.202
ns3.panamamoskow.ru – 87.120.41.155
ns4.panamamoskow.ru – 173.224.208.60
ns5.panamamoskow.ru – 62.76.188.138
onerussiaboard.ru
ns1.onerussiaboard.ru – 62.76.190.208
ns2.onerussiaboard.ru – 203.172.140.202
ns3.onerussiaboard.ru – 87.120.41.155
ns4.onerussiaboard.ru – 173.224.208.60
ns5.onerussiaboard.ru – 62.76.188.138
The last time we intercepted and profiled a similar campaign, was in March 2012. Back then, the malicious domains were fast-fluxed.
We’ll continue monitoring the development of the campaign, and update this post as soon as new developments emerge.
Webroot SecureAnywhere users are proactively protected from these threats.
You can find more about Dancho Danchev at his LinkedIn Profile. You can also follow him on Twitter.
As of yesterday I can not open my email accounts. I have your product on my computer. Should I call comcast to fix or can you do that? TY
I may have downloaded a Adobe flash yesterday. Since then I have been having difficulty opening my email.