By Dancho Danchev
Cybercriminals are currently spamvertising millions of emails impersonating United Parcel Service (UPS) in an attempt to trick end and corporate users into clicking on exploits and malware serving links found in the malicious emails. What exploits are they using? How widespread is the campaign? Is it an isolated incident, or is the campaign linked to more malicious activity?
Screenshots of the spamvertised campaign:
Upon clicking on the link, users are exposed to the following bogus page displaying additional information about the package:
Sample spamvertised malicious URLs: hxxp://andreascookies.com/deliv.html; hxxp://selcoelectrical.co.uk/deliv.html; hxxp://nepa.com.np/deliv.html; hxxp://it-agency-job-opportunities.com//track.html; hxxp://agarcia.tv/wp-content/uploads/fgallery/track.html; hxxp://samsung40lcdtvlnt4061f.uwcblog.com/spss.html
Detection rate for the client-side exploit serving page: devil.html – MD5: f9a47465f88bb76d1987fba6ffc72db7 – detected by 2 out of 42 antivirus scanners as JS/Obfuscus.AACB!tr; HEUR:Trojan.Script.Generic
Client-side exploitation chain: hxxp://savecoralz.net/main.php?page=2a709dab1e660eaf -> hxxp://savecoralz.net/Set.jar
Second client-side exploitation chain seen in the same campaign: hxxp://abilenepaint.net/main.php?page=c3c45bf60719e629 -> hxxp://abilenepaint.net/Half.jar
Upon clicking on the link, the campaign is serving client-side exploits using the Black Hole web malware exploitation kit, and in this particular campaign it’s attempting to exploit CVE-2010-1885 and CVE-2012-0507.
Once the client-side exploitation takes place, the campaign drops MD5: 202d24597758dc5f190bf63527712af0 – detected by 2 out of 42 antivirus scanners as Trojan/Win32.Hrup; Suspicious.Cloud.5
Info on the client-side exploit serving domain: savecoralz.net – 188.8.131.52; 184.108.40.206; name servers: NS1.GRAPECOMPUTERS.NET; NS2.GRAPECOMPUTERS.NET – Email: firstname.lastname@example.org
The following malware-serving domains are also using the same name servers:
Info on the second client-side exploits serving domain observed in the campaign: abilenepaint.net – 220.127.116.11 (known to have also responding to 18.104.22.168 (stafffire.net) – Email: email@example.com Name servers: ns1.asiazmile.net, ns2.asiazmile.net
More domains known to be using the same name servers as abilenepaint.net
Client-side exploitation chain: hxxp://abilenepaint.net/main.php?page=c3c45bf60719e629 -> hxxp://abilenepaint.net/Half.jar
Upon successful client-side exploitation the second malicious URL drops MD5: 5e187c293a563968dd026fae02194cfa, detected by 3 out of 42 antivirus scanners as PAK_Generic.001. Upon execution it creates the following file:
%AppData%\KB00121600.exe – MD5: 5E187C293A563968DD026FAE02194CFA – detected by 3 out of 42 antivirus scanners as PAK_Generic.001
Upon execution, the sample phones back to 22.214.171.124/zb/v_01_b/in on port 8080. Another sample is known to have phoned back to the same URL, namely, MD5: 108F10F0921F2B4FCA87FE6E620D21EF which phones back to:
u2006a.exe has a MD5 of MD5: c5fcee018e9b80a2574d98189684ba2a, and is detected by 4 out of 42 antivirus scanners as Worm.Win32.AutoRun.dtaf.
This is the second UPS themed campaign that we’ve intercepted during June, 2012. In the first campaign, the cybercriminals used malicious .html attachments compared to directly linking to exploits and malware serving sites like we’ve seen in the latest campaign.
Webroot SecureAnywhere users are proactively protected from these threats.