Spamvertised ‘Wire Transfer Confirmation’ themed emails lead to Black Hole exploit kit


By Dancho Danchev

Over the past 24 hours, cybercriminals started spamvertising millions of emails impersonating the United Parcel Service (UPS) in an attempt to trick end users and corporate users into previewing a malicious .html attachment. When the attachment is rendered, a tiny iframe embedded in it loads a landing URL that serves client-side exploits, courtesy of the Black Hole web malware exploitation kit.

More details:

Sample screenshot of the spamvertised email:

Sample client-side exploits serving URL: hxxp://mskoblastionline.ru:8080/forum/showthread.php?page=5fa58bce769e5c2c

Sample exploits served: CVE-2010-0188 (Adobe Reader/Acrobat TIFF handling, delivered as a malicious PDF); CVE-2010-1885 (Windows Help and Support Center hcp:// protocol handler)

Upon successful client-side exploitation, the campaign drops a payload with MD5 7fe4d2e52b6f3f22b2f168e8384a757e, detected by 28 out of 42 antivirus scanners as Worm:Win32/Cridex.E and Trojan.Win32.Buzus.lxwt.

mskoblastionline.ru resolves to 50.56.92.47; 190.120.228.92; 203.80.16.81

Name servers part of the campaign’s infrastructure:
ns1.mskoblastionline.ru – 85.143.166.186
ns2.mskoblastionline.ru – 203.172.140.202
ns3.mskoblastionline.ru – 87.120.41.155
ns4.mskoblastionline.ru – 173.224.208.60
ns5.mskoblastionline.ru – 132.248.49.112

The same IPs also serve the following malicious command and control domains:

penelopochka.ru
sergikgorec.ru
kolmykiaonline.ru
mskoblastionline.ru
panalki.ru
anapoli.ru
flumifrator2unix.ru
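Two checks a defender would want to run on the material above, as an added example that is not part of the original post: a parser that flags the hidden-iframe trick in an .html attachment, and a pass over proxy log lines for the campaign domains, IPs and the landing URL shape. The sample attachment and the proxy log lines are constructed for the example (the URL is defanged with hxxp://), and the path pattern `/forum/showthread.php?page=<16 hex characters>` is generalised from the single sample URL in the post, so treat it as an assumption rather than a kit signature.

```python
import re
from html.parser import HTMLParser

# Constructed sample attachment (not the real capture): a decoy paragraph plus a
# 1x1 hidden iframe pointing at the landing URL quoted in the post, defanged.
SAMPLE_ATTACHMENT = """<html><body>
<p>Your UPS confirmation is loading, please wait...</p>
<iframe src="hxxp://mskoblastionline.ru:8080/forum/showthread.php?page=5fa58bce769e5c2c"
        width="1" height="1" style="visibility:hidden"></iframe>
</body></html>"""

# Constructed proxy log lines: timestamp, client, method, target, status.
SAMPLE_PROXY_LOG = [
    "2012-06-19T10:00:01 10.0.0.5 GET http://mskoblastionline.ru:8080/forum/showthread.php?page=5fa58bce769e5c2c 200",
    "2012-06-19T10:00:02 10.0.0.7 GET http://www.example.com/ 200",
    "2012-06-19T10:00:03 10.0.0.9 CONNECT 203.80.16.81:443 200",
]

# Indicators taken verbatim from the post.
IOC_DOMAINS = {
    "mskoblastionline.ru", "penelopochka.ru", "sergikgorec.ru", "kolmykiaonline.ru",
    "panalki.ru", "anapoli.ru", "flumifrator2unix.ru",
}
IOC_IPS = {"50.56.92.47", "190.120.228.92", "203.80.16.81"}

# Assumed generalisation of the sample landing URL: showthread.php?page=<16 hex>.
BLACKHOLE_LANDING = re.compile(r"/showthread\.php\?page=[0-9a-f]{16}\b", re.I)


class IframeCollector(HTMLParser):
    """Collects the attributes of every <iframe> in the document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _dimension(value):
    m = re.match(r"\s*(\d+)", value or "")
    return int(m.group(1)) if m else None


def is_hidden(attrs):
    """True for the tiny or CSS-hidden iframes exploit kits rely on."""
    w, h = _dimension(attrs.get("width")), _dimension(attrs.get("height"))
    style = attrs.get("style", "").lower().replace(" ", "")
    tiny = (w is not None and w <= 2) or (h is not None and h <= 2)
    return tiny or "display:none" in style or "visibility:hidden" in style


def refang(url):
    return re.sub(r"^hxxp", "http", url, flags=re.I)


def host_of(url):
    m = re.match(r"^[a-z]+://([^/:]+)", refang(url), re.I)
    return m.group(1).lower() if m else ""


def analyse_attachment(html):
    """Returns [(iframe src, [reasons])] for every suspicious iframe."""
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src", "")
        reasons = []
        if is_hidden(attrs):
            reasons.append("hidden/tiny iframe")
        if BLACKHOLE_LANDING.search(src):
            reasons.append("Black Hole landing URL pattern")
        if host_of(src) in IOC_DOMAINS:
            reasons.append("known campaign domain")
        if reasons:
            findings.append((src, reasons))
    return findings


def hunt_proxy_log(lines):
    """Returns [(line index, reason)] for lines touching campaign infrastructure."""
    hits = []
    for idx, line in enumerate(lines):
        reasons = set()
        for token in line.split():
            host = host_of(token) if "://" in token else token.split(":")[0]
            if host in IOC_DOMAINS:
                reasons.add("campaign domain")
            if host in IOC_IPS:
                reasons.add("campaign IP")
            if BLACKHOLE_LANDING.search(token):
                reasons.add("landing URL pattern")
        if reasons:
            hits.append((idx, sorted(reasons)))
    return hits


if __name__ == "__main__":
    for src, reasons in analyse_attachment(SAMPLE_ATTACHMENT):
        print("attachment:", src, "->", ", ".join(reasons))
    for idx, reasons in hunt_proxy_log(SAMPLE_PROXY_LOG):
        print("proxy line", idx, "->", ", ".join(reasons))
```

The attachment check flags the iframe on three independent grounds (hidden geometry, landing URL shape, known domain), so it still fires when the kit rotates to a domain not yet on the list; the proxy pass matches hosts rather than raw substrings so that a URL path containing a campaign name as text does not trigger a false hit.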

We’ve already seen these domains and IPs used in previously profiled campaigns, such as “Spamvertised ‘Fwd: Scan from a Hewlett-Packard ScanJet’ emails lead to Black Hole exploit kit” and “Cybercriminals impersonate Intuit Market, mass mail millions of exploits and malware serving emails”.

This isn’t the first time we’ve profiled malicious campaigns impersonating the United Parcel Service. Consider going through related posts profiling the dynamics of related campaigns:

Webroot SecureAnywhere users are proactively protected from this threat.

You can find more about Dancho Danchev at his LinkedIn Profile. You can also follow him on Twitter.
