By Dancho Danchev
Over the past 24 hours, cybercriminals started spamvertising millions of emails impersonating the United Parcel Service (UPS) in an attempt to trick end and corporate users into previewing a malicious .html attachment. Upon previewing it, a tiny iFrame attempts to contact a client-side exploits serving a landing URL, courtesy of the Black Hole web malware exploitation kit.
Sample screenshot of the spamvertised email:
Sample client-side exploits serving URL: hxxp://mskoblastionline.ru:8080/forum/showthread.php?page=5fa58bce769e5c2c
Upon successful client-side exploitation, the campaign drops MD5: 7fe4d2e52b6f3f22b2f168e8384a757e – detected by 28 out of 42 antivirus scanners as Worm:Win32/Cridex.E; Trojan.Win32.Buzus.lxwt
mskoblastionline.ru – 22.214.171.124; 126.96.36.199; 188.8.131.52
Name servers part of the campaign’s infrastructure:
ns1.mskoblastionline.ru – 184.108.40.206
ns2.mskoblastionline.ru – 220.127.116.11
ns3.mskoblastionline.ru – 18.104.22.168
ns4.mskoblastionline.ru – 22.214.171.124
ns5.mskoblastionline.ru – 126.96.36.199
Responding to these IPs are also the following malicious command and control servers:
We’ve already seen these domains and IPs used in previously profiled campaigns such as the “Spamvertised ‘Fwd: Scan from a Hewlett-Packard ScanJet’ emails lead to Black Hole exploit kit“, and the “Cybercriminals impersonate Intuit Market, mass mail millions of exploits and malware serving emails” campaign.
This isn’t the first time we’ve profiled malicious campaigns impersonating the United Parcel Service. Consider going through related posts profiling the dynamics of related campaigns:
- Cybercriminals impersonate UPS in client-side exploits and malware serving spam campaign
- Spamvertised ‘UPS Delivery Notification’ emails serving client-side exploits and malware
- Spamvertised ‘Your UPS delivery tracking’ emails serving client-side exploits and malware
Webroot SecureAnywhere users are proactively protected from this threat.