Cybercriminals impersonate UPS, serve client-side exploits and malware


By Dancho Danchev

Over the past 24 hours, cybercriminals have spamvertised millions of email addresses with messages impersonating UPS, in an attempt to trick end users into opening the malicious .html attachment. Once opened, the file loads a tiny iFrame that attempts to serve client-side exploits from the latest version of the Black Hole Exploit Kit, which ultimately drops malware on the affected host.

More details:

Sample screenshot of the spamvertised email:

Sample malicious iFrame URLs found in multiple malicious .html files:
hxxp://denegnashete.ru:8080/forum/links/column.php
hxxp://soisokdomen.ru:8080/forum/links/column.php
hxxp://diareuomop.ru:8080/forum/links/column.php
hxxp://omahabeachs.ru:8080/forum/links/column.php
hxxp://penelopochka.ru:8080/forum/showthread.php?page
hxxp://furnitura-forums.ru:8080/forum/showthread.php?page
hxxp://onerussiaboard.ru:8080/forum/showthread.php?page
hxxp://online-gaminatore.ru:8080/forum/showthread.php
hxxp://bmwforummsk.ru:8080/forum/showthread.php?page

Sample detection rate for a malicious .html file found in the spamvertised emails: UPS_N21489880.htm – MD5: 38a2a54d6e7391d7cd00b50ed76b9cfb – detected by 26 out of 43 antivirus scanners as Trojan.Iframe.BCK; Trojan-Downloader.JS.Iframe.dbh

Client-side exploits serving URL: hxxp://denegnashete.ru:8080/forum/data/java.jar – MD5: 86946ec2d2031f2b456e804cac4ade6d – detected by 25 out of 43 antivirus scanners as Java/Cve-2012-1723; Exploit:Java/CVE-2012-4681.H
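The chain described above (spam → .html attachment → tiny or hidden iFrame → exploit kit landing page on port 8080) is easy to triage automatically. The following script is an added example written for this post, not code from the original article or from Webroot: it parses an .html attachment, pulls out every iFrame, flags the ones that are tiny or hidden, matches the src against the URL pattern seen in this campaign (a .ru host on port 8080 with a /forum/links/column.php or /forum/showthread.php path), defangs the URLs for reporting and records the file's MD5. The sample attachment embedded below is constructed for the demonstration; its markup, the iFrame dimensions and the benign ups.com decoy frame are assumptions, only the two malicious URLs come from the indicators listed above.

```python
import hashlib
import re
from html.parser import HTMLParser

# Constructed sample standing in for the spamvertised UPS .html attachment.
# Markup, dimensions and the benign third frame are assumptions; the two
# exploit-kit URLs are taken from the indicators listed in the post.
SAMPLE_HTML = b"""<html><head><title>UPS Shipment Notification</title></head>
<body>
<p>Please view your UPS shipment notification below.</p>
<iframe src="http://denegnashete.ru:8080/forum/links/column.php" width="1" height="1" frameborder="0"></iframe>
<iframe src="http://penelopochka.ru:8080/forum/showthread.php?page" style="visibility:hidden; display:none"></iframe>
<iframe src="http://www.ups.com/tracking" width="600" height="400"></iframe>
</body></html>
"""

# URL shape observed for this campaign's landing pages: a .ru host on port 8080
# and a forum-themed PHP path (links/column.php or showthread.php with an optional query).
BLACKHOLE_URL = re.compile(
    r"^https?://[^/:]+\.ru:8080/forum/(?:links/column\.php|showthread\.php(?:\?.*)?)$",
    re.IGNORECASE,
)


class IframeCollector(HTMLParser):
    """Collects the attributes of every <iframe> tag in the document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag names; attribute values may be None for bare attributes.
        if tag == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _dimension(value):
    """Parse a width/height attribute such as '1', '1px' or '0' into an int (None if unparsable)."""
    m = re.match(r"^\s*(\d+)", value)
    return int(m.group(1)) if m else None


def is_tiny_or_hidden(attrs):
    """True for the 1x1 / 0x0 frames and CSS-hidden frames typical of drive-by injections."""
    w = _dimension(attrs.get("width", ""))
    h = _dimension(attrs.get("height", ""))
    style = attrs.get("style", "").replace(" ", "").lower()
    tiny = (w is not None and w <= 2) or (h is not None and h <= 2)
    hidden = "display:none" in style or "visibility:hidden" in style
    return tiny or hidden


def defang(url):
    """Rewrite http(s):// to hxxp(s):// so the indicator is not clickable in reports."""
    return re.sub(r"^http", "hxxp", url, flags=re.IGNORECASE)


def analyse_attachment(data):
    """Return the MD5 of the attachment plus a verdict for every iFrame it contains."""
    parser = IframeCollector()
    parser.feed(data.decode("utf-8", errors="replace"))
    parser.close()
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src", "")
        findings.append({
            "src": defang(src),
            "tiny_or_hidden": is_tiny_or_hidden(attrs),
            "exploit_kit_pattern": bool(BLACKHOLE_URL.match(src)),
        })
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "iframes": findings,
        "suspicious": [f for f in findings if f["tiny_or_hidden"] or f["exploit_kit_pattern"]],
    }


if __name__ == "__main__":
    report = analyse_attachment(SAMPLE_HTML)
    print("MD5:", report["md5"])
    for finding in report["suspicious"]:
        print("suspicious iFrame:", finding)
```

Either signal on its own is worth a look: a 1x1 or hidden frame pointing at a third-party host is suspicious regardless of the URL, and the port-8080 /forum/ path is a campaign-specific indicator that will change as the kit is redeployed, so the regex should be treated as a rotating indicator rather than a permanent rule.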

denegnashete.ru currently resolves to the following IPs – 84.22.100.108; 190.10.14.196; 203.80.16.81; 61.17.76.12; 213.135.42.98

Related malicious domains part of the campaign’s infrastructure:
rumyniaonline.ru – 84.22.100.108
denegnashete.ru – 84.22.100.108
dimabilanch.ru – 84.22.100.108
ioponeslal.ru – 84.22.100.108
moskowpulkavo.ru – 84.22.100.108
omahabeachs.ru – 84.22.100.108
uzoshkins.ru – 84.22.100.108
sectantes-x.ru – 84.22.100.108

Name servers part of the campaign’s infrastructure:
ns1.denegnashete.ru – 62.76.190.50
ns2.denegnashete.ru – 87.120.41.155
ns3.denegnashete.ru – 132.248.49.112
ns4.denegnashete.ru – 91.194.122.8
ns5.denegnashete.ru – 62.76.188.246
ns6.denegnashete.ru – 178.63.51.54

This isn’t the first time that cybercriminals have impersonated UPS. See our related analyses of previous campaigns impersonating the company:

Webroot SecureAnywhere users are proactively protected from this threat.

You can find more about Dancho Danchev at his LinkedIn Profile. You can also follow him on Twitter.
