By Dancho Danchev
Cybercriminals are currently spamvertising tens of thousands of emails in an attempt to impersonate the recipients’ bank, tricking them into thinking that the Ministry of Finance in their country has introduced new rules for records keeping, and that they need to print and sign a non-existent document.
Once users click on the links found in the malicious emails, they’re automatically exposed to the client-side exploits served by the latest version of the Black Hole Exploit Kit.
Sample screenshot of the spamvertised email:
Sample spamvertised compromised URLs: hxxp://procenter.se/stats/mail.htm?RANDOM_CHARACTERS ; hxxp://epk.cm.ru/sites/default/files/mail.htm?RANDOM_CHARACTERS
Sample client-side exploits serving URL: hxxp://apendiksator.ru:8080/forum/links/column.php
Malicious domain name reconnaissance:
apendiksator.ru – 126.96.36.199; 188.8.131.52; 184.108.40.206
Name server: ns1.apendiksator.ru – 220.127.116.11
Name server: ns2.apendiksator.ru – 18.104.22.168
Name server: ns3.apendiksator.ru – 22.214.171.124
Name server: ns4.apendiksator.ru – 126.96.36.199
Responding to the same IPs are also the following malicious domains part of the campaign’s infrastructure:
afjdoospf.ru – 188.8.131.52
angelaonfl.ru – 184.108.40.206
akionokao.ru – 220.127.116.11
The following malicious domains/URLs have also been known to respond to 18.104.22.168:
Although we couldn’t reproduce the malicious payload at apendiksator.ru, we found that the malicious payload served by immerialtv.ru (known to have responded to the same IP) is identical to the MD5 (MD5: 83db494b36bd38646e54210f6fdcbc0d – detected by 34 out of 42 antivirus scanners as VirTool:Win32/CeeInject.). This MD5 was dropped in a previously profiled campaign – “Spamvertised ‘Your Amazon.com order confirmation’ emails serving client-side exploits and malware“, indicating that both of these campaigns are launched by the same cybercriminal/gang of cybercriminals.
Webroot SecureAnywhere users are proactively protected from these threats.