‘Attention! Changes in the bank reports!’ themed emails lead to Black Hole Exploit Kit

By Dancho Danchev

Cybercriminals are currently spamvertising tens of thousands of emails in an attempt to impersonate the recipients’ bank, tricking them into thinking that the Ministry of Finance in their country has introduced new rules for records keeping, and that they need to print and sign a non-existent document.

Once users click on the links found in the malicious emails, they’re automatically exposed to the client-side exploits served by the latest version of the Black Hole Exploit Kit.

More details:

Sample screenshot of the spamvertised email:


Sample spamvertised compromised URLs: hxxp://procenter.se/stats/mail.htm?RANDOM_CHARACTERS ; hxxp://epk.cm.ru/sites/default/files/mail.htm?RANDOM_CHARACTERS

Sample client-side exploits serving URL: hxxp://apendiksator.ru:8080/forum/links/column.php

Malicious domain name reconnaissance:
apendiksator.ru –;;
Name server: ns1.apendiksator.ru –
Name server: ns2.apendiksator.ru –
Name server: ns3.apendiksator.ru –
Name server: ns4.apendiksator.ru –

Responding to the same IPs are also the following malicious domains part of the campaign’s infrastructure:
afjdoospf.ru –
angelaonfl.ru –
akionokao.ru –

The following malicious domains/URLs have also been known to respond to

Although we couldn’t reproduce the malicious payload at apendiksator.ru, we found that the malicious payload served by immerialtv.ru (known to have responded to the same IP) is identical to  the MD5 (MD5: 83db494b36bd38646e54210f6fdcbc0d – detected by 34 out of 42 antivirus scanners as VirTool:Win32/CeeInject.). This MD5 was dropped in a previously profiled campaign – “Spamvertised ‘Your Amazon.com order confirmation’ emails serving client-side exploits and malware“, indicating that both of these campaigns are launched by the same cybercriminal/gang of cybercriminals.

Webroot SecureAnywhere users are proactively protected from these threats.

You can find more about Dancho Danchev at his LinkedIn Profile. You can also follow him on  Twitter.

Join the Conversation

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s