Malicious ‘RE: Your Wire Transfer’ themed emails serve client-side exploits and malware


By Dancho Danchev

Over the last couple of days we have been monitoring a persistent attempt to infect tens of thousands of users with malware through a systematic rotation of multiple social engineering themes. What all of these campaigns have in common is that they share the same malicious infrastructure.

Let’s profile one of the most recently spamvertised campaigns and expose the cybercriminals’ complete portfolio of malicious domains, their related name servers, the dropped MD5 and its associated runtime behavior.

More details:

Sample screenshot of the spamvertised email:

[image: Email_Spam_Malware_Exploits_Wire_Transfer_Fake_Black_Hole_Exploit_Kit]

Sample spamvertised URLs (legitimate sites compromised to host the redirect page):
hxxp://2555.ruksadindan.com/page-329.htm
hxxp://www.athenassoftware.com.br/page-329.htm
hxxp://www.sweetgarden.ca/page-329.htm
hxxp://lab.monohrom.uz/page-329.htm
hxxp://easy2winpoker.com/page-329.htm
hxxp://ideashtor.ru/page-329.htm

Sample client-side exploit serving URL:
hxxp://202.72.245.146:8080/forum/links/public_version.php

The following malicious domains also resolve to the same IP (202.72.245.146) and are part of multiple campaigns spamvertised over the past couple of days:
enakinukia.ru
dekamerionka.ru
evskindarka.ru
exibonapa.ru
esigbsoahd.ru
dmssmgf.ru
epianokif.ru
elistof.ru
dmpsonthh.ru
esekundi.ru
egihurinak.ru
exiansik.ru
ewinhdutik.ru
efjjdopkam.ru
eipuonam.ru
emaianem.ru
epionkalom.ru
disownon.ru
estipaindo.ru
ejiposhhgio.ru
epilarikko.ru
damagalko.ru
emalenoko.ru
epiratko.ru
evujalo.ru
bananamamor.ru
eminakotpr.ru
dfudont.ru

Related Name Servers (part of the infrastructure of these campaigns). Note that three IPs, 41.168.5.140, 110.164.58.250 and 210.71.250.131, appear in the name server set of every domain below and only the ns1 host varies between domains, which makes the shared name servers the most durable pivot for spotting further domains registered on the same template:
Name server: ns1.enakinukia.ru – 85.143.166.174
Name server: ns2.enakinukia.ru – 41.168.5.140
Name server: ns3.enakinukia.ru – 42.121.116.38
Name server: ns4.enakinukia.ru – 110.164.58.250
Name server: ns5.enakinukia.ru – 210.71.250.131
Name server: ns1.dekamerionka.ru – 62.76.185.169
Name server: ns2.dekamerionka.ru – 41.168.5.140
Name server: ns3.dekamerionka.ru – 42.121.116.38
Name server: ns4.dekamerionka.ru – 110.164.58.250
Name server: ns5.dekamerionka.ru – 210.71.250.131
Name server: ns1.evskindarka.ru – 85.143.166.174
Name server: ns2.evskindarka.ru – 41.168.5.140
Name server: ns3.evskindarka.ru – 42.121.116.38
Name server: ns4.evskindarka.ru – 110.164.58.250
Name server: ns5.evskindarka.ru – 210.71.250.131
Name server: ns1.exibonapa.ru – 85.143.166.174
Name server: ns2.exibonapa.ru – 41.168.5.140
Name server: ns3.exibonapa.ru – 42.121.116.38
Name server: ns4.exibonapa.ru – 110.164.58.250
Name server: ns5.exibonapa.ru – 210.71.250.131
Name server: ns1.esigbsoahd.ru – 62.76.40.244
Name server: ns2.esigbsoahd.ru – 41.168.5.140
Name server: ns3.esigbsoahd.ru – 110.164.58.250
Name server: ns4.esigbsoahd.ru – 210.71.250.131
Name server: ns5.esigbsoahd.ru – 203.171.234.53
Name server: ns1.dmssmgf.ru – 62.76.185.169
Name server: ns2.dmssmgf.ru – 41.168.5.140
Name server: ns3.dmssmgf.ru – 42.121.116.38
Name server: ns4.dmssmgf.ru – 110.164.58.250
Name server: ns5.dmssmgf.ru – 210.71.250.131
Name server: ns1.epianokif.ru – 62.76.40.244
Name server: ns2.epianokif.ru – 41.168.5.140
Name server: ns3.epianokif.ru – 110.164.58.250
Name server: ns4.epianokif.ru – 210.71.250.131
Name server: ns1.elistof.ru – 62.76.40.244
Name server: ns2.elistof.ru – 41.168.5.140
Name server: ns3.elistof.ru – 110.164.58.250
Name server: ns4.elistof.ru – 210.71.250.131
Name server: ns1.dmpsonthh.ru – 62.76.185.169
Name server: ns2.dmpsonthh.ru – 41.168.5.140
Name server: ns3.dmpsonthh.ru – 42.121.116.38
Name server: ns4.dmpsonthh.ru – 110.164.58.250
Name server: ns5.dmpsonthh.ru – 210.71.250.131
Name server: ns1.esekundi.ru – 85.143.166.174
Name server: ns2.esekundi.ru – 41.168.5.140
Name server: ns3.esekundi.ru – 42.121.116.38
Name server: ns4.esekundi.ru – 110.164.58.250
Name server: ns5.esekundi.ru – 210.71.250.131
Name server: ns1.egihurinak.ru – 85.143.166.174
Name server: ns2.egihurinak.ru – 41.168.5.140
Name server: ns3.egihurinak.ru – 42.121.116.38
Name server: ns4.egihurinak.ru – 110.164.58.250
Name server: ns5.egihurinak.ru – 210.71.250.131
Name server: ns1.exiansik.ru – 85.143.166.174
Name server: ns2.exiansik.ru – 41.168.5.140
Name server: ns3.exiansik.ru – 42.121.116.38
Name server: ns4.exiansik.ru – 110.164.58.250
Name server: ns5.exiansik.ru – 210.71.250.131
Name server: ns1.ewinhdutik.ru – 62.76.40.244
Name server: ns2.ewinhdutik.ru – 41.168.5.140
Name server: ns3.ewinhdutik.ru – 110.164.58.250
Name server: ns4.ewinhdutik.ru – 210.71.250.131
Name server: ns5.ewinhdutik.ru – 203.171.234.53
Name server: ns1.efjjdopkam.ru – 62.76.40.244
Name server: ns2.efjjdopkam.ru – 41.168.5.140
Name server: ns3.efjjdopkam.ru – 110.164.58.250
Name server: ns4.efjjdopkam.ru – 210.71.250.131
Name server: ns5.efjjdopkam.ru – 203.171.234.53
Name server: ns1.eipuonam.ru – 62.76.40.244
Name server: ns2.eipuonam.ru – 41.168.5.140
Name server: ns3.eipuonam.ru – 110.164.58.250
Name server: ns4.eipuonam.ru – 210.71.250.131
Name server: ns5.eipuonam.ru – 203.171.234.53
Name server: ns1.emaianem.ru – 62.76.40.244
Name server: ns2.emaianem.ru – 41.168.5.140
Name server: ns3.emaianem.ru – 110.164.58.250
Name server: ns4.emaianem.ru – 210.71.250.131
Name server: ns1.epionkalom.ru – 62.76.40.244
Name server: ns2.epionkalom.ru – 41.168.5.140
Name server: ns3.epionkalom.ru – 110.164.58.250
Name server: ns4.epionkalom.ru – 210.71.250.131
Name server: ns5.epionkalom.ru – 203.171.234.53
Name server: ns1.disownon.ru – 62.76.185.169
Name server: ns2.disownon.ru – 41.168.5.140
Name server: ns3.disownon.ru – 42.121.116.38
Name server: ns4.disownon.ru – 110.164.58.250
Name server: ns5.disownon.ru – 210.71.250.131
Name server: ns1.estipaindo.ru – 62.76.40.244
Name server: ns2.estipaindo.ru – 41.168.5.140
Name server: ns3.estipaindo.ru – 110.164.58.250
Name server: ns4.estipaindo.ru – 210.71.250.131
Name server: ns1.ejiposhhgio.ru – 62.76.40.244
Name server: ns2.ejiposhhgio.ru – 41.168.5.140
Name server: ns3.ejiposhhgio.ru – 110.164.58.250
Name server: ns4.ejiposhhgio.ru – 210.71.250.131
Name server: ns5.ejiposhhgio.ru – 203.171.234.53
Name server: ns1.epilarikko.ru – 85.143.166.174
Name server: ns2.epilarikko.ru – 41.168.5.140
Name server: ns3.epilarikko.ru – 42.121.116.38
Name server: ns4.epilarikko.ru – 110.164.58.250
Name server: ns5.epilarikko.ru – 210.71.250.131
Name server: ns1.damagalko.ru – 62.76.185.169
Name server: ns2.damagalko.ru – 41.168.5.140
Name server: ns3.damagalko.ru – 42.121.116.38
Name server: ns4.damagalko.ru – 110.164.58.250
Name server: ns5.damagalko.ru – 210.71.250.131
Name server: ns1.emalenoko.ru – 62.76.40.244
Name server: ns2.emalenoko.ru – 41.168.5.140
Name server: ns3.emalenoko.ru – 110.164.58.250
Name server: ns4.emalenoko.ru – 210.71.250.131
Name server: ns1.epiratko.ru – 85.143.166.174
Name server: ns2.epiratko.ru – 41.168.5.140
Name server: ns3.epiratko.ru – 42.121.116.38
Name server: ns4.epiratko.ru – 110.164.58.250
Name server: ns5.epiratko.ru – 210.71.250.131
Name server: ns1.evujalo.ru – 85.143.166.174
Name server: ns2.evujalo.ru – 41.168.5.140
Name server: ns3.evujalo.ru – 42.121.116.38
Name server: ns4.evujalo.ru – 110.164.58.250
Name server: ns5.evujalo.ru – 210.71.250.131
Name server: ns1.bananamamor.ru – 62.76.186.24
Name server: ns2.bananamamor.ru – 41.168.5.140
Name server: ns3.bananamamor.ru – 42.121.116.38
Name server: ns4.bananamamor.ru – 110.164.58.250
Name server: ns5.bananamamor.ru – 210.71.250.131
Name server: ns1.eminakotpr.ru – 62.76.40.244
Name server: ns2.eminakotpr.ru – 41.168.5.140
Name server: ns3.eminakotpr.ru – 110.164.58.250
Name server: ns4.eminakotpr.ru – 210.71.250.131
Name server: ns5.eminakotpr.ru – 203.171.234.53
Name server: ns1.dfudont.ru – 62.76.185.169
Name server: ns2.dfudont.ru – 41.168.5.140
Name server: ns3.dfudont.ru – 42.121.116.38
Name server: ns4.dfudont.ru – 110.164.58.250
Name server: ns5.dfudont.ru – 210.71.250.131
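The name server list above is long, and the useful information in it is which IPs are shared across the whole portfolio. The following script, an added example rather than code from the original post, parses a constructed excerpt of those "Name server:" lines (a subset of the list, in the post's own format), inverts it into an IP-to-domains index, reports the name server IPs shared by every domain, and groups domains whose name server sets are identical. The excerpt, the regex and the helper names are this example's assumptions, not the author's tooling.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the post's "Name server:" lines, same format,
# embedded here so the script runs offline.
NS_RECORDS = """
Name server: ns1.enakinukia.ru – 85.143.166.174
Name server: ns2.enakinukia.ru – 41.168.5.140
Name server: ns3.enakinukia.ru – 42.121.116.38
Name server: ns4.enakinukia.ru – 110.164.58.250
Name server: ns5.enakinukia.ru – 210.71.250.131
Name server: ns1.dekamerionka.ru – 62.76.185.169
Name server: ns2.dekamerionka.ru – 41.168.5.140
Name server: ns3.dekamerionka.ru – 42.121.116.38
Name server: ns4.dekamerionka.ru – 110.164.58.250
Name server: ns5.dekamerionka.ru – 210.71.250.131
Name server: ns1.evskindarka.ru – 85.143.166.174
Name server: ns2.evskindarka.ru – 41.168.5.140
Name server: ns3.evskindarka.ru – 42.121.116.38
Name server: ns4.evskindarka.ru – 110.164.58.250
Name server: ns5.evskindarka.ru – 210.71.250.131
Name server: ns1.esigbsoahd.ru – 62.76.40.244
Name server: ns2.esigbsoahd.ru – 41.168.5.140
Name server: ns3.esigbsoahd.ru – 110.164.58.250
Name server: ns4.esigbsoahd.ru – 210.71.250.131
Name server: ns5.esigbsoahd.ru – 203.171.234.53
Name server: ns1.epianokif.ru – 62.76.40.244
Name server: ns2.epianokif.ru – 41.168.5.140
Name server: ns3.epianokif.ru – 110.164.58.250
Name server: ns4.epianokif.ru – 210.71.250.131
Name server: ns1.bananamamor.ru – 62.76.186.24
Name server: ns2.bananamamor.ru – 41.168.5.140
Name server: ns3.bananamamor.ru – 42.121.116.38
Name server: ns4.bananamamor.ru – 110.164.58.250
Name server: ns5.bananamamor.ru – 210.71.250.131
"""

# "Name server: ns1.example.ru – 1.2.3.4" (the post uses an en dash; "-" is accepted too)
LINE_RE = re.compile(
    r"^Name server:\s+(ns\d+)\.([\w.-]+)\s+[–-]\s+(\d{1,3}(?:\.\d{1,3}){3})$"
)

def parse_ns(text):
    """Return {domain: {"ns1": ip, ...}} from lines in the post's format."""
    records = defaultdict(dict)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            label, domain, ip = m.groups()
            records[domain][label] = ip
    return dict(records)

def ip_to_domains(records):
    """Invert the mapping: which domains depend on each name-server IP."""
    index = defaultdict(set)
    for domain, servers in records.items():
        for ip in servers.values():
            index[ip].add(domain)
    return {ip: sorted(domains) for ip, domains in index.items()}

def shared_backbone(records, min_domains):
    """Name-server IPs used by at least min_domains domains: the infrastructure
    every campaign depends on, and therefore the best blocking/monitoring pivot."""
    index = ip_to_domains(records)
    return sorted(ip for ip, domains in index.items() if len(domains) >= min_domains)

def cluster_by_ns_set(records):
    """Group domains whose name-server IP sets are identical; identical sets
    usually mean the same registration batch or the same operator template."""
    groups = defaultdict(list)
    for domain, servers in records.items():
        groups[tuple(sorted(set(servers.values())))].append(domain)
    return {key: sorted(domains) for key, domains in groups.items()}

if __name__ == "__main__":
    recs = parse_ns(NS_RECORDS)
    for ip in shared_backbone(recs, len(recs)):
        print("name-server IP shared by every domain:", ip)
    for ns_set, domains in cluster_by_ns_set(recs).items():
        print(ns_set, "->", ", ".join(domains))
```

Feed the full list from the post into NS_RECORDS and the backbone set comes out as the three IPs named above; any new .ru domain whose ns2 to ns5 land on those IPs is worth treating as part of the same operation even before it is seen in a spam run.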

Sample malicious payload dropping URL:
hxxp://202.72.245.146:8080/forum/links/public_version.php?mmltejvt=1g:2v:33:2v:2w&pstvw=3d&xrej=1j:33:32:1l:1g:1i:1o:1n:1o:1i&vczaspnq=1n:1d:1f:1d:1f:1d:1j:1k:1l

Sample client-side exploit served: CVE-2010-0188 (a 2010 Adobe Reader/Acrobat vulnerability in TIFF image handling, patched for years at this point, so the campaign relies on victims running outdated Reader installs)

Upon successful client-side exploitation, the campaign drops MD5: 04e9d4167c9a1b82e622e04ad85f8e99 – detected by 31 out of 46 antivirus scanners as Trojan.Win32.Yakes.cdxy.

Once executed, the sample creates the following registry keys:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\MediaResources\msvideo
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\MediaResources\msvideo
HKEY_CURRENT_USER\Software\Microsoft\Multimedia\DrawDib

And sets the following values:
[HKEY_CURRENT_USER\Software\Microsoft\Multimedia\DrawDib] -> vga.drv 640x480x32(BGR 0) = “31,31,31,31”
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon] -> shell = “explorer.exe,%AppData%\skype.dat”

The Winlogon Shell change is the persistence mechanism: Shell is a comma-separated list of programs Winlogon starts at logon, so the desktop comes up normally while %AppData%\skype.dat is launched alongside explorer.exe. The msvideo and DrawDib entries are ordinary Video for Windows profiling artifacts that plenty of legitimate software also creates, so they are not useful indicators on their own; the dropped file in %AppData% and the modified Shell value are.
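A quick way to check a machine for this particular persistence trick is to read the Winlogon Shell value and flag anything that is not plain explorer.exe. The script below is an added example, not part of the original post or of any Webroot tooling; the heuristics in suspicious_indicators (user-writable profile paths, non-.exe extensions) and the helper names are its own assumptions. It evaluates the value the post reports and, when run on Windows, also reads the live HKCU and HKLM values through the standard-library winreg module.

```python
import sys

WINLOGON_SUBKEY = r"Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
EXPECTED_SHELL = "explorer.exe"

def parse_shell_value(value):
    """Winlogon's 'Shell' REG_SZ is a comma-separated program list; every
    entry is started at logon, so the list should contain only explorer.exe."""
    return [entry.strip() for entry in value.split(",") if entry.strip()]

def rogue_shell_entries(value):
    """Everything in the Shell value that is not plain explorer.exe."""
    return [e for e in parse_shell_value(value) if e.lower() != EXPECTED_SHELL]

def suspicious_indicators(entry):
    """Cheap reasons an extra Shell entry deserves attention (assumed heuristics)."""
    low = entry.lower().replace("/", "\\")
    reasons = []
    profile_markers = ("%appdata%", "\\appdata\\", "%temp%", "\\temp\\", "%userprofile%")
    if any(marker in low for marker in profile_markers):
        reasons.append("lives in a user-writable profile directory")
    if not low.endswith(".exe"):
        reasons.append("does not carry a .exe extension")
    return reasons

def assess_shell_value(value):
    """Return [(entry, [reasons]), ...] for each rogue entry; [] when the value is clean."""
    return [(e, suspicious_indicators(e)) for e in rogue_shell_entries(value)]

def read_live_shell_values():
    """On Windows, read Shell from the per-user and machine Winlogon keys
    (the per-user key is the one the sample modifies). Returns {} elsewhere."""
    if sys.platform != "win32":
        return {}
    import winreg  # standard library, Windows only
    found = {}
    hives = (("HKCU", winreg.HKEY_CURRENT_USER), ("HKLM", winreg.HKEY_LOCAL_MACHINE))
    for name, hive in hives:
        try:
            with winreg.OpenKey(hive, WINLOGON_SUBKEY) as key:
                value, _value_type = winreg.QueryValueEx(key, "Shell")
                found[name] = value
        except OSError:
            continue  # key or value absent; normal for HKCU on a clean machine
    return found

if __name__ == "__main__":
    # Constructed sample mirroring the post's finding; on Windows the live values are checked too.
    samples = {"value reported in the post": r"explorer.exe,%AppData%\skype.dat"}
    samples.update(read_live_shell_values())
    for source, value in samples.items():
        verdict = assess_shell_value(value)
        print(source, "->", "clean" if not verdict else verdict)
```

On a clean machine the HKCU Winlogon key usually has no Shell value at all, so its mere presence is already worth a look; the HKLM value should be exactly explorer.exe.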

Once executed, the sample phones back to the following URLs:
hxxp://gpbxn.ru/rzprxtgxtyebms-qtda-nmxt-ndfvohvndd-cbdh-qtorpp-fprg-sdqj-yszh-vnamvylalipbpyykeawkdastftukky.php
hxxp://jhlxk.su/oyxioyxi-oyxioyxibcvnosrqqrprar-nbjk-ndelquqjoheyowmsndxp-ltwgysxixsnnceksdm_rzbi_aumr-ysix.php
hxxp://gpbxn.ru/itqukqcbkydftmysmrrqfqnbptfpxlyedapffv-uqxfakkoqp-orzmsd-cupz-atqc_ybeh_ohtfsi-ykjz_prdmuq-yk.php
hxxp://jhlxk.su/cnpmezeamv-kort-ioou_wkzjvr-alpb-cuqsfv-lipt_nhuk-jzgx-acix_abgn-fvca-oept-zhgjtmqtdnkg-pvzo-zauuqk-.php
hxxp://gpbxn.ru/rkow-pvpz-turnndgkgnrueglazvrdqzmvdhsukgcuzjyxofuynn-kkhj-wpli-lxca-auwbybppplyjouiivnno_xf.php
hxxp://jhlxk.su/qnjt-ixjxqnjtixjxyeppoycn-qzgb-gbihspkftiqu-syqtdhxydk_zozm_dkgbsprnxljz-quplhcpixo-rzdm-zvyx-.php
hxxp://gpbxn.ru/rnnd-gkjkpp-phacuypfsrhcawshpi-prmx-nfuyqzdnxopygt-pyko-acus-tugaxfiqegybqcdheabi-zmiirkculi.php
hxxp://jhlxk.su/my-nsoe-exjlbwipnafquq-nbqk-cglx-cexcdaykcn_baohzaiirkfy-qzdn-gdva_yhlzif-jtca-cgclrcnlgkpvfcxx.php
hxxp://gpbxn.ru/piqjteitqukqcbkyvyteptofxpxsyerksrfmvp-jpjxej-uswi-kkjl-xytewpegnezjsuon-ownq-xcbt_xqyb_uxeh.php
hxxp://jhlxk.su/lajutfofnoygfq-uomyor-lxpqnqwpzvawsn-kyst-nfmpmpsuarkdsulz-lgtmnwabjtcj-aueblmifioiqvkoarn.php
hxxp://gpbxn.ru/ebmsqtusqzukwgrgky-shpicusygkppuavaca-cnfq-ddsu_ynorjkllgoon-juns-goyhcgyjzmlg-rzpq-qpjt_xvuq.php
hxxp://jhlxk.su/ip-nadw-wipqne-ytmx_bldr-lzht-cjro-lgty-qcky-coprzrjwalpz-myteez-owwk-suab_bcjt_nojt_ysnakb-jkos-fyzj-.php
hxxp://gpbxn.ru/vy_vlcu-opvk-dgks-babc-ixgsuy-nqey-cjjh-eaxtzriioasd-jgnd_rcea_fcoudf-kktiezfpwp-phon_jtea_dgamzhga.php
hxxp://jhlxk.su/hjyqybti-sddn-xocq-ohlx-osgt-gdhcrnyqvqukclyx-fyjk-oxoy-nwsn_oxmr_glwk-nmqn-vyac-pbrtmyvafappnlea.php
hxxp://gpbxn.ru/igyhva-xlsyft-xplx-rizh-yszn-ltli-wpnstmspdanqmy_qsqj-cqjkfzgdwfuy-garalabwyear_ouabdhldcbuqjp.php
hxxp://jhlxk.su/jutf-ofnoygfquobi-jtbilmrdpixp-pabcdnstos-dhti_ohjp_pyqt-mvkdsiqttykfgs-lirkfc-zhxl-gjyhzvhelx.php
hxxp://gpbxn.ru/pt-ptptptptptptptuqmpbhjlstusplfmgtdh_xyuyms-ofvizovqqcxohemp-mpzv-vlit-nhne_htuqvl-yxph-zjuu-.php
hxxp://jhlxk.su/ipna-dwwi_pqneytmxbldrlzht-cjro-lgtyqckycoprzrjwalpzmyte-ezowwk-suabbcjtno-jtys-nakb-jkos-fyzj-.php
hxxp://gpbxn.ru/uqfplgsncexczjddtybaonfcybioiisimyprmvxvea-laxvjvfzpv-oatu-gdoe-bafrqkstkgowitbfblsujguo-.php
hxxp://jhlxk.su/sncexczjddongdqkpaoyvnxtdm-qtqu-yvvpbtgxfrynwg_dkspqposoaohqt-ouvqtixoxxvacg-xqte_ofzj-xcfr-.php
hxxp://gpbxn.ru/mpfmgnlt-blcrkgoxopelar-uaop-vtrp-lmcd-juosvalzoaqt-xplx-siwkcokqnssu_nskq_uavi_jhvpca-owdgab-jz.php
hxxp://jhlxk.su/bihc-kkrq-shgscdnbuulx-qcipvtcaaw-lxzm_ygxt-ygyxpacenosdvybhnbwinaixoykdxqduxpdunwnhxlyvbi.php
hxxp://gpbxn.ru/cd-nbvpherovnvy-vlxsrnitlzorjthtldkoxqfccd-frjuzmgtjp-dmbc-bwau-bccdsnohezwidmduqtzhbqrn-nn.php
hxxp://jhlxk.su/vqsrznyjbqricoarxplasiuu_fqye_dfuq-qcrtddfzroxowgowix-ygnmllrpabus-gkfzjxoxjxopplitzvkfla.php
hxxp://gpbxn.ru/nfwfmrhttwwp-wbjg_bwms-iqdwqcliop-nlos-qpuanfmrndzo-kots-ppjt-akzmgncjgdorouohabfv-bhhtrpaccn.php
hxxp://jhlxk.su/jkpp-phacuyqckfouvlznkg-rquxjgstybditmbwtmixacyehe-uaejcbvpxfjkgdgxiffzxtfaebbwviqj-qsip-.php
hxxp://gpbxn.ru/zh-rubt-oahjyqybtiybnesncnofstdforqn-awpf-ptcqfmsuqzgdlxusif-ftybuozacnvnsnosnfnaneye_akea.php
hxxp://jhlxk.su/ppph-acuy-qckfougjlznw_bipbnf-ifgdvylzshsdigsuuynmqrybptzm_kkxttm-ioqsfyrchcvrop-kdip_oajvpi.php
hxxp://gpbxn.ru/zv-yxpajheluqfp-lgii-ynyvvpjkoaeg-ksxi-tsioygzrxcytvqzvhezmjtmppftmosit_qrks_xotf_ptnaqugbcq.php
hxxp://jhlxk.su/itqukqcbkydf-tmysmr-rqfq-nbpt-fpxl_yeda_pffv_uqxfak-koqporzmsdcupzatqcybehohtfsiykjzprdm-uqyk.php
hxxp://gpbxn.ru/zmfrqsrafyabdiii-xpkkxj-exsu-pbbtuk-oait-llar_rukf_jtsi_yttsjw-fvfr-qzsplgtuosdwjh-ruyb-rtne-kgif-.php
hxxp://jhlxk.su/oa-hjyqybtisddnxojgtskorpvqvrdgksauqkddxxrc-elpaehsdceal-alfz_oyoamr-dgqs_xjyt-cnxignohzhqt.php
hxxp://gpbxn.ru/vl-cuopvkdgksba_fvux-ytfpygzvbtbidg-dadrlxacmxjponvtfvcbfr-dnprauzmsrnfdk-ltju-alkbpqxlcqll.php
hxxp://jhlxk.su/mynsoeexjlbwip-nafquqnbqkcglxcexcda_ykcn_baohza-iirkfyqzdngdva-yhlzifjtcacgcl-rcnl_gkpvfc-xx.php
hxxp://gpbxn.ru/ux-mpfmgnltblcrkg-tinf-rpty-jhynuyhctycuzmtfzmspatipky-qkmrtuauzallcj-kqftkytwmrgl-zvfvey-sy.php
hxxp://jhlxk.su/ougjyv-xvak-uakbegmvezzafabieyoszmpfnwcb-tmgari-tyrnjzcaqsgs_mswfnd-dhkqzv-snptpynqldbqioxt.php
hxxp://gpbxn.ru/uxmpfmgnltbl-crkg-tinfrptyjhyn-uyhcty-cuzm-tfzmspatipkyqkmrtuauzallcjkqftky-twmrglzvfveysy.php
hxxp://jhlxk.su/ar-zmfr-qsra-fyabdimvzvmsyxuojz-laebalcuzryeyeuqrnrk-pyzj-fzqnqkzadiihtugoxl-tufthealmsvasn.php
hxxp://gpbxn.ru/sddn-xocq-piqjteitdwyvfmatqc_akgn-xqsnmxqzcahtjzyjftznqz-yjor-kdrqdrakvyms-cbdwrncolljhjuam.php
hxxp://jhlxk.su/vaxlsyft-xplx-stzhit-qnzn-vaea-wfbwihytzjfp-ehehnlhtiivy-zjcaorjzyttempli_kovy_pfkddk-abht-opxf-.php
hxxp://gpbxn.ru/wfmrht-twwp-wbjgnfgnebwbjpkoxc-prkdyv-jptm_ejzh_pyxoehpvgkbh_jhgkdivqzaoygsammxakdw_fmixzoez.php
hxxp://jhlxk.su/kk_rqshgs-cdnb-vphe-rprd_pqez_bwalbquqjtradnejtsak-lamsfvqcmrejifqkbtkfeh_prnbuk-ykzo-zjkf-viyh.php
hxxp://gpbxn.ru/xyawrkowpvpztu-rnjp-cjopouzasnxcjgyjiogbna_nnix_xtkbcu-bijgbqjxvtositpzxypq-gapvejrdmyoxfy.php
hxxp://jhlxk.su/ih_zovr_dmih-zovrdmxcnwrialroju-iocu-rulaga-gbeh-kqnornvionpisyspxqruyeyvpixlvifmft-kygkawjx.php
hxxp://gpbxn.ru/teitqukqcbkydftm_htra_eygo-usgnlmzhtevlrk-owxyiojuehcj-wksh_auoy-rpbajxrocgdrvajxitlidr-exip_.php
hxxp://jhlxk.su/mynsoeexjlbwipnafq_uqnb-qkcg-lxce_xcda_ykcnba-ohzaiirkfy-qzdngdvayhlzifjtcacgclrcnlgkpvfcxx.php
hxxp://gpbxn.ru/kq-cbky-dftmys-glga_ohtm-vrqswprpvqmslmatdwgtzmbhkggtukuu-cbyt-yquu-wfptjkpflxmxkq-qjllhcrgko.php
hxxp://jhlxk.su/ygfquobihc-kkrq-shjppf-ifytxf-wixv_gtxp-bfceoxyvht-ddshqs-pbfq_rcli-gbalxcauriebhtxyqkwfprwgkd.php
hxxp://gpbxn.ru/opvk-dgksbafvsudu-jhvinsrogojlnhsikgofgbuyqkkfrixvfrdmvnsuhtehifnsky-jxwk_dniiys-bwraeb-of.php
hxxp://jhlxk.su/exjlbwip-nadwwipqrqtswblmfp-vifayqwfioxtyquabi-cnfm-osel-fcli_rqjtearzhcac-vkoaxqpypp-qnnnlm-.php
hxxp://gpbxn.ru/vaxlsyftxplxstzhitqnzn-vaea-wfbwihytzjfp-eheh-nlhtiivyzjcaorjzytte_mpli_kovypf-kddk-abht-opxf-.php
hxxp://jhlxk.su/ifej_dapl_jvzvyxpaoaih_pqgx_ipiisilipmohowoewiacxxplshsntiuoxopyhelisybhsn-kkms-vlbc-ukmxfp.php
hxxp://gpbxn.ru/ygfquobihckk-rqshjppfifytxf-wixvgtxpbfceoxyvhtdd_shqspbfqrcligbalxcauriebhtxyqkwfprwgkd.php
hxxp://jhlxk.su/lz-lipbux-mpfmgnltwpdmmpli_dudf-tfih-oari_bhgo_elixawdnrgcdzjra-jgsd-yjnw-korojuysdh-ykpynekqlt.php
hxxp://gpbxn.ru/bqricoarzmfrqsracewg-paruoxhjmy-oxvi_ptopbajpehgsnl-culg-eaxfli-lagdcaptrgfq_itvasd-gtwk-gaqn-.php
hxxp://jhlxk.su/jgnf-wfmrhttwwp-wbxo_hjii-xfbh-kqfcjujkgacg-zngt-vnce-xvwkjwnsgd-godu-pmqzceftrgcrkqjgdgnn_mxfq-.php
hxxp://gpbxn.ru/noygfquobihckkrqwfuocllgdh-zrouipdurqlililakyzvsrcjjurqxopfipauabqu-wfba-kbegzjyvqjbhvl.php
hxxp://jhlxk.su/gjyv-xvakuakbeg-nldg_zmexcunhwiosxfsugspqearomy_pycu-dwys-xvvykseyfr_spuq_dnfc_osjthtllkdonxj.php
hxxp://gpbxn.ru/kfougj-yvxv_akuakbigohzhxowiezzjbigddh-ytxsbwexsy-exdmcbatehgnyqcnjxsujl_hjpzglfpzhdkkb-ih.php
hxxp://jhlxk.su/nnrpfaau-xfjwbheynblxqt-gofqtmqcnmignhhceluujgaclzvpawyvpikykqykoullzvlzclbteh-nliivqoy.php
hxxp://gpbxn.ru/kydf-tmysglgajzqrdrtwjtqtoehjnlllzvuastnsmrakiixcsuxscqrdgoppjxoreakq-mytsamwfpq-qczjgj.php
hxxp://jhlxk.su/opvkdgksbafvsudujh-vins-rogo-jlnhsikgofgbuyqkkfrixvfrdmvnsuhtehifnskyjxwkdn-iiys-bwra-ebof.php
hxxp://gpbxn.ru/on-gdqk-kdvttsorqpamqp_zvysxs-nmqc-rgyx-fvhj-zrrnbtatfcqcawquvkwfej-gncjit-vtsn-fqpi-bcyn-yxclgb-.php
hxxp://jhlxk.su/hjyqybtisddnxocqohlxosgtgdhcrnyqvqukclyx-fyjkox-oynwsnoxmrglwknmqnvyacpbrtmyvafa-ppnl-ea.php
hxxp://gpbxn.ru/kb_egnlxj-igyh-vaxltyegnwtwykyhtsifoegdglxf-xixliquqdnqpfcxpfapf-ebvl_earqqu-lmmsqp-kfnemynd.php
hxxp://jhlxk.su/nwamrdmynsoeexjlliiolt-bqvnebpytico_oxua-egig-linbllcornxjowzrgkrztuexux-ebop-qnjxaratuqvi.php
hxxp://gpbxn.ru/nn_rpfaau-xfjwbheynblxqtgo-fqtm-qcnm-ignh-hcel-uujgaclzvpawyvpikykqykoullzvlz-clbtehnliivqoy.php
hxxp://jhlxk.su/ba-fvsuducalaju-tfig_ampvkqyxfyuu-uszvbc-nodkjkdusp-rtla-xcey-amlm-jwzmdiuonfno-xjglvlusigtfpm.php
hxxp://gpbxn.ru/yvxvakuakbeg_nlxj_caoy_vpkdjxqsdfnwfzhecoshegussi-dkcr-nfjw-cjfm-btii_fqjgxq-jvftqr-rduqjzoapb.php
hxxp://jhlxk.su/dg_ksba_fvsu_duca_layxlitmuqxoynfqpmpf_xvty-rceacdcnrq-vnco-rkwb_nqyt-blfvukoftwks-cjlauu-eaqp-mv.php
hxxp://gpbxn.ru/bcgocnpmez-eamv-kons-ksaw_yjvl-xpyb-gkjw-nwjukbcbsh_bqfy_ebxoyv-ykbqatdirkoejtqj_pbpq_lzdk-jkrq-bh.php
hxxp://jhlxk.su/amrdmy-nsoeex-jlbwndftcajvgnabjgfqvtsnfc-nhyt_gtejshfcdgsu-rnuypzduns_egye-mpgojhoekfnnyjhc-.php
hxxp://gpbxn.ru/bafvsuducala-jutf-igampv-kqyxfyuuuszvbcnodkjkdusprtla-xceyamlmjwzmdiuonfnoxjglvlus-igtfpm.php
hxxp://jhlxk.su/owpvpzturn-ndgkjkdhro_fyfzzokbofoaxlbfonsngbkdwgbl-ofqzfmoakf-yjqr-dfro_osvl-rggbouplallt-rg.php
hxxp://gpbxn.ru/yv_xvakuakbegnlxj_caoy_vpkdjx-qsdfnw-fzheco-sheg-ussi-dkcr_nfjw-cjfm-btii_fqjg-xqjvftqrrduq-jzoapb-.php
hxxp://jhlxk.su/gocnpm_ezea_mvkortcdranq-jvtuqjuodmbqiifpca-dwptpqpioa_xcsh-lxgbmrwigbakpvrg-pisyegnoxymp_ru.php
hxxp://gpbxn.ru/xo-cqpi-qjteitqukqrz-zjqrxfxqgjuy-cnns_ihuo_nlxxda-oukk-tsbauq-uykb_uudi-bwiqbwynof-jkuo-znawkgux.php
hxxp://jhlxk.su/bqricoarzmfrqs-racewg-paru-oxhjmy-oxviptopbajpeh-gsnl-culgeaxflilagdcaptrg-fqitvasdgt_wkga_qn.php
hxxp://gpbxn.ru/egnl-xjig-yhva_xlsy_uyruvr-uoyq-pyrp-ynht-gkce-cejkbhmsxliq-phatlzgnfcxlpa-fzxp-ukwbeayhrkzmnlit.php
hxxp://jhlxk.su/ndgkjkppphacuyqcipduyhmy-ladr-fcbayh-cdcn_tmppft-gxyt-pvvkkkrqartsorquxxrannygiicnkfyq-owjv.php
hxxp://gpbxn.ru/calajutf_ofnoyg-fqih-wgti-ehjg-ybdm-jvcaru-tmwiybnsnb-jzey_mrowxl-bljh_jlpm-bfof-gsnq-cncq-ybzm-fyvr.php
hxxp://jhlxk.su/ihzo-vrdmihzovrdmxc-nwrialroju-iocurulagagbeh-kqnornvion_pisy-spxq-ruyeyvpixlvi-fmftkygkawjx-.php
hxxp://gpbxn.ru/rd-mynsoeexjlbwiptivtynddlgcdllusmrqngkac-pzjwjwblpaihkq-lgmpifiqbans-almrtiplop-ybsd-xpuo-.php
hxxp://jhlxk.su/wkcl-albc-gocnpmezsycqxqftuy-tuqz-qkampyytcbfmio-pikq-xilmpaihcagbmpzayv-ytvq_vayx_cjxjjz-jxdw.php
hxxp://gpbxn.ru/atrz_prxtgxtyebmsjwop-phkd-dayedavyqsyx-mxmy-kodw-ndfclldadrna-ebybtsqnrkifcojzqsbwuq-xfheuy.php
hxxp://jhlxk.su/rafy-abdi_iiye_ohif-syph-vtmvyjohhetmnolg_kopvqkfzgoejaw-qrvl-fyuumvawph_vrwkvliimpuqwbfyraht-.php
hxxp://gpbxn.ru/btoahjyq-ybti-sddn-tugl-koty-nbvq-dfjvrodhejgajxkqpaoaspnbkkkfcartgxnexozhoyuarg_nlpa_expq-rt.php
hxxp://jhlxk.su/rp-faau-xfjw-bhey_vixv-rpld-vripyh-cgvicq-orcjam-awegihrgyqphvp-kbam-qtvq-fykq-jubqlxfysusivqht-ft.php
hxxp://gpbxn.ru/rnnd-gkjkppphacuypfsrhcawsh-pipr-mxnfuyqzdnxo-pygt-pykoacustu_gaxf-iqegybqcdheabizmiirkculi.php
hxxp://jhlxk.su/uobihckkrqsh_gscdpt-yxuu-spwi-xitept-gngauomsvamrph-hcmypy-ldnn-rnzrkyjkosel-mpoujuvtsidizjkf.php
hxxp://gpbxn.ru/my-nsoe-exjl-bwipnafquqnbqkcglxcexc-daykcnbaoh_zaiirk-fyqz-dngdva-yhlzif-jtca-cgcl_rcnlgk-pvfc-xx.php
hxxp://jhlxk.su/jpfc-gtdh-xsdknqzapzvqzrteejixuaplpbtivpcjvpyh-qkeb_sdnoqr-oeca-biorehsrbt-ehuy-tmybza-wipfcj-.php
hxxp://gpbxn.ru/fplgsncexc_zjddonjufzna-gdfrtycjukonxvruuqawpmti-yjnawbgarc-xcsh-rgqzzvjlexrkmxzofckgdi-di.php
hxxp://jhlxk.su/duca-laju-tfofno-ygsi-exnd-wfjt-banafqpbpmos_oskyaknstiqtehjziqukfqltba-ykmvnniosdlzzncg-fqju-.php
hxxp://gpbxn.ru/akua-kbegnl-xjig-yhclpq-sypa-runo-plpmcq-gadk-ruramrkdvnfq-ohjh-mvxleg-ukcdsy-ofox-onqz-syqt-ksxf-ts.php
hxxp://jhlxk.su/dftm-ysglgajzqrpftfoaxj-fzco-uofp-dwon-jtrpqtnmlllxoeuoga-itwk-rngkfrzrxpptcqfcuujplixc-ykvr.php
hxxp://gpbxn.ru/rq_shgscdnbvphero-pyga_vnnete-fmkk_rgiivkfaxjfpejoy-bczokqatno-mvdk-zmbf-cbtf_itnsxoqznenopl-vq.php
hxxp://jhlxk.su/jxqn_jtixjxqnjtixjkcqstll-elvpgn-jplikqbluu-dicbukitiokq-xonh-iioynovnbqtedd_xlbt_jtwi-ipmyal.php
hxxp://gpbxn.ru/calajutfofnoygfqihwgtiehjgybdmjv-caru_tmwi_ybnsnb-jzeymrowxlbljhjlpmbfofgsnqcn-cqybzmfyvr.php
hxxp://jhlxk.su/bihckkrqshgs-cdnb_uulx_qcipvtcaawlxzm-ygxtygyxpace-nosdvybhnbwinaixoykdxqduxpdu-nwnh-xlyv-bi.php
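Two things in this post are directly usable for proxy-log hunting: the payload-dropping URL's query string (every value is a colon-separated list of one- or two-character tokens) and the phone-back URLs (a single very long path segment of lowercase letters and separators, no digits, ending in .php, on gpbxn.ru or jhlxk.su). The script below is an added example, not code from the post; it runs exact-match checks on the indicators the post gives and two generalised heuristics that are this example's own assumptions, over a constructed five-line proxy log built from the post's URLs plus two benign requests.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Indicators taken from the post itself.
KNOWN_REDIRECT_PATH = "/page-329.htm"          # page hosted on each compromised site
KNOWN_EK_HOST = "202.72.245.146"               # exploit-serving / payload-dropping host
KNOWN_C2_HOSTS = {"gpbxn.ru", "jhlxk.su"}      # phone-back domains

# Heuristics generalised from those indicators (assumptions of this example):
# query values like "1g:2v:33:2v:2w" are colon-separated 1-2 character base36 tokens
TOKEN_LIST_RE = re.compile(r"^[0-9a-z]{1,2}(?::[0-9a-z]{1,2})*$")
# beacon paths are one long letter/separator-only segment, no digits, ending in .php
BEACON_PATH_RE = re.compile(r"^/[a-z_-]{60,}\.php$")
IP_HOST_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

def colon_token_query(query):
    """True when every query value is a colon-token list and at least one has 3+ tokens."""
    pairs = parse_qsl(query, keep_blank_values=True)
    if not pairs:
        return False
    values = [v.lower() for _, v in pairs]
    return all(TOKEN_LIST_RE.match(v) for v in values) and any(v.count(":") >= 2 for v in values)

def classify(url):
    """Return the reasons a URL matches this campaign; an empty list means no match."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    tags = []
    if parts.path == KNOWN_REDIRECT_PATH:
        tags.append("known redirector page")
    if host == KNOWN_EK_HOST:
        tags.append("known exploit-kit host")
    if host in KNOWN_C2_HOSTS:
        tags.append("known C2 host")
    if IP_HOST_RE.match(host) and parts.port not in (None, 80, 443):
        tags.append("ip-literal host on non-standard port")
    if parts.path.endswith(".php") and colon_token_query(parts.query):
        tags.append("exploit-kit style colon-token query")
    if BEACON_PATH_RE.match(parts.path):
        tags.append("long letter-only .php beacon path")
    return tags

def scan(log_text):
    """Scan 'time client method url' lines; return (client, url, tags) for each hit."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        tags = classify(fields[3])
        if tags:
            hits.append((fields[1], fields[3], tags))
    return hits

# Constructed proxy log: three lines built from the post's URLs, two benign requests.
SAMPLE_LOG = """\
09:12:01 10.0.0.17 GET http://www.sweetgarden.ca/page-329.htm
09:12:03 10.0.0.17 GET http://202.72.245.146:8080/forum/links/public_version.php?mmltejvt=1g:2v:33:2v:2w&pstvw=3d&xrej=1j:33:32:1l:1g:1i:1o:1n:1o:1i&vczaspnq=1n:1d:1f:1d:1f:1d:1j:1k:1l
09:12:40 10.0.0.17 GET http://gpbxn.ru/rzprxtgxtyebms-qtda-nmxt-ndfvohvndd-cbdh-qtorpp-fprg-sdqj-yszh-vnamvylalipbpyykeawkdastftukky.php
09:13:02 10.0.0.23 GET http://www.example.com/index.php?id=42&page=3
09:13:05 10.0.0.23 GET http://cdn.example.org/static/app-bundle-2013-01-15-min.js
"""

if __name__ == "__main__":
    for client, url, tags in scan(SAMPLE_LOG):
        print(client, url[:60], "->", "; ".join(tags))
```

The exact-match tags go stale as soon as the operators rotate hosts; the two heuristics are what keep catching the next run, at the cost of needing a look at whatever else they flag in your own traffic before you alert on them.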

Webroot SecureAnywhere users are proactively protected from these threats.

You can find more about Dancho Danchev at his LinkedIn Profile. You can also follow him on Twitter.

2 thoughts on “Malicious ‘RE: Your Wire Transfer’ themed emails serve client-side exploits and malware”

  1. Pingback: Cybercriminals resume spamvertising ‘Re: Fwd: Wire Transfer’ themed emails, serve client-side exploits and malware | Webroot Threat Blog - Internet Security Threat Updates from Around the World

  2. Pingback: Fake ‘CNN Breaking News Alerts’ themed emails lead to Black Hole Exploit Kit | Webroot Threat Blog - Internet Security Threat Updates from Around the World
