By Dancho Danchev
Cybercriminals' newest spamvertised malware campaign is brand-jacking Verizon Wireless in an attempt to trick end users into clicking on the malicious links embedded in the email.
More details:
The campaign is relying on thousands of compromised legitimate web sites, each hosting a tiny JavaScript file (.js), in an attempt to trick Web reputation filters into thinking the content is served from a legitimate web site. The campaign is ultimately redirecting to a BlackHole web malware exploitation kit at hxxp://slickcurve.com/showthread.php?t=d7ad916d1c0396ff which drops the following MD5: 99FAB94FD824737393F5184685E8EDF2.
It’s being launched by the same cybercriminals that launched last week’s “Malicious USPS-themed emails circulating in the wild” campaign, as both campaigns share the same directory/exploit-serving structure.
The MD5 is using the following dropzone for sending back the intercepted account data from the infected PCs: hxxp://176.28.18.135:8080/pony/gate.php
Now where have we seen this IP before? In last week's "Spamvertised LinkedIn notifications serving client-side exploits and malware" malware campaign, where 176.28.18.135 was serving client-side exploits through the BlackHole web malware exploitation kit.
The MD5 also attempts to contact the following dropzones if 176.28.18.135 is unavailable:
- hxxp://85.214.243.87:8080/pony/gate.php
- hxxp://88.85.99.44:8080/pony/gate.php
It also downloads a copy of the ZeuS crimeware, using the following MD5: 86A548CADA5636B4A8ED7DE5F654FF96
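The dropzone fallback list above is what a defender would turn into a detection rule: an infected host that cannot reach 176.28.18.135 will try the other two gates, so matching on the shared /pony/gate.php path catches the failover as well as the primary. The script below is an added example, not code from the post or from Webroot; it refangs the indicators quoted above, runs them over a few constructed proxy log lines, and also flags any other host serving the same gate path (my assumption, so that an unlisted Pony dropzone still produces a hit).

```python
import re
from urllib.parse import urlparse

# Indicators quoted in the post, kept defanged (hxxp) as published.
DEFANGED_IOCS = [
    "hxxp://slickcurve.com/showthread.php?t=d7ad916d1c0396ff",  # BlackHole landing page
    "hxxp://176.28.18.135:8080/pony/gate.php",                  # primary Pony dropzone
    "hxxp://85.214.243.87:8080/pony/gate.php",                  # fallback dropzones
    "hxxp://88.85.99.44:8080/pony/gate.php",
]

# Sample hashes from the post (lower-cased for comparison).
KNOWN_MD5S = {
    "99fab94fd824737393f5184685e8edf2",  # dropped by the BlackHole landing page
    "86a548cada5636b4a8ed7de5f654ff96",  # ZeuS copy fetched afterwards
}

# Assumption: other Pony gates use the same path, so match it regardless of host.
PONY_GATE_PATH = re.compile(r"/pony/gate\.php$", re.IGNORECASE)

# Constructed proxy log lines: "<time> <client> <method> <url> <status>".
SAMPLE_LOG = """\
2012-02-01T10:00:01Z 10.0.0.5 GET http://www.example.com/index.html 200
2012-02-01T10:00:03Z 10.0.0.5 GET http://slickcurve.com/showthread.php?t=d7ad916d1c0396ff 200
2012-02-01T10:00:09Z 10.0.0.5 POST http://176.28.18.135:8080/pony/gate.php 200
2012-02-01T10:00:15Z 10.0.0.5 POST http://88.85.99.44:8080/pony/gate.php 200
2012-02-01T10:00:20Z 10.0.0.7 POST http://203.0.113.9:8080/pony/gate.php 200
2012-02-01T10:00:25Z 10.0.0.9 GET http://176.28.18.135/ 404
"""


def refang(url):
    """Turn a defanged hxxp:// or hxxps:// indicator back into a real URL."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.IGNORECASE)


def ioc_hosts(iocs):
    """Hostnames (IP or domain) extracted from the defanged indicator list."""
    return {urlparse(refang(u)).hostname for u in iocs}


def classify(url, hosts):
    """Return a verdict string for a single requested URL, or None if clean."""
    p = urlparse(url)
    if p.hostname in hosts:
        return "known_ioc"          # host named in the post, any port or path
    if PONY_GATE_PATH.search(p.path or ""):
        return "pony_gate_pattern"  # unlisted host, but same Pony gate layout
    return None


def is_known_sample(md5_hex):
    """True if the hash is one of the two samples quoted in the post."""
    return md5_hex.strip().lower() in KNOWN_MD5S


def scan_log(text, iocs=DEFANGED_IOCS):
    """Scan proxy log lines and return one dict per suspicious request."""
    hosts = ioc_hosts(iocs)
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed lines rather than failing the whole scan
        ts, client, _method, url, _status = parts
        verdict = classify(url, hosts)
        if verdict:
            hits.append({"time": ts, "client": client, "url": url, "verdict": verdict})
    return hits


if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        print(f'{h["time"]} {h["client"]} {h["verdict"]:18} {h["url"]}')
```

Matching on hostname rather than the full URL is deliberate: the post shows the same IP serving both the exploit kit and the Pony gate, so a request to 176.28.18.135 on any port is worth an alert, and the path rule covers gates the post had not yet seen.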
Webroot security researchers will continue monitoring the campaign, to ensure that Webroot SecureAnywhere customers are protected from this ongoing threat.