Fake FedEx email invoice leads to BlackHole exploit kit
Sep 14, 2012 - "... cybercriminals have launched yet another massive spam run, this time impersonating FedEx in an attempt to trick its customers into clicking on a malware and exploits-serving URL found in the malicious email...
Screenshot of the spamvertised email:
> https://webrootblog.files.wordpress....xploit_kit.png
... Sample client-side exploits serving URLs: hxxp ://studiomonahan .net/main.php?page=2bfd5695763b6536 (, AS10481;, AS6921); hxxp ://gsigallery .net/main.php?page=2bfd5695763b6536 (, AS40034)
Sample client-side exploits served: CVE-2010-1885
Detection rate for a sample JavaScript redirector: MD5: 32a74240c7e1a34a2a8ed8749758ef15* ...
JS/Iframe.FR; Trojan-Downloader.JS.Iframe.dbe; JS/Exploit-Blacole.hd
Upon successful client-side exploitation, the campaign drops MD5: f9904f305de002ad5c0ad4b4648d0ca7** ... Trojan.Win32.Obfuscated.aopm; Worm:Win32/Cridex.E
... and MD5: 0e2c968865d34c8570bb69aa6156b915*** Worm.Win32.Cridex.jb
The first sample phones back to :8080/mx/5/B/in/ (AS1955) and to :8080/mx/5/B/in (AS13147), and the second sample initiates DNS queries to droppinlever .pro; lambolp700tuning .ru and it also produces TCP traffic to on port 443, as well as to again on port 443.
... We’ve already seen numerous malicious campaigns phoning back one of these command and control servers, :8080/mx/5/B/in in particular..."
File name: Fedex.html
Detection ratio: 8/41
Analysis date: 2012-09-13
File name: f9904f305de002ad5c0ad4b4648d0ca7.malware
Detection ratio: 30/42
Analysis date: 2012-09-13
File name: a36fc381c480e4e7ee09c89d950195c2
Detection ratio: 24/42
Analysis date: 2012-09-11
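The indicators above are pasted in the defanged form the write-up uses ("hxxp ://host .tld", "droppinlever .pro"), and the C2 IPs were stripped out of the post, leaving only the ":8080/mx/5/B/in" path and port. The following is an added example, not code from the post or from Webroot: it refangs those indicators, then runs them against constructed proxy-log lines and DNS query names to show how a defender would key detections on the landing hosts, the beacon path/port pair, and the quoted MD5s. The log format, the client addresses and the 192.0.2.10 placeholder C2 address are all assumptions made for the example.

```python
import re
from urllib.parse import urlsplit

# Indicators copied from the quoted write-up, in the defanged form the post uses.
DEFANGED_URLS = [
    "hxxp ://studiomonahan .net/main.php?page=2bfd5695763b6536",
    "hxxp ://gsigallery .net/main.php?page=2bfd5695763b6536",
]
DEFANGED_DOMAINS = ["droppinlever .pro", "lambolp700tuning .ru"]
# C2 path and port quoted in the write-up; the post has the C2 IPs stripped out,
# so the path/port pair is the only thing left to key on.
C2_PATH = "/mx/5/B/in"
C2_PORT = 8080
KNOWN_MD5S = {
    "32a74240c7e1a34a2a8ed8749758ef15",  # JavaScript redirector
    "f9904f305de002ad5c0ad4b4648d0ca7",  # first dropped sample
    "0e2c968865d34c8570bb69aa6156b915",  # second dropped sample
}


def refang(ioc: str) -> str:
    """Turn 'hxxp ://host .tld/path' (and the common 'host[.]tld' style) back
    into a normal URL or hostname so it can be compared with log data."""
    s = ioc.strip()
    s = re.sub(r"\s*://\s*", "://", s)            # 'hxxp ://' -> 'hxxp://'
    s = re.sub(r"^hxxp", "http", s, flags=re.I)   # 'hxxp'     -> 'http'
    s = s.replace(" .", ".").replace("[.]", ".")  # 'host .tld' -> 'host.tld'
    return s.lower()


def host_of(url: str) -> str:
    return (urlsplit(url).hostname or "").lower()


# Landing hosts from the exploit URLs plus the domains the dropped sample resolves.
BAD_HOSTS = {host_of(refang(u)) for u in DEFANGED_URLS} | {refang(d) for d in DEFANGED_DOMAINS}


def scan_proxy_log(log_text: str) -> list:
    """One hit per line whose URL hits a known landing host, or the quoted C2
    path on port 8080. Assumed line format: 'timestamp client method url status'."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue  # blank or malformed line
        _ts, client, _method, url, _status = parts[:5]
        u = urlsplit(url)
        host = (u.hostname or "").lower()
        port = u.port or (443 if u.scheme == "https" else 80)
        reason = None
        if host in BAD_HOSTS:
            reason = "landing-host"
        elif port == C2_PORT and u.path.rstrip("/") == C2_PATH:
            reason = "c2-beacon"
        if reason:
            hits.append({"client": client, "url": url, "reason": reason})
    return hits


def scan_dns_queries(names) -> set:
    """Queried names that equal, or are subdomains of, a known bad domain."""
    flagged = set()
    for n in names:
        n = n.lower().rstrip(".")
        if any(n == bad or n.endswith("." + bad) for bad in BAD_HOSTS):
            flagged.add(n)
    return flagged


def is_known_hash(md5_hex: str) -> bool:
    return md5_hex.strip().lower() in KNOWN_MD5S


# Constructed sample data; 192.0.2.10 is a documentation address standing in for
# the C2 IP that the post stripped out.
SAMPLE_PROXY_LOG = """\
2012-09-13T10:01:02Z 10.0.0.5 GET http://www.example.com/index.html 200
2012-09-13T10:02:17Z 10.0.0.5 GET http://studiomonahan.net/main.php?page=2bfd5695763b6536 200
2012-09-13T10:02:40Z 10.0.0.5 POST http://192.0.2.10:8080/mx/5/B/in/ 200
2012-09-13T10:05:11Z 10.0.0.7 GET http://www.example.org:8080/status 200
"""
SAMPLE_DNS_QUERIES = [
    "www.example.com",
    "droppinlever.pro",
    "cdn.lambolp700tuning.ru",
    "notlambolp700tuning.ru",  # same suffix, different registered domain: must not match
]

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(hit)
    print(sorted(scan_dns_queries(SAMPLE_DNS_QUERIES)))
    print(is_known_hash("F9904F305DE002AD5C0AD4B4648D0CA7"))
```

The first two proxy hits come from the same client within a minute, which is the sequence the write-up describes (landing page, then the dropped sample beaconing to :8080/mx/5/B/in); correlating on client and time is what turns two indicator matches into one incident. The DNS check deliberately requires a dot boundary so that a look-alike registered domain with the same suffix is not flagged.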