Cybercriminals resume spamvertising bogus greeting cards, serve exploits and malware


By Dancho Danchev

Remember the recently profiled 123greetings.com themed malicious campaign?

It appears that over the past 24 hours, the cybercriminals behind it have resumed spamvertising millions of emails pointing to additional compromised URLs in a clear attempt to improve their click-through rates.

More details:

Sample screenshot of the spamvertised email:

Sample screenshot of the JavaScript redirection:

Sample spamvertised compromised URLs: hxxp://sheregesh-nsk.ru/modules/mod_wp/capo.html; hxxp://avto-optic.ru/modules/mod_wp/gree.html; hxxp://anime-nsk.ru/modules/mod_wp/gree.html; hxxp://115.47.73.66/gree.html; hxxp://bjflm.cn/gree.html; hxxp://qichepeijianwang.com/gree.html; hxxp://avtodicki.ru/modules/mod_wp/capo.html

Sample Black Hole exploit kit landing URL: hxxp://monstercompanionsbonuses.info/main.php?page=18bd34ba262669f3

Detection rate for a sample JavaScript redirection: MD5: 75e030e741875d29f12b179f2657e5fd – detected by 5 out of 42 antivirus scanners as Trojan.JS.Iframe.aby; Trojan.Webkit!html

Upon successful client-side exploitation, the campaign drops a binary with MD5: 864e1dec051cbd800ed59f6f91554597 – detected by 3 out of 42 antivirus scanners as W32/Yakes.AP!tr

Once executed, the malware phones back to 216.38.12.158:8080/mx/5/B/in (recipe.devrich.com, AS32181). Another domain is known to have been responding to the same IP in the past, namely, hxxp://imanuilletapchenko.ru:8080/html/yveveqduclirb1.php
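The chain above (greeting-card lure page, Black Hole landing URL, Yakes phone-home) can be checked against web proxy logs. The following is an added example, not part of the original post or any Webroot tooling; it assumes a simple space-separated log format (timestamp, client IP, method, host, port, path) and uses constructed sample lines built from the indicators in this post.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional

# Indicator patterns derived from the campaign described above.
# Black Hole landing page: main.php?page=<16 hex characters>.
BLACKHOLE_LANDING_RE = re.compile(r"^/main\.php\?page=[0-9a-f]{16}$")
# The greeting-card lure pages were served as gree.html / capo.html
# (weak on its own, so it is only one stage of the correlation below).
LURE_PAGE_RE = re.compile(r"/(?:gree|capo)\.html$")
# Yakes phone-home: 216.38.12.158:8080/mx/... (from the post).
C2_HOST, C2_PORT, C2_PATH_PREFIX = "216.38.12.158", 8080, "/mx/"

# Constructed sample proxy log (assumed format, not real traffic):
# timestamp client method host port path
SAMPLE_LOG = """\
2012-01-01T10:00:01 10.0.0.5 GET sheregesh-nsk.ru 80 /modules/mod_wp/capo.html
2012-01-01T10:00:02 10.0.0.5 GET monstercompanionsbonuses.info 80 /main.php?page=18bd34ba262669f3
2012-01-01T10:00:09 10.0.0.5 POST 216.38.12.158 8080 /mx/5/B/in
2012-01-01T10:01:00 10.0.0.7 GET example.org 80 /index.html
2012-01-01T10:02:00 10.0.0.9 GET intranet.local 8080 /mx/5/B/in
"""

def classify(host: str, port: int, path: str) -> Optional[str]:
    """Map one request to a stage of the infection chain, or None."""
    if host == C2_HOST and port == C2_PORT and path.startswith(C2_PATH_PREFIX):
        return "c2_beacon"
    if BLACKHOLE_LANDING_RE.match(path):
        return "exploit_kit"
    if LURE_PAGE_RE.search(path):
        return "lure"
    return None

def scan_log(text: str) -> Dict[str, List[str]]:
    """Return, per client IP, the chain stages observed in first-seen order."""
    seen: Dict[str, List[str]] = defaultdict(list)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue  # skip malformed lines rather than crash on them
        _ts, client, _method, host, port, path = parts
        stage = classify(host, int(port), path)
        if stage and stage not in seen[client]:
            seen[client].append(stage)
    return dict(seen)

def likely_infected(stages: Dict[str, List[str]]) -> List[str]:
    """Clients that hit the exploit kit landing page and then beaconed to the C2."""
    return sorted(c for c, s in stages.items()
                  if "exploit_kit" in s and "c2_beacon" in s)
```

A host that only matches the lure page name is not flagged; the exploit kit landing plus the C2 beacon together are what distinguish a successful infection from a blocked or curious visit.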

Webroot SecureAnywhere users are proactively protected from these threats.

You can find more about Dancho Danchev at his LinkedIn Profile. You can also follow him on Twitter.
