By Dancho Danchev
Cybercriminals are currently spamvertising millions of emails impersonating US Airways, in an attempt to trick users into clicking on the malicious links found in the legitimate-looking emails. Let's dissect the malicious campaign and expose its dynamics.
Sample screenshot of the spamvertised US Airways-themed email:
Spamvertised compromised URL: hxxp://raintree.on.ca/depdetails.html
Sample client-side exploits serving URL: hxxp://blue-lotusgrove.net/main.php?page=559e008e5ed98bf7 – 18.104.22.168 (AS24559); Email: email@example.com
Sample client-side exploits served: CVE-2010-1885
The following malicious domains also respond to the same IP, 22.214.171.124 (AS24559):
Detection rate for a sample JavaScript redirection: MD5: 5c5a3c6e91c1c948c735e90009886e37 – detected by 3 out of 42 antivirus scanners as Mal/Iframe-W
Upon successful client-side exploitation, the campaign drops MD5: 9069210d0758b34d8ef8679f712b48aa on the infected hosts, detected by 6 out of 42 antivirus scanners as Trojan.Winlock.6049; W32/Cridex.R
Upon execution, the sample phones back to 126.96.36.199:8080/mx/5/B/in/ (AS40676).
More MD5s are known to have phoned back to the same IP, for instance:
These MD5s also phone back to related command and control servers that are part of the malicious campaign, such as:
The last time we intercepted the same HTML template being used in the wild was in April 2012. Back then, we found an identical campaign structure between the US Airways-themed campaign and the "Spamvertised Verizon-themed 'Your Bill Is Now Available' emails lead to ZeuS crimeware" and "Spamvertised LinkedIn notifications serving client-side exploits and malware" campaigns, leading us to the conclusion that it's the same cybercriminal/gang of cybercriminals launching these attacks.
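For defenders, the exploit-serving URL and the phone-back URL listed above can be turned into a retrospective hunt over web proxy logs. The following Python sketch is an added example, not code from the original post: the generalized patterns (a 16-hex-digit `page` token, port 8080 with the `/mx/5/B/in/` path), the log layout and the hosts in the sample log are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Patterns generalized from the two URLs in the write-up. Assumption: the
# page token stays 16 hex digits and the phone-back path stays /mx/5/B/in/.
LANDING = re.compile(r"^/main\.php\?page=[0-9a-f]{16}$")
BEACON_PATH = "/mx/5/B/in/"
BEACON_PORT = 8080

def refang(url):
    """Make a defanged or scheme-less indicator parseable by urlsplit."""
    url = re.sub(r"^hxxp", "http", url.strip(), flags=re.I)
    return url if "://" in url else "http://" + url

def classify(url):
    """Return 'landing', 'beacon' or None for one requested URL."""
    parts = urlsplit(refang(url))
    target = parts.path + ("?" + parts.query if parts.query else "")
    if LANDING.match(target):
        return "landing"
    if parts.port == BEACON_PORT and parts.path.startswith(BEACON_PATH):
        return "beacon"
    return None

def verdict(stages):
    """Grade a client by the order of the stages it requested."""
    if "landing" in stages and "beacon" in stages[stages.index("landing"):]:
        return "landing-then-beacon"
    return "beacon-only" if "beacon" in stages else "landing-only"

def hunt(log_lines):
    """Map each client with at least one hit to its verdict."""
    seen = {}
    for line in log_lines:
        fields = line.split()
        if len(fields) < 3:
            continue  # skip blank or truncated lines
        kind = classify(fields[2])
        if kind:
            seen.setdefault(fields[1], []).append(kind)
    return {client: verdict(stages) for client, stages in seen.items()}

# Constructed proxy log (timestamp, client, URL, status); hosts are placeholders.
SAMPLE_LOG = [
    "2012-01-01T10:00:01 10.0.0.5 http://kit.example/main.php?page=559e008e5ed98bf7 200",
    "2012-01-01T10:00:09 10.0.0.5 http://203.0.113.7:8080/mx/5/B/in/ 200",
    "2012-01-01T10:02:00 10.0.0.8 http://kit.example/main.php?page=559e008e5ed98bf7 200",
    "2012-01-01T10:03:00 10.0.0.9 http://intranet.example:8080/mx/index.html 200",
    "2012-01-01T10:04:00 10.0.0.7 203.0.113.7:8080/mx/5/B/in/ 200",
]
```

A client graded `landing-then-beacon` requested the exploit page and later contacted the phone-back path, so it is the first candidate for triage; `beacon-only` clients may have been infected before the log window began.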
Webroot SecureAnywhere users are proactively protected from these threats.