
Tuesday 18 June 2013

UPS Spam / rmacstolp.net

This fake UPS spam leads to malware on rmacstolp.net:

Date:      Tue, 18 Jun 2013 01:21:34 -0800 [05:21:34 EDT]
From:      UPSBillingCenter@upsmail.net
Subject:      Your UPS Invoice is Ready

UPS Billing Center
   
This is an automatically generated email. Please do not reply to this email address.

Dear UPS Customer,

Thank you for your business.

New invoice(s) are available for the consolidated payment plan(s) / account(s) enrolled in the UPS Billing Center.

Please visit the UPS Billing Center to view your paid invoice.



Questions about your charges? To get a better understanding of surcharges on your invoice, click here.


Discover more about UPS:
Visit ups.com
Explore UPS Freight Services
Learn About UPS Companies
Sign Up For Additional Email From UPS
Read Compass Online

© 2013 United Parcel Service of America, Inc. UPS, the UPS brandmark, and the color brown are trademarks of United Parcel Service of America, Inc. All rights reserved.
For more information on UPS's privacy practices, refer to the UPS Privacy Policy.
Please do not reply directly to this e-mail. UPS will not receive any reply message.
For questions or comments, visit Contact UPS.

This communication contains proprietary information and may be confidential. If you are not the intended recipient, the reading, copying, disclosure or other use of the contents of this e-mail is strictly prohibited and you are instructed to please delete this e-mail immediately.
Privacy Policy
Contact UPS


The link in the email goes through a legitimate but hacked site and then ends up at a malicious payload on [donotclick]rmacstolp.net/news/fishs_grands.php (report here and here). The payload appears to be the Blackhole Exploit Kit, but the site seems either to be not working or (more likely) to be resisting analysis.

If not called properly, the malware appears to serve up random payload pages. I think they may be fake ones to evade detection. Here are some of them:
[donotclick]shop.babeta.ru/ftyxsem.php
[donotclick]kontra-antiabzocker.net/cpdedlp.php
[donotclick]www.cyprusivf.net/iabsvkc.php
[donotclick]clubempire.ru/ayrwoxt.php
[donotclick]artstroydom.com/rwlqqtq.php
[donotclick]www.masthotels.gr/ysmaols.php

rmacstolp.net is hosted on the following IPs:
186.215.126.52 (Global Village Telecom, Brazil)
190.93.23.10 (Greendot, Trinidad and Tobago)
193.254.231.51 (Universitatea Transilvania Brasov, Romania)
202.147.169.211 (LINKdotNET Telecom Limited, Pakistan)
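A small detection script, added here as an illustration and not part of the original post, that runs the indicators above (the payload host and its landing path, the four hosting IPs, and the decoy payload hosts) over a few constructed proxy log lines; the log format, client addresses and the hacked-site.example hostname are assumptions.

```python
from urllib.parse import urlsplit
# Indicators quoted from the post above (payload host, landing path, hosting IPs, decoy hosts).
PAYLOAD_HOST = "rmacstolp.net"
LANDING_PATH = "/news/fishs_grands.php"
HOSTING_IPS = {"186.215.126.52", "190.93.23.10", "193.254.231.51", "202.147.169.211"}
DECOY_HOSTS = {"shop.babeta.ru", "kontra-antiabzocker.net", "www.cyprusivf.net",
               "clubempire.ru", "artstroydom.com", "www.masthotels.gr"}
# Constructed proxy log lines (not from the post): timestamp, client IP, requested URL.
SAMPLE_LOG = """\
2013-06-18T05:21:40 10.0.0.15 http://hacked-site.example/blog/index.php
2013-06-18T05:21:41 10.0.0.15 http://rmacstolp.net/news/fishs_grands.php
2013-06-18T05:22:03 10.0.0.22 http://www.ups.com/
2013-06-18T05:23:10 10.0.0.31 http://www.cyprusivf.net/iabsvkc.php
2013-06-18T05:24:55 10.0.0.40 http://193.254.231.51/news/fishs_grands.php
"""

def parse_line(line):
    # Split one log line into (timestamp, client, host, path); None if malformed.
    fields = line.split()
    if len(fields) != 3:
        return None
    ts, client, url = fields
    parts = urlsplit(url)
    return ts, client, (parts.hostname or "").lower(), parts.path

def classify(host, path):
    # Reasons this request matches the post's indicators; empty list if clean.
    reasons = []
    if host == PAYLOAD_HOST:
        reasons.append("payload host")
    if host in HOSTING_IPS:
        reasons.append("direct request to hosting IP")
    if path == LANDING_PATH:
        reasons.append("exploit-kit landing path")
    if host in DECOY_HOSTS:
        reasons.append("decoy payload host")
    return reasons

def scan(log_text):
    # Return (client, host, reasons) for every log line that hits an indicator.
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry:
            _, client, host, path = entry
            reasons = classify(host, path)
            if reasons:
                hits.append((client, host, reasons))
    return hits
```

Requests to the landing path by bare IP are flagged as well, since the post shows the same payload served from several hosting addresses.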

Recommended blocklist:

