Websense researchers have been following several recent email spam campaigns targeting users of popular services such as Skype and Evernote, and believe them to be initiated by the infamous ru:8080 gang, which a history of similar spam runs impersonating legitimate Internet services such as Pinterest, Dropbox, etc.
These latest campaigns start with spoofed emails purportedly alerting the recipients to a message/image they have received on Skype and Evernote, offering an embedded link that leads to compromised sites hosting an exploit kit.
In the past, the aforementioned gang’s preferred exploit kit was Blackhole, but with the arrest and prosecution of its creator, Blackhole does not longer cut it, and they have switched first to using the Magnitude, then the Angler and, finally, the Goon exploit kit.
This group is currently focusing more on UK users, but targets US and German users as well.
“We have seen evidence and reports of the ‘ru:8080’ gang switching to Angler Exploit Kit as far back as December 2013 […] but we have not noticed any large scale email attacks until recently,” the Websense team noted.
This gang typically pushes information-stealing trojans such as Cridex, Zeus GameOver, and click-fraud trojans like ZeroAccess onto the users, but they have also been known to deliver ransomware and worms.
In this last few cases, the delivered malware is a Zeus variant that was initially detected by just a handful of commercial AV solutions.
“The switch from one exploit kit to the other indicates several possibilities, one being that continuing to use a single Malware-as-a-Service for a long period is deemed too risky to maintain a profitable operation,” the researchers speculate. “Alternatively, the attackers are evaluating multiple exploit kits to determine which works the best, or multiple attackers may be leveraging the same bot-net and redirect structures.”