The BlackHole Exploit Kit (BHEK) spam run has already assumed various disguises for the past months. It has taken the form of very convincing but fake bank notice, cable provider email update, social networking email, and courier notification among others. Lately, we have seen a slew of spam that crafted as an email notice from the popular store Walmart. However, this spam run offers something different.
In this spam campaign, the perpetrators used punycode, in particular applied to the links contained in these message to make detection difficult. These techniques are not new, but seeing them used in a campaign is unusual. Users who click on the link are redirected to several sites until they are lead to a malware (detected as TROJ_PIDIEF.SMXY).