And they're back (Gumblar or RUmblar due to the extensive use of .ru domains) for a decent start of the weekend - switching social engineering themes one more time, this time impersonating Amazon.com
- NOTE: A summary of the malicious payload served will be posted at a later stage. Meanwhile, in order to facilitate quicker response, a complete list of the domains participating will be featured/disseminated across the appropriate parties.
- Sample message: "Dear email, You recently changed your e-mail address at Amazon.com. Since you are a subscriber of Amazon.com Delivers E-mail Subscriptions, you will need to verify your new e-mail address. Please verify that the e-mail address email belongs to you. You can click on the link below to complete the verification process. Alternatively, you can type or paste the following link into your Web browser: http://www.amazon.com"
Client-side exploitation is taking place through, for instance, crystalrobe.ru: 8080/index.php?pid=14 and hillchart.com: 8080/index.php?pid=14. As seen in previous campaigns, this one is also sharing an identical directory structure, such as:
malicious-domain.com :8080/index.php?pid=2
malicious-domain.com :8080/Notes1.pdf (Notes1-to-Notes10.pdf)
malicious-domain.com :8080/NewGames.jar
malicious-domain.com :8080/Games.jar
malicious-domain.com :8080/Applet1.html (Applet1-to-Applet10.html)
malicious-domain.com :8080/welcome.php?id=6&pid=1&hello=503
crystalrobe.ru :8080/index.php?pid=14
crystalrobe.ru :8080/jquery.jxx?v=5.3.4
crystalrobe.ru :8080/new/controller.php
crystalrobe.ru :8080/js.php
crystalrobe.ru :8080/welcome.php?id=6&pid=1&hello=503
crystalrobe.ru :8080/welcome.php?id=0&pid=1
Client-side exploits serving domains (94.23.231.140; 91.121.115.208; 94.23.11.38; 94.23.224.221; 94.23.229.220) part of the campaign:
applecorn.com - Email: es@qx8.ru
areadrum.com - Email: qx@freenetbox.ru
busyspade.com - Email: baffle@freenetbox.ru
cafemack.com - Email: soy@qx8.ru
clanday.com - Email: elope@fastermail.ru
dnsofthost.com - Email: depot@infotorrent.ru
drunkjeans.com - Email: runway@5mx.ru
earlymale.com - Email: amply@maillife.ru
galslime.com - Email: soy@qx8.ru
gigasofa.com - Email: grind@fastermail.ru
hillchart.com - Email: soy@qx8.ru
hugejar.com - Email: runway@5mx.ru
ionicclock.com - Email: kin@maillife.ru
lasteye.com - Email: amply@maillife.ru
luckysled.com - Email: kin@maillife.ru
macrotub.com - Email: dodge@5mx.ru
oldgoal.com - Email: kin@maillife.ru
outerrush.com - Email: amply@maillife.ru
quietzero.com - Email: grind@fastermail.ru
radiomum.com - Email: es@qx8.ru
roundstorm.com - Email: es@qx8.ru
sadute.com - Email: grind@fastermail.ru
sheepbody.com - Email: es@qx8.ru
shinytower.com - Email: cord@maillife.ru
splatspa.com - Email: elope@fastermail.ru
tanspice.com - Email: dodge@5mx.ru
tanyear.com - Email: grind@fastermail.ru
tightsales.com - Email: runway@5mx.ru
tuneblouse.com - Email: es@qx8.ru
validplan.com - Email: dodge@5mx.ru
waxyblock.com - Email: cord@maillife.ru
allnext.ru - Email: swipe@maillife.ru
barnsoftware.ru - Email: people@bigmailbox.ru
bestbidline.ru - Email: jody@fastermail.ru
bestexportsite.ru - Email: orphan@qx8.ru
bittag.ru - Email: tips@freenetbox.ru
boozelight.ru - Email: ole@bigmailbox.ru
brandnewnet.ru - Email: orphan@qx8.ru
cangethelp.ru - Email: liver@freenetbox.ru
chainjoke.ru - Email: ole@bigmailbox.ru
comingbig.ru - Email: swipe@maillife.ru
countypath.ru - Email: liver@freenetbox.ru
crystalrobe.ru - Email: people@bigmailbox.ru
cupjack.ru - Email: tips@freenetbox.ru
dealyak.ru - Email: people@bigmailbox.ru
eyesong.ru - Email: tips@freenetbox.ru
familywater.ru - Email: ole@bigmailbox.ru
funsitedesigns.ru - Email: orphan@qx8.ru
galneed.ru - Email: people@bigmailbox.ru
girllab.ru - Email: tips@freenetbox.ru
greedford.ru - Email: ole@bigmailbox.ru
guntap.ru - Email: tips@freenetbox.ru
heroguy.ru - Email: ole@bigmailbox.ru
homecarenation.ru - Email: orphan@qx8.ru
homesitecam.ru - Email: orphan@qx8.ru
hookdown.ru - Email: crag@maillife.ru
horsedoctor.ru - Email: ole@bigmailbox.ru
jarpub.ru - Email: ole@bigmailbox.ru
liplead.ru - Email: ole@bigmailbox.ru
livesitedesign.ru - Email: orphan@qx8.ru
mansbestsite.ru - Email: orphan@qx8.ru
marketholiday.ru - Email: people@bigmailbox.ru
metalspice.ru - Email: ole@bigmailbox.ru
mingleas.ru - Email: crag@maillife.ru
motherfire.ru - Email: people@bigmailbox.ru
musicbestway.ru - Email: jody@fastermail.ru
musicsiteguide.ru - Email: crag@maillife.ru
netbesthelp.ru - Email: liver@freenetbox.ru
netwebinternet.ru - Email: dibs@freemailbox.ru
newagedirect.ru - Email: orphan@qx8.ru
newhomelady.ru - Email: orphan@qx8.ru
newinfoworld.ru - Email: orphan@qx8.ru
newworldunion.ru - Email: orphan@qx8.ru
ourfreesite.ru - Email: orphan@qx8.ru
panlip.ru - Email: tips@freenetbox.ru
pantscow.ru - Email: ole@bigmailbox.ru
problemdollars.ru - Email: people@bigmailbox.ru
raceobject.ru - Email: people@bigmailbox.ru
silencepill.ru - Email: ole@bigmailbox.ru
sisterqueen.ru - Email: ole@bigmailbox.ru
slaveday.ru - Email: ole@bigmailbox.ru
stareastwork.ru - Email: next@fastermail.ru
superblenderworld.ru - Email: crag@maillife.ru
superhoppie.ru - Email: soft@bigmailbox.ru
supertruelife.ru - Email: edsel@fastermail.ru
superwestcoast.ru - Email: crag@maillife.ru
theantimatrix.ru - Email: ole@bigmailbox.ru
tintie.ru - Email: swipe@maillife.ru
topmediasite.ru - Email: tips@freenetbox.ru
treecorn.ru - Email: tips@freenetbox.ru
trueblueally.ru - Email: soft@bigmailbox.ru
trueblueberyl.ru - Email: soft@bigmailbox.ru
tunemug.ru - Email: tips@freenetbox.ru
ushead.ru - Email: crag@maillife.ru
westbendonline.ru - Email: edsel@fastermail.ru
yaktrack.ru - Email: ole@bigmailbox.ru
yournewonline.ru - Email: orphan@qx8.ru
yourtolltag.ru - Email: orphan@qx8.ru
yourtruecrime.ru - Email: soft@bigmailbox.ru
zooneed.ru - Email: ole@bigmailbox.ru
Name servers of notice:
ns1.dnsofthost.com - 81.2.210.98
ns2.dnsofthost.com - 194.79.88.121
ns3.dnsofthost.com - 67.223.233.101
ns4.dnsofthost.com - 85.214.29.9
The NAUNET-REG-RIPN domain registrar, although, having already registered over a 100 ZeuS crimeware friendly domains, there's little chance they'll take action. Updates, including take down/remediation actions will be posted as soon as they emerge.
This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter.
No comments:
Post a Comment