Yesterday's campaign is still ongoing, with new MD5's in the wild. Here are the details.
Sample subjects: DHL notification #random number
Sample message: Dear customer! The parcel was send your home address. And it will arrice within 7 bussness day. More information and the tracking number are attached in document below. Thank you. 2011 DHL International GmbH. All rights reserverd.
Sample filenames: DHL_tracking.zip; doc.zip
doc.exe - Trojan-Spy.SpyEy!IK - Result: 18/ 43 (41.9%)
MD5: 83db662187dd7cd58fc4a368ea27775d
SHA1 : 4edb2d95c0570a36f6cb992e55111cdd7c3eda69
SHA256: 99f1e003bbf1025b0bbe257ece65d1704852fd1ba48e6cc79bd39cde6e6d14c3
DHL_tracking.exe - Win-Trojan/Spyeyes.45568 - Result: 29/ 43 (67.4%)
MD5 : 81fc09b014617bce59f678374b486512
SHA1 : 3d92a768f58b2900b98c9f97ce2753d27a4749ae
SHA256: 24b23bf7ebd03bf5feb0c637ea1e64661e27c78c66684dd49f074af2b2505bb7
Upon execution phones back to:
adobe.com/geo/productid.php
elsoplongt.com/rk`,jopbh/qwq - Email: redaccion@elsoplongt.com
accuratefiles.com/rk`,jopbh/qwq
lulango.com/rk`,jopbh/qwq - Email: lulango@gmail.com
erherg34gsafwe.com/xgate.php - AS49469, Email: admin@erherg34gsafwe.com
- erherg34gsafwe.com/ftp/base.bin
- erherg34gsafwe.com/ftp/ftpplug2.dll
- erherg34gsafwe.com/ftp/base.bin
Domains responding to:
192.150.16.117
72.41.115.170
74.117.180.216
87.106.193.21
94.63.244.56
Additional malicious activity within AS49469 (SA-NOVA-TELECOM-GRUP-SRL Sa Nova Telecom Grup SRL, courtesy of the ZeusTracker and the SpyEye Tracker:
bigupdate.ru - Email: admin@hotupdaters.ru
bigupdatings.ru - Email: admin@bigupdatings.ru
bigupdater.ru - Email: admin@bigupdater.ru
bigupdates.ru - Email: admin@istuplenie.ru
bigupdating.ru - Email: admin@bigupdating.ru
bigupdaters.ru - Email: admin@bigupdaters.ru
94.63.244.30
metamphcrystal.com - Email: admin@metamphcrystal.com
Related malware-serving domains within AS49469, SA-NOVA-TELECOM-GRUP-SRL Sa Nova Telecom Grup SRL
xppclapgirl.com - 89.114.9.33
natnatraoi.com - 12.211.117.127 - Email: barbarasorber@yahoo.com
d34ghqarfrgad.com - 94.63.244.56 - Email: admin@d34ghqarfrgad.com
g3u4g.net - 89.114.9.33 - Email: G3U4G.NET@domainservice.com
suhi4hr.net - 89.114.9.60 - Email: SUHI4HR.NET@domainservice.com
mialedot.ru - 94.63.244.44 - Email: abuse@mialedot.ru
blackmemoso.com - Email: grasp@yourisp.ru
This post has been reproduced from Dancho Danchev's blog.
Independent Contractor. Bitcoin: 15Zvie1j8CjSR52doVSZSjctCDSx3pDjKZ Email: dancho.danchev@hush.com OMEMO: ddanchev@conversations.im | OTR: danchodanchev@xmpp.jp | TOX ID: 2E6FCA35A18AA76B2CCE33B55404A796F077CADA56F38922A1988AA381AE617A15D3D3E3E6F1
Friday, March 11, 2011
More Spamvertised DHL Notifications Spread Malware
Independent Security Consultancy, Threat Intelligence Analysis (OSINT/Cyber Counter Intelligence) and Competitive Intelligence research on demand. Insightful, unbiased, and client-tailored assessments, neatly communicated in the form of interactive reports - because anticipating the emerging threatscape is what shapes the big picture at the end of the day. Approach me at dancho.danchev@hush.com
Subscribe to:
Post Comments (Atom)
No comments:
Post a Comment