Spamvertised "Reqest Rejected" Campaign Serving Scareware

April 12, 2011

A currently spamvertised scareware-serving campaign is enticing end users into downloading and executing a malicious binary, which drops a scareware variant.

Sample subject: Reqest rejected
Sample message: "Dear Sirs, Thank you for your letter! Unfortunately we can not confirm your request! More information attached in document below. Thank you Best regards."
Sample attachments: EX-38463.pdf.zip; EX-38463.pdf.exe

Detection rate:
EX-38463.pdf.exe - TrojanDownloader:Win32/Chepvil.J - Result: 11/41 (26.8%)
MD5   : 5085794e6c283ebcfa3878805b9e7be7
SHA1  : 1fbd8d3b0a3479274d8f09543452bf724bcb245c
SHA256: c03711dbafae9b296daed8720f997d84caa5e5a5407a689926050a061d67b932

Upon execution, the binary downloads hdjfskh.net/ pusk.exe (208.43.90.48; registrant email: admin@firtryt.biz).

Detection rate:
pusk.exe - FakeAlert-CN.gen.aa - Result: 13/42 (31.0%)
MD5   : a50a91176b5aeb96b8b77b99d587c485
SHA1  : c56b7ab2123dbd49902446ffcc0cf59d6a865857
SHA256: c912a975e3c2fc911d6550d86e8fd89dbd30e3d1e07d788b45aac0d6cf61e83c
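As an added detection example (not code from the original post), the following Python flags the lure's deceptive double-extension attachments (EX-38463.pdf.zip / EX-38463.pdf.exe) and matches attachment hashes against the two MD5s listed above. The MIME message is constructed to mirror the described spam; its attachment body is a placeholder, not the real binary.

```python
import email
import hashlib
import re
from email import policy

# MD5s of the two samples named in the post, mapped to their detection names.
KNOWN_MD5 = {
    "5085794e6c283ebcfa3878805b9e7be7": "TrojanDownloader:Win32/Chepvil.J (EX-38463.pdf.exe)",
    "a50a91176b5aeb96b8b77b99d587c485": "FakeAlert-CN.gen.aa (pusk.exe)",
}
# A document-looking name ending in an executable or archive extension, e.g. EX-38463.pdf.exe.
DOUBLE_EXT = re.compile(r"\.(pdf|doc|docx|xls|txt)\.(exe|scr|com|pif|zip)$", re.IGNORECASE)

def classify_attachment(name: str, payload: bytes):
    """Return (name, reason, md5) for a suspicious attachment, or None if nothing matched."""
    md5 = hashlib.md5(payload).hexdigest()
    if md5 in KNOWN_MD5:
        return (name, "known sample: " + KNOWN_MD5[md5], md5)
    if DOUBLE_EXT.search(name):
        return (name, "deceptive double extension", md5)
    return None

def check_message(raw: bytes) -> list:
    """Parse a raw RFC 822 message and return one finding per suspicious attachment."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        hit = classify_attachment(name, payload)
        if hit:
            findings.append(hit)
    return findings

# Constructed sample mirroring the spam described in the post (sender and attachment body are placeholders).
SAMPLE = b"""From: sender@example.invalid
Subject: Reqest rejected
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Dear Sirs, Thank you for your letter! Unfortunately we can not confirm your request!
--b1
Content-Type: application/octet-stream; name="EX-38463.pdf.exe"
Content-Disposition: attachment; filename="EX-38463.pdf.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA
--b1--
"""
```

Running `check_message(SAMPLE)` yields a single finding for the double-extension attachment; a hash match against KNOWN_MD5 takes precedence over the name check when a real sample is scanned.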

Upon execution, it phones back to the following domains and ASs:

Monitoring of the campaign is ongoing.

This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter.
