A currently spamvertised scareware-serving campaign is enticing end users into downloading and executing a malicious binary, which drops a scareware variant.
Sample subject: Reqest rejected
Sample message: "Dear Sirs, Thank you for your letter! Unfortunately we can not confirm your request! More information attached in document below. Thank you Best regards."
Sample attachments: EX-38463.pdf.zip; EX-38463.pdf.exe
Detection rate:
EX-38463.pdf.exe - TrojanDownloader:Win32/Chepvil.J - Result: 11/41 (26.8%)
MD5 : 5085794e6c283ebcfa3878805b9e7be7
SHA1 : 1fbd8d3b0a3479274d8f09543452bf724bcb245c
SHA256: c03711dbafae9b296daed8720f997d84caa5e5a5407a689926050a061d67b932
Upon execution downloads hdjfskh.net/ pusk.exe - 208.43.90.48 - Email: admin@firtryt.biz
Detection rate:
pusk.exe - FakeAlert-CN.gen.aa - Result: 13/42 (31.0%)
MD5 : a50a91176b5aeb96b8b77b99d587c485
SHA1 : c56b7ab2123dbd49902446ffcc0cf59d6a865857
SHA256: c912a975e3c2fc911d6550d86e8fd89dbd30e3d1e07d788b45aac0d6cf61e83c
Upon execution phones back to the following domains and ASs:
Phones back to : AS19875; AS8001; AS24940; AS32475; AS32097; AS19875
2bemojewedowigo.com - 78.46.105.205
bemolaqijicy.com - 99.198.114.206 - Email: vista@free-id.ru
celisesuho.com - 99.198.114.202 - Email: hush@bz3.ru
cixovatywo.com - 78.46.105.205 - Email: frenzy@ca4.ru
fytypoqywu.com - 64.46.38.94 - Email: fy4371215910301@domainidshield.com
gicyxepomer.com - 78.46.105.205 - Email: tabs@yourisp.ru
gopilezavyxiro.com - 78.46.105.205 - Email: hush@bz3.ru
hivanedak.com - 188.95.54.242 - Email: steps@ppmail.ru
hotilosire.com - 208.110.67.122 - Email: lathe@maillife.ru
jerakidukojoz.com - 78.46.105.205 - Email: wrap@cheapbox.ru
kupeqobujohaq.com - 64.46.38.145 - Email: soup@fastermail.ru
kytevaviqopoci.com - 78.46.105.205 - Email: fs@free-id.ru
pikilokykizanu.com - 65.254.54.77 - Email: dawn@free-id.ru
punajytapaci.com - 209.97.213.105 - Email: mire@maillife.ru
qisacugugu.com - 64.46.38.129 - Email: as@free-id.ru
qupajubica.com - 78.46.105.205 - Email: heard@bz3.ru
reruravobosila.com - 67.196.13.96 - Email: mon@ppmail.ru
rorodarof.com - 99.198.114.204 - Email: hush@bz3.ru
ruqydahec.com - 67.196.13.97 - Email: mon@ppmail.ru
sakafiduzipame.com - 78.46.105.205 - Email: build@ca4.ru
sykobodyducib.com - 208.110.67.102 - Email: lathe@maillife.ru
tetagyjaj.com - 78.46.105.205 - Email: kilt@bz3.ru
tibehewuk.com - 209.97.213.102 - Email: mon@ppmail.ru
tisatosyhimidy.com - 188.95.54.243 - Email: jan@free-id.ru
tyhiqymiwufuj.com - 208.110.67.121 - Email: dawn@free-id.ru
vakyditefo.com - 99.198.114.203 - Email: vista@free-id.ru
wamojafadezy.com - 78.46.105.205 - Email: acts@free-id.ru
wetotyger.com - 78.46.105.205 - Email: acts@free-id.ru
wixecyhobovy.com - 64.46.38.130 - Email: soup@fastermail.ru
wolycunanoqe.com - 72.9.233.98 - Email: lathe@maillife.ru
zajatimibuj.com - 208.110.67.119 - Email: bark@cheapbox.ru
zequcitamado.com - 99.198.114.205 - Email: vista@free-id.ru
punajytapaci.com/1017000412 - 209.97.213.105 - Email: mire@maillife.ru
tibehewuk.com/1017000412 - 209.97.213.102 - Email: mon@ppmail.ru
Monitoring of the campaign is ongoing.
This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter.
No comments:
Post a Comment