
Friday, 6 August 2010

"Thanks for planning your event with Evite" mail leads to malware

We're seeing a batch of fake emails "from" Evite [info@mailva.evite.com] with the subject "Thanks for planning your event with Evite":

Hi [victim],
Did you and your guests take photos at your event:
Curt's 30th Birthday!?
Click the button below to create an email asking your guests to share their photos.

Or click the button below to upload your own photos.


The link in the email leads to a hacked site (so far beroemdnaakt.net/x.html and www.myadexpert.org/x.html), but these are just intermediate steps; the payload site is yummyeyes.ru:8080/index.php?pid=10, which then tries to download a poorly detected version of the Bredolab trojan.

yummyeyes.ru is multihomed on the OVH network:
188.165.95.133
188.165.192.106
188.165.212.54
91.121.108.61
91.121.122.81

The best bet is to block evite.com at your mail gateway, block yummyeyes.ru, and monitor your outbound web log files for hits to .ru:8080 and /x.html.
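As an added example (not code from the original post), here is a small Python script that applies the monitoring advice above to outbound proxy logs: it flags requests to the hosts and IPs listed in the post, any .ru host on port 8080, and any path ending in /x.html. The log format (`<time> <client_ip> <method> <url> <status>`) and the sample lines are constructed for the example; adapt the field parsing to whatever your proxy actually writes.

```python
"""Flag outbound web-log hits matching the indicators in the Evite/Bredolab post."""
from urllib.parse import urlsplit

# Indicators taken from the post above.
BLOCKED_HOSTS = {"yummyeyes.ru", "beroemdnaakt.net", "www.myadexpert.org"}
BLOCKED_IPS = {
    "188.165.95.133", "188.165.192.106", "188.165.212.54",
    "91.121.108.61", "91.121.122.81",
}


def classify_url(url):
    """Return the list of reasons a URL matches the campaign, or [] if clean."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    try:
        port = parts.port  # may raise ValueError on a malformed port
    except ValueError:
        port = None
    reasons = []
    if host in BLOCKED_HOSTS or host in BLOCKED_IPS:
        reasons.append("known-bad host")
    if host.endswith(".ru") and port == 8080:
        reasons.append(".ru:8080 payload pattern")
    if parts.path.lower().endswith("/x.html"):
        reasons.append("/x.html redirector pattern")
    return reasons


def scan_log(lines):
    """Parse constructed proxy-style lines and return (client, url, reasons) hits."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 5:
            continue  # skip malformed lines rather than crash the scan
        _ts, client, _method, url, _status = fields[:5]
        reasons = classify_url(url)
        if reasons:
            hits.append((client, url, reasons))
    return hits


# Constructed sample lines (not real log data); the infection chain is the
# redirector (/x.html) followed by the payload fetch from yummyeyes.ru:8080.
SAMPLE_LOG = [
    "2010-08-06T10:01:02 10.0.0.15 GET http://www.example.com/index.html 200",
    "2010-08-06T10:01:05 10.0.0.15 GET http://beroemdnaakt.net/x.html 302",
    "2010-08-06T10:01:06 10.0.0.15 GET http://yummyeyes.ru:8080/index.php?pid=10 200",
    "2010-08-06T10:02:11 10.0.0.22 GET http://188.165.95.133/ 200",
    "2010-08-06T10:03:00 10.0.0.31 GET http://mirror.example.ru/pkg.tar.gz 200",
    "garbage line",
]

if __name__ == "__main__":
    for client, url, reasons in scan_log(SAMPLE_LOG):
        print(f"{client} -> {url}: {', '.join(reasons)}")
```

The `.ru:8080` rule deliberately requires both the TLD and the port, so ordinary traffic to Russian sites (the `mirror.example.ru` line) is not flagged; the host and IP sets catch the payload server even if the campaign moves to a different path.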
