Sponsored by..

Thursday, 29 March 2012

"Scan from a Xerox WorkCentre Pro #25825448" spam / samsonikonyou.ru

Another malicious HTML-in-ZIP attack, this time leading to malware on samsonikonyou.ru

From: ROSALBA Poe [mailto:victimname@hotmail.com]
Sent: 28 March 2012 19:34
Subject: Scan from a Xerox WorkCentre Pro #25825448

Please open the attached document. It was scanned and sent

to you using a Xerox Center Pro .
Sent by: Guest
Number of Images: 8
Attachment File Type: .HTML

Device Name: XR550PDD9SM84547752

In the ZIP is an HTML file called Invoice_NO_Mailen.htm which contains obfuscated javascript leading to a malware site on samsonikonyou.ru:8080/navigator/jueoaritjuir.php (report here). This is hosted on a similar set of IPs to this attack yesterday. (AfricaINX, South Africa) (Neotel Pty, South Africa) (ChinaNet Hunan, China) (Microlink, Latvia) (Spectrum Net JSC, Bulgaria) (Bharti Infotel Ltd, India) (Ardh Global, Indonesia) (Ministry of Education, Thailand) (Satata Neka Tama, Indonesia) (Commission For Science And Technology, Pakistan) (Commission For Science And Technology, Pakistan) (Sejong Telecom, Korea) (SK Broadband Co Ltd, Korea) (Psychz Networks, US) (Sakura Internet, Japan)

Plain list for copy-and-pasting:

No comments: