Sponsored by..

Tuesday 20 November 2012

"Don't forget about meeting tomorrow" spam / hamasutra.ru

This spam leads to malware on hamasutra.ru:

From: Lula Stevens [mailto:JolieWright@shaw.ca]
Sent: 20 November 2012 05:57
Subject: Don't forget about meeting tomorrow

Don't forget this report for meeting tomorrow.
See attached file. (Internet Explorer file) 

In the sample I have seen, there is an attachment called Report.htm with some obfuscated javascript leading to a malicious payload at [donotclick]hamasutra.ru:8080/forum/links/column.php hosted on the following IPs:

82.165.193.26 (1&1, Germany)
202.180.221.186 (GNet, Mongolia)
203.80.16.81 (MYREN, Malaysia)
216.24.196.66 (Psychz Networks, US)

Plain list:
82.165.193.26
202.180.221.186
203.80.16.81
216.24.196.66

No comments: