Thursday, 24 January 2013

"Efax Corporate" spam / epimarkun.ru

This fake eFax spam leads to malware on epimarkun.ru:

Date:      Thu, 24 Jan 2013 04:04:42 +0600
From:      Habbo Hotel [auto-contact@habbo.com]
Subject:      Efax Corporate
Attachments:     Efax_Corporate.htm



Fax Message [Caller-ID: 963153883]

You have received a 28 pages fax at Thu, 24 Jan 2013 04:04:42 +0600, (157)-194-4168.

* The reference number for this fax is [eFAX-009228416].

View attached fax using your Internet Browser.


© 2013 j2 Global Communications, Inc. All rights reserved.
eFax ® is a registered trademark of j2 Global Communications, Inc.

This account is subject to the terms listed in the eFax ® Customer Agreement.

The attachment, Efax_Corporate.htm, leads to a malicious payload at [donotclick]epimarkun.ru:8080/forum/links/column.php, which is hosted on the following IPs:

50.31.1.104 (Steadfast Networks, US)
94.23.3.196 (OVH, France)
202.72.245.146 (Mongolian Railway Commercial Center, Mongolia)

These IPs and domains are all malicious:
50.31.1.104
94.23.3.196
202.72.245.146
dmssmgf.ru
esekundi.ru
esenstialin.ru
disownon.ru
epimarkun.ru
damagalko.ru
dumarianoko.ru
epiratko.ru
dfudont.ru
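As an added example (not part of the original post), the list above can be turned directly into a blocklist check over web-proxy logs. The script below takes the IPs and domains from this post, refangs defanged URLs of the "[donotclick]" / "hxxp://" style used here, and flags any log line whose destination host is a listed IP, a listed domain, or a subdomain of one. The log format (a Squid-like "timestamp client status method url" line) and the sample lines are constructed for the example and are not real traffic.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Indicators copied from the post above (IPs and domains listed as malicious).
IOC_IPS = {
    "50.31.1.104",
    "94.23.3.196",
    "202.72.245.146",
}
IOC_DOMAINS = {
    "dmssmgf.ru", "esekundi.ru", "esenstialin.ru", "disownon.ru",
    "epimarkun.ru", "damagalko.ru", "dumarianoko.ru", "epiratko.ru",
    "dfudont.ru",
}


def refang(url: str) -> str:
    """Undo common defanging ('hxxp://', '[donotclick]', '[.]') so the URL parses."""
    url = url.replace("[donotclick]", "").replace("[.]", ".")
    url = re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.IGNORECASE)
    if "://" not in url:            # bare "host:port/path" as written in the post
        url = "http://" + url
    return url


def host_of(url: str) -> str:
    """Return the lowercase hostname of a (possibly defanged) URL, without the port."""
    return (urlsplit(refang(url)).hostname or "").lower()


def is_ioc_host(host: str) -> bool:
    """True if host is a listed IP, a listed domain, or a subdomain of a listed domain."""
    try:
        ipaddress.ip_address(host)
        return host in IOC_IPS
    except ValueError:
        # Match the domain itself or anything under it, but not look-alikes
        # such as "notepimarkun.ru" that merely contain the string.
        return host in IOC_DOMAINS or any(host.endswith("." + d) for d in IOC_DOMAINS)


# Constructed sample proxy log lines (assumed Squid-like format); not real traffic.
SAMPLE_LOG = """\
1358978000.123 10.0.0.15 TCP_MISS/200 GET http://epimarkun.ru:8080/forum/links/column.php
1358978001.456 10.0.0.15 TCP_MISS/200 GET http://www.example.com/index.html
1358978002.789 10.0.0.22 TCP_MISS/302 GET http://94.23.3.196:8080/forum/links/column.php
1358978003.001 10.0.0.22 TCP_MISS/200 GET http://cdn.dfudont.ru/x.js
1358978004.555 10.0.0.31 TCP_MISS/200 GET http://notepimarkun.ru/
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<status>\S+)\s+(?P<method>\S+)\s+(?P<url>\S+)"
)


def find_hits(log_text: str):
    """Return (client, url) pairs whose destination host matches an indicator."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        if is_ioc_host(host_of(m.group("url"))):
            hits.append((m.group("client"), m.group("url")))
    return hits


if __name__ == "__main__":
    for client, url in find_hits(SAMPLE_LOG):
        print(f"{client} -> {url}")
```

The suffix match on domains is deliberate: the payload URL in the post sits on the bare domain, but the same kit is commonly served from subdomains, while a plain substring match would also catch unrelated hosts that happen to contain the string.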

1 comment:

Mandy Blanchett said...

The malware download is redirected to:

hxxp://108.178.59.30/links/cleared-brought_nowhere.php?jio=0735070402&paiccq=060936020b0b37080236&mnehio=04&vwbubo=agwibu&jrmtup=fbsxgqu

This is shown in the JavaScript after it has been deobfuscated.