
Thursday 17 January 2013

"Wire Transfer Confirmation" spam / dfudont.ru

This spam leads to malware on dfudont.ru:

Date:      Fri, 18 Jan 2013 08:58:56 +0600 [21:58:56 EST]
From:      SUMMERDnIKYkatTerry@aol.com
Subject:      Fwd: Wire Transfer Confirmation (FED_59983S76643)

Dear Bank Account Operator,
WIRE TRANSFER: FED86180794682707910
CURRENT STATUS: PENDING

Please REVIEW YOUR TRANSACTION as soon as possible.

The malicious payload is at [donotclick]dfudont.ru:8080/forum/links/column.php hosted on:

89.111.176.125 (Garant-Park-Telecom, Russia)
91.224.135.20 (Proservis UAB, Lithuania)
212.112.207.15 (ip4 GmbH, Germany)

These IPs have been used in several malware attacks recently, so blocking them is a good idea. The following malicious domains are also present on these servers:
dekamerionka.ru
dmssmgf.ru
dmpsonthh.ru
dmeiweilik.ru
belnialamsik.ru
demoralization.ru
damagalko.ru
dozakialko.ru
dumarianoko.ru
dimanakasono.ru
bananamamor.ru
dfudont.ru
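To act on the indicators above (the three hosting IPs, the payload path and the sibling domains), the script below, an added example that is not part of the original post, scans web-proxy log lines for any contact with them and emits deny rules. The log format is an assumed Squid-like layout (timestamp, client IP, method, URL, destination IP), the sample log lines are constructed, and the iptables and Squid dstdomain rule formats are assumptions about the reader's environment, not something the post specifies.

```python
import re
from collections import namedtuple

# Indicators taken from the post: the hosting IPs, the payload path and the
# domains found on the same servers.
MALICIOUS_IPS = {
    "89.111.176.125",
    "91.224.135.20",
    "212.112.207.15",
}
MALICIOUS_DOMAINS = {
    "dekamerionka.ru", "dmssmgf.ru", "dmpsonthh.ru", "dmeiweilik.ru",
    "belnialamsik.ru", "demoralization.ru", "damagalko.ru", "dozakialko.ru",
    "dumarianoko.ru", "dimanakasono.ru", "bananamamor.ru", "dfudont.ru",
}
PAYLOAD_PATH = "/forum/links/column.php"

# Constructed sample proxy log lines (assumed Squid-like format:
# timestamp, client IP, method, URL, destination IP). Not real entries.
SAMPLE_LOGS = """\
1358445000.123 10.0.0.15 GET http://www.example.com/index.html 93.184.216.34
1358445001.456 10.0.0.22 GET http://dfudont.ru:8080/forum/links/column.php 89.111.176.125
1358445002.789 10.0.0.31 GET http://cdn.example.org/lib.js 203.0.113.9
1358445003.012 10.0.0.22 GET http://91.224.135.20:8080/forum/links/column.php 91.224.135.20
1358445004.345 10.0.0.40 GET http://mail.example.net/ 198.51.100.7
1358445005.678 10.0.0.51 POST http://bananamamor.ru:8080/forum/links/column.php 212.112.207.15
"""

Hit = namedtuple("Hit", "client url reasons")

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<dst>\S+)$"
)
# Pull the host out of a URL, skipping any userinfo ("user@") and the port.
HOST_RE = re.compile(
    r"^[a-z][a-z0-9+.-]*://(?:[^@/]*@)?(?P<host>\[[^\]]+\]|[^/:?#]+)", re.I
)


def url_host(url):
    """Return the lower-cased host part of a URL, or None if it cannot be parsed."""
    m = HOST_RE.match(url)
    return m.group("host").lower() if m else None


def classify(line):
    """Return a Hit if the log line touches any indicator, otherwise None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = m.group("url")
    host = url_host(url)
    reasons = []
    if host in MALICIOUS_DOMAINS:
        reasons.append("domain:" + host)
    if host in MALICIOUS_IPS:           # client went straight to the IP
        reasons.append("direct-ip:" + host)
    if m.group("dst") in MALICIOUS_IPS:  # domain resolved to a listed IP
        reasons.append("resolved-ip:" + m.group("dst"))
    if PAYLOAD_PATH in url:
        reasons.append("payload-path")
    return Hit(m.group("client"), url, tuple(reasons)) if reasons else None


def scan(log_text):
    """Scan a block of log text and return the list of Hits in order."""
    return [h for h in (classify(l) for l in log_text.splitlines()) if h]


def blocklist_rules():
    """Emit deny rules for the indicators: iptables-style for the IPs and
    Squid dstdomain-style for the hostnames (both formats assumed)."""
    rules = [f"iptables -A OUTPUT -d {ip} -j DROP" for ip in sorted(MALICIOUS_IPS)]
    rules += [f"acl badsites dstdomain {d}" for d in sorted(MALICIOUS_DOMAINS)]
    return rules


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOGS):
        print(f"{hit.client} -> {hit.url}  [{', '.join(hit.reasons)}]")
    print("\n".join(blocklist_rules()))
```

Matching on the destination IP as well as the hostname matters here: the post lists several domains on the same three servers, so a fresh domain pointed at one of those IPs is still caught by the IP match even before it appears in any domain list.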

Update: there is also a fake Sendspace spam sending visitors to the same payload

Date:      Thu, 17 Jan 2013 03:03:55 +0430
From:      Badoo [noreply@badoo.com]
Subject:      You have been sent a file (Filename: [redacted]_N584581.pdf)

Sendspace File Delivery Notification:

You've got a file called [redacted]_N390.pdf, (973.39 KB) waiting to be downloaded at sendspace.(It was sent by JOHNETTE ).

You can use the following link to retrieve your file:

Download

Thank you,

Sendspace, the best free file sharing service.


1 comment:

unixfreaxjp said...

Hello, just finished analyzing infection via Blackhole at domain/port dfudont.ru:8080, you will see the result in here: http://malwaremustdie.blogspot.jp/2013/01/cridex-fareit-infection-analysis.html#new
The malware payload is the same as the previous infection in the domain dozakialko.ru:8080: a Trojan Cridex dropping Trojan PWS Win32/Fareit, the credential stealer analyzed previously.

Regards - #MalwareMustDie!