Monday, 17 February 2014

Fake Evernote "Image has been sent" spam with RU:8080 payload

I've know that the RU:8080 gang appears to have been back for a while, but I haven't had a lot of samples.. here's a new one however.

Date:      Mon, 17 Feb 2014 16:19:40 -0700 [18:19:40 EST]
Subject:      Image has been sent

Image has been sent.
DSC_990341.jpg 33 Kbytes
Go To Evernote

Copyright 2014 Evernote Corporation. All rights reserved
The links in the email go to:

Which in turn loads a script from:

That in turn attempts to load a script from [donotclick] which is multihomed on the following IPs: (Rackspace, UK) (OVH, France) (Amazon Data Services, Singapore) (Majordomo LLC, Russia) (Iomart Hosting, UK) (TANET, Taiwan) (PT Telkom Indonesia, Indonesia) (Broadband ADSL, New Caledonia)

The URLquery report on the landing site indicates a possible Angler Exploit Kit, although the code itself is hardened against analysis.

There are a number of other hostile sites on those same IPs (listed below in Italics). I would recommend blocking the following IPs and domains:

No comments: