Monday, 17 February 2014

Fake Evernote "Image has been sent" spam with RU:8080 payload

I've know that the RU:8080 gang appears to have been back for a while, but I haven't had a lot of samples.. here's a new one however.

Date:      Mon, 17 Feb 2014 16:19:40 -0700 [18:19:40 EST]
From:      accounts@pcfa.co.in
Subject:      Image has been sent

Image has been sent.
DSC_990341.jpg 33 Kbytes
Go To Evernote

Copyright 2014 Evernote Corporation. All rights reserved
The links in the email go to:
[donotclick]www.aka-im.org/1.html
[donotclick]bluebuddha.us/1.html

Which in turn loads a script from:
[donotclick]merdekapalace.com/1.txt
[donotclick]www.shivammehta.com/1.txt

That in turn attempts to load a script from [donotclick]opheevipshoopsimemu.ru:8080/dp2w4dvhe2 which is multihomed on the following IPs:
31.222.178.84 (Rackspace, UK)
37.59.36.223 (OVH, France)
54.254.203.163 (Amazon Data Services, Singapore)
78.108.93.186 (Majordomo LLC, Russia)
78.129.184.4 (Iomart Hosting, UK)
140.112.31.129 (TANET, Taiwan)
180.244.28.149 (PT Telkom Indonesia, Indonesia)
202.22.156.178 (Broadband ADSL, New Caledonia)

The URLquery report on the landing site indicates a possible Angler Exploit Kit, although the code itself is hardened against analysis.

There are a number of other hostile sites on those same IPs (listed below in Italics). I would recommend blocking the following IPs and domains:
31.222.178.84
37.59.36.223
54.254.203.163
78.108.93.186
78.129.184.4
140.112.31.129
180.244.28.149
202.22.156.178
afrikanajirafselefant.biz
bakrymseeculsoxeju.ru
boadoohygoowhoononopee.biz
bydseekampoojopoopuboo.biz
jolygoestobeinvester.ru
noaphoapofoashike.biz
opheevipshoopsimemu.ru
ozimtickugryssytchook.org
telaceeroatsorgoatchel.biz
ypawhygrawhorsemto.ru

aka-im.org
bluebuddha.us
merdekapalace.com
shivammehta.com



No comments: