
Wednesday 21 May 2014

Something evil on 93.171.173.173 (Sweet Orange EK)

93.171.173.173 (Alfa Telecom, Russia) is currently distributing the Sweet Orange EK via a bunch of hijacked GoDaddy subdomains. The malware is being spread through code injected into legitimate but hacked websites.

For example [donotclick]www.f1fanatic.co.uk is a compromised website that tries to redirect visitors to two different exploit kits:

[donotclick]adv.atlanticcity.house:13014/sysadmin/wap/fedora.php?database=3
[donotclick]fphgyw.myftp.biz/kfafyfztzhtwvjhpr37ffn9qi7w0ali5rhczqxcgif3d4

The second one is an attempt to load the Fiesta EK although the payload site is currently down. But the .house domain appears to be Sweet Orange (incidentally this is the first time that I've seen one of the new TLDs abused in this way).
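As an added example (not part of the original post), here is a small Python check that flags proxy log entries matching the indicators quoted above: the hosting IP, the two redirect hosts, the Sweet Orange landing-page path and the non-standard port. The log lines and their field layout are constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Indicators taken from the post: the hijacked .house subdomain, the Fiesta
# redirect host and the hosting IP. A real deployment would load these from a feed.
BAD_HOSTS = {"93.171.173.173", "adv.atlanticcity.house", "fphgyw.myftp.biz"}
# Sweet Orange landing-page path seen in the redirect injected into f1fanatic.co.uk
SWEET_ORANGE_PATH = re.compile(r"/sysadmin/wap/fedora\.php\?database=\d+")
# Non-standard port the landing page was served on
BAD_PORTS = {13014}

# Constructed proxy log lines: "<timestamp> <client> <method> <url> <status>"
SAMPLE_LOG = """\
2014-05-21T10:01:02Z 10.0.0.5 GET http://www.f1fanatic.co.uk/ 200
2014-05-21T10:01:03Z 10.0.0.5 GET http://adv.atlanticcity.house:13014/sysadmin/wap/fedora.php?database=3 200
2014-05-21T10:01:03Z 10.0.0.5 GET http://fphgyw.myftp.biz/kfafyfztzhtwvjhpr37ffn9qi7w0ali5rhczqxcgif3d4 503
2014-05-21T10:02:10Z 10.0.0.7 GET http://example.org/index.html 200
2014-05-21T10:03:44Z 10.0.0.9 GET http://93.171.173.173:13014/ 200
"""

def classify(url):
    """Return the list of indicator types a single URL matches (empty if clean)."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    reasons = []
    if host in BAD_HOSTS:
        reasons.append("blocklisted host")
    if parts.port in BAD_PORTS:
        reasons.append("suspicious port %d" % parts.port)
    path_and_query = parts.path + ("?" + parts.query if parts.query else "")
    if SWEET_ORANGE_PATH.search(path_and_query):
        reasons.append("Sweet Orange landing path")
    return reasons

def scan(log_text):
    """Return (client, url, reasons) for every log line that matches an indicator."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue  # skip malformed lines rather than crash on them
        client, url = fields[1], fields[3]
        reasons = classify(url)
        if reasons:
            hits.append((client, url, reasons))
    return hits
```

Running `scan(SAMPLE_LOG)` returns the three entries from 10.0.0.5 and 10.0.0.9 that touch the redirect chain or the hosting IP, while the legitimate requests are left alone.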


The server on 93.171.173.173 hosts a number of subdomains that have been hijacked from GoDaddy customers. I recommend blocking either the subdomains or the parent domains themselves:


The EK page itself has a VirusTotal detection rate of 0/53, although hopefully some of the components it installs will trigger a warning.


2 comments:

PC.Tech said...

Also see:

93.171.173.173:
- https://www.virustotal.com/en-gb/ip-address/93.171.173.173/information/


Unknown said...

I have seen hosts reaching out to this IP on port 13014/tcp, usually associated with PsychWard RAT. We have yet to analyze a system directly. However, considering the reputation of the IP, seeing traffic reach out to it on that port is highly suspect.