Sponsored by..

Monday 22 December 2014

Angler EK on 193.109.69.59

193.109.69.59 (Mir Telematiki Ltd, Russia) is hosting what appears to be the Angler Exploit Kit.

The infection chain that I have seen is as follows (don't click those links, obviously):

[donotclick]www.opushangszer.hu/hora-at-200-b-csiptetos-gitarhangolo/1-864-359
-->
[donotclick]bettersaid.net/7b614b6f9fb62682c46d303fea879a38.swf
-->
[donotclick]www.smallbusinesssnapshot.com/

a6107b69be5422d82da0c2109cc7f20f.php?q=7a7581fad469383e7313d27d1cedf2d3
-->
[donotclick]qwe.holidayspeedfive.biz/em3t8gxum0
-->
[donotclick]qwe.holidayspeedfive.biz/

KuCRwb_Bwr38O4rT6dqEUCT9x5K26Bw_PNEHE3DJ_U9vgmcD31TZILN2BlAmHabL

The last step is where the badness happens, hosted on 193.109.69.59 (Mir Telematiki Ltd, Russia) which is also being used to host the following malicious domains:

qwe.holidayspeedsix.biz
qwe.holidayspeedfive.biz
qwe.holidayspeedseven.biz


A quick look at the contents of 193.109.68.0/23 shows some other questionable sites. A look at the sites hosted in this /23 indicates that most of them appear to be selling counterfeit goods, so blocking the entire /23 will probably be no great loss.

Recommended minimum blocklist:
193.109.69.59
holidayspeedsix.biz
holidayspeedfive.biz
holidayspeedseven.biz

No comments: