From: "Ambrose Clements"Attached is a ZIP file with a name similar to debit_card_93765d0d7.zip containing a malicious .WSF script with a random name. These scripts (according to my source) download from one of the following locations:
Subject: Temporarily blocked
Date: Thu, 29 Sep 2016 13:37:53 +0400
Dear [redacted]
this is to inform you that your Debit Card is temporarily blocked as there were unknown transactions made today.
We attached the scan of transactions. Please confirm whether you made these transactions.
0793mobile.com/jetg2
109.73.234.241/dgq01p
18901350711.com/ll0wdsu
365jtoo.com/qw3r7arg
3ddentalimage.com/ytouk6
489ean.com/r2jdxy
51steel.org/s4b5ztgc
59jd.com/ggha9
5i5k.net/j0g1jk3
5iroom.com/vqv5yibr
91ise.info/pcre0ri4
abbiholland.com/f5ioimw
aldohuaman.com/52y3am
antamduc.com/ttbysvp
a-we.com/o0m5ayu
baankonkoh.com/hhon5mma
cielitodrive.com/x8vqc6
columbiaprintingservices.com/u542pjoi
cranioactive.com/l7vb0
cyprusnike.com/kkpno
domaks-dom.ru/mugr3gb1
exonbalai.com/1r1y6so
exonbalai.com/4dnv8
fhgmediaent.com/66aslu
hastarim.com/nyyjoec
immewrood.net/2j4z9px
immewrood.net/52y3am
inspirationbydesire.com/lfmlspp
jetpcl.com/m23gz0tv
joventa.sk/25fkt
jscompuserve.com/sqa5iq4
kayooo.net/67mxndh
khasitez.net/0a5lma5
khasitez.net/2m01898x
kidzvidz.com/miwn5
kitamachiweek.com/khcg0ta4
knigoboz.ru/nessj4k8
londonmusicclub.com/j6ln7cl
mayurinkorat.com/igxbat
ogeedfungo.net/0zqoae
ogeedfungo.net/3n4pwk
olimp-otel.ru/vevfq
pthcu.org/vnqdve7
redegamb.com/25fkt
redegamb.com/4gwca5b
rglogistic.com/var79sa
sewingwholesale.com/o8hn4
supplyglassess.com/gbnfsmh
szaloncukor.net/jelxoi
tolgaustun.com/drnag
touchasoul.org/nha0pkom
unwantedtattoos.co.uk/e1mbgfej
vaidia.com/y6m3en
viptabien.com/al9n7nh
web4-magento.com/cdlp4o
websitedesigncourse.net/p9580
wikichemicals.com/v1x7cfd
wirelessdd.com/692lrr
womenepic.com/89spy93v
The decoded malware then phones home to:
195.123.210.11/apache_handler.php [hostname: by-f.org] (Mobicom Ltd, Latvia)
91.200.14.93/apache_handler.php [hostname: ef4bykov.example.com] (SKS-LUGAN, Ukraine)
185.117.155.20/apache_handler.php [hostname: v-jc.pro] (Marosnet, Russia)
xpcwwlauo.pw/apache_handler.php [hostname: vjc.kz] [91.234.33.132] (FOP Sedinkin Olexandr Valeriyovuch aka thehost.ua, Ukraine)
gqackht.biz/apache_handler.php [hostname: vjc.kz] [91.234.33.132] (FOP Sedinkin Olexandr Valeriyovuch aka thehost.ua, Ukraine)
bgldptjuwwq.org/apache_handler.php
cxnlxkdkxxxt.xyz/apache_handler.php
rcahcieii.work/apache_handler.php
uxaoooxqqyuslylw.click/apache_handler.php
vwktvjgpmpntoso.su/apache_handler.php
upsoxhfqut.work/apache_handler.php
nqchuuvgldmxifjg.click/apache_handler.php
ofoclobdcpeeqw.biz/apache_handler.php
kfvigurtippypgw.pl/apache_handler.php
toescilgrgvtjcac.work/apache_handler.php
Recommended blocklist:
195.123.210.11
91.200.14.93
185.117.155.20
91.234.33.132
No comments:
Post a Comment