Sponsored by..

Showing posts with label Sweet Orange. Show all posts
Showing posts with label Sweet Orange. Show all posts

Tuesday 2 September 2014

Something evil on 95.163.121.188 (Sweet Orange EK)

95.163.121.188 is currently hosting the Sweet Orange Exploit Kit (hat tip). The IP is allocated to Digital Networks CJSC (aka DINETHOSTING) that has featured on this blog many times before.

Currently I can see the following domains active on this IP address. Ones highlighted are flagged as malicious by Google.

cdn2.sefu.co
cdn3.sefu.co
cdn4.sefu.co
cdn5.sefu.co
cdn.seefu.co
cdn2.seefu.co
cdn3.seefu.co
cdn.seefoo.co
cdn2.seefoo.co
cdn3.seefoo.co
cdn.critico.co
cdn.easynet.co
cdn.networkguys.co
cdn.tequilacritico.es
cdn2.tequilacritico.es
cdn3.tequilacritico.es
cdn4.tequilacritico.es
cdn5.tequilacritico.es
cdn.critico.com.mx
cdn.critico.mx
cdn.thecritico.mx
cdn2.thecritico.mx
cdn4.thecritico.mx
cdn5.thecritico.mx
cdn.tequilacritico.mx
cdn2.tequilacritico.mx
cdn3.tequilacritico.mx
cdn4.tequilacritico.mx
cdn5.tequilacritico.mx
cdn.sweetip.uk.com
cdn2.sweetip.uk.com
cdn3.sweetip.uk.com
cdn4.sweetip.uk.com
cdn5.sweetip.uk.com
cdn.sweetip.com
cdn2.sweetip.com
cdn3.sweetip.com
cdn4.sweetip.com
cdn5.sweetip.com
cdn.brazitel.com
cdn.thecritico.com
cdn2.thecritico.com
cdn3.thecritico.com
cdn4.thecritico.com
cdn5.thecritico.com
google.chagwichita.com
cdn.tequilatimes.com
cdn2.tequilatimes.com
cdn3.tequilatimes.com
cdn4.tequilatimes.com
cdn5.tequilatimes.com
google.ajdistributor.com
cdn.netguysglobal.com
cdn.tequilacritics.com
cdn2.tequilacritics.com
cdn3.tequilacritics.com
cdn4.tequilacritics.com
cdn5.tequilacritics.com
cdn.mcelectricalinc.com
cdn.tequilaspectator.com
cdn2.tequilaspectator.com
cdn3.tequilaspectator.com
cdn4.tequilaspectator.com
cdn5.tequilaspectator.com
cdn.primrosebrentwood.com
cdn.tequilaguildofamerica.com
cdn2.tequilaguildofamerica.com
cdn3.tequilaguildofamerica.com
cdn4.tequilaguildofamerica.com
cdn5.tequilaguildofamerica.com
cdn.primrosenashvillemidtown.com
cdn.seefu.net
cdn2.seefu.net
cdn3.seefu.net
cdn4.seefu.net
cdn5.seefu.net
cdn.seefoo.net
cdn2.seefoo.net
cdn3.seefoo.net
cdn.sweetip.net
cdn2.sweetip.net
cdn3.sweetip.net
cdn4.sweetip.net
cdn5.sweetip.net
cdn.networkguys.net
cdn2.networkguys.net
cdn3.networkguys.net
cdn.tequilacritico.net
cdn2.tequilacritico.net
cdn3.tequilacritico.net
cdn4.tequilacritico.net
cdn5.tequilacritico.net
cdn.gandco.pro
cdn.primrosebrentwood.xyz
cdn.tequilatimes.info
cdn2.tequilatimes.info
cdn3.tequilatimes.info
cdn4.tequilatimes.info
cdn5.tequilatimes.info
cdn.georgicasweets.info
cdn.sefu.mobi
cdn2.sefu.mobi
cdn3.sefu.mobi
cdn4.sefu.mobi
cdn5.sefu.mobi
cdn.seefu.mobi
cdn2.seefu.mobi
cdn3.seefu.mobi
cdn4.seefu.mobi
cdn5.seefu.mobi
cdn.seefoo.mobi
cdn2.seefoo.mobi
cdn3.seefoo.mobi

cdn.georgika.co
cdn.georgicasuites.com
cdn.georgicasweets.com
google.vctelectronics.com
cdn.limodog.net
cdn2.limodog.net
cdn3.limodog.net
cdn4.limodog.net
cdn5.limodog.net
cdn.soundpet.net
cdn2.soundpet.net
cdn3.soundpet.net
cdn4.soundpet.net
cdn5.soundpet.net
cdn.georgicas.net
cdn.georgicasweets.net
cdn.georgicasweets.org
cdn.limodog.xyz
cdn2.limodog.xyz
cdn3.limodog.xyz
cdn4.limodog.xyz
cdn5.limodog.xyz
cdn.georgicas.mobi
cdn.georgicasweets.mobi
cdn.georgika.net

The domains appear to be legitimates ones that have been hijacked in some way.

95.163.121.188 forms part of a large netblock of 95.163.64.0/18 - I have had half of this (95.163.64.0/19) blocked for several years which has stopped a great deal of badness, so I recommend that you block either the /19 or /18 and/or the following domains:

sweetip.uk.com
critico.com.mx
critico.co
easynet.co
georgika.co
networkguys.co
seefoo.co
seefu.co
sefu.co
ajdistributor.com
brazitel.com
chagwichita.com
georgicasuites.com
georgicasweets.com
mcelectricalinc.com
netguysglobal.com
primrosebrentwood.com
primrosenashvillemidtown.com
sweetip.com
tequilacritics.com
tequilaguildofamerica.com
tequilaspectator.com
tequilatimes.com
thecritico.com
vctelectronics.com
tequilacritico.es
georgicasweets.info
tequilatimes.info
georgicas.mobi
georgicasweets.mobi
seefoo.mobi
seefu.mobi
sefu.mobi
critico.mx
tequilacritico.mx
thecritico.mx
georgicas.net
georgicasweets.net
georgika.net
limodog.net
networkguys.net
seefoo.net
seefu.net
soundpet.net
sweetip.net
tequilacritico.net
georgicasweets.org
gandco.pro
limodog.xyz
primrosebrentwood.xyz

Wednesday 21 May 2014

Something evil on 93.171.173.173 (Sweet Orange EK)

93.171.173.173 (Alfa Telecom, Russia) is currently distributing the Sweet Orange EK via a bunch of hijacked GoDaddy subdomains. The malware is being spread through code injected into legitimate but hacked websites.

For example [donotclick]www.f1fanatic.co.uk is a compromised website that tries to redirect visitors to two different exploit kits:

[donotclick]adv.atlanticcity.house:13014/sysadmin/wap/fedora.php?database=3
[donotclick]fphgyw.myftp.biz/kfafyfztzhtwvjhpr37ffn9qi7w0ali5rhczqxcgif3d4

The second one is an attempt to load the Fiesta EK although the payload site is currently down. But the .house domain appears to be Sweet Orange (incidentally this is the first time that I've seen one of the new TLDs abused in this way).


The server on 93.171.173.173 hosts a number of subdomains that are hijacked from GoDaddy customers. I recommend that you block either the subdomain or domains themselves:

img.carmelakaiser.com
img.fortunerealtyli.com
img.realtyconnectli.com
yim.nwcreferrals.com
img.mwinsulationllc.info
img.michaelvallone.com
img.mwinsulationllc.com
adv.davetalbert.com
img.nwcreferrals.com
adv.ajs.club
adv.boisecity.house
adv.catskills.house
adv.atlanticcity.house
adv.beachrental.house
adv.chattanooga.house
adv.beachcottage.house
adv.beachrentals.house
adv.breckenridge.house
adv.coppermountain.house

The EK page itself has a VirusTotal detection rate of 0/53, although hopefully some of the components it installs will trigger a warning.


Thursday 11 July 2013

"WTX Media INC" spam / dajizzum.com

This fake invoice spam from the nonexistant "WTX Media" leads to a malware landing page on dajizzum.com:

From: Rebecca Media [mailto:support@rebeccacella.com]
Sent: 11 July 2013 07:46
To: [redacted]
Subject: Subscription Details

We hereby inform you that your subscription has been activated, your login information is as follows:

Username: IX9322130
Password: X#(@kIE04N
Login Key: 839384

Please do not share the login information with anyone as this account is only for your use, sharing the account will result in account termination without a refund.
The credit card on file submited by you will be billed within 24 hours, in the amount of 499.00 GBP, amount equal to one year unlimited subscription.
Your bank statement will show up as being billed by "WTX Media INC".

If you have any questions or issues with your login as well as requests to upgrade or cancel your membership please contact us using the form at:

[donotclick]www.rebeccacella.com/wp-content/plugins/subscribe/


Any feedback is appreciated as we strive to improve our services constantly.
WTX Media Team
The link in the email goes through a legitimate but hacked website (rebeccacella.com) and lands on a malware landing page at [donotclick]dajizzum.com/team/administration/admin4_colon/fedora.php?view=44 (report here) which contains an exploit kit.

dajizzum.com is hosted on 109.123.100.219 (UK2.NET, UK) which appears to be a hijacked server. At the moment I can only see that one site hosted on this box, but blacklisting the IP as a precaution may be wise.

The spam originates from another malware server on 188.138.89.106 (more of this later) but it appears to use a compromised 1&1 account as the spamvertised domain, sender's address and SMTP relay of 212.227.29.10 all belong to that provider.