
Thursday 19 January 2012

Wire transfer malicious spam / monikabestolucci.ru:8801 and

More malicious spam doing the rounds, but this time it's more complicated than before.

From: accounting@victimdomain.com [mailto:accounting@victimdomain.com]
Sent: 18 January 2012 02:14
Subject: Re: Wire Transfer Confirmation (FED_93711S15719)

Dear Bank Account Operator,
WIRE TRANSACTION: FWD-7563133392175652

Please Review your transaction as soon as possible.

The link goes to a legitimate hacked site containing some heavily obfuscated JavaScript, which in turn points to monikabestolucci.ru:8801 and then downloads further code from (Netdirect, Germany). The Wepawet report is here, and there is also an Anubis report on the binary here.

monikabestolucci.ru is massively multihomed (a raw list is at the end of the post) presumably on legitimate hacked servers. (Videotron, Canada) (OVH Systems, Italy) (Slicehost, Texas) (Slicehost, Texas) (Linode, New Jersey) (1&1, US) (Hetzner, Germany) (Webfusion, UK) (Master Internet, Czech Republic) (1&1, Germany) (UK2.NET, UK) (Infortelecom, Spain) (Dedibox SAS, France) (GoDaddy, Arizona) (TFN, Taiwan) (Web24, Australia) (Oxford University, UK) (GoDaddy, Arizona) (Linode, Florida) (Linode, New Jersey) (ThePlanet, Texas) (Endurance International, Massachusetts) (SK Broadband, Korea)

Blocking these IPs might be a pain, but it would block any other malicious sites on the same servers.
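As an added defensive example (not code from the original post), the following Python script flags mail matching this lure (a sender that spoofs the recipient's own domain, the "Wire Transfer Confirmation (FED_...)" subject, and a fake transaction id paired with a link) and picks out proxy log lines that reached the redirect host. The sample message and squid-style log lines are constructed; victimdomain.com and hacked-site.example are placeholders.

```python
import re
from email import message_from_string
from urllib.parse import urlparse
BLOCKED_HOSTS = {"monikabestolucci.ru"}          # redirect target named in the post
LURE_SUBJECT = re.compile(r"wire\s+transfer\s+confirmation\s*\(FED_\w+\)", re.I)
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)
# Constructed sample modelled on the headers quoted above (victimdomain.com is a placeholder).
SAMPLE_MAIL = """From: accounting@victimdomain.com
To: staff@victimdomain.com
Subject: Re: Wire Transfer Confirmation (FED_93711S15719)

Dear Bank Account Operator,
WIRE TRANSACTION: FWD-7563133392175652
Please Review your transaction as soon as possible.
http://hacked-site.example/review/index.html
"""
# Constructed squid-style access.log lines; only the second touches the indicator.
SAMPLE_PROXY_LOG = [
    "1326938040.123 210 10.0.0.5 TCP_MISS/200 4120 GET http://hacked-site.example/review/index.html - DIRECT/192.0.2.10 text/html",
    "1326938041.456 310 10.0.0.5 TCP_MISS/200 2048 GET http://monikabestolucci.ru:8801/q.php?f=1 - DIRECT/192.0.2.20 text/html",
    "1326938050.789 50 10.0.0.7 TCP_HIT/200 512 GET http://www.example.com/ - NONE/- text/html",
]
def mail_domain(header):
    """Domain part of an address header, lower-cased, or None."""
    m = re.search(r"@([\w.-]+)", header or "")
    return m.group(1).lower() if m else None

def score_mail(raw):
    """Reasons a message matches this wire-transfer lure (empty list if none)."""
    msg = message_from_string(raw)
    body = msg.get_payload() or ""
    reasons = []
    sender = mail_domain(msg["From"])
    if sender and sender == mail_domain(msg["To"]):   # spoofed "internal" sender
        reasons.append("sender spoofs the recipient's own domain")
    if LURE_SUBJECT.search(msg["Subject"] or ""):
        reasons.append("subject matches the wire-transfer confirmation lure")
    if "wire transaction:" in body.lower() and URL_RE.search(body):
        reasons.append("body pairs a fake transaction id with a link to 'review' it")
    return reasons
def blocked_requests(lines):
    """(client, host, port) for squid log lines whose URL host is on the block list."""
    hits = []
    for line in lines:
        fields = line.split()
        url = urlparse(fields[6]) if len(fields) > 6 else None
        if url is not None and url.hostname in BLOCKED_HOSTS:
            hits.append((fields[2], url.hostname, url.port or 80))
    return hits
```

Extend BLOCKED_HOSTS with the multihomed IPs from the raw list if you block at the address rather than the name level.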

Raw list:
