Date: Tue, 13 Feb 2012 04:59:42 +0900
From: "DELL AVILES" Arch Coal Corp . [AfinaGuridi@auburn.edu]
Subject: Re: Intercompany inv. from Arch Coal Corp.
Attachments: Invoice_02_7_h158329.htm
Good day
Attached the intercompany inv. for the period Dec. 2011 til Jan.. 2012.
Thanks a lot for supporting this process
DELL AVILES
Arch Coal Corp.
The obfuscated JavaScript in the attachment attempts to download malicious code from coajsfooioas.ru:8080/images/aublbzdni.php followed by more code from tuberkulesneporok.ru:8080/images/jw.php?i=8 (Wepawet report here).
These domains are multihosted on the same IPs as listed here. Blocking access to those IPs should stop further malware attacks from being successful.
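A triage check for mail and proxy logs that matches the traits described above, as an added example that is not part of the original post. The subject, attachment-name and URL patterns are generalised from the two samples on this page and are assumptions, as are all function names; the attachment body in the samples is an inert constructed placeholder.

```python
import re
from email import message_from_string
from email.message import EmailMessage

# Patterns generalised from the two samples on this page (assumptions, not
# vendor signatures); tune them against your own mail before blocking on them.
SUBJECT_RE = re.compile(r"^Re: Inter-?company inv\. from .+", re.I)
ATTACH_RE = re.compile(r"^Invoice_\d{2}_\d{1,2}_[A-Za-z]\d+\.html?$", re.I)
# Shape of the two download URLs in the post: .ru host, port 8080, /images/*.php
URL_RE = re.compile(r"^(?:https?://)?[a-z0-9.-]+\.ru:8080/images/\w+\.php(?:\?\S*)?$", re.I)

def score_message(raw):
    """Return the campaign traits found in one raw RFC 5322 message."""
    msg = message_from_string(raw)
    hits = []
    if SUBJECT_RE.match(msg.get("Subject", "")):
        hits.append("subject")
    for part in msg.walk():
        name = part.get_filename()
        if name and ATTACH_RE.match(name):
            hits.append("attachment-name")
            # Decode the transfer encoding before looking inside the HTML.
            body = part.get_payload(decode=True) or b""
            if b"<script" in body.lower():
                hits.append("script-in-html")
    return hits

def is_landing_url(url):
    """True if a proxy-log URL has the host:8080/images/*.php shape."""
    return bool(URL_RE.match(url.strip()))

def build_sample(subject, filename, attachment_text):
    """Constructed test message; the attachment body is an inert placeholder."""
    m = EmailMessage()
    m["Subject"] = subject
    m.set_content("Attached the intercompany inv.")
    m.add_attachment(attachment_text, subtype="html", filename=filename)
    return m.as_string()

INERT_HTML = "<html><script>/* constructed placeholder */</script></html>"
SAMPLES = [
    build_sample("Re: Intercompany inv. from Arch Coal Corp.", "Invoice_02_7_h158329.htm", INERT_HTML),
    build_sample("Re: Inter-company inv. from AMR Corporation Corp.", "Invoice_02_8_Z032999.htm", INERT_HTML),
    build_sample("Re: lunch on Friday", "notes.txt", "plain text"),
]

if __name__ == "__main__":
    for raw in SAMPLES:
        print(score_message(raw))
```

A message that hits all three traits is a strong candidate for quarantine; a single trait on its own (for example any HTML attachment containing a script tag) is only a hint.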
1 comment:
Another variant -
Time: Tue, 14 Feb 2012 06:21
Received: from [182.182.24.67] From: "Rios9YEmRDayami@aol.com"
Subject: Re: Inter-company inv. from AMR Corporation Corp.
Attachment Name: Invoice_02_8_Z032999.htm
Hallo
Attached the intercompany invoice for the period Dec. 2011 til Jan.. 2012
Thanks a lot for support setting up this process.
Dayami Rios
AMR Corporation Corp.