Sponsored by..

Tuesday 14 February 2012

"Arch Coal Corp" spam lead to malware / coajsfooioas.ru and tuberkulesneporok.ru

A slightly different spam from the usual Xerox rubbish, but with a similar malicious payload.. this time on the domains coajsfooioas.ru and tuberkulesneporok.ru.

Date:      Tue, 13 Feb 2012 04:59:42 +0900
From:      "DELL AVILES" Arch Coal Corp . [AfinaGuridi@auburn.edu]
Subject:      Re: Intercompany inv. from Arch Coal Corp.
Attachments:     Invoice_02_7_h158329.htm

Good day

Attached the intercompany inv. for the period Dec. 2011 til Jan.. 2012.

Thanks a lot for supporting this process


Arch Coal Corp. 

The obfuscated javascript in the attachment attempts to download malicious code from coajsfooioas.ru:8080/images/aublbzdni.php followed by more code from tuberkulesneporok.ru:8080/images/jw.php?i=8 (Wepawet report here).

These domains are multihosted on the same IPs as listed here. Blocking access to those IPs should stop further malware attacks from being successful.

1 comment:

dionysec said...

Another variant -

Time: Tue, 14 Feb 2012 06:21
Received: from [] From: "Rios9YEmRDayami@aol.com"
Subject: Re: Inter-company inv. from AMR Corporation Corp.
Attachment Name: Invoice_02_8_Z032999.htm


Attached the intercompany invoice for the period Dec. 2011 til Jan.. 2012

Thanks a lot for support setting up this process.
Dayami Rios
AMR Corporation Corp.