Sponsored by..

Thursday 5 April 2012

Malicious spam / Invoice_N{DIG}.zip

We're seeing a huge spam run at the moment with various subject and attachments, but typically using an HTML-in-ZIP attack with an attachment called Invoice_N{DIG}.zip

Subjects include:
DHL: DELIVER CONFIRMATION - FAILED 113996
FW: End of Aug. Statement
FW: Scan from a Xerox W. Pro  #7338339
although there are probably many others.

The attachment leads to a multihomed exploit kit (report here) on:
hxxp://41.168.5.140:8080/navigator/jueoaritjuir.php
hxxp://62.85.27.129:8080/navigator/jueoaritjuir.php
hxxp://78.83.233.242:8080/navigator/jueoaritjuir.php
hxxp://180.235.150.72:8080/navigator/jueoaritjuir.php
hxxp://211.44.250.173:8080/navigator/jueoaritjuir.php
hxxp://219.94.194.138:8080/navigator/jueoaritjuir.php

Hosts:
41.168.5.140 (Neotel, South Africa)
62.85.27.129 (Microlink, Latvia)
78.83.233.242 (Spectrum Net, Bulgaria)
180.235.150.72 (Ardh Global, Indonesia)
211.44.250.173 (SK Broadband Co Ltd, Korea)
219.94.194.138 (Sakura Internet Inc, Japan)

Plain list for copy-and-pasting:
41.168.5.140
62.85.27.129
78.83.233.242
180.235.150.72
211.44.250.173
219.94.194.138

No comments: