Sent: 16 January 2013 02:22
Subject: American Express Alert: Your Transaction is Aborted
Your Wed, 16 Jan 2013 01:22:07 -0100 Incoming Transfer is Terminated
Valued, $5203
Your American Express Card account retired ZUE36213 with amount of 5070 USD.
Transaction Time:Wed, 16 Jan 2013 01:22:07 -0100
Payment Due Date:Wed, 16 Jan 2013 01:22:07 -0100
One small way to help the environment - get paperless statements
Review billing
statement
Issue a payment
Change notifications
options
You currently reading the LIMITED DATA version of the Statement-Ready Information.
Switch to the DETAILED DATA version.
Thank you for your Cardmembership.
Sincerely,
American Express Information center
________________________________________
The malicious payload is at [donotclick]dozakialko.ru:8080/forum/links/column.php (report here) hosted on the following IPs:
89.111.176.125 (Garant-Park-Telecom, Russia)
91.224.135.20 (Proservis UAB, Lithuania)
212.112.207.15 (ip4 GmbH, Germany)
Plain list of IPs and related domains for copy-and-pasting:
89.111.176.125
91.224.135.20
212.112.207.15
dekamerionka.ru
dmssmgf.ru
dmpsonthh.ru
dmeiweilik.ru
belnialamsik.ru
demoralization.ru
dumarianoko.ru
dimanakasono.ru
bananamamor.ru
dozakialko.ru
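To turn the list above into something a defender can act on, here is an added example (not part of the original post) that refangs the [donotclick]-style indicators, splits them into IPs and domains, and runs them over a few constructed Squid-style proxy log lines to flag hosts that contacted the payload infrastructure. The log format, the sample lines and the client addresses are all assumptions for the demonstration; the indicators themselves are the ones listed in the post.

```python
import ipaddress
import re

# Indicator list copied from the post above (IPs and domains hosting the payload).
RAW_IOCS = """
89.111.176.125
91.224.135.20
212.112.207.15
dekamerionka.ru
dmssmgf.ru
dmpsonthh.ru
dmeiweilik.ru
belnialamsik.ru
demoralization.ru
dumarianoko.ru
dimanakasono.ru
bananamamor.ru
dozakialko.ru
"""

# The payload URL exactly as the post writes it, with the [donotclick] defanging marker.
PAYLOAD_URL_DEFANGED = "[donotclick]dozakialko.ru:8080/forum/links/column.php"


def refang(value: str) -> str:
    """Strip common defanging markers so an indicator can be compared against real log data."""
    v = value.strip()
    v = v.replace("[donotclick]", "")
    v = v.replace("hxxp://", "http://").replace("hxxps://", "https://")
    v = v.replace("[.]", ".").replace("(.)", ".")
    return v


def parse_iocs(text: str):
    """Return (ips, domains) sets from a plain one-indicator-per-line list."""
    ips, domains = set(), set()
    for line in text.splitlines():
        line = refang(line)
        if not line or line.startswith("#"):
            continue
        try:
            ipaddress.ip_address(line)
            ips.add(line)
        except ValueError:
            domains.add(line.lower())
    return ips, domains


def host_matches(host: str, ips, domains) -> bool:
    """True if host is a listed IP, a listed domain, or a subdomain of a listed domain."""
    host = host.lower().rstrip(".")
    if host in ips:
        return True
    return any(host == d or host.endswith("." + d) for d in domains)


# Assumed Squid access.log layout: timestamp elapsed client action/code size method url ...
LOG_RE = re.compile(
    r"^\S+\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+(?P<method>\S+)\s+(?P<url>\S+)"
)


def url_host(url: str) -> str:
    """Extract the host part of a URL, dropping scheme and port (e.g. the :8080 above)."""
    m = re.match(r"^(?:[a-z]+://)?([^/:]+)", url)
    return m.group(1) if m else ""


def scan_log(lines, ips, domains):
    """Return (client, host, url) for every log line whose destination hits the IOC list."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        host = url_host(m.group("url"))
        if host_matches(host, ips, domains):
            hits.append((m.group("client"), host, m.group("url")))
    return hits


# Constructed sample log lines (not real traffic); one clean line among three that should alert.
SAMPLE_LOG = [
    "1358301727.000 120 10.0.0.12 TCP_MISS/200 1234 GET http://dozakialko.ru:8080/forum/links/column.php",
    "1358301730.000 80 10.0.0.15 TCP_MISS/200 5678 GET http://www.example.com/index.html",
    "1358301731.000 90 10.0.0.20 TCP_MISS/200 910 GET http://91.224.135.20:8080/forum/links/column.php",
    "1358301732.000 70 10.0.0.22 TCP_MISS/200 321 GET http://cdn.bananamamor.ru/x.js",
]

if __name__ == "__main__":
    ioc_ips, ioc_domains = parse_iocs(RAW_IOCS)
    for client, host, url in scan_log(SAMPLE_LOG, ioc_ips, ioc_domains):
        print(f"ALERT client={client} host={host} url={url}")
```

Matching on the host rather than the full URL path is deliberate: the same infrastructure is reused with different paths across campaigns, and subdomain matching catches hosts the list does not spell out (such as www. or cdn. prefixes under a listed domain).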
1 comment:
Hello Conrad, I made a full analysis of the malware downloaded via this spam. It is indeed strongly related to American Express as a phishing scheme.
I posted it in the #MalwareMustDie blog here: http://malwaremustdie.blogspot.jp/2013/01/cridex-fareit-infection-analysis.html
I hope it is useful for blocking purposes, since the Cridex was actually dropping the Fareit Trojan, which has a different CnC and phishing admin panel portal.
Rgds always!
#MalwareMustDie!