Date: Thu, 24 Jan 2013 04:04:42 +0600
From: Habbo Hotel [auto-contact@habbo.com]
Subject: Efax Corporate
Attachments: Efax_Corporate.htm

Fax Message [Caller-ID: 963153883]
You have received a 28 pages fax at Thu, 24 Jan 2013 04:04:42 +0600, (157)-194-4168.
* The reference number for this fax is [eFAX-009228416].
View attached fax using your Internet Browser.
© 2013 j2 Global Communications, Inc. All rights reserved.
eFax ® is a registered trademark of j2 Global Communications, Inc.
This account is subject to the terms listed in the eFax ® Customer Agreement.

There is an attachment called Efax_Corporate.htm leading to a malicious payload at [donotclick]epimarkun.ru:8080/forum/links/column.php which is hosted on the following IPs:
50.31.1.104 (Steadfast Networks, US)
94.23.3.196 (OVH, France)
202.72.245.146 (Mongolian Railway Commercial Center, Mongolia)
These IPs and domains are all malicious:
1 comment:
The malware download is redirected to:
hxxp://108.178.59.30/links/cleared-brought_nowhere.php?jio=0735070402&paiccq=060936020b0b37080236&mnehio=04&vwbubo=agwibu&jrmtup=fbsxgqu
This is shown in the JavaScript after it has been deobfuscated.