Date: Fri, 18 Jan 2013 08:58:56 +0600 [21:58:56 EST]
From: SUMMERDnIKYkatTerry@aol.com
Subject: Fwd: Wire Transfer Confirmation (FED_59983S76643)
Dear Bank Account Operator,
WIRE TRANSFER: FED86180794682707910
CURRENT STATUS: PENDING
Please REVIEW YOUR TRANSACTION as soon as possible.
The malicious payload is at [donotclick]dfudont.ru:8080/forum/links/column.php hosted on:
89.111.176.125 (Garant-Park-Telecom, Russia)
91.224.135.20 (Proservis UAB, Lithuania)
212.112.207.15 (ip4 GmbH, Germany)
These IPs have been used in several malware attacks recently, so blocking them is a good idea. The following malicious domains are also present on these servers:
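As an added illustration (not code from the original post), a Python check that flags proxy log lines matching the indicators above: the three hosting IPs, the dfudont.ru and dozakialko.ru hosts, and the port-8080 /forum/links/column.php landing path. The proxy log format and the sample lines are constructed for this example.

```python
import re
from urllib.parse import urlsplit

# Indicators taken from the post: payload hosts (dozakialko.ru is named in the
# comment), the hosting IPs, and the Blackhole landing path on port 8080.
PAYLOAD_HOSTS = {"dfudont.ru", "dozakialko.ru"}
PAYLOAD_IPS = {"89.111.176.125", "91.224.135.20", "212.112.207.15"}
PAYLOAD_PATH = "/forum/links/column.php"
PAYLOAD_PORT = 8080

# Assumed (hypothetical) proxy log format:
#   "<timestamp> <client_ip> <dest_ip> <METHOD> <url> <status>"
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) ([A-Z]+) (\S+) (\d{3})$")


def classify(line):
    """Return the reasons a log line matches the campaign indicators ([] if clean)."""
    m = LOG_RE.match(line.strip())
    if not m:
        return []
    _ts, _client, dest_ip, _method, url, _status = m.groups()
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    port = parts.port or (443 if parts.scheme == "https" else 80)
    reasons = []
    if dest_ip in PAYLOAD_IPS:
        reasons.append(f"dest ip {dest_ip} hosts the campaign payload")
    if host in PAYLOAD_HOSTS or any(host.endswith("." + h) for h in PAYLOAD_HOSTS):
        reasons.append(f"host {host} is a campaign domain")
    if port == PAYLOAD_PORT and parts.path == PAYLOAD_PATH:
        # Weaker indicator on its own: same landing path and port, unknown host.
        reasons.append("Blackhole landing path on port 8080")
    return reasons


def scan(lines):
    """Map each matching log line to its reasons; clean lines are omitted."""
    hits = {}
    for ln in lines:
        reasons = classify(ln)
        if reasons:
            hits[ln] = reasons
    return hits


# Constructed sample lines (not real traffic).
SAMPLE_LOG = [
    "2013-01-18T09:01:02Z 10.0.0.5 89.111.176.125 GET http://dfudont.ru:8080/forum/links/column.php 200",
    "2013-01-18T09:01:05Z 10.0.0.5 203.0.113.10 GET http://example.org/ 200",
    "2013-01-18T09:02:11Z 10.0.0.7 198.51.100.4 GET http://www.dozakialko.ru/ 404",
    "2013-01-18T09:03:30Z 10.0.0.9 198.51.100.9 GET http://benign.example:8080/forum/links/column.php 200",
]

if __name__ == "__main__":
    for ln, reasons in scan(SAMPLE_LOG).items():
        print(ln.split()[1], "->", "; ".join(reasons))
```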
Update: there is also a fake Sendspace spam sending visitors to the same payload:
Date: Thu, 17 Jan 2013 03:03:55 +0430
From: Badoo [noreply@badoo.com]
Subject: You have been sent a file (Filename: [redacted]_N584581.pdf)
Sendspace File Delivery Notification:
You've got a file called [redacted]_N390.pdf, (973.39 KB) waiting to be downloaded at sendspace. (It was sent by JOHNETTE).
You can use the following link to retrieve your file:
Download
Thank you,
Sendspace, the best free file sharing service.
1 comment:
Hello, just finished analyzing the infection via Blackhole at domain/port dfudont.ru:8080; you will see the result here: http://malwaremustdie.blogspot.jp/2013/01/cridex-fareit-infection-analysis.html#new
The malware payload is the same as the previous infection on the domain dozakialko.ru:8080: a Trojan Cridex dropping Trojan PWS Win32/Fareit, the credential stealer analyzed previously.
Regards - #MalwareMustDie!