Sponsored by..

Tuesday 5 March 2013

Sendspace spam / forumkianko.ru

This fake Sendspace spam leads to malware on forumkianko.ru:

Date:      Tue, 5 Mar 2013 06:52:10 +0100
From:      AyanaLinney@[redacted]
Subject:      You have been sent a file (Filename: [redacted]-51153.pdf)

Sendspace File Delivery Notification:

You've got a file called [redacted]-01271.pdf, (797.4 KB) waiting to be downloaded at sendspace.(It was sent by DEON VANG).

You can use the following link to retrieve your file:

Download Link

The file may be available for a limited time only.

Thank you,

sendspace - The best free file sharing service.

----------------------------------------------------------------------
Please do not reply to this email. This auto-mailbox is not monitored and you will not receive a response.

The malicious payload is at [donotclick]forumkianko.ru:8080/forum/links/column.php (report here) hosted on:
 
46.4.77.145 (Hetzner, Germany)
198.104.62.49 (NTT America, US)
210.71.250.131 (Chungwa Telecom, Taiwan)

These IPs are the same as used in this attack.

1 comment:

unixfreaxjp said...

Hello Conrad,

The payload off this infections:

giliaonso.ru, 198.104.62.49, 210.71.250.131, 46.4.77.145
forumkianko.ru, 198.104.62.49, 210.71.250.131, 46.4.77.145

Are posted in:
Analysis PoC: http://pastebin.com/raw.php?i=4mxbVY0B
Payload Snapshot PoC: http://urlquery.net/report.php?id=1268437
Virus Total: a7a2e20afb5d04ea9798e21559d6cbbe575785d6d9d00c0693ae90a299d8d405

Rgds!