Friday 18 October 2013

Dropbox spam leads to malware on.. errr.. dynamooblog.ru

Two days ago I wrote about the apparent return of the RU:8080.. well it appears that in order to celebrate their return, they've acknowledged my acknowledgement in the form of a malware landing page of dynamooblog.ru.

Well... hi guys. Things have been a bit quieter without you. Anyway, this is the latest spam email purportedly from Dropbox, and using the same template as used in this ThreeScripts spam run.

Date:      Fri, 18 Oct 2013 16:00:54 -0500 [17:00:54 EDT]
From:      Dropbox [no-reply@dropboxmail.com]
Subject:      Please update your Expired Dropbox Password
Priority:      High Priority 1

Hello [redacted].

We have a warning in our system that you recently tried to login in to Dropbox with a password that you haven't changed long time already. Your old password has expired and you'll need to create a new one to log in.

Please visit the page to update your password

Set New Password

- The Dropbox Team    
    © 2013 Dropbox

The attack and payload are exactly the same as this one, and the executable is unchanged but now has a better VirusTotal detection rate of 29/48. The domain dynamooblog.ru was registered yesterday to the infamous Russian "Private Person" and is hosted on a lot of IPs that have been serving up Zbot for some time.

I'll have a closer poke at this network in a moment, but in the meantime this is my recommended blocklist:
