
Friday, 18 October 2013

Dropbox spam leads to malware on.. errr.. dynamooblog.ru

Two days ago I wrote about the apparent return of the RU:8080.. well, it appears that in order to celebrate their return, they've acknowledged my acknowledgement in the form of a malware landing page at dynamooblog.ru.

Well... hi guys. Things have been a bit quieter without you. Anyway, this is the latest spam email purportedly from Dropbox, using the same template as this ThreeScripts spam run.


Date:      Fri, 18 Oct 2013 16:00:54 -0500 [17:00:54 EDT]
From:      Dropbox [no-reply@dropboxmail.com]
Subject:      Please update your Expired Dropbox Password
Priority:      High Priority 1

Hello [redacted].

We have a warning in our system that you recently tried to login in to Dropbox with a password that you haven't changed long time already. Your old password has expired and you'll need to create a new one to log in.

Please visit the page to update your password

Set New Password

Enjoy!
- The Dropbox Team
© 2013 Dropbox


The attack and payload are exactly the same as this one, and the executable is unchanged but now has a better VirusTotal detection rate of 29/48. The domain dynamooblog.ru was registered yesterday to the infamous Russian "Private Person" and is hosted on a lot of IPs that have been serving up Zbot for some time.

I'll have a closer poke at this network in a moment, but in the meantime this is my recommended blocklist:

