The infection chain I have spotted here starts with a typical compromised website, in this case:
[donotclick]onerecipedaily.com/prawn-patia-from-anjum-anands-i-love-curry/
A quick look at the URLquery report shows a general alert, but no smoking gun.
Is there some trickery at work here? Yes, there's a telltale sign in the HTTP Transactions graph:
Right at the end you can see a redirect to google.no.
However, the incident's log files show that the next step is actually a jump to another compromised site:
[donotclick]autoselectosperu.com/de11edf0bcf9b7ce8d3a128934acda75.php?q=d6f53936c38ddad58c5a69d1d36c4904
This then jumps to the presumed payload site at:
[donotclick]bkbr.beuqnyrtz.com/gikhqqkdjc
What is the payload? Errr... I don't know. The incident logs come up with a generic detection and my query-fu isn't working today. You'll just have to trust me that it's going to be malicious.
The following malicious subdomains are also active on 173.212.223.249:
bkbr.beuqnyrtz.com
syb.beuqnyrtz.com
sxxmxv.beuqnyrtz.info
The simplest thing to do to protect yourself against this particular threat is to use the following blocklist:
173.212.223.249
beuqnyrtz.com
beuqnyrtz.info
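As an added example (not part of the original post), here is a small Python script that applies the blocklist above to proxy log lines. Domains are matched as suffixes, so every subdomain under beuqnyrtz.com and beuqnyrtz.info is caught, and the destination IP is checked separately so a hit still registers if the malware ever connects by IP. The squid-style log format and the 203.0.113.x destination addresses are constructed for the example; only the hostnames and 173.212.223.249 come from the post. The `request_chain` helper walks one client's requests in order, which is how the redirect chain above is reconstructed from a log.

```python
import ipaddress
from urllib.parse import urlsplit

# Blocklist from the post: one IP and two domains. Domains are matched as
# suffixes so bkbr.beuqnyrtz.com, syb.beuqnyrtz.com, etc. are all covered.
BLOCKED_IPS = {"173.212.223.249"}
BLOCKED_DOMAINS = {"beuqnyrtz.com", "beuqnyrtz.info"}

# Constructed sample log (squid-like: timestamp, client, status, method, url, dst ip).
# Hostnames follow the chain in the post; 203.0.113.x addresses are made up.
SAMPLE_LOG = """\
1395850247.350 10.0.0.12 TCP_MISS/200 GET http://onerecipedaily.com/prawn-patia-from-anjum-anands-i-love-curry/ 203.0.113.10
1395850248.101 10.0.0.12 TCP_MISS/302 GET http://autoselectosperu.com/de11edf0bcf9b7ce8d3a128934acda75.php?q=d6f53936c38ddad58c5a69d1d36c4904 203.0.113.20
1395850248.655 10.0.0.12 TCP_MISS/200 GET http://bkbr.beuqnyrtz.com/gikhqqkdjc 173.212.223.249
1395850249.010 10.0.0.12 TCP_MISS/200 GET http://www.google.no/ 203.0.113.30
1395850250.200 10.0.0.44 TCP_MISS/200 GET http://notbeuqnyrtz.com/index.html 203.0.113.40
"""


def host_is_blocked(host, blocked_domains=BLOCKED_DOMAINS):
    """Suffix match: the domain itself or any label underneath it.
    Plain endswith() would wrongly match notbeuqnyrtz.com, hence the dot."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in blocked_domains)


def ip_is_blocked(ip, blocked_ips=BLOCKED_IPS):
    """Normalise via ipaddress so odd spellings still compare correctly."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return str(addr) in blocked_ips


def parse_line(line):
    """Split one constructed log line into a record; None if malformed."""
    parts = line.split()
    if len(parts) != 6:
        return None
    ts, client, status, method, url, dst = parts
    return {
        "ts": ts,
        "client": client,
        "status": status,
        "url": url,
        "host": urlsplit(url).hostname or "",
        "dst_ip": dst,
    }


def scan_log(text):
    """Return the records that hit the blocklist, with the reason(s) attached."""
    hits = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = []
        if host_is_blocked(rec["host"]):
            reasons.append("domain:" + rec["host"])
        if ip_is_blocked(rec["dst_ip"]):
            reasons.append("ip:" + rec["dst_ip"])
        if reasons:
            rec["reasons"] = reasons
            hits.append(rec)
    return hits


def request_chain(text, client):
    """Ordered hostnames one client requested: the redirect chain as seen in the log."""
    return [
        rec["host"]
        for rec in (parse_line(l) for l in text.splitlines())
        if rec is not None and rec["client"] == client
    ]


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["ts"], hit["client"], hit["url"], ", ".join(hit["reasons"]))
    print("chain for 10.0.0.12:", " -> ".join(request_chain(SAMPLE_LOG, "10.0.0.12")))
```

Note the trailing-dot check in `host_is_blocked`: a bare `endswith("beuqnyrtz.com")` would also flag the unrelated `notbeuqnyrtz.com` in the sample, which is a common false positive when blocklists are applied as plain substring matches.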
4 comments:
Smoking gun at the following URL Query report I just submitted for the same IP.
http://www.urlquery.net/report.php?id=1395850247350
@Jeremy... nice!
Also spotted as Angler EK here: https://twitter.com/malekal_morte/status/448852977764143104
For anyone interested, I was able to identify a payload originating from http://bkbr[dot]beuqnyrtz[dot]com/beq9klfi06.
MobileOptionPack.com (MZ header) - 8c3230a7f5543547ddb3addd35ea1e9105be2986f1aedb4b20ef17d73f16488c
https://www.virustotal.com/en/file/8c3230a7f5543547ddb3addd35ea1e9105be2986f1aedb4b20ef17d73f16488c/analysis/1395919007/
It was located in the AppData\Roaming\MobileOptionPack\ folder. I can't verify this is always the folder/filename.
The MZ file had a modified timestamp.
Hope this helps.
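As an added example (not from the commenter or the original post), the Python below turns the comment's indicators into a host-side check: it walks a folder, hashes each file, flags any file whose SHA-256 matches the hash given above, and separately flags files that carry an MZ header but do not use a normal executable extension (the "MobileOptionPack.com" naming is the case in point). The default folder is %APPDATA%\MobileOptionPack, which on Windows resolves to the AppData\Roaming path the commenter named; the extension heuristic is my addition, not something the comment states. `demo_scan` builds a constructed fake MZ file in a temporary folder so the logic can be exercised offline without the real sample.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# SHA-256 reported in the comment above for the MobileOptionPack.com sample.
KNOWN_BAD_SHA256 = {
    "8c3230a7f5543547ddb3addd35ea1e9105be2986f1aedb4b20ef17d73f16488c",
}

# Extensions under which a PE (MZ header) would not look out of place.
# Anything else with an MZ header is flagged; this heuristic is added here.
EXECUTABLE_EXTS = {".exe", ".dll", ".sys", ".scr", ".ocx", ".cpl"}


def sha256_of(path, chunk=1 << 16):
    """Stream the file so large payloads do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def has_mz_header(path):
    """True if the first two bytes are the DOS/PE 'MZ' magic."""
    with open(path, "rb") as f:
        return f.read(2) == b"MZ"


def scan_directory(root, known_bad=KNOWN_BAD_SHA256):
    """Return one record per suspicious file under root (recursive)."""
    root = Path(root)
    hits = []
    if not root.is_dir():
        return hits
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        digest = sha256_of(path)
        mz = has_mz_header(path)
        reasons = []
        if digest in known_bad:
            reasons.append("known-bad-hash")
        if mz and path.suffix.lower() not in EXECUTABLE_EXTS:
            reasons.append("pe-with-unusual-extension")
        if reasons:
            hits.append({
                "path": str(path),
                "name": path.name,
                "sha256": digest,
                "mz": mz,
                # Recorded because the commenter noted the sample's modified
                # timestamp had been altered; compare against other artefacts.
                "mtime": os.path.getmtime(path),
                "reasons": reasons,
            })
    return hits


def default_root():
    """%APPDATA% is the Roaming profile folder on Windows (assumed present)."""
    return Path(os.environ.get("APPDATA", "")) / "MobileOptionPack"


def demo_scan():
    """Constructed demo: a fake MZ file named like the sample plus a harmless text file."""
    tmp = Path(tempfile.mkdtemp(prefix="mop-demo-"))
    fake_pe = tmp / "MobileOptionPack.com"
    fake_pe.write_bytes(b"MZ" + b"\x00" * 62)          # constructed, not real malware
    (tmp / "readme.txt").write_text("constructed harmless file\n")
    # Use the fake file's own digest as the "known bad" hash for the demo.
    return scan_directory(tmp, known_bad={sha256_of(fake_pe)})


if __name__ == "__main__":
    for hit in scan_directory(default_root()):
        print(hit["path"], hit["sha256"], ", ".join(hit["reasons"]))
```

Run it as-is on a Windows host to check the folder the commenter named, or call `scan_directory` with any other path; a hash match is conclusive for this sample, while the MZ-with-odd-extension flag is only a lead that needs a look at the file itself.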