Sponsored by..

Wednesday 3 December 2014

More malware on Crissic Solutions LLC

Another bunch of IPs on Crissic Solutions LLC, leading to what appears to be the Angler EK (see this URLquery report):

167.160.164.102 [VirusTotal report]
167.160.164.103 [VirusTotal report]
167.160.164.141 [VirusTotal report]
167.160.164.142 [VirusTotal report]

The following domains are being exploited (although there will probably be more soon).

citycentralone.biz
citycentraltwo.biz
citycentralfive.biz
citycentralfour.biz
seasononecoming.biz
seasonsixcoming.biz
seasontwocoming.biz
citycentralthree.biz
seasonfivecoming.biz
seasonfourcoming.biz
seasonsevencoming.biz
seasonthreecoming.biz
ultimateconnectioneleven.biz
saturdaynightsnow.biz
saturdaynightzero.biz
saturdaynightwater.biz
saturdaynighteleven.biz
saturdaynightknight.biz
mvsmicrocomcontrol.net
mvseyeoperationcontrol.net
dateswellsfolls.asia
limississippiviewsdooms.asia
limsviewsdooms.asia
limsviewsmakeoms.asia
dateshealthysfolls.asia

Subdomains in use start with one of qwe. or asd. or zxc. (see examples here [pastebin]).

Crissic Solutions LLC operates 167.160.160.0/19 which does have some legitimate sites in it, but since I have previously recommended blocking 167.160.165.0/24 and 167.160.166.0/24 and now with multiple servers on 167.160.164.0/24 also compromised then I suspect that temporarily blocking the entire /19 is the way to go.

1 comment:

CunningPike said...

Looking at the netblock allocations (http://whois.arin.net/rest/net/NET-167-160-160-0-2.html), blocking 167.160.160.0/21 might be a safer approach.