Tuesday, 6 January 2015

hqq.tv serving up exploit kit (via Digital Ocean and Choopa)

I will confess that I haven't had a lot of time to look at this, but here's an infection chain starting from a scummy-looking video streaming site called cine-stream.net. I do not recommend visiting any of the sites labelled [donotclick].

Step 1
[donotclick]cine-stream.net/1609-le-pre-nol-est-une-ordure-en-streaming.html
89.248.170.206 (Ecatel Ltd, Netherlands)
URLquery report

Step 2
[donotclick]hqq.tv/player/embed_player.php?vid=7SO84O65X5SM&autoplay=no
199.83.130.198 (Incapsula, US)

Step 3
[donotclick]agroristaler.info/dasimotulpes16.html
128.199.48.44 (Digital Ocean, Netherlands)
URLquery report

Step 4
[donotclick]aflesministal.info/chat.html
178.62.147.144 (Digital Ocean, Netherlands)
128.199.52.108 (Digital Ocean, Netherlands)

Step 5
[donotclick]pohfefungie.co.vu/VUZQBUgAAgtAGlc.html
[donotclick]eixaaweexum.co.vu/VxFVBkgAAgtAGlc.html
108.61.165.69 (Choopa LLC / Game Servers, Netherlands)
URLquery report

The Digital Ocean and Choopa IPs host several apparently malicious domains:

108.61.165.69
eixaaweexum.co.vu
ienaakeoke.co.vu
weswalkers.co.vu
pohfefungie.co.vu
vieleevethu.co.vu

178.62.147.144
128.199.52.108

sebitibir.info
abrisgalor.info
aflesministal.info

128.199.48.44
abibruget.info
alsonutird.info
fiflakutir.info
fistikopor.info
agroristaler.info
poliloparatoser.info

In my opinion, .co.vu domains are often bad news and are good candidates for blocking. In the meantime I would recommend the following minimum blocklist:

108.61.165.69
178.62.147.144
128.199.52.108
128.199.48.44
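As an added example (not part of the original post), the following script turns the post's indicators into a simple detection pass over proxy logs: it loads the recommended IP blocklist and the domains listed above, applies the author's ".co.vu is bad news" heuristic as a suffix match, and reports which log lines hit. The log layout (timestamp, client IP, status, bytes, method, URL, destination IP) and the log lines themselves are constructed for this example; the indicators are the ones from the post.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Indicators taken from the post: the recommended minimum IP blocklist plus
# the domains listed under each of those IPs.
BLOCK_IPS = {
    "108.61.165.69", "178.62.147.144", "128.199.52.108", "128.199.48.44",
}
BLOCK_DOMAINS = {
    "eixaaweexum.co.vu", "ienaakeoke.co.vu", "weswalkers.co.vu",
    "pohfefungie.co.vu", "vieleevethu.co.vu",
    "sebitibir.info", "abrisgalor.info", "aflesministal.info",
    "abibruget.info", "alsonutird.info", "fiflakutir.info",
    "fistikopor.info", "agroristaler.info", "poliloparatoser.info",
}
# Heuristic from the post: treat the whole .co.vu suffix as suspicious.
SUSPECT_SUFFIXES = (".co.vu",)

# Assumed (constructed) proxy log layout:
# timestamp client_ip status bytes method url dest_ip
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<status>\d{3})\s+(?P<bytes>\d+)\s+"
    r"(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<dest>\S+)$"
)

# Constructed sample log. Lines 2 and 3 are the post's chain; line 4 uses a
# .co.vu domain and IP from the comments (not on the blocklist, so only the
# suffix heuristic fires); line 5 is benign; line 6 is unparseable noise.
SAMPLE_LOG = [
    "1420538400.101 10.0.0.15 200 5120 GET http://cine-stream.net/1609-le-pre-nol-est-une-ordure-en-streaming.html 89.248.170.206",
    "1420538401.220 10.0.0.15 200 2048 GET http://agroristaler.info/dasimotulpes16.html 128.199.48.44",
    "1420538402.305 10.0.0.15 200 9001 GET http://pohfefungie.co.vu/VUZQBUgAAgtAGlc.html 108.61.165.69",
    "1420538403.000 10.0.0.22 200 3000 GET http://raeyeethiu.co.vu/index.html 108.61.166.178",
    "1420538404.000 10.0.0.22 200 1200 GET http://example.com/ 203.0.113.5",
    "garbage line that does not parse",
]


def host_of(url):
    """Return the lowercase hostname of a URL, or None if it cannot be parsed."""
    try:
        host = urlsplit(url).hostname
    except ValueError:
        return None
    return host.lower() if host else None


def classify(host, dest_ip):
    """Return the list of reasons a request matches the post's indicators."""
    reasons = []
    if host in BLOCK_DOMAINS:
        reasons.append("blocklisted domain")
    elif host and host.endswith(SUSPECT_SUFFIXES):  # str.endswith accepts a tuple
        reasons.append("suspicious .co.vu suffix")
    try:
        if str(ipaddress.ip_address(dest_ip)) in BLOCK_IPS:
            reasons.append("blocklisted IP")
    except ValueError:
        pass  # destination field was not an IP (e.g. '-'); nothing to check
    return reasons


def scan_log(lines):
    """Parse each log line and collect the ones that hit an indicator."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # malformed line: skip rather than crash the whole scan
        host = host_of(m["url"])
        reasons = classify(host, m["dest"])
        if reasons:
            hits.append({"line": n, "client": m["client"], "host": host,
                         "dest": m["dest"], "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"line {hit['line']}: {hit['client']} -> {hit['host']} "
              f"({hit['dest']}): {', '.join(hit['reasons'])}")
```

Note that cine-stream.net and hqq.tv are deliberately not in the indicator sets: the post's blocklist covers only the Digital Ocean and Choopa hosting, so the landing page shows up in the log but produces no hit. Matching on both the hostname and the destination IP means a request still hits when an attacker rotates the domain but keeps the server, or vice versa.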

2 comments:

atorrrr said...

Tracking this guy as well.

Currently the page isn't returning anything.

Domains:
raeyeethiu.co.vu
aiquouphie.co.vu

IP:
108.61.166.178

atorrrr said...

Small update...

108.61.166.178:
aeghejukid.co.vu
ahhiebieng.co.vu
oothahkegh.co.vu
ouchoopaim.co.vu
raeyeethiu.co.vu
uurosuthoo.co.vu
yomaivooxu.co.vu
yoomaedoox.co.vu
108.61.177.89:
giqueogohk.co.vu
ohghulohch.co.vu
oothoosite.co.vu
oyainuthae.co.vu
yeinoribaa.co.vu