From: Administrator [mailto:Administrator@Outlook-us.com]
Date: Monday, 12th January 2015 16:21
Subject: Important - New Outlook Settings
Please carefully read the downloaded instructions before updating settings.
http://indemnizaciongarantizada.com/outlook/settings.html
This e-mail and / or any attachment(s) is intended solely for the above-mentioned recipient(s) and it may contain confidential or privileged information. If you have received it in error, please notify us immediately at helpdesk@Outlook-us.com and delete the e-mail. You must not copy it, distribute it, disclose it or take any action in reliance on it.
The download location varies but always has the same path. Here are some other sites in use:
equisolv.com
crm.martrada.com
drukart.home.pl
baypipo.com
hagarsatat.com
duedisnc.it
hinchablessegarra.com
ferramentarighi.it
eu1.panalinks.com
duckzone.kilu.de
indemnizaciongarantizada.com
This spam run is essentially very similar to others seen in recent days, for example this one. Clicking the link in the email will either lead to nonsense text or to a file that downloaded as "message.zip ;.zip ;.zip ;" when I tried it.
Inside this ZIP file is an executable file that is slightly different each time it is downloaded. When I scanned one of these earlier, it turned out to have a very low detection rate.
The Malwr report shows that it drops another file that appears to be a banking trojan, and which also has low detection rates.
Malwr also reports malicious traffic to and from the following locations:
http://202.153.35.133:12028/1201uk1/HOME/0/51-SP3/0/
http://202.153.35.133:12028/1201uk1/HOME/1/0/0/
http://morph-x.com/mandoc/page_241.pdf
http://202.153.35.133:12011/1201uk1/HOME/41/7/4/
A tip-off also indicates that there will be traffic to coffeeofthemonth.biz.
Recommended blocklist:
202.153.35.133
morph-x.com
coffeeofthemonth.biz
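One way to put the indicators above to work on the defensive side, as an added example that is not part of the original post: a small scanner that walks proxy log lines and flags any request to the blocklisted IP and domains, to the lure hosts, to the shared lure path /outlook/settings.html on any host (since the post notes the host varies but the path does not), or to the /1201uk1/HOME/ beacon path seen in the Malwr report. The log line format and the sample lines are constructed for this example; adapt the parser to whatever your proxy or firewall actually writes.

```python
"""Flag proxy log lines that touch the indicators from this post.

Added example, not code from the original post. The log line format
and SAMPLE_LOG below are constructed; the indicator values come from
the post's blocklist, lure-site list and Malwr traffic report.
"""
import re
from urllib.parse import urlsplit

# Recommended blocklist from the post.
BLOCKLIST_IPS = {"202.153.35.133"}
BLOCKLIST_DOMAINS = {"morph-x.com", "coffeeofthemonth.biz"}

# Lure hosts the post lists as "other sites in use".
LURE_DOMAINS = {
    "equisolv.com", "crm.martrada.com", "drukart.home.pl", "baypipo.com",
    "hagarsatat.com", "duedisnc.it", "hinchablessegarra.com",
    "ferramentarighi.it", "eu1.panalinks.com", "duckzone.kilu.de",
    "indemnizaciongarantizada.com",
}

# The lure host varies, but the path is always the same: match it on any host.
LURE_PATH = "/outlook/settings.html"

# The beacon URLs in the Malwr report share this path prefix.
C2_PATH_RE = re.compile(r"^/1201uk1/HOME/")

# Constructed log line shape: "<timestamp> <client_ip> <method> <url> <status>"
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def classify_url(url):
    """Return a short reason string if the URL matches an indicator, else None."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()   # hostname already strips the port
    path = parts.path or "/"
    if host in BLOCKLIST_IPS:
        return "c2-ip"
    if host in BLOCKLIST_DOMAINS or any(host.endswith("." + d) for d in BLOCKLIST_DOMAINS):
        return "c2-domain"
    if path == LURE_PATH:
        return "lure-path"      # also catches lure hosts not yet on the list
    if host in LURE_DOMAINS:
        return "lure-domain"
    if C2_PATH_RE.match(path):
        return "c2-path"
    return None


def scan_log(lines):
    """Return a list of (line_number, client_ip, reason, url) for matching lines."""
    hits = []
    for n, line in enumerate(lines, start=1):
        m = LOG_RE.match(line.strip())
        if not m:
            continue    # skip malformed lines instead of aborting the scan
        _ts, client, _method, url, _status = m.groups()
        reason = classify_url(url)
        if reason:
            hits.append((n, client, reason, url))
    return hits


# Constructed sample log: one clean request, lure hits, C2 hits, one malformed line.
SAMPLE_LOG = [
    "2015-01-12T16:25:01 10.0.0.5 GET http://www.example.com/ 200",
    "2015-01-12T16:25:09 10.0.0.5 GET http://indemnizaciongarantizada.com/outlook/settings.html 200",
    "2015-01-12T16:26:40 10.0.0.7 GET http://not-yet-listed.example/outlook/settings.html 200",
    "2015-01-12T16:27:02 10.0.0.5 GET http://202.153.35.133:12028/1201uk1/HOME/0/51-SP3/0/ 200",
    "2015-01-12T16:27:03 10.0.0.5 GET http://morph-x.com/mandoc/page_241.pdf 200",
    "this line is not in the expected format",
    "2015-01-12T16:30:11 10.0.0.9 GET http://duckzone.kilu.de/some/other/page 404",
]

if __name__ == "__main__":
    for line_no, client, reason, url in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: {client} -> {reason}: {url}")
```

Checking the path independently of the host is what lets the scanner pick up a lure host that is not yet on the list; a pure host blocklist would miss it. Run it on a real proxy export by replacing SAMPLE_LOG with the file's lines and adjusting LOG_RE to that format.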
1 comment:
thanks for info