It starts when a visitor lands on click-and-trip.com, hosted on 38.84.134.46, which purports to be some sort of hotel reservation system.
However, this URLquery report also shows a suspected Fiesta EK pattern and/or a TDS (Traffic Distribution System) URL. In that report the landing page is [donotclick]asasas.eu/yo416f8/counter.php?id=5 on 38.84.134.171, but this is one of those cases where the landing page changes quickly.
The "gateway" domain and the "payload" domain have similar WHOIS details. For click-and-trip.com they are:
Registrant Name: BERNARDO MINES
Registrant Organization: LA SAGRADA
Registrant Street: CARRER DE MALLORCA, 401
Registrant City: BARCELONA
Registrant State/Province: NON
Registrant Postal Code: 08013
Registrant Country: DE
Registrant Phone: +34.932073031
Registrant Phone Ext:
Registrant Fax: +1.5555555555
Registrant Fax Ext:
Registrant Email: HANSBRUSE@YAHOO.COM
Well, Barcelona isn't in DE (Germany), so these contact details look awfully suspect. If we look at the WHOIS details for asasas.eu we see:
Name Hans Bruse
Organisation hans inc
Language German
Address Am Forsthaus 9
18209 Glashagen
Germany
Phone +49.382037295
Email hansbruse@yahoo.com
Both records use the "hansbruse@yahoo.com" email address, and the German contact details for "Hans Bruse" are more convincing than those for "Bernardo Mines".
The click-and-trip.com domain has been around since January and, interestingly, a dig back in time six months turns up slightly different contact details:
Registry Registrant ID:
Registrant Name: BERNARDO MINES
Registrant Organization: LA SAGRADA
Registrant Street: CARRER DE MALLORCA, 401
Registrant City: BARCELONA
Registrant State/Province: NON
Registrant Postal Code: 08013
Registrant Country: ES
Registrant Phone: +34.932073031
Registrant Phone Ext:
Registrant Fax: +1.5555555555
Registrant Fax Ext:
Registrant Email: GEFEST@ZMAIL.RU
Registry Admin ID:
See the Russian email address? That gets some positive matches on Google linking it to a person called Aleksandr Filippovskiy (or Filippovskiy Aleksandr) who has been connected with malware sites before. So on balance, this thing looks rather suspicious, even though those details could also be a smokescreen.
A reverse IP lookup (passive DNS) on 38.84.134.171 shows three suspect domains with a similar naming pattern:
aaqaaq.eu
asasas.eu
ooaooa.eu
The IP's reputation at VirusTotal doesn't look great either. If we extend the search to neighbouring servers, the same pattern of domains shows up all the way from 38.84.134.162 to 38.84.134.171:
ioooiiio.eu | 38.84.134.162 |
oieaa.com | 38.84.134.162 |
dcfvfr.com | 38.84.134.162 |
eiieei.com | 38.84.134.162 |
ijueee.com | 38.84.134.162 |
aoooaooa.com | 38.84.134.162 |
acccaacccaaaa.pw | 38.84.134.163 |
aaeeaae.com | 38.84.134.163 |
ooioooii.com | 38.84.134.163 |
azzaaazz.pw | 38.84.134.164 |
axxaaaxxx.pw | 38.84.134.164 |
aaooaaoaoaaa.pw | 38.84.134.164 |
advantagefilm.pw | 38.84.134.164 |
gthyuuuy.com | 38.84.134.164 |
kujeikdkd.com | 38.84.134.164 |
mijkuiiid.com | 38.84.134.164 |
rfttyhuui.com | 38.84.134.164 |
uyueueuee.com | 38.84.134.164 |
oooiiiio.us | 38.84.134.165 |
iiiiiiioooooooooo.us | 38.84.134.165 |
hyujuuy.com | 38.84.134.165 |
hyujyttr.com | 38.84.134.165 |
nefdefeettyt.com | 38.84.134.165 |
gthuueeed.us | 38.84.134.166 |
eeeeaeeeea.us | 38.84.134.166 |
aaeeeaaaeee.us | 38.84.134.166 |
gtyuyyuuj.com | 38.84.134.166 |
eedeeeedddd.eu | 38.84.134.167 |
iyiiyyyiiiyy.eu | 38.84.134.167 |
uoooouuuoo.pw | 38.84.134.167 |
efefefeeeeee.pw | 38.84.134.167 |
eaeaaaaaaeeeeee.pw | 38.84.134.167 |
aaaaaaooooo.us | 38.84.134.167 |
ioiiio.eu | 38.84.134.168 |
aeaaeee.eu | 38.84.134.168 |
aoaoooao.eu | 38.84.134.168 |
oiioooiiii.pw | 38.84.134.168 |
iaiaiaiaia.eu | 38.84.134.169 |
axxazazaza.eu | 38.84.134.170 |
jjjjajjiiiooo.eu | 38.84.134.170 |
aaqaaq.eu | 38.84.134.171 |
asasas.eu | 38.84.134.171 |
ooaooa.eu | 38.84.134.171 |
Older domains seem to sit on the lower IP addresses. The pattern appears to be that domains are hosted in the range for a short time and are then parked on what look like Namecheap parking IPs; once an IP's reputation is tarnished, the domains move on to the next IP address.
The IPs in question roughly correspond to 38.84.134.160/28 (38.84.134.160 to .175), but looking at the sites hosted nearby there is a gap of unused IPs all the way from there to 38.84.134.196.
Where these domains have identifiable WHOIS details, they conform to variants of the "Bernardo Mines" persona, for example acccaacccaaaa.pw:
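To show how the cluster in the table above can be picked out mechanically, here is an added example (my own code, not from the original post) that parses rows in the "domain | IP |" format, flags keyboard-mash and vowel-soup labels with a simple heuristic, counts hits per address and grows the smallest CIDR block that covers them, which for the flagged addresses comes out at 38.84.134.160/28. The sample rows are a constructed subset of the table plus a control row for example.com on 38.84.134.200; the heuristic thresholds are my assumptions and will miss some of the names in the list and misfire on a few real ones.

```python
import ipaddress
import re

# Constructed sample: a subset of the "domain | IP |" rows from the post, plus
# example.com on an address outside the cluster as a control row.
ROWS = """\
ioooiiio.eu | 38.84.134.162 |
dcfvfr.com | 38.84.134.162 |
acccaacccaaaa.pw | 38.84.134.163 |
advantagefilm.pw | 38.84.134.164 |
rfttyhuui.com | 38.84.134.164 |
oooiiiio.us | 38.84.134.165 |
gtyuyyuuj.com | 38.84.134.166 |
aaqaaq.eu | 38.84.134.171 |
asasas.eu | 38.84.134.171 |
example.com | 38.84.134.200 |
"""

# 'y' is counted as a vowel because the mashed labels use it like one (gtyuyyuuj).
VOWELS = set("aeiouy")
CONSONANTS = set("bcdfghjklmnpqrstvwxz")


def parse_rows(text):
    """Turn 'domain | ip |' lines into a list of (domain, IPv4Address) tuples."""
    rows = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.split("|") if c.strip()]
        if len(cells) >= 2:
            rows.append((cells[0].lower(), ipaddress.ip_address(cells[1])))
    return rows


def longest_run(letters, charset):
    """Length of the longest consecutive run of characters drawn from charset."""
    run = best = 0
    for ch in letters:
        run = run + 1 if ch in charset else 0
        best = max(best, run)
    return best


def looks_mashed(domain):
    """Heuristic (my assumption, not a rule from the post) for keyboard-mash
    and vowel-soup labels such as aaqaaq, dcfvfr or gtyuyyuuj."""
    label = domain.rsplit(".", 1)[0]
    letters = re.sub(r"[^a-z]", "", label)
    if len(letters) < 5:
        return False                                # too short to judge
    vowels = sum(ch in VOWELS for ch in letters)
    return (
        len(set(letters)) <= 3                      # a few letters repeated: aaqaaq, asasas
        or vowels == 0                              # no vowels at all: dcfvfr
        or vowels / len(letters) >= 0.7             # almost all vowels: ioooiiio, oooiiiio
        or longest_run(letters, VOWELS) >= 4        # long vowel run: gtyuyyuuj
        or longest_run(letters, CONSONANTS) >= 4    # long consonant run: rfttyhuui
    )


def per_ip_counts(rows):
    """{ip string: (mashed domains, all domains)} for every address in the rows."""
    counts = {}
    for domain, ip in rows:
        mashed, total = counts.get(str(ip), (0, 0))
        counts[str(ip)] = (mashed + int(looks_mashed(domain)), total + 1)
    return counts


def suspicious_range(rows):
    """Addresses hosting at least one mashed name, and the smallest CIDR block
    that covers all of them (grown from the lowest address one prefix bit at a time)."""
    hits = sorted({ip for domain, ip in rows if looks_mashed(domain)})
    if not hits:
        return [], None
    net = ipaddress.ip_network(str(hits[0]))    # /32 of the lowest address
    while hits[-1] not in net:
        net = net.supernet()                    # widen until the highest address fits
    return [str(ip) for ip in hits], str(net)


if __name__ == "__main__":
    rows = parse_rows(ROWS)
    for ip, (mashed, total) in sorted(per_ip_counts(rows).items()):
        print(f"{ip:16} {mashed}/{total} mashed")
    hits, net = suspicious_range(rows)
    print("cluster:", ", ".join(hits))
    print("covering block:", net)
```

The covering block is only as good as the hits that feed it: the control row on .200 is not flagged, so it does not drag the block out to a /26, which is exactly the judgement call the text makes when it treats the gap up to .196 as separate.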
Registrant ID:SVXABVV3KWVMGEKW
Registrant Name:Bernardo Mines
Registrant Organization:La Sagrada
Registrant Street1:Carrer de Mallorca, 401
Registrant City:Barcelona
Registrant State/Province:non
Registrant Postal Code:08013
Registrant Country:ES
Registrant Phone:+34.932073031
Registrant Fax:+1.5555555555
Registrant Email:ilokios@gmail.com
But we know that "Bernardo Mines" also has domains on other IPs in this range, including techno6.com on 38.84.134.47, and a further examination of sites in the range shows aws-wireless.com on 38.84.134.14, which is registered to:
Registry Registrant ID:
Registrant Name: FILIPPOVSKIY ALEKSANDR
Registrant Organization: DOM
Registrant Street: YLICA BAYMANA. DOM 9.KORPYS A. KVARTIRA 106
Registrant Street: KVARTIRA 106
Registrant City: YOSHKAR OLA
Registrant State/Province: YOSHKAR OLA
Registrant Postal Code: 42400
Registrant Country: RU
Registrant Phone: +7.79276827596
Registrant Phone Ext:
Registrant Fax: +7.79276827596
Registrant Fax Ext:
Registrant Email: AWSWIRELESS@MAIL.COM
So we have Filippovskiy Aleksandr again.
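The investigation above pivots between records on shared registrant fields: the hansbruse@yahoo.com address links click-and-trip.com to asasas.eu, and the Barcelona phone number, organisation and obviously-filler fax number link the "Bernardo Mines" domains to each other. Here is an added example (my own code, not from the original post) that extracts those fields from the three WHOIS layouts quoted on this page, links records that share a value, and groups them into clusters. The records are constructed from the excerpts in the post; the field normalisation and the choice of pivot fields are my assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: WHOIS excerpts in the three layouts quoted in the post
# (gTLD "Registrant X: value", EURid "X value", and "Registrant X:value" with no space).
RECORDS = {
    "click-and-trip.com": """
Registrant Name: BERNARDO MINES
Registrant Organization: LA SAGRADA
Registrant Country: DE
Registrant Phone: +34.932073031
Registrant Phone Ext:
Registrant Fax: +1.5555555555
Registrant Email: HANSBRUSE@YAHOO.COM
""",
    "click-and-trip.com (6 months ago)": """
Registrant Name: BERNARDO MINES
Registrant Organization: LA SAGRADA
Registrant Country: ES
Registrant Phone: +34.932073031
Registrant Fax: +1.5555555555
Registrant Email: GEFEST@ZMAIL.RU
""",
    "asasas.eu": """
Name Hans Bruse
Organisation hans inc
Language German
Phone +49.382037295
Email hansbruse@yahoo.com
""",
    "acccaacccaaaa.pw": """
Registrant Name:Bernardo Mines
Registrant Organization:La Sagrada
Registrant Phone:+34.932073031
Registrant Fax:+1.5555555555
Registrant Email:ilokios@gmail.com
""",
    "aws-wireless.com": """
Registrant Name: FILIPPOVSKIY ALEKSANDR
Registrant Organization: DOM
Registrant Phone: +7.79276827596
Registrant Fax: +7.79276827596
Registrant Email: AWSWIRELESS@MAIL.COM
""",
}

# One pattern for all three layouts. The lookahead skips "Phone Ext" / "Fax Ext" lines.
FIELD_RE = re.compile(
    r"^(?:Registrant\s+)?(Name|Organi[sz]ation|Phone|Fax|Email)(?!\s+Ext)\s*:?\s*(.+?)\s*$",
    re.IGNORECASE | re.MULTILINE,
)


def extract_pivots(text):
    """Return {field: normalised value} for the fields worth pivoting on."""
    pivots = {}
    for field, value in FIELD_RE.findall(text):
        field = field.lower()
        if field.startswith("organi"):
            field = "org"                            # Organization / Organisation
        if field in ("phone", "fax"):
            value = re.sub(r"[^\d+]", "", value)     # "+34.932073031" -> "+34932073031"
        else:
            value = " ".join(value.lower().split())  # case and spacing are registrar noise
        pivots[field] = value
    return pivots


def pivot_links(records):
    """Map 'field:value' to the set of record labels sharing that value,
    keeping only values that appear in two or more records."""
    index = defaultdict(set)
    for label, text in records.items():
        for field, value in extract_pivots(text).items():
            index[f"{field}:{value}"].add(label)
    return {key: labels for key, labels in index.items() if len(labels) >= 2}


def clusters(records):
    """Group records into connected components over the shared-pivot graph."""
    adjacent = defaultdict(set)
    for labels in pivot_links(records).values():
        for label in labels:
            adjacent[label] |= labels - {label}
    seen, groups = set(), []
    for start in records:
        if start in seen:
            continue
        group, stack = set(), [start]
        while stack:
            node = stack.pop()
            if node not in group:
                group.add(node)
                stack.extend(adjacent[node] - group)
        seen |= group
        groups.append(group)
    return groups


if __name__ == "__main__":
    for key, labels in sorted(pivot_links(RECORDS).items()):
        print(f"{key:32} -> {', '.join(sorted(labels))}")
    for group in clusters(RECORDS):
        print("cluster:", ", ".join(sorted(group)))
```

On this sample the "Bernardo Mines" records and asasas.eu fall into one cluster through the shared email, phone, organisation and fax values, while aws-wireless.com stays on its own: the Filippovskiy link in the post comes from a web search on gefest@zmail.ru, not from any field the two WHOIS records have in common, which is why that kind of pivot has to be done by hand.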
A look at all the hosts I can find in this range [csv] shows nothing of value, just a load of cybersquatting and spam sites. On balance, I think that blocking the entire 38.84.134.0/24 range may be prudent, even if it is hard to tell exactly what is going on here.