Showing posts with label Printer Spam.

Thursday, 31 July 2014

"Scanned Image from a Xerox WorkCentre" spam

This is a thoroughly old school spam with a malicious attachment.

Date:      Thu, 31 Jul 2014 18:16:08 +0000 [14:16:08 EDT]
From:      Local Scan [scan.614@victimdomain]
Subject:      Scanned Image from a Xerox WorkCentre

You have a received a new image from Xerox WorkCentre.

Sent by: victimdomain
Number of Images: 5
Attachment File Type: ZIP [PDF]

WorkCentre Pro Location: Machine location not set
Device Name: victimdomain

Attached file is scanned image in PDF format.
Adobe(R)Reader(R) can be downloaded from the following URL: http://www.adobe.com/

Guess what.. it isn't an image at all, but a ZIP file with the unusual name of Image_[_var=partorderb].zip which contains a malicious executable Image_07312014.scr, scoring a measly 1/54 at VirusTotal.

The Comodo CAMAS report shows that the malware downloads components from the following locations:



There are some further clues in the VirusTotal comments as to what the malware does. Sophos has also seen the 94.23.247.202 (OVH, France) IP before.

Recommended blocklist:

Wednesday, 18 June 2014

"Scanned Image from a Xerox WorkCentre" spam with a malicious PDF attachment

The PDF spammers are busy today - this is the third time this particular malicious PDF has been spammed out to victims, first as a fake HSBC message, then a fake Lloyds message, and now a fake Xerox WorkCentre spam.

From:     Xerox WorkCentre
Date:     18 June 2014 13:41
Subject:     Scanned Image from a Xerox WorkCentre

It was scanned and sent to you using a Xerox WorkCentre Pro.

Sent by: [redacted]
Number of Images: 0
Attachment File Type: PDF

WorkCentre Pro Location: Machine location not set
Device Name: [redacted]

Attached file is scanned image in PDF format.
Adobe(R)Reader(R) can be downloaded from the following URL: http://www.adobe.com/

The payload is a malicious PDF that is identical to the HSBC and Lloyds spams.

Thursday, 17 October 2013

"Scan from a Xerox WorkCentre" spam / A136_Incoming_Money_Transfer_Form.exe

The malware spammers are suffering from a chronic lack of imagination with this familiar fake printer spam:

Date:      Thu, 17 Oct 2013 13:01:52 -0600 [15:01:52 EDT]
From:      Incoming Fax [Incoming.Fax3@victimdomain.com]
Subject:      Scan from a Xerox WorkCentre

Please download the document.  It was scanned and sent to you using a Xerox multifunction device.

File Type: pdf
Download: Scanned from a Xerox multi~9.pdf

multifunction device Location: machine location not set
Device Name: Xerox1552


For more information on Xerox products and solutions, please visit http://www.xerox.com

Attached is a ZIP file Scanned from a Xerox multi~6.zip which in turn contains an executable A136_Incoming_Money_Transfer_Form.exe with a VirusTotal detection rate of 6/48.

Automated analysis [1] [2] [3] shows a connection to cushinc.com on 209.236.71.58 (Westhost, US). This is the same server as seen yesterday, so my best guess is that the server is compromised and potentially all the 600+ domains on it are too. Blocking that IP address may be prudent.

Tuesday, 9 July 2013

Xerox WorkCentre (or is it HP Digital Device?) spam / SCAN_129_07082013_18911.zip

This fake printer spam has a malicious attachment:

Date:      Mon, 8 Jul 2013 12:20:24 -0500 [07/08/13 13:20:24 EDT]
From:      HP Digital Device [HP.Digital8@victimdomain]
Subject:      Scanned Image from a Xerox WorkCentre

Please open the attached document. It was scanned and sent to you using a Xerox WorkCentre Pro.

Sent by: [victimdomain]
Number of Images: 8
Attachment File Type: ZIP [PDF]

WorkCentre Pro Location: Machine location not set
Device Name: OM7IEQ4M22

Attached file is scanned image in PDF format.
Adobe(R)Reader(R) can be downloaded from the following URL: http://www.adobe.com/

In this case there is an attachment SCAN_129_07082013_18911.zip containing an executable file SCAN_129_07082013_18911.exe (note that the date is encoded into the filename). VirusTotal detections are 26/47 and identify it as a generic downloader; Comodo CAMAS reports that it is a Pony downloader that attempts to contact 2ndtimearoundweddingphotography.com, which appears to be a hijacked GoDaddy domain.

As is common at the moment, there are a bunch of related hacked GoDaddy domains on a random (non-GoDaddy) server, in this case 64.94.100.116 (the somewhat notorious Nuclear Fallout Enterprises). All these domains should be treated as malicious according to reports from URLquery and VirusTotal.


The ThreatTrack report [pdf] reveals more details, including the subsequent download locations, as does the ThreatExpert report.

[donotclick]lacasadelmovilusado.com/bts1.exe
[donotclick]common.karsak.com.tr/FzPfH6.exe
[donotclick]ftp.vickibettger.com/oEoASW64.exe
[donotclick]qualitydoorblog.com/qbSTq.exe

This second file has a much lower detection rate at VirusTotal of just 3/47 (and they are all generic at that). The ThreatExpert report [pdf] gives more details of the malware plus some connection attempts, and Anubis reports something similar. They all appear to be dynamic ADSL addresses and probably not worth trying to block.


Recommended blocklist:

Wednesday, 19 June 2013

HP Spam / HP_Scan_06292013_398.zip FAIL

I've been seeing these spams for a couple of days now..

Date:      Wed, 19 Jun 2013 09:39:27 -0500 [10:39:27 EDT]
From:      HP Digital Device [HP.Digital0@victimdomain]
Subject:      Scanned Copy

Please open the attached document. This document was digitally sent to you using an HP Digital Sending device.

To view this document you need to use the Adobe Acrobat Reader.

-------------------------------------------------------------------------------
This email has been scanned for viruses and spam.
-------------------------------------------------------------------------------

There is an attachment called HP_Scan_06292013_398.zip. Obviously this is an attempt to deliver malware.. but the attachment is too small to have a payload. Initially I thought that it was some random part of somebody's security infrastructure stripping it off until I got a really clean copy.. and the ZIP file was just 8 bytes:
12 BA E8 AC 16 AC 7B AE
Another sample version looks like this, with just 6 bytes:
12 BA E8 AC 16 AC
Googling for 12BAE8AC16AC or 12BAE8AC16AC7BAE gets nothing at all (well, except it will now I've blogged about it). Weird, huh?

Wednesday, 12 June 2013

"Scan from a Xerox WorkCentre" spam / Scan_06122013_29911.zip

This fake Xerox WorkCentre spam comes with a malicious attachment and appears to come from the victim's own domain:

Date:      Wed, 12 Jun 2013 10:36:16 -0500 [11:36:16 EDT]
From:      Xerox WorkCentre [Xerox.Device9@victimdomain.com]
Subject:      Scan from a Xerox WorkCentre

Please download the document.  It was scanned and sent to you using a Xerox multifunction device.

File Type: pdf
Download: Scanned from a Xerox multi~3.pdf

multifunction device Location: machine location not set
Device Name: Xerox2023


For more information on Xerox products and solutions, please visit http://www.xerox.com

Attached is a ZIP file, in this case called Scan_06122013_29911.zip which in turn contains an executable Scan_06122013_29911.exe. Note that the date is encoded into the filename so future versions will be different.
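As an added example (my code, not the blog's), here is a Python triage routine that covers both attachment cases seen in these posts: the 8-byte HP_Scan_06292013_398.zip above that is too small to be a ZIP at all, and real ZIPs such as Scan_06122013_29911.zip that wrap an executable and carry the send date in the name. The filename prefixes in the regex and the sample ZIP contents are constructed assumptions.

```python
import io
import re
import zipfile

# Extensions a "scanned document" has no business containing.
EXECUTABLE_EXTS = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs")

# Names like Scan_06122013_29911.zip encode the send date as MMDDYYYY, so a
# signature on the exact name goes stale the next day; match the shape instead.
# Prefix list is an assumption drawn from the names quoted in these posts.
DATED_NAME = re.compile(
    r"^(?:Scan|SCAN|Image|HP_Scan)_(?:\d+_)?(\d{8})(?:_\d+)?\.(?:zip|exe|scr)$")


def triage_zip_attachment(filename: str, data: bytes) -> dict:
    """Classify a mail attachment that claims to be a zipped scan.

    verdict is one of:
      'truncated'  - shorter than a ZIP end-of-central-directory record (22 bytes)
      'not_zip'    - long enough but carries no ZIP structure
      'executable' - a real ZIP holding an executable member
      'clean_zip'  - a real ZIP with no executable members
    """
    result = {"filename": filename, "verdict": None, "members": [],
              "encoded_date": None}
    m = DATED_NAME.match(filename)
    if m:
        mmddyyyy = m.group(1)
        result["encoded_date"] = (
            f"{mmddyyyy[4:]}-{mmddyyyy[:2]}-{mmddyyyy[2:4]}")
    if len(data) < 22:                      # the 8-byte and 6-byte HP samples
        result["verdict"] = "truncated"
        return result
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        result["verdict"] = "not_zip"
        return result
    result["members"] = names
    bad = [n for n in names if n.lower().endswith(EXECUTABLE_EXTS)]
    result["verdict"] = "executable" if bad else "clean_zip"
    return result


def build_sample_zip(member_name: str) -> bytes:
    """Constructed sample: a ZIP holding one harmless placeholder member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member_name, b"placeholder, not a real binary")
    return buf.getvalue()


# The 8-byte "ZIP" from the HP_Scan_06292013_398.zip spam, as printed in the post.
EIGHT_BYTE_SAMPLE = bytes.fromhex("12BAE8AC16AC7BAE")

if __name__ == "__main__":
    print(triage_zip_attachment("HP_Scan_06292013_398.zip", EIGHT_BYTE_SAMPLE))
    print(triage_zip_attachment("Scan_06122013_29911.zip",
                                build_sample_zip("Scan_06122013_29911.exe")))
```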

VirusTotal results are 23/47 which is typically patchy. Comodo CAMAS reports that the malware attempts to phone home to forum.xcpus.com on 71.19.227.135 and has the following checksums:
MD5: 8fcba93b00dba3d182b1228b529d3c9e
SHA1: 54f02f3f1d6954f98e14a9cee62787387e5b072c
SHA256: 544c08f288b1102d6304e9bf3fb352a8fdfb59df93dc4ecc0f753dd30e39da0c

ThreatExpert has some more information, but the ThreatTrack report [pdf] is more detailed and also identifies the following domains and IPs which are probably worth blocking or looking out for:

Update: I'd previously listed 195.110.124.133 on the blocklist which is a register.it parking server in Italy. That was probably overkill, you might want to unblock it and block ftp.videotre.tv.it instead.

Tuesday, 9 April 2013

HP ScanJet spam / jundaio.ru

This fake printer spam leads to malware on jundaio.ru:

Date:      Tue, 9 Apr 2013 10:07:40 +0500 [01:07:40 EDT]
From:      Scot Crump [ScotCrump@hotmail.com]
Subject: Re: Scan from a Hewlett-Packard ScanJet  #0437
Attachment: HP-ScannedDoc.htm

Attached document was scanned and sent

to you using a HP HPAD-400812P.
SENT BY : Scot S.
PAGES : 9
FILETYPE: .HTM [INTERNET EXPLORER/MOZILLA FIREFOX]

The attachment HP-ScannedDoc.htm leads to malware on [donotclick]jundaio.ru:8080/forum/links/column.php (report here) hosted on:
91.191.170.26 (Netdirekt, Turkey)
93.187.200.250 (Netdirekt, Turkey)
94.103.45.34 (ANKARAHOSTING, Turkey)
208.94.108.238 (Fibrenoire, Canada)

Blocklist:



Thursday, 28 March 2013

"Scan from a Xerox W. Pro" spam / ilianorkin.ru

This fake printer spam leads to malware on ilianorkin.ru:

From: officejet@[victimdomain]
Sent: 27 March 2013 08:35
Subject: Fwd: Fwd: Scan from a Xerox W. Pro #589307

A Document was sent to you using a XEROX WorkJet PRO 481864299.

SENT BY : Omar
IMAGES : 9
FORMAT (.JPEG) DOWNLOAD

The malicious payload is at [donotclick]ilianorkin.ru:8080/forum/links/column.php (report here) hosted on:

66.249.23.64 (Endurance International Group, US)
69.46.253.241 (RapidDSL & Wireless, US)
140.114.75.84 (TANET, Taiwan)

Blocklist:

Monday, 25 March 2013

"Scan from a HP ScanJet" spam / humaniopa.ru

This fake printer spam leads to malware on humaniopa.ru:

Date:      Mon, 25 Mar 2013 03:57:54 -0500
From:      LinkedIn Connections [connections@linkedin.com]
Subject:      Scan from a HP ScanJet #928909620
Attachments:     Scanned_Document.htm

Attached document was scanned and sent

to you using a Hewlett-Packard HP Officejet 98278P.

Sent by: CHANG
Images : 5
Attachment Type: .HTM [INTERNET EXPLORER]

Hewlett-Packard Officejet Location: machine location not set

The attachment Scanned_Document.htm leads to malware on [donotclick]humaniopa.ru:8080/forum/links/column.php (report here) hosted on:
66.249.23.64 (Endurance International Group, US)
72.11.155.182 (OC3 Networks, US)
72.167.254.194 (GoDaddy, US)
95.211.154.196 (Leaseweb, Netherlands)

Blocklist:


Thursday, 21 March 2013

"Scan from a Hewlett-Packard ScanJet" spam / hillaryklinton.ru

This fake printer spam leads to malware on the amusingly-named hillaryklinton.ru:

From: messages-noreply@bounce.linkedin.com [mailto:messages-noreply@bounce.linkedin.com] On Behalf Of LinkedIn Password
Sent: 21 March 2013 06:56
Subject: Scan from a Hewlett-Packard ScanJet #269644

Attached document was scanned and sent
to you using a Hewlett-Packard HP Officejet 6209P.

Sent by: SANDIE
Images : 1
Attachment Type: .HTM [INTERNET EXPLORER]

Hewlett-Packard Officejet Location: machine location not set

In this case there is an attachment called Scanned_Document.htm which leads to a malicious payload at [donotclick]hillaryklinton.ru:8080/forum/links/column.php (report here) hosted on:

50.22.0.2 (SoftLayer, US)
62.75.157.196 (Inergenia, Germany)
109.230.229.156 (High Quality Server, Germany)

Blocklist:



Thursday, 21 February 2013

"Scan from a Xerox WorkCentre Pro" spam / familanar.ru

This familiar printer spam leads to malware on the familanar.ru domain:

Date:      Thu, 21 Feb 2013 09:22:25 -0500 [09:22:25 EST]
From:      Tagged [Tagged@taggedmail.com]
Subject:      Fwd: Re:  Scan from a Xerox WorkCentre Pro #800304

A Document was sent to you using a XEROX WorkJet PRO 760820.

SENT BY : BRYNN
IMAGES : 5
FORMAT (.JPEG) DOWNLOAD

The malicious payload is at [donotclick]familanar.ru:8080/forum/links/column.php (report here) hosted on:

84.23.66.74 (EUserv Internet, Germany)
122.160.168.219 (Trackon Couriers, India)
210.71.250.131 (Chungwa Telecom, China)

These are the same IPs found in this attack and several others. Block 'em if you can.

Thursday, 14 February 2013

HP ScanJet spam / 202.72.245.146

This fake printer spam leads to malware on 202.72.245.146:

Date:      Thu, 14 Feb 2013 10:10:56 +0000
From:      AntonioShapard@hotmail.com
Subject:      Fwd: Re: Scan from a Hewlett-Packard ScanJet #6293
Attachments:     HP_Document.htm

Attached document was scanned and sent

to you using a HP A-32347P.

SENT BY : TRISH
PAGES : 3
FILETYPE: .HTML [INTERNET EXPLORER/MOZILLA FIREFOX]

=================

Date:      Thu, 14 Feb 2013 06:07:00 -0800
From:      LinkedIn Password [password@linkedin.com]
Subject:      Fwd: Scan from a Hewlett-Packard ScanJet 83097855
Attachments:     HP_Document.htm

Attached document was scanned and sent

to you using a HP A-775861P.

SENT BY : CARLINE
PAGES : 4
FILETYPE: .HTML [INTERNET EXPLORER/MOZILLA FIREFOX]

The malicious payload is on [donotclick]202.72.245.146:8080/forum/links/column.php (report here) which is a familiar IP address belonging to Railcom in Mongolia. The following malicious websites are also active on the same server:

HP ScanJet spam / eipuonam.ru

This fake printer spam leads to malware on eipuonam.ru:

Date:      Thu, 14 Feb 2013 -02:00:50 -0800
From:      "Xanga" [noreply@xanga.com]
Subject:      Fwd: Scan from a HP ScanJet #72551
Attachments:     HP_Document.htm

Attached document was scanned and sent

to you using a HP A-39329P.

SENT BY : Ingrid
PAGES : 0
FILETYPE: .HTML [INTERNET EXPLORER/MOZILLA FIREFOX]

The attachment HP_Document.htm contains a script that attempts to direct visitors to [donotclick]eipuonam.ru:8080/forum/links/column.php (report here) hosted on:


91.121.57.231 (OVH, France)
195.210.47.208 (PS Internet, Kazakhstan)
202.72.245.146 (Railcom, Mongolia)

The following IPs and sites should be blocked:

Tuesday, 6 November 2012

"Scan from a Xerox WorkCentre Pro" / peneloipin.ru

This fake printer spam leads to malware on peneloipin.ru:

From: Keshawn Burns [mailto:MaribelParchment@hotmail.com]
Sent: 06 November 2012 05:09
Subject: Scan from a Xerox WorkCentre Pro #47938830

Please open the attached document. It was scanned and sent
to you using a Xerox WorkCentre Pro.

Sent by: Keshawn
Number of Images: 5
Attachment File Type: .HTML [Internet Explorer file]

Xerox WorkCentre Location: machine location not set
The attachment contains some obfuscated JavaScript that redirects the visitor to a malicious payload on [donotclick]peneloipin.ru:8080/forum/links/column.php hosted on some IPs that have been used several times before for malware:

65.99.223.24 (RimuHosting, US)
103.6.238.9 (Universiti Putra, Malaysia)
203.80.16.81 (MYREN, Malaysia)

The following malicious domains are also hosted on the same servers:
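An added detection example (my code, not the blog's): a Python scan over constructed proxy log lines in squid native format that flags the landing-URL shape quoted throughout these posts, port 8080 with /forum/links/column.php or /forum/showthread.php?page=<hex token>, and pulls out the host and the server IP it resolved to for a blocklist. The client addresses and timestamps are invented; the .ru hosts and peer IPs are the ones the posts name.

```python
import re
from urllib.parse import parse_qs, urlsplit

# URL shape quoted across these posts: port 8080 and a fake "forum" path.
COLUMN_PATH = "/forum/links/column.php"
SHOWTHREAD_PATH = "/forum/showthread.php"
PAGE_TOKEN = re.compile(r"^[0-9a-f]{15,16}$")   # e.g. 5fa58bce769e5c2c


def is_landing_url(url: str) -> bool:
    """True if the URL matches the redirect target shape seen in these spams."""
    u = urlsplit(url)
    try:
        if u.port != 8080:
            return False
    except ValueError:            # malformed port in the URL
        return False
    if u.path == COLUMN_PATH:
        return True
    if u.path == SHOWTHREAD_PATH:
        page = parse_qs(u.query).get("page", [""])[0]
        return bool(PAGE_TOKEN.match(page))
    return False


def scan_proxy_log(lines):
    """Squid native log fields: ts elapsed client action/code size method URL ident peer/ip type.
    Returns one hit per matching request with the host and the server it resolved to."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 9:
            continue
        client, url, peer = parts[2], parts[6], parts[8]
        if not is_landing_url(url):
            continue
        server_ip = peer.split("/", 1)[1] if "/" in peer else None
        hits.append({"client": client, "host": urlsplit(url).hostname,
                     "server_ip": server_ip, "url": url})
    return hits


def blocklist_from_hits(hits):
    """Hosts and hosting IPs to block, de-duplicated and sorted."""
    entries = {h["host"] for h in hits} | {h["server_ip"] for h in hits if h["server_ip"]}
    return sorted(entries)


# Constructed sample log (clients and timestamps invented).
SAMPLE_LOG = """\
1352178540.123    312 10.0.0.15 TCP_MISS/200 4311 GET http://peneloipin.ru:8080/forum/links/column.php - DIRECT/65.99.223.24 text/html
1352178541.456     88 10.0.0.15 TCP_MISS/200 1020 GET http://www.xerox.com/ - DIRECT/203.0.113.5 text/html
1344845990.001    201 10.0.0.22 TCP_MISS/200 5123 GET http://mirdymas.ru:8080/forum/showthread.php?page=5fa58bce769e5c2 - DIRECT/46.51.218.71 text/html
1344845991.002    150 10.0.0.22 TCP_MISS/404 900 GET http://example.org:8080/forum/index.php - DIRECT/198.51.100.9 text/html
"""

if __name__ == "__main__":
    found = scan_proxy_log(SAMPLE_LOG.splitlines())
    for h in found:
        print(h["client"], "->", h["url"], "on", h["server_ip"])
    print("blocklist:", blocklist_from_hits(found))
```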


Wednesday, 31 October 2012

HP ScanJet spam / donkihotik.ru

This fake printer message leads to malware on donkihotik.ru:


Date:      Wed, 31 Oct 2012 05:06:42 +0300
From:      LinkedIn Connections
Subject:      Re: Fwd:Scan from a HP ScanJet #26531
Attachments:     HP-Scan-44974.htm

Attached document was scanned and sent



to you using a Hewlett-Packard Officejet PRO.

Sent: by Bria
Image(s) : 6
Attachment: Internet Explorer file [.htm]

Hewlett-Packard Officejet Location: machine location not set

The malicious payload is at [donotclick]donkihotik.ru:8080/forum/links/column.php which is hosted on the same IP addresses as this attack yesterday.

Tuesday, 18 September 2012

"Scan from a Hewlett-Packard ScanJet" spam / denegnashete.ru

This fake printer spam.. or Craigslist spam.. leads to malware on denegnashete.ru:

From: craigslist - automated message, do not reply [mailto:robot@craigslist.org]
Sent: 18 September 2012 11:44
Subject: Re: Fwd: Scan from a Hewlett-Packard ScanJet #97273

A document was scanned and sent to you using a Hewlett-Packard HP18412598P


Sent to you by: SIDNEY
Pages : 7
Filetype(s): Images (.jpeg) View

Location: not set.
Device: P91162592KLLD

The malicious payload is at [donotclick]denegnashete.ru:8080/forum/links/column.php (report here) hosted on the same IPs as found here.

Thursday, 16 August 2012

"Scan from a Hewlett-Packard ScanJet" spam / anapoli.ru

More fake printer spam, this time leading to malware on anapoli.ru:


Date:      Thu, 16 Aug 2012 12:20:25 +0500
From:      Mariah Gunn via LinkedIn [member@linkedin.com]
Subject:      Fwd: Scan from a Hewlett-Packard ScanJet #88682504
Attachments:     HP_scanDoc.htm

Attached document was scanned and sent



to you using a Hewlett-Packard HP 90027P.

SENT BY : SAVANNAH
PAGES : 1
FILETYPE: .HTML [Internet Explorer File]

The malicious payload is on [donotclick]anapoli.ru:8080/forum/showthread.php?page=5fa58bce769e5c2c (report here) hosted on a bunch of familiar looking IP addresses:
50.56.92.47 (Slicehost, US)
190.120.228.92 (Infolink, Panama)
203.80.16.81 (Myren, Malaysia)


Monday, 13 August 2012

"Scan from a Xerox WorkCentre Pro" spam / mirdymas.ru

This spam leads to malware on mirdymas.ru:

From: messages-noreply@bounce.linkedin.com [mailto:messages-noreply@bounce.linkedin.com] On Behalf Of LinkedIn Password
Sent: 13 August 2012 08:59
Subject: Fwd: Re: Re: Scan from a Xerox WorkCentre Pro #9484820

A Document was sent to you using a XEROX WorkJet OP578636.


SENT BY : JIN
IMAGES : 1
FORMAT (.JPEG) DOWNLOAD

DEVICE: 109A62DS953L

The malicious payload is at [donotclick]mirdymas.ru:8080/forum/showthread.php?page=5fa58bce769e5c2 (report here) hosted on the following familiar IP addresses:

46.51.218.71 (Amazon, Ireland)
71.89.140.153 (Cloudaccess.net, US)
203.80.16.81 (Myren, Malaysia)

Blocking access to these IPs will prevent other malicious sites on the same servers from being a problem.

Thursday, 28 June 2012

NACHA Spam / porscheforumspb.ru

This fake NACHA spam leads to malware on porscheforumspb.ru:

Date:      Wed, 27 Jun 2012 06:18:09 -0430
From:      "Electronic Payments Association" [donotreply@nacha.org]
Subject:      Fwd: ACH Transfer rejected

The ACH transfer, initiated from your bank account, was canceled.

Canceled transfer:

Bath Nr.: FE-45452995330US

Transaction Report: View



ADELINE Jewell

Automated Clearing House, NACHA

The malicious payload is on [donotclick]porscheforumspb.ru:8080/forum/showthread.php?page=5fa58bce769e5c2c (report here), hosted on the following IPs:

110.234.176.99 (Tulip Telecom, India)
128.134.57.112 (Seoul Kwangun University, Korea)
190.81.107.70 (Telmex, Peru)

Tuesday, 12 June 2012

"Your Flight Order А994284" / saprolaunimaxim.ru

This fake flight email leads to malware on saprolaunimaxim.ru.

From: Simonne Storey [sandy@krishermckay.com]
Subject: Your Flight Order А994284

Dear Customer,

FLIGHT NUMBER A45-342
DATE & TIME / JUNE 27, 2012, 10:140 PM
ARRIVING: NEW YORK JFK
TOTAL PRICE : 456.62 USD

Please download and print out your ticket here:
DOWNLOAD

Amercian Airlines{br[1-5]}

The link goes to a malicious payload on [donotclick]saprolaunimaxim.ru:8080/forum/showthread.php?page=5fa58bce769e5c2c (report here) hosted on the following IP addresses:

89.108.75.155 (Agava Ltd, Russia)
50.57.43.49 (Slicehost, US)
50.57.88.200 (Slicehost, US)

The following IPs and domains are also connected to this malware and should be considered hostile: