Date: Mon, 17 Feb 2014 16:19:40 -0700 [18:19:40 EST]
From: accounts@pcfa.co.in
Subject: Image has been sent
Image has been sent.
DSC_990341.jpg 33 Kbytes
Go To Evernote
Copyright 2014 Evernote Corporation. All rights reserved
The links in the email go to:
[donotclick]www.aka-im.org/1.html
[donotclick]bluebuddha.us/1.html
Which in turn loads a script from:
[donotclick]merdekapalace.com/1.txt
[donotclick]www.shivammehta.com/1.txt
That in turn attempts to load a script from [donotclick]opheevipshoopsimemu.ru:8080/dp2w4dvhe2, a hostname that is multihomed on the following IPs:
31.222.178.84 (Rackspace, UK)
37.59.36.223 (OVH, France)
54.254.203.163 (Amazon Data Services, Singapore)
78.108.93.186 (Majordomo LLC, Russia)
78.129.184.4 (Iomart Hosting, UK)
140.112.31.129 (TANET, Taiwan)
180.244.28.149 (PT Telkom Indonesia, Indonesia)
202.22.156.178 (Broadband ADSL, New Caledonia)
The URLquery report on the landing site indicates a possible Angler Exploit Kit, although the code itself is hardened against analysis.
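As an added illustration (not code from the original post), the Python below checks a set of resolution records for the multihoming pattern seen above, where one hostname resolves to IPs at unrelated hosting providers across several countries, and builds the IP-and-domain block list from the flagged hosts. The eight records for opheevipshoopsimemu.ru are the IPs listed in the post; the `example-cdn.test` rows are constructed for contrast.

```python
# Added example: flag hostnames "multihomed" across many unrelated hosting
# providers (the exploit-kit landing host pattern above) and emit a block list.
from collections import defaultdict

# Resolution records as (hostname, ip, provider, country). The first eight rows
# are the IPs given in the post; the "example-cdn.test" rows are constructed
# for contrast and are not from the post.
RECORDS = [
    ("opheevipshoopsimemu.ru", "31.222.178.84", "Rackspace", "UK"),
    ("opheevipshoopsimemu.ru", "37.59.36.223", "OVH", "France"),
    ("opheevipshoopsimemu.ru", "54.254.203.163", "Amazon Data Services", "Singapore"),
    ("opheevipshoopsimemu.ru", "78.108.93.186", "Majordomo LLC", "Russia"),
    ("opheevipshoopsimemu.ru", "78.129.184.4", "Iomart Hosting", "UK"),
    ("opheevipshoopsimemu.ru", "140.112.31.129", "TANET", "Taiwan"),
    ("opheevipshoopsimemu.ru", "180.244.28.149", "PT Telkom Indonesia", "Indonesia"),
    ("opheevipshoopsimemu.ru", "202.22.156.178", "Broadband ADSL", "New Caledonia"),
    ("example-cdn.test", "192.0.2.10", "Example Hosting", "UK"),  # constructed
    ("example-cdn.test", "192.0.2.11", "Example Hosting", "UK"),  # constructed
]


def provider_spread(records):
    """Map each hostname to the distinct (provider, country) pairs it resolves to."""
    spread = defaultdict(set)
    for host, _ip, provider, country in records:
        spread[host].add((provider, country))
    return spread


def multihomed_hosts(records, min_providers=4):
    """Hostnames whose A records span at least `min_providers` unrelated providers.

    A legitimate CDN normally stays within one or two providers; a pool of
    compromised hosts spread across unrelated networks on several continents,
    as above, is the pattern worth flagging.
    """
    return sorted(h for h, p in provider_spread(records).items() if len(p) >= min_providers)


def blocklist(records, min_providers=4):
    """Flagged hostnames plus every IP they resolve to, the list the post recommends blocking."""
    flagged = set(multihomed_hosts(records, min_providers))
    ips = {ip for host, ip, _p, _c in records if host in flagged}
    ordered = sorted(ips, key=lambda s: tuple(int(o) for o in s.split(".")))
    return {"hosts": sorted(flagged), "ips": ordered}


if __name__ == "__main__":
    result = blocklist(RECORDS)
    print("block hosts:", *result["hosts"])
    print("block ips:", *result["ips"])
```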
There are a number of other hostile sites on those same IPs (listed below in italics). I would recommend blocking the following IPs and domains: