Some sort of .htaccess hack is going on, redirecting users to
infernomag.com and then on to a malicious site that looks like it's downloading a Zbot variant. It only seems to work with Internet Explorer, and only when the page is accessed from a search engine (like Google). infernomag.com is hosted on
85.17.132.194 (Leaseweb) which is the same server as
gtracking.org which alters the .htaccess file
as described here.
infernomag.com then redirects users to one of at least two Leaseweb-hosted servers at
85.17.19.201 and
85.17.19.203 (possibly others). These servers have a number of domains on them that appear to belong to legitimate domains registered at GoDaddy by (mostly) UK users - it is likely that their domain control panels have been compromised. Examples are:
actually2.weddingphotographersurrey.net
amount9.gwdempseyjr.com
are5.gwdempseyjr.com
background1.photographbcn.com
brought0.gwdempseyjr.com
captain5.photographbcn.com
captain6.gwdempseyjr.com
charge7.photographbcn.com
signal6.photographbcn.com
completely8.gwdempseyjr.com
congress1.airduct-ventcleaning-mn.com
hard9.photographbcn.com
leading1.airduct-ventcleaning-mn.com
party4.gwdempseyjr.com
providence5.gwdempseyjr.com
safe1.gwdempseyjr.com
she1.weddingphotographerkent.net
tax6.weddingphotographersurrey.net
theory7.weddingphotographerkent.net
am1.theimperialsuspects.com
area6.bettyjaneware.com
belief7.theimperialsuspects.com
contact2.theimperialsuspects.com
cultural5.boneki.com
direct2.theimperialsuspects.com
enemy2.theimperialsuspects.com
baby3.trycue.com
liberal6.trycue.com
most0.ladyofvirtuestore.com
professional0.ladyofvirtuestore.com
Two domains on those servers that do not fit the pattern are:
gfaster.net
fortreecom.net
The WHOIS details are probably fake, for infernomag.com and gtracking.org they are:
Felix Maurer
sherman66@ymail.com
Waldowstr. 61
Gschwend Gschwend
74417 DE
+49 98466101
fortreecom.net uses the same email address but a different name:
Bernd Austerlit (sherman66@ymail.com)
Alt Reinickendorf 94
Ziemetshausen
Bayern,86471
DE
Tel. +82.84991251
Detection rates are rubbish. AntiVir detects the payload as
TR/Dropper.Gen, BitDefender as
Gen:Variant.Zbot.34, Ikarus as
Trojan.Win32.Pirminay and Sophos as
Mal/Ponmocup-A. Other products do not seem to detect anything at all.
Blocking those IPs of 85.17.132.194, 85.17.19.201 and 85.17.19.203 is safer than trying to block the domains. Blocking the whole /24s instead would probably cause very little inconvenience.