This fake Intuit QuickBooks spam leads to malware:
From: QUICKBOOKS ONLINE [qbservices@customersupport.intuit.com]
Date: 30 November 2015 at 10:42
Subject: INTUIT QB
As of November 5th, 2015, we will be updating the browsers we support. We encourage you to upgrade to the latest version for the best online experience. Please proceed the following link, download and install the security update for all supported browsers to be on top with INTUIT online security!
InTuIT. | simplify the business of life
© 2015 Intuit Inc. All rights reserved. Intuit and QuickBooks are registered trademarks of Intuit Inc. Terms and conditions, features, support, pricing, and service options subject to change without notice.
The spam is almost identical to this one, which led to Nymaim ransomware.
In this particular spam, the email went to a landing page at updates.intuitdataserver-1.com/sessionid-7ec395d0628d6799669584f04027c7f6 which then attempts to download a fake Firefox update.
This executable has a VirusTotal detection rate of 3/55; the MD5 is 592899e0eb3c06fb9fda59d03e4b5b53. The Hybrid Analysis report shows the malware attempting to POST to mlewipzrm.in, which is multihomed on:
89.163.249.75 (myLoc managed IT AG, Germany)
188.209.52.228 (BlazingFast LLC, Ukraine / NForce Entertainment, Romania)
95.173.164.212 (Netinternet Bilgisayar ve Telekomunikasyon San. ve Tic. Ltd. Sti., Turkey)
The nameservers for mlewipzrm.in are NS1.REBELLECLUB.NET and NS2.REBELLECLUB.NET, which are hosted on the following IPs:
210.110.198.10 (KISTI, Korea)
52.61.88.21 (Amazon AWS, US)
These nameservers support the following malicious domains:
The download location uses a pair of nameservers, NS1.MOMEDEFER.PW and NS1.PRIZEBROCK.PW. If we factor in the NS2 servers as well, we get a set of malicious IPs:
5.135.237.209 (OVH, France)
196.52.21.11 (LogicWeb, US / South Africa)
75.127.2.116 (Foroquimica SL / ColoCrossing, US)
These nameservers support the following malicious domains:
As far as I can tell, these domains are hosted on the following IPs:
52.91.28.199 (Amazon AWS, US)
213.238.170.217 (Eksen Bilisim, Turkey)
75.127.2.116 (Foroquimica SL / ColoCrossing, US)
I recommend that you block the following IPs and/or domains:
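As an added example (not from the original post), here is how the block recommendation above can be turned into a proxy-log check: it matches hosts against the indicators named in the text (the landing-page domain, the C2 domain and its three hosting IPs, and the two .pw nameserver domains), treating any subdomain of a blocked domain as a hit so that updates.intuitdataserver-1.com is caught by intuitdataserver-1.com. The log lines are constructed for the demonstration.

```python
import ipaddress
import re

# Indicators taken from the post above: landing-page domain, C2 domain
# and its hosting IPs, and the nameserver domains for the download site.
BLOCKED_DOMAINS = {
    "intuitdataserver-1.com",
    "mlewipzrm.in",
    "momedefer.pw",
    "prizebrock.pw",
}
BLOCKED_IPS = {
    ipaddress.ip_address(ip)
    for ip in ("89.163.249.75", "188.209.52.228", "95.173.164.212")
}

# Constructed proxy log lines (not from the post): client, method, URL.
SAMPLE_LOG = """\
10.0.0.7 GET http://updates.intuitdataserver-1.com/sessionid-7ec395d0628d6799669584f04027c7f6
10.0.0.7 GET http://www.mozilla.org/firefox/
10.0.0.7 POST http://mlewipzrm.in/
10.0.0.9 POST http://188.209.52.228/
10.0.0.9 GET http://quickbooks.intuit.com/
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+\w+://([^/:\s]+)")

def domain_is_blocked(host: str) -> bool:
    """True if host equals a blocked domain or is a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in BLOCKED_DOMAINS)

def host_is_blocked(host: str) -> bool:
    """Handle both literal IPs (direct beaconing) and hostnames."""
    try:
        return ipaddress.ip_address(host) in BLOCKED_IPS
    except ValueError:
        return domain_is_blocked(host)

def find_hits(log: str) -> list:
    """Return (client, method, host) for every log line touching an indicator."""
    hits = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m and host_is_blocked(m.group(3)):
            hits.append(m.groups())
    return hits

if __name__ == "__main__":
    for client, method, host in find_hits(SAMPLE_LOG):
        print(f"{client} {method} {host}")
```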