The Latest in IT Security

“Arch Coal Corp” spam lead to malware / coajsfooioas.ru and tuberkulesneporok.ru

14
Feb
2012

A slightly different spam from the usual Xerox rubbish, but with a similar malicious payload.. this time on the domains coajsfooioas.ru and tuberkulesneporok.ru.

Date:      Tue, 13 Feb 2012 04:59:42 +0900
From:      “DELL AVILES” Arch Coal Corp . [AfinaGuridi@auburn.edu]
Subject:      Re: Intercompany inv. from Arch Coal Corp.
Attachments:     Invoice_02_7_h158329.htm

Good day

Attached the intercompany inv. for the period Dec. 2011 til Jan.. 2012.

Thanks a lot for supporting this process

DELL AVILES

Arch Coal Corp. 

The obfuscated javascript in the attachment attempts to download malicious code from coajsfooioas.ru:8080/images/aublbzdni.php followed by more code from tuberkulesneporok.ru:8080/images/jw.php?i=8 (Wepawet report here).

These domains are multihosted on the same IPs as listed here. Blocking access to those IPs should stop further malware attacks from being successful.

Related posts:
  1. “Inter-company inv. from Aleris International Corp. ” / cruikdfoknaofa.ru
  2. “I’m in trouble! ” spam / ckjsfhlasla.ru
  3. “Scan from a Hewlett-Packard Officejet” malicious spam / cserimankra.ru and samaragotodokns.ru
  4. “End of Aug. Statement” spam / kamarovoskorlovo.ru and serebrokakzoloto.ru
  5. “Scan from a Hewlett-Packard ScanJet ” spam / debiudlasduisioa.ru

Tags:  
Written by Dynamoo's Blog
0 Comments

Leave a reply


Categories

SUNDAY, FEBRUARY 23, 2025
WHITE PAPERS

Mission-Critical Broadband – Why Governments Should Partner with Commercial Operators:
Many governments embrace mobile network operator (MNO) networks as ...

ARA at Scale: How to Choose a Solution That Grows With Your Needs:
Application release automation (ARA) tools enable best practices in...

The Multi-Model Database:
Part of the “new normal” where data and cloud applications are ...

Featured

Archives

Latest Comments