The Latest in IT Security

Intuit.com spam / dhjhgfkjsldkjdj.ru

04 Apr 2012

Another fake Intuit spam leading to malware, this time on dhjhgfkjsldkjdj.ru:

Date:      Wed, 4 Apr 2012 11:33:37 +0100
From:      pXTwWE@gmail.com
Subject:      Dowload your Intuit.com invoice.
Attachments:     Intuit_Order-255798.htm

Dear customer: Thank you for ordering from Intuit Market. We are processing and will message you when your order ships. If you ordered multiple items, we may sned them in more than one delivery (at no extra cost to you) to ensure quicker delivery. If you have questions about your order please call 1-900-374-9959 ($2.89/min).
ORDER INFORMATION
Please download your complete order id #5400523 from the attachment.(Open with Internet Explorer)
©2012 Intuit, Inc. All rights reserved. Intuit, the Intuit Logo, Quickbooks, Quicken and TurboTax, among others, are registered trademarks of Intuit Inc.

The malware is a Phoenix exploit kit at dhjhgfkjsldkjdj.ru:8080/navigator/jueoaritjuir.php (Wepawet Report here) which is multihomed on the IPs below, a very similar list to this recent spam run.

41.66.137.155 (AfricaINX, South Africa)
41.168.5.140 (Neotel Pty, South Africa)
61.187.191.16 (ChinaNet Hunan, China)
62.85.27.129 (Microlink, Latvia)
78.83.233.242 (Spectrum Net JSC, Bulgaria)
78.107.82.98 (Vimpelcom, Russia)
89.218.55.51 (Kazakhtelecom, Kazakhstan)
125.19.103.198 (Bharti Infotel Ltd, India)
180.235.150.72 (Ardh Global, Indonesia)
194.85.97.121 (State Technical University of Saint-Petersburg, Russia)
200.169.13.84 (Comite Gestor Da Internet, Brazil)
202.149.85.37 (Satata Neka Tama, Indonesia)
210.56.23.100 (Commission For Science And Technology, Pakistan)
210.56.24.226 (Commission For Science And Technology, Pakistan)
210.109.108.210 (Sejong Telecom, Korea)
211.44.250.173 (SK Broadband Co Ltd, Korea)
219.94.194.138 (Sakura Internet, Japan)
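A mail-triage check for the two traits visible in the message quoted above (Intuit branding on mail sent from a gmail.com address, and an .htm attachment), as an added example that is not part of the original post. The `triage` function, the `BRAND_DOMAINS` allow-list and the MIME layout of the sample are assumptions; only the header values come from the post.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample rebuilt from the headers quoted in the post; the MIME
# boundary and the attachment body are placeholders, not the real payload.
SAMPLE = """\
Date: Wed, 4 Apr 2012 11:33:37 +0100
From: pXTwWE@gmail.com
Subject: Dowload your Intuit.com invoice.
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b0"

--b0
Content-Type: text/plain

Please download your complete order id #5400523 from the attachment.
--b0
Content-Type: text/html; name="Intuit_Order-255798.htm"
Content-Disposition: attachment; filename="Intuit_Order-255798.htm"

<html><!-- placeholder --></html>
--b0--
"""

BRAND = "intuit"                 # brand named in the Subject and attachment
BRAND_DOMAINS = {"intuit.com"}   # assumption: domains the brand really sends from
HTML_EXT = re.compile(r"\.(html?|xhtml)$", re.I)

def triage(raw):
    """Return which of the traits seen in the post this message shows."""
    msg = message_from_string(raw)
    hits = []
    sender = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    # Attachment names from every MIME part ("" when a part has none).
    names = [part.get_filename() or "" for part in msg.walk()]
    branded = BRAND in (msg.get("Subject", "") + " " + " ".join(names)).lower()
    on_brand = any(sender == d or sender.endswith("." + d) for d in BRAND_DOMAINS)
    if branded and not on_brand:
        hits.append("brand-sender-mismatch")   # claims the brand, sent from elsewhere
    if any(HTML_EXT.search(n) for n in names):
        hits.append("html-attachment")         # local HTML file the user is told to open
    return hits

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Both traits are weak signals on their own and the From header is trivially forged, so the result is better used as input to a quarantine score than as a verdict.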

