The Latest in IT Security

“Scan from a Xerox WorkCentre Pro” spam with malicious attachment / cojsdhfhhlsl.ru

13 Feb 2012

Here’s a slightly new twist on a very familiar theme: an email attachment that contains an HTML page with obfuscated JavaScript, leading to malware.

Date: Sun, 11 Feb 2012 12:26:18 +0100
From: “JANICE Heller” [[email protected]]
Subject: Re: Scan from a Xerox WorkCentre Pro #383806
Attachments: Xerox_Doc_X30366.htm

Please open the attached document. It was scanned and sent to you using a Xerox WorkCentre Pro.

Sent by: Guest
Number of Images: 8
Attachment File Type: .HTML [Internet Explorer Format]

WorkCentre Pro Location: machine location not set
Device Name: KDX157PS0MSUDX382782

The file Xerox_Doc_X30366.htm attempts to open a malicious web page at cojsdhfhhlsl.ru:8080/images/aublbzdni.php which contains the Blackhole exploit kit (the Wepawet report is here).
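An HTML attachment that carries script is the whole delivery mechanism here, so a mail gateway can triage this class of message before anyone opens it. The following is an added example, not code from the original post: it parses a MIME message, picks out attachments that are HTML by filename or content type, and reports whether each one contains a `<script>` block. The message it builds is constructed for the demo from the headers quoted above; the sender address and the attachment body are placeholders, not the real spam content.

```python
"""Flag e-mail attachments that are HTML files carrying script.

Added example (not from the original post). The sample message is
constructed to mirror the quoted headers; the .htm body is a harmless
placeholder that merely contains a <script> tag.
"""
import re
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

HTML_EXTENSIONS = (".htm", ".html")
HTML_TYPES = {"text/html", "application/xhtml+xml"}
# Presence of any <script> element inside an HTML attachment is enough to
# route the message for quarantine or manual review.
SCRIPT_PATTERN = re.compile(rb"<script\b", re.IGNORECASE)


def build_sample_message() -> bytes:
    """Construct a message modelled on the spam quoted in the post."""
    msg = EmailMessage()
    msg["From"] = "JANICE Heller <sender@example.invalid>"  # constructed address
    msg["To"] = "recipient@example.invalid"                # constructed address
    msg["Subject"] = "Re: Scan from a Xerox WorkCentre Pro #383806"
    msg.set_content(
        "Please open the attached document. It was scanned and sent\n"
        "to you using a Xerox WorkCentre Pro.\n"
    )
    # Placeholder attachment body: a script tag with no real payload.
    html_body = b"<html><body><script>/* placeholder */</script></body></html>"
    msg.add_attachment(
        html_body, maintype="text", subtype="html",
        filename="Xerox_Doc_X30366.htm",
    )
    return bytes(msg)


def flag_html_attachments(raw: bytes) -> list[dict]:
    """Return one finding per HTML attachment in the raw RFC 5322 message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        filename = part.get_filename() or ""
        ctype = part.get_content_type()
        looks_html = (filename.lower().endswith(HTML_EXTENSIONS)
                      or ctype in HTML_TYPES)
        if part.get_content_disposition() != "attachment" or not looks_html:
            continue
        payload = part.get_payload(decode=True) or b""  # undo base64 etc.
        findings.append({
            "filename": filename,
            "content_type": ctype,
            "size": len(payload),
            "has_script": bool(SCRIPT_PATTERN.search(payload)),
        })
    return findings


if __name__ == "__main__":
    for finding in flag_html_attachments(build_sample_message()):
        verdict = "QUARANTINE" if finding["has_script"] else "allow"
        print(f"{verdict}: {finding['filename']} ({finding['content_type']}, "
              f"{finding['size']} bytes)")
```

The check is deliberately coarse: legitimate scanners send PDFs or images, so an HTML attachment containing any script at all is a strong enough signal for a gateway to hold the message, and no attempt is made to deobfuscate the JavaScript itself.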

This domain is multihomed on some very familiar-looking IP addresses; in fact, they are almost identical to this spam attack. If you have blocked those IPs then you will be protected against this one.

For the record, the IPs and hosts are:
46.105.97.103 (OVH Systems, France)
46.137.251.11 (Amazon Data Services, Ireland)
50.31.1.105 (Steadfast Networks, US)
50.57.77.119 (Slicehost, US)
50.57.118.247 (Slicehost, US)
50.76.184.100 (Comcast Business Communications, US)
69.60.117.183 (Colopronto, US)
72.22.83.93 (iPower, US)
78.83.233.242 (MVN Systems Ltd, Bulgaria)
87.120.41.155 (Neterra Ltd, Bulgaria)
88.191.97.108 (Free SAS / ProXad, France)
93.189.88.198 (SiliconTower, Spain)
98.158.180.244 (Hosting Services Inc, US)
125.214.74.8 (Web24 Pty Ltd, Australia)
173.203.51.174 (Slicehost, US)
173.255.229.33 (Linode, US)
174.122.121.154 (ThePlanet, US)
184.106.151.78 (Slicehost, US)
184.106.200.65 (Slicehost, US)
184.106.237.210 (Slicehost, US)
190.106.129.43 (G2KHosting, Argentina)
200.169.13.84 (Century Telecom Ltda, Brazil)
204.12.252.82 (Jaidee Daijai, US)
209.114.47.158 (Slicehost, US)

If you need a plain listing for pasting into a blocklist, use:
46.105.97.103
46.137.251.11
50.31.1.105
50.57.77.119
50.57.118.247
50.76.184.100
69.60.117.183
72.22.83.93
78.83.233.242
87.120.41.155
88.191.97.108
93.189.88.198
98.158.180.244
125.214.74.8
173.203.51.174
173.255.229.33
174.122.121.154
184.106.151.78
184.106.200.65
184.106.237.210
190.106.129.43
200.169.13.84
204.12.252.82
209.114.47.158
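Because the hosting is shared across campaigns, the plain listing above is more useful as a detection and blocking set than as a one-off lookup. The following is an added example, not code from the original post: it loads the 24 addresses and the domain named in the post, runs them against a few constructed proxy log lines, and emits iptables rules for the same set. The log format (timestamp, client IP, destination IP, URL) and every client address in it are invented for the demo.

```python
"""Match proxy log lines against the post's IP and domain indicators.

Added example (not from the original post). The blocklist and domain are
taken from the post; the log lines and their client addresses are
constructed for the demo.
"""
import ipaddress
from urllib.parse import urlsplit

# The 24 addresses listed in the post.
BLOCKLIST = frozenset(ipaddress.ip_address(a) for a in """
46.105.97.103 46.137.251.11 50.31.1.105 50.57.77.119 50.57.118.247
50.76.184.100 69.60.117.183 72.22.83.93 78.83.233.242 87.120.41.155
88.191.97.108 93.189.88.198 98.158.180.244 125.214.74.8 173.203.51.174
173.255.229.33 174.122.121.154 184.106.151.78 184.106.200.65
184.106.237.210 190.106.129.43 200.169.13.84 204.12.252.82 209.114.47.158
""".split())

# Domain named in the post; matched case-insensitively on the URL host.
MALICIOUS_HOSTS = frozenset({"cojsdhfhhlsl.ru"})

# Constructed log lines: "<epoch> <client_ip> <dest_ip> <url>".
SAMPLE_LOG = """\
1328961978 10.0.0.15 46.137.251.11 http://cojsdhfhhlsl.ru:8080/images/aublbzdni.php
1328961990 10.0.0.22 173.255.229.33 http://example-rotated-host.invalid:8080/images/
1328962001 10.0.0.31 93.184.216.34 http://www.example.com/index.html
1328962010 10.0.0.15 192.0.2.77 http://CojsdhfhhlsL.ru:8080/images/install.php?lang=en
"""


def match_line(line: str):
    """Return (client_ip, reasons) if the line hits an indicator, else None."""
    fields = line.split(maxsplit=3)
    if len(fields) < 4:
        return None
    _ts, client, dest, url = fields
    try:
        dest_ip = ipaddress.ip_address(dest)
    except ValueError:
        return None  # malformed destination field; skip the line
    reasons = []
    if dest_ip in BLOCKLIST:
        reasons.append(f"destination {dest} is on the blocklist")
    host = (urlsplit(url).hostname or "").lower()
    if host in MALICIOUS_HOSTS:
        reasons.append(f"host {host} is a known malicious domain")
    return (client, reasons) if reasons else None


def scan_log(text: str) -> list:
    """Run match_line over every line and collect the hits."""
    return [hit for hit in (match_line(l) for l in text.splitlines()) if hit]


def iptables_rules(chain: str = "OUTPUT") -> list:
    """Render the blocklist as one DROP rule per address, sorted numerically."""
    return [f"iptables -A {chain} -d {ip} -j DROP" for ip in sorted(BLOCKLIST)]


if __name__ == "__main__":
    for client, reasons in scan_log(SAMPLE_LOG):
        print(f"{client}: " + "; ".join(reasons))
    print("\n".join(iptables_rules()))
```

The second sample line matters most: it hits on the destination address alone, which is how a blocklist built from this post catches a later campaign that reuses the hosting but rotates the domain. The fourth line shows the reverse case, a listed domain resolving to an address not yet on the list, which is why both indicator types belong in the rule set.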

  1. Kafeine February 14, 2012

    Thanks for sharing.
    Small comment: I think it’s not a Blackhole Exploit Kit but a Phoenix Exploit Kit
    (see: hxxp://cojsdhfhhlsl.xx:8080/images/install.php?lang=en )
