There are two injected elements, one is a .in site hosted on 18.104.22.168 [Leaseweb, Netherlands] which could be one of the following:
There’s a pretty inconclusive Wepawet report here but be assured that these domains have a malicious payload.
The second injection is a reference to lpicture.info which is hosted on 22.214.171.124, this is a Leasweb Germany IP address suballocated to inferno.name who appear to be a Serbian firm fronted in the UK. I strongly recommend blocking all their IP ranges (listed here) if you can. lpicture.info merely forwards to a malicious payload on ghjvodka.info (report here) and that in turn is listed on 126.96.36.199 (OVH, France) along with some other suspect looking sites that lead be to conclude that this IP address is worth blocking too:
This malware seems to be quite good at avoid analysis. But if you can block these IPs then I strongly recommend that you block them.
Leave a reply