- Wed, Nov 20 2013
- #DhiaLite - New Malware campaign on 88.198.198.83 shares infrastructure with Citadel and Cryptolocker.
- Details further down.
- A new set of malware subdomains started resolving to 88.198.198.83 yesterday.
- All of them sit under the 2LD dns8w.com, which was registered on 18-Nov-2013.
- Both the subdomains and the IP are dropping Worm:Win32/Vobfus.HK.
- https://www.virustotal.com/en/ip-address/88.198.198.83/information/
- The subdomains take the form [0-9]{5}.dns8w.com (a five-digit label under dns8w.com).
- #Sample subdomains on 88.198.198.83
- Furthermore, the domains listed below are also hosted on 88.198.198.83. They appeared between 2013-08-19 and 2013-11-06 and are currently live.
- All of these domains use ns1.sochi2013.su and ns2.sochi2013.su as nameservers, which resolve to:
- ns1.sochi2013.su 81.177.170.217
- ns2.sochi2013.su 81.177.170.218
- 81.177.170.217 and 81.177.170.218 are dropping TrojanDownloader:Win32/Cutwail
- https://www.virustotal.com/en/ip-address/81.177.170.217/information/
- https://www.virustotal.com/en/ip-address/81.177.170.218/information/
- 81.177.170.217 and 81.177.170.218 are currently live.
- An example malware file dropped from 81.177.170.217 is http://81.177.170.218/jopa.exe
- VT and Malwr reports:
- https://www.virustotal.com/en/file/76f931200b8e726ba8c4a3e5f88c958e972ee3dca47379ba5c7dd93a0b782ff3/analysis/1384925687/
- https://malwr.com/analysis/ZWQ2M2FlMmViMDhhNDA4NmE2YWQzNWQxNmMwOWFhMmE/
- In addition, several IPs in the same /24 as 81.177.170.217 have been serving other malware campaigns.
- The most notable is 81.177.170.166, which has been serving as a Citadel CnC and as a Cryptolocker dropper and CnC.
- 81.177.170.166 is currently live.
- http://www.spamhaus.org/sbl/listings/openhosting.ru
- https://www.virustotal.com/en/ip-address/81.177.170.166/information/
- https://malwr.com/analysis/NWExNmQ0ZGQ3ZWRlNDc4MDkyYjEyM2I4NTdiYjlhMDg/
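- As an added example (not part of the paste), a small Python detector that applies the indicators above to DNS resolver logs: the [0-9]{5}.dns8w.com pattern, resolution to the listed IPs, the sochi2013.su nameservers and, at lower confidence, any answer inside 81.177.170.0/24. The log layout and the sample lines are constructed assumptions, not real traffic.

```python
import ipaddress
import re

# Indicators from the paste above (Nov 2013); the regex encodes its [0-9]{5}.dns8w.com observation.
DNS8W_RE = re.compile(r"^[0-9]{5}\.dns8w\.com$")
BAD_NS_SUFFIX = ".sochi2013.su"
BAD_IPS = {"88.198.198.83", "81.177.170.217", "81.177.170.218", "81.177.170.166"}
WATCH_NET = ipaddress.ip_network("81.177.170.0/24")  # lower confidence: same /24 as the CnC IPs
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (A|NS) (\S+)$")  # assumed layout: ts client qname qtype answer


def classify(qname, qtype, answer):
    """Return the indicators one DNS record matches (empty list if none)."""
    reasons = []
    qname, answer = qname.rstrip(".").lower(), answer.rstrip(".").lower()  # normalise FQDN forms
    if DNS8W_RE.match(qname):
        reasons.append("dns8w.com five-digit subdomain pattern")
    if qtype == "NS" and answer.endswith(BAD_NS_SUFFIX):
        reasons.append("nameserver under sochi2013.su")
    if qtype == "A":
        try:
            ip = ipaddress.ip_address(answer)
        except ValueError:
            return reasons  # malformed answer: keep any name-based match, skip IP checks
        if answer in BAD_IPS:
            reasons.append("resolves to known campaign IP " + answer)
        elif ip in WATCH_NET:
            reasons.append("resolves into watched /24 " + str(WATCH_NET))
    return reasons


def scan(lines):
    """Return (client, qname, reasons) for every log line that matches an indicator."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # not in the expected layout; skip
        _ts, client, qname, qtype, answer = m.groups()
        reasons = classify(qname, qtype, answer)
        if reasons:
            hits.append((client, qname.rstrip(".").lower(), reasons))
    return hits


# Constructed sample log (not real traffic). Three hits expected; the four-digit label must not match.
SAMPLE_LOG = [
    "2013-11-20T10:00:01Z 10.0.0.5 98520.dns8w.com A 88.198.198.83",
    "2013-11-20T10:00:02Z 10.0.0.5 www.example.com A 93.184.216.34",
    "2013-11-20T10:00:03Z 10.0.0.7 dateback1.com NS ns1.sochi2013.su.",
    "2013-11-20T10:00:04Z 10.0.0.9 host.example.net A 81.177.170.50",
    "2013-11-20T10:00:05Z 10.0.0.9 1234.dns8w.com A 1.2.3.4",
]
```

Running `scan(SAMPLE_LOG)` flags the first, third and fourth lines and ignores the clean lookup and the four-digit label; the /24 match is reported separately so it can be triaged at lower priority than a direct indicator hit.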
- END