The redret.ru Connection

We had some time on our hands this weekend, so we took a closer look at the IPs used by the fast-flux network supporting the Blackhole Exploit Kits that drop the Bugat/Feodo banking trojans. If you recall from our previous posts “United Postal Service Tracking Number H7614058739” and “Rejection of your tax appeal”, the following IP addresses were part of a fast-flux network that hosted Blackhole Exploit Kits:


The IP 85.214.204.32 is of particular interest. In mid-January 2012 the domain cxredret[.]ru resolved to this IP. This domain was part of the family of *redret.ru domains that plagued the internet at the end of last year. The boys over at the Internet Storm Center blogged about the *redret.ru domains back on 2011-12-06. It should come as no surprise that the *redret.ru domains also hosted Blackhole Exploit Kits that dropped Bugat/Feodo banking trojans.
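The pivot above (known fast-flux IP, then every domain that ever resolved to it, then grouping the hits into the *redret.ru family) is easy to automate over passive DNS data. The script below is an added example, not code from this post; the cxredret.ru to 85.214.204.32 resolution comes from the post, while the second IP (192.0.2.10), the abredret.ru and example.net names and all dates are constructed placeholders.

```python
from collections import defaultdict
from datetime import date

# 85.214.204.32 is the IP discussed in the post; 192.0.2.10 is a constructed
# placeholder standing in for the rest of the fast-flux IP set.
KNOWN_FLUX_IPS = {"85.214.204.32", "192.0.2.10"}

# Constructed passive-DNS style records (domain, ip, first_seen). Only the
# cxredret.ru -> 85.214.204.32 row reflects the post; the rest are made up.
PDNS_RECORDS = [
    ("cxredret.ru", "85.214.204.32", date(2012, 1, 14)),
    ("cxredret.ru", "203.0.113.7", date(2012, 1, 15)),
    ("abredret.ru", "85.214.204.32", date(2011, 12, 2)),
    ("abredret.ru", "192.0.2.10", date(2011, 12, 3)),
    ("example.net", "198.51.100.9", date(2012, 1, 10)),
]

def index_by_ip(records):
    """Map each IP to the domains that resolved to it and the earliest first_seen per domain."""
    idx = defaultdict(dict)
    for domain, ip, seen in records:
        prev = idx[ip].get(domain)
        if prev is None or seen < prev:
            idx[ip][domain] = seen
    return idx

def pivot(known_ips, records):
    """Return {domain: sorted shared IPs} for every domain that used a known fast-flux IP."""
    idx = index_by_ip(records)
    hits = defaultdict(set)
    for ip in known_ips:
        for domain in idx.get(ip, {}):
            hits[domain].add(ip)
    return {d: sorted(ips) for d, ips in hits.items()}

def group_by_family(domains, suffix="redret.ru"):
    """Collapse names sharing a suffix into one family, as the post does with *redret.ru."""
    families = defaultdict(list)
    for d in sorted(domains):
        key = "*" + suffix if d.endswith(suffix) and d != suffix else d
        families[key].append(d)
    return dict(families)

def earliest_sighting(known_ips, records):
    """Earliest first_seen among the pivoted domains, bounding when the infrastructure was live."""
    idx = index_by_ip(records)
    dates = [seen for ip in known_ips for seen in idx.get(ip, {}).values()]
    return min(dates) if dates else None

if __name__ == "__main__":
    hits = pivot(KNOWN_FLUX_IPS, PDNS_RECORDS)
    for fam, names in group_by_family(hits).items():
        print(fam, {n: hits[n] for n in names})
    print("earliest sighting:", earliest_sighting(KNOWN_FLUX_IPS, PDNS_RECORDS))
```

With real passive DNS exports the same index also exposes the fast-flux signature itself: one name cycling through many IPs in a short window, which is what the second cxredret.ru row hints at.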
