Moar Intuit Spam

Ugh, another day … another Intuit-themed Spam run. Instead of including malicious links with the URL pattern /intu.html todays spam run linked to /int-market.html. The bad links redirected victims to a Blackhole Exploit kit at migdaliasbistro[.]net.

This exploit kit dropped a Bugat/Feodo payload with the MD5 e6e3f2dd452fad8d88E8156a4fa7ca2f.

This payload retrieved its configuration file/target list via a POST request to a command and control server at hbirjhcnsuiwgtrq[.]ru/rwx/B2_9w3/in/.

Note that the domain migdaliasbistro[.]net was hosted on a fast-flux network. This domain had A records with a TTL of 900 seconds and currently resolved to as well as A quick review of these IPs shows that they previously hosted Blackhole Exploit kits used in previous campaigns that weve covered in our posts “Triple Barrel Spam Cannon” and “Your Intuit Order“. Domains previously hosted on these IPs include:


The command and control server domain at hbirjhcnsuiwgtrq[.]ru was also hosted on a fast-flux network. This domain’s A record had a TTL of 60 seconds and currently resolved to the following IPs:

The fast-flux network used to host the command and control domain at hbirjhcnsuiwgtrq[.]ru appears to be a separate and distinct from the network hosting the exploit kit at migdaliasbistro[.]net. Note that the IPs hosting the hbirjhcnsuiwgtrq[.]ru domain overlap with the IPs mentioned in “The Redret Connection“.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: