Back to the Citi malware

This spam email is not a phishing scam that is after your banking information (at least not right away). Instead, it wants to add your computer to a large botnet.

Clicking on the link launches the drive-by download infection. It’s one of those situations where you can’t finish swearing before it’s too late:

A successful infection loads the following:

tradifrance.net/NGxo03v6/index.html
urbannex.co.za/SVVsEJwY/js.js
shokani.net/YvKDGVwn/js.js
69.194.194.90/showthread.php?t=4a6d866826776084
69.194.194.90/favicon.ico
69.194.194.90/Cal.jar
69.194.194.90/data/hcp_vbs.php?f=0cf26&d=0
69.194.194.90/q.php?f=0cf26&e=0
69.194.194.90/q.php?e=5&f=0cf26

The Java exploit (Cal.jar) currently has zero detections on VirusTotal.
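Since the Java archive itself is not yet flagged by antivirus engines, the practical way to spot this on a network is to look for the shape of the chain above in proxy logs rather than for the file. The following is an added example (not code from the original post or from Malwarebytes) that classifies each request into a stage of the chain and alerts when one client hits the landing page, the .jar and the payload fetch within a short window. The stage heuristics (an 8-character random directory in front of index.html or js.js, a bare-IP host serving showthread.php with a 16-hex-digit t= value, a .jar from the same bare IP, and q.php / hcp_vbs.php keyed by f=) are this example's own assumptions distilled from the URLs listed above, and the proxy log lines are constructed for the demonstration.

```python
import re
from datetime import datetime, timedelta
from ipaddress import ip_address
from urllib.parse import parse_qs, urlsplit

# Constructed proxy log lines (not from the original post): "<ISO time> <client ip> <status> <url>".
# The first client replays the chain listed above; the second is benign traffic that superficially
# resembles it (a real forum's showthread.php, a js.js on a CDN) and must not alert.
SAMPLE_LOG = """\
2012-07-12T09:14:02 10.0.0.5 200 http://tradifrance.net/NGxo03v6/index.html
2012-07-12T09:14:03 10.0.0.5 200 http://urbannex.co.za/SVVsEJwY/js.js
2012-07-12T09:14:03 10.0.0.5 200 http://shokani.net/YvKDGVwn/js.js
2012-07-12T09:14:05 10.0.0.5 200 http://69.194.194.90/showthread.php?t=4a6d866826776084
2012-07-12T09:14:05 10.0.0.5 404 http://69.194.194.90/favicon.ico
2012-07-12T09:14:07 10.0.0.5 200 http://69.194.194.90/Cal.jar
2012-07-12T09:14:09 10.0.0.5 200 http://69.194.194.90/data/hcp_vbs.php?f=0cf26&d=0
2012-07-12T09:14:11 10.0.0.5 200 http://69.194.194.90/q.php?f=0cf26&e=0
2012-07-12T09:20:00 10.0.0.9 200 http://www.example.com/forum/showthread.php?t=12345
2012-07-12T09:21:00 10.0.0.9 200 http://cdn.example.com/lib/js.js
"""

# Heuristics distilled from the chain above; these are the example's assumptions, not published signatures.
_RANDOM_DIR = re.compile(r"^/[A-Za-z0-9]{8}/(?:index\.html|js\.js)$")
_LANDING = re.compile(r"^/showthread\.php$")
_PAYLOAD = re.compile(r"^/(?:q\.php|data/hcp_vbs\.php)$")


def _is_ip_literal(host: str) -> bool:
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def classify(url: str):
    """Map a URL onto a stage of the drive-by chain, or None if it looks unrelated."""
    parts = urlsplit(url)
    host, path = parts.hostname or "", parts.path
    query = parse_qs(parts.query)
    if _RANDOM_DIR.match(path):
        return "redirector"  # compromised site or loader script under a random 8-char directory
    if not _is_ip_literal(host):
        return None  # every later stage in this chain is served straight from a bare IP
    if _LANDING.match(path) and re.fullmatch(r"[0-9a-f]{16}", query.get("t", [""])[0]):
        return "landing"  # forum-looking path carrying a 16-hex-digit token instead of a thread id
    if path.lower().endswith(".jar"):
        return "java_exploit"  # applet fetched right after the landing page
    if _PAYLOAD.match(path) and "f" in query:
        return "payload"  # exploit-specific stage and final payload fetch, keyed by the same f= value
    return None


def parse_line(line: str):
    """Parse one constructed log line into (timestamp, client, status, url)."""
    ts, client, status, url = line.split(maxsplit=3)
    return datetime.fromisoformat(ts), client, int(status), url


def find_chains(log_text: str, window: int = 120):
    """Per client, collect successful stage hits and alert when landing, java_exploit and
    payload all occur within `window` seconds: the whole chain, not a stray lookalike URL."""
    hits = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, status, url = parse_line(line)
        stage = classify(url)
        if stage and status == 200:
            hits.setdefault(client, []).append((ts, stage, url))

    required = {"landing", "java_exploit", "payload"}
    alerts = []
    for client, events in hits.items():
        events.sort()
        for i, (t0, _, _) in enumerate(events):
            span = [e for e in events[i:] if e[0] - t0 <= timedelta(seconds=window)]
            if required <= {s for _, s, _ in span}:
                alerts.append({
                    "client": client,
                    "first_seen": span[0][0].isoformat(),
                    "stages": [s for _, s, _ in span],
                    "urls": [u for _, _, u in span],
                })
                break  # one alert per client is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in find_chains(SAMPLE_LOG):
        print(alert["client"], alert["first_seen"], " -> ".join(alert["stages"]))
```

The benign forum request is ignored because it sits on a named host with a numeric thread id, and the CDN js.js is ignored because its directory is not the 8-character random token; only the client that fetches the landing page, the applet and the payload from the same bare IP inside two minutes produces an alert. In production you would tune the window and stage set to the chains you actually see, but the principle holds: the individual artifacts may evade signatures while the sequence of requests does not.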

Jerome Segura
