Author Topic: Alert for ET POLICY HTTP Request to .su TLD (Soviet Union) Often Malware Related  (Read 3568 times)


Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33900
  • malware fighter
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37531
  • Not a avast user
Quote
IP given as clean here: https://www.virustotal.com/gui/url/71c4823b0ab40bfcdbf3249775c6fc627562e678f459f57360d253d34f4d4211/detection
See attached screenshot .... info is 3 years old
« Last Edit: November 17, 2019, 11:13:43 PM by Pondus »

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33900
  • malware fighter
Hi Pondus,

Probably you did not see the IP relations report at VT.
The info for that particular domain may be 3 years old, but in the meantime spamming from that IP under various Pharma-spam addresses has been going on: https://www.virustotal.com/gui/ip-address/159.148.186.238/relations

This is not three years ago (see quote), is it?
Quote
Scanned     Detections  URL
2019-11-17  5 / 71      -https://www.newdrugselement.ru/
2019-11-17  3 / 71      -http://magicmedsprogram.ru/
2019-11-17  1 / 71      -http://privatepillssale.eu/
2019-11-17  5 / 71      -http://www.newdrugselement.ru/
2019-11-15  1 / 71      -http://privatepillssale.eu/products/men_s_health/cialisviagra/order/
2019-11-14  2 / 71      -http://puremedicalsale.eu/
2019-11-10  1 / 71      -http://themedsbargain.eu/
2019-11-06  1 / 71      -http://medicalherbmall.ru/
2019-11-17  7 / 71      -http://luckyherbalmart.su/
2019-11-18  3 / 71      -http://myhealthdeal.su/


So abuse from that IP is going on all of the time, and the hoster probably turns a blind eye.

pol

Offline Michael (alan1998)

  • Massive Poster
  • ****
  • Posts: 2768
  • Volunteer
Quote from: polonus

I'm not sure how IP Relations works in VT - however I reran the IP Address in VirusTotal. I got pulled away before I could post the updated information.
VOLUNTEER

Senior Security Analyst; Sys Admin (Linux); Forensics/Incident Response.

Security is a mindset, not an application. Think BEFORE you click.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33900
  • malware fighter
Hi Michael (alan1998),

Whatever you mention there, it is a known fact that this IP source is spreading pharma-spam and performing brute force attacks.
No two ways about it, whatever new domains are being created for that specific reason,
residing on:
-159.148.186.238 (-159.148.186.128/25)
AS 200709 (SIA Bighost.lv)
LV

Through another search query result, the malware spreading from that particular IP is still alive and kicking,
be it that the malware spreading stays under 24 hrs or less for one particular domain:

Quote
15.67769
htxps://rechtsanwalt-chyla.de/wp-content/themes/twentyten/K_tripleback_celation.html
created 15 days ago / modified 15 days ago
Malware site - Hybrid-Analysis
contacted_host: 159.148.186.238 contacted_host.keyword: 159.148.186.238
 
11.441689
hxtp://dgd-pharma.com/chinchilla.html
created 14 days ago / modified 14 days ago
Malware site - Hybrid-Analysis
contacted_host: 159.148.186.238 contacted_host.keyword: 159.148.186.238

 
1
-159.148.186.238
created 15 days ago / modified 14 days ago
Mail Spammer - Barracuda Malware site - Hybrid-Analysis

 
1
-yourherbsvalue.eu
created 14 days ago / modified 14 days ago
Malware site - Hybrid-Analysis


and for one of these domains a further analysis report ->
Quote
Sample information
Antivirus detections: 0
IDS alerts: 0
Processes: 3
Http events: 0
Contacted hosts: 2
DNS Requests: 4
Malware site / malicious
Score: 8

Hashes
Filename: hxtps://rechtsanwalt-chyla.de/wp-content/themes/twentyten/K_tripleback_celation.html
md5: 2b5bd8ab2b4923084d6c33c257c3a459
sha1: ff7d12f5a166bfe7e86fc3d161eb9f8c132d313d
sha256: 4993c660586612ac5175f9ebade58b8dec3b0edd95328fd731fd4a6978200c65

Dates
Indexed: Sun Nov 03 2019 17:45:04 GMT+0100 (15 days ago)
Last modified: Sun Nov 03 2019 17:45:04 GMT+0100 (15 days ago)

Network contacts
DNS Requests:
-isrg.trustid.ocsp.identrust.com
-ocsp.int-x3.letsencrypt.org
-peto.magicherbssale.com
-rechtsanwalt-chyla.de
Contacted Hosts:
-80.150.6.143
-159.148.186.238

Process list
uid: 00097840-00002720
commandline: "%WINDIR%\System32\ieframe.dll",OpenURL C:\4993c660586612ac5175f9ebade58b8dec3b0edd95328fd731fd4a6978200c65.url
name: rundll32.exe
normalizedpath: %WINDIR%\System32\rundll32.exe
sha256: 3fa4912eb43fc304652d7b01f118589259861e2d628fa7c86193e54d5f987670

uid: 00097998-00004004
commandline: hxtps://rechtsanwalt-chyla.de/wp-content/themes/twentyten/K_tripleback_celation.html
name: iexplore.exe
normalizedpath: %PROGRAMFILES%\Internet Explorer\iexplore.exe
sha256: 8abc7daa81c8a20bfd88b6a60ecc9ed1292fbb6cedbd6f872f36512d9a194bba

uid: 00098026-00003892
commandline: SCODEF:4004 CREDAT:275457 /prefetch:2
name: iexplore.exe
normalizedpath: %PROGRAMFILES%\Internet Explorer\iexplore.exe
sha256: 8abc7daa81c8a20bfd88b6a60ecc9ed1292fbb6cedbd6f872f36512d9a194bba


Info source provided by maltiverse's repository for malware researchers.

General conclusion i.m.h.o. everything coming from this particular IP should be blocked a.s.a.p.

polonus (volunteer 3rd party cold recon website security analyst and website error-hunter)


« Last Edit: November 18, 2019, 04:48:51 PM by polonus »
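The reasoning in the posts above (take the VirusTotal relations listing for the IP, look at how many distinct pharma domains had detections recently, note the .su ones the ET POLICY rule fires on, and conclude the IP should be blocked) can be automated. The script below is an added example written for this thread; it is not code from the forum, VirusTotal, Hybrid Analysis, Emerging Threats or Avast. It parses the "Scanned / Detections / URL" listing exactly as it was pasted (one field per line, URLs defanged with a leading "-"), using the values quoted in the thread as constructed sample input, and produces a summary. The `POLICY_TLDS` set, the 30-day window and the `min_hosts` threshold are assumptions chosen for the example, not any vendor's policy.

```python
"""Added example, not from the thread nor any vendor's code: parse a
VirusTotal-style "Scanned / Detections / URL" relations listing for one
IP and summarise recent abuse (distinct hosts with detections in a window,
their TLDs, hosts under a "policy" TLD such as .su).  Thresholds are
assumptions made for this example."""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass
from datetime import date, timedelta
from urllib.parse import urlsplit

# Constructed sample input: the listing as pasted in the thread, one field
# per line, URLs defanged with a leading '-'.
RELATIONS_LISTING = "\n".join([
    "Scanned", "Detections", "URL",
    "2019-11-17", "5", "/ 71", "-https://www.newdrugselement.ru/",
    "2019-11-17", "3", "/ 71", "-http://magicmedsprogram.ru/",
    "2019-11-17", "1", "/ 71", "-http://privatepillssale.eu/",
    "2019-11-17", "5", "/ 71", "-http://www.newdrugselement.ru/",
    "2019-11-15", "1", "/ 71",
    "-http://privatepillssale.eu/products/men_s_health/cialisviagra/order/",
    "2019-11-14", "2", "/ 71", "-http://puremedicalsale.eu/",
    "2019-11-10", "1", "/ 71", "-http://themedsbargain.eu/",
    "2019-11-06", "1", "/ 71", "-http://medicalherbmall.ru/",
    "2019-11-17", "7", "/ 71", "-http://luckyherbalmart.su/",
    "2019-11-18", "3", "/ 71", "-http://myhealthdeal.su/",
])

# TLDs an "HTTP request to <TLD>" policy rule would flag (.su per the thread title).
POLICY_TLDS = frozenset({"su"})


@dataclass(frozen=True)
class UrlHit:
    scanned: date
    detections: int
    engines: int
    url: str  # refanged: leading '-' removed

    @property
    def host(self) -> str:
        return (urlsplit(self.url).hostname or "").lower()

    @property
    def tld(self) -> str:
        return self.host.rsplit(".", 1)[-1]


def parse_relations(text: str) -> list[UrlHit]:
    """Turn the one-field-per-line listing into UrlHit records."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if lines[:3] == ["Scanned", "Detections", "URL"]:
        lines = lines[3:]  # drop the column header
    if len(lines) % 4:
        raise ValueError("listing is not made of 4-field records")
    hits = []
    for scanned, detections, engines, url in zip(*[iter(lines)] * 4):
        if not engines.startswith("/"):
            raise ValueError(f"unexpected engine-count field: {engines!r}")
        hits.append(UrlHit(date.fromisoformat(scanned), int(detections),
                           int(engines.lstrip("/ ")), url.lstrip("-")))
    return hits


def assess_ip(hits: list[UrlHit], as_of: date | str,
              window_days: int = 30, min_hosts: int = 3) -> dict:
    """Summarise abuse seen in the window ending at as_of.

    window_days and min_hosts are example thresholds (assumptions).
    """
    if isinstance(as_of, str):
        as_of = date.fromisoformat(as_of)
    cutoff = as_of - timedelta(days=window_days)
    recent = [h for h in hits if h.scanned >= cutoff and h.detections > 0]
    hosts = sorted({h.host for h in recent})
    return {
        "recent_hits": len(recent),
        "distinct_hosts": hosts,
        "tld_counts": dict(Counter(h.tld for h in recent)),
        "policy_tld_hosts": [h for h in hosts if h.rsplit(".", 1)[-1] in POLICY_TLDS],
        "max_detections": max((h.detections for h in recent), default=0),
        "block": len(hosts) >= min_hosts,
    }


if __name__ == "__main__":
    report = assess_ip(parse_relations(RELATIONS_LISTING), as_of="2019-11-18")
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run against the quoted listing with `as_of="2019-11-18"`, it finds 10 recent hits across 8 distinct hosts (4 .ru, 4 .eu, 2 .su), flags `luckyherbalmart.su` and `myhealthdeal.su` as policy-TLD hosts, and returns `block: True`; shrinking the window to one day still leaves 5 distinct hosts, which is what supports the "abuse is going on all of the time" argument rather than the age of any single domain record.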

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33900
  • malware fighter
Also consider this scan:
Quote
Checking: -http://www.snobword.com/
Engine version: 7.0.42.9300
Total virus-finding records: 8323173
File size: 5075 bytes
File MD5: 33e691a6a1c09b0719eb81db583938e6

-http://www.snobword.com/ - archive JS-HTML
>-http://www.snobword.com//JSTAG_1[211][cc] - Ok
>-http://www.snobword.com//JSTAG_2[2cc][11] - Ok
>-http://www.snobword.com//JSTAG_3[1274][e6] - Ok
-http://www.snobword.com/ - Ok
This website is insecure.
No 3rd party trackers on this site.

Since there are no third party dependencies preventing it, why don't you ask snobword.com to adopt SSL?
No Privacy Practices found.

See for site issues: https://sitecheck.sucuri.net/results/www.snobword.com
Running Sitefinity 3.7.2136.240:1  Exploitable: Hospitality Exploit, vuln. to arbitrary file upload exploit,
because JavaScript code in an HTML file has the same origin as the application's own code.
Upgrade and patch a.s.a.p. See further here: https://exploits.shodan.io/?q=Sitefinity
Open to doosatghack.

polonus
« Last Edit: November 18, 2019, 05:35:50 PM by polonus »

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33900
  • malware fighter
Here we see this site is a scam site:
https://www.scamvoid.net/check/magicmedsprogram.ru/

polonus