

So one day an email gets caught in my filter.  There's nothing fancy about it, but for the lulz I just follow the links to see where they go. The one thing that DID stick out was that this email tried to use my filter as a relay, which makes it easy to spot.

It ends up leading to a malicious APK file, installer for Android OS.

Subject:  Shelly Taylor /xjvnsqk /fbktojkxbxp.php

That was it, just a link in the body of the email, nothing else.

Header Examples:

The envelope header spoofed one of the people inside my network. So they were trying to use my filter like an open relay.

Received: from mycomputer []  <-- that ip is NOT in my network.
  X-Envelope-From: [someone in my domain]
  From: "Shelly Taylor" <shelly1smr>
  To: .... [ like a hundred people ]
  Subject: Shelly Taylor
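The relay trick above (envelope sender inside my domain, first Received hop outside my network) is cheap to check for automatically. The script below is an added example, not something from the original post: it parses a message header block modelled on the one shown, pulls the IP out of the earliest Received header, and compares it against the networks and domains you consider internal. The sample headers, the 203.0.113.x / 192.0.2.x addresses and the example.net / example.org domains are constructed placeholders (RFC 5737 / RFC 2606 ranges), not the real values from the email.

```python
import email
import ipaddress
import re
from email.utils import parseaddr

# Constructed sample modelled on the headers in the post. IPs and domains are
# documentation placeholders, not the real values.
SAMPLE_HEADERS = """\
Received: from mycomputer [203.0.113.45] by filter.example.net; Mon, 5 Aug 2013 10:00:00 +0000
X-Envelope-From: bob@example.net
From: "Shelly Taylor" <shelly1smr@example.org>
To: alice@example.net, carol@example.net
Subject: Shelly Taylor

http://[link removed]/xjvnsqk/fbktojkxbxp.php
"""

# Assumed "my network" and "my domain"; adjust to your own environment.
INTERNAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]
INTERNAL_DOMAINS = {"example.net"}

RECEIVED_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def first_hop_ip(msg):
    """IP in the earliest (bottom-most) Received header, or None if absent."""
    for hdr in reversed(msg.get_all("Received") or []):
        m = RECEIVED_IP_RE.search(hdr)
        if m:
            return ipaddress.ip_address(m.group(1))
    return None


def is_internal_ip(ip):
    return any(ip in net for net in INTERNAL_NETS)


def sender_domain(msg, header):
    """Domain part of the address in the given header, lower-cased ('' if none)."""
    addr = parseaddr(msg.get(header, ""))[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def check_relay_spoof(raw):
    """Return a list of findings describing relay/spoofing indicators."""
    msg = email.message_from_string(raw)
    ip = first_hop_ip(msg)
    env_dom = sender_domain(msg, "X-Envelope-From")
    from_dom = sender_domain(msg, "From")
    findings = []
    if ip is not None and not is_internal_ip(ip):
        # An internal sender domain arriving from an external first hop is
        # the open-relay pattern the post describes.
        if env_dom in INTERNAL_DOMAINS:
            findings.append(f"envelope sender claims internal domain {env_dom} "
                            f"but first hop {ip} is external")
        if from_dom in INTERNAL_DOMAINS:
            findings.append(f"From: claims internal domain {from_dom} "
                            f"but first hop {ip} is external")
    if env_dom and from_dom and env_dom != from_dom:
        findings.append(f"envelope sender domain {env_dom} differs from "
                        f"From: domain {from_dom}")
    return findings


if __name__ == "__main__":
    for line in check_relay_spoof(SAMPLE_HEADERS):
        print("FLAG:", line)
```

Feed it the raw header block from a quarantined message; an empty result means none of the three indicators fired, and each finding names the header and address that triggered it so it can be dropped straight into a filter log.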

Link Samples:

The first link: /xjvnsqk /fbktojkxbxp.php

didn't really do much, so I decided to try CURL with a few different user-agents. I noticed that the Android user-agent strings resulted in a different reply:

<title>302 Found</title>
<p>The document has moved <a href="http:// /FLVupdate.php">here</a>.</p>

ORLY? So I put THAT URL in but still don't get much. So I CURL it through some other user-agent strings and find that the next hop is using javascript trickery!

<html><head><script type="text/javascript">"FLVupdate.php","FLVupdate2.php");
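The chain so far is a user-agent check, a 302, and then a javascript hop that rewrites the current URL from FLVupdate.php to FLVupdate2.php. Below is an added example, not code from the post, that automates what the CURL probing did: it fetches a URL with several user-agent strings without following redirects, works out the next hop from a Location header, a meta refresh, or a javascript location assignment, and classifies what finally comes back. The hostname, the user-agent strings and the fake site responses are constructed placeholders; the assumption that the truncated script was a `location.href.replace("FLVupdate.php","FLVupdate2.php")` substitution is mine and is handled as its own case.

```python
import re
from urllib.parse import urljoin, urlparse

BASE = "http://malware-host.invalid"   # placeholder; the post's host was removed

# Shortened user-agent strings (constructed); any real UA strings work here.
USER_AGENTS = {
    "desktop": "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36",
    "android": "Mozilla/5.0 (Linux; Android 4.1.2) AppleWebKit/534.30 Mobile",
}

# Constructed offline stand-in for the server, keyed by (path, UA family). It
# models the behaviour described in the post: 302 for Android only, then a JS
# hop, then an APK. Swap in live_fetch() below for a real investigation.
FAKE_SITE = {
    ("/xjvnsqk/fbktojkxbxp.php", "desktop"):
        (200, {"Content-Type": "text/html"}, "<html><body>nothing here</body></html>"),
    ("/xjvnsqk/fbktojkxbxp.php", "android"):
        (302, {"Location": "/FLVupdate.php"}, "<title>302 Found</title>"),
    ("/FLVupdate.php", "android"):
        (200, {"Content-Type": "text/html"},
         '<html><head><script type="text/javascript">location.href='
         'location.href.replace("FLVupdate.php","FLVupdate2.php");</script></head></html>'),
    ("/FLVupdate2.php", "android"):
        (200, {"Content-Type": "application/vnd.android.package-archive"},
         "PK\x03\x04constructed-apk-bytes"),
}


def ua_family(user_agent):
    return "android" if "Android" in user_agent else "desktop"


def fake_fetch(url, user_agent):
    return FAKE_SITE.get((urlparse(url).path, ua_family(user_agent)), (404, {}, ""))


def live_fetch(url, user_agent, timeout=10):
    """Fetch one hop with a given UA, without letting urllib follow redirects."""
    import urllib.error
    import urllib.request

    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, *args, **kwargs):
            return None
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    try:
        resp = urllib.request.build_opener(NoRedirect).open(req, timeout=timeout)
    except urllib.error.HTTPError as err:   # 3xx/4xx/5xx arrive as HTTPError
        resp = err
    return resp.getcode(), dict(resp.headers), resp.read(200_000).decode("latin-1")


META_REFRESH_RE = re.compile(r'<meta[^>]+http-equiv=["\']?refresh["\']?[^>]*url=([^"\'>\s]+)', re.I)
JS_SUBST_RE = re.compile(r'location\.href\.replace\(\s*["\']([^"\']+)["\']\s*,\s*["\']([^"\']+)["\']\s*\)')
JS_CALL_RE = re.compile(r'location\.(?:replace|assign)\(\s*["\']([^"\']+)["\']\s*\)')
JS_ASSIGN_RE = re.compile(r'(?:window\.)?location(?:\.href)?\s*=\s*["\']([^"\']+)["\']')


def next_hop(url, status, headers, body):
    """Resolve the next URL in the chain, or None when this response is final."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    if 300 <= status < 400 and "location" in hdrs:
        return urljoin(url, hdrs["location"])
    m = META_REFRESH_RE.search(body)
    if m:
        return urljoin(url, m.group(1))
    m = JS_SUBST_RE.search(body)          # assumed form of the truncated script
    if m:
        return url.replace(m.group(1), m.group(2))
    m = JS_CALL_RE.search(body) or JS_ASSIGN_RE.search(body)
    return urljoin(url, m.group(1)) if m else None


def classify(headers, body):
    """Rough content type: APK is a ZIP container, so it starts with PK\\x03\\x04."""
    ctype = {k.lower(): v for k, v in headers.items()}.get("content-type", "")
    if body.startswith("PK\x03\x04") or "android.package-archive" in ctype:
        return "apk"
    return "html" if "html" in ctype or "<html" in body.lower() else "other"


def follow_chain(fetch, url, user_agent, max_hops=5):
    """Walk redirects for one UA; returns [(url, status, kind), ...]."""
    hops = []
    for _ in range(max_hops):
        status, headers, body = fetch(url, user_agent)
        hops.append((url, status, classify(headers, body)))
        nxt = next_hop(url, status, headers, body)
        if nxt is None or nxt == url:
            break
        url = nxt
    return hops


def compare_user_agents(fetch, url):
    return {name: follow_chain(fetch, url, ua) for name, ua in USER_AGENTS.items()}


if __name__ == "__main__":
    for name, hops in compare_user_agents(fake_fetch, BASE + "/xjvnsqk/fbktojkxbxp.php").items():
        print(name, "->", " => ".join(f"{u} [{s} {k}]" for u, s, k in hops))
```

The point of handing `fetch` in as a parameter is that the same chain walker runs against the canned responses here and, with `live_fetch`, against a real host from an isolated analysis box; the output makes the cloaking obvious because the desktop chain stops at a harmless page while the Android chain ends in an APK.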

Well played good sir! So I CURL the FLVupdate2.php URL with an Android user-agent string and I get:

VirusTotal report 

AVG Android_dc.AILJ
Ad-Aware Android.Trojan.NioServ.B
AntiVir Android/NoComA.D.2
Avast Android:NotCom-C [PUP]
Baidu-International Trojan.AndroidOS.NioServ.AeCJ
BitDefender Android.Trojan.NioServ.B
Commtouch AndroidOS/NoCom.A
Comodo UnclassifiedMalware
ESET-NOD32 a variant of Android/NoComA.D
Emsisoft Android.Trojan.NioServ.B (B)
F-Prot AndroidOS/NoCom.A
F-Secure Trojan:Android/NotCompatible.31e20f58!gen
GData Android.Trojan.NioServ.B
Ikarus AndroidOS.NoComA
K7GW Trojan ( 0048d68d1 )
Kaspersky HEUR:Trojan.AndroidOS.NioServ.a
Kingsoft Android.Troj.at_Nisev.a.(kcloud)
McAfee Artemis!02874F8CDA35
McAfee-GW-Edition Artemis!02874F8CDA35
MicroWorld-eScan Android.Trojan.NioServ.B
Sophos Andr/Notcom-A
TrendMicro-HouseCall TROJ_GEN.F47V0805
VIPRE Trojan.AndroidOS.Generic.A

Joe Sandbox's report explains much more about this Android malware.

Something evil... (Dynamoo does this part much better):

Now, when I said that didn't show much on the first URL, that isn't exactly true. It showed me similar URLs on the same IP:

/ynuydft/yxhsgqzegzvtbjn.html
/rpk/sytilyjbazgwk.php
/no/plauyexaqer.php

These URLs also provided a path to malware. So I go check the IP with and bigger than shit:

/abzvwp /dklhbsgwwnyryaxzujztq.php
/uduld /kawabanga.php
/ppy /vuivhngsqqd.vgfhdubrbueqynljn
/cpec /xbukymgnfjkolsepjzcpzhaufczpwv.awyqpyvwbapmfoepfklkxnf
/lettinglovelead /pocketinfo.php
/ftyalj /ukuhefrjgqtlntilld.ahovwpnafgvzn
/pz /btwnow.php

Several of those lead to Android malware and, depending on the user agent, some lead to junky copypasta clickbait sites like:

<-- rip off of Good Housekeeping
/indexer.php ?a=269321&c=skin&s=h57s <-- Rachel Ray copycat?
<-- fake Fox News site

And like I said earlier, Dynamoo's Blog would do some real digging on this, so check THIS out!


I notified HiVelocity hosting about the IP address that seems to be pretty well compromised. HiVelocity responded by disabling it for cleanup and investigation. Mad props to them for taking action! Email excerpt:

[Image: HiVelocity email about taking down the malware site]

This junked-up server is of course NOT mission-critical to the malware spammers, but sometimes one bad email can get a server taken down. Then, look at all the attention Conrad at Dynamoo's Blog put on them and the next-higher group. The malware spammers were better off before they sent that one oddball email.

If this was at least a little helpful, how about a +1, Like, or Tweet?