Re: [mailop] CutWail infections growing again, all China based..

2020-07-22 Thread Michael Peddemors via mailop

On 2020-07-21 9:15 a.m., Bill Cole via mailop wrote:

On 19 Jul 2020, at 22:38, Chris via mailop wrote:

It is particularly bizarre that it infests one ISP like this.  I'm 
wondering if someone managed to force the infection to do IP 
reallocations frequently to IP-hop.  Cutwail normally has thousands of 
infected IPs per campaign spread across ISPs.


I have noticed something Cutwail-like (fast-talking starting with bogus 
HELO name (e.g. ymlf-pc) ) clustering in single-ISP ranges, as if it 
spread via probing nearby IPs with whatever its infection vector is. No 
2020 cases of that which I've noticed, but there's been a general 
decline in the phylum of fast-talkers from my vantage points this year.
If someone wants to play around with these reports, and if this thread 
is interesting, we probably should take it to the SDLU mailing list, or 
something similar.. It was just interesting that it is contained to one 
network, and that the increase started about the same time as Emotet 
started back up again.. Last 24 hours' new reports.. (Simple Cutwail) at 
bottom.


The more sophisticated version is still out there, but not increasing 
much.. It would be nice to see takedowns of these.


156.96.56.48x2  
190.146.128.23  x2  static-ip-19014612823.cable.net.co
92.46.239.2 x5  zinc.kz

 ...

Simpler CutWail version..


Re: [mailop] CutWail infections growing again, all China based..

2020-07-21 Thread Bill Cole via mailop

On 19 Jul 2020, at 22:38, Chris via mailop wrote:

It is particularly bizarre that it infests one ISP like this.  I'm 
wondering if someone managed to force the infection to do IP 
reallocations frequently to IP-hop.  Cutwail normally has thousands of 
infected IPs per campaign spread across ISPs.


I have noticed something Cutwail-like (fast-talking starting with bogus 
HELO name (e.g. ymlf-pc) ) clustering in single-ISP ranges, as if it 
spread via probing nearby IPs with whatever its infection vector is. No 
2020 cases of that which I've noticed, but there's been a general 
decline in the phylum of fast-talkers from my vantage points this year.


--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not For Hire (currently)

___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
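One way to pick the behaviour Bill describes out of a receiving MTA's logs, as an added illustration that is not part of any message in this thread: the script below flags sessions that speak before the greeting banner or present the ymlf-pc HELO, then counts flagged sources per /24 to surface the single-ISP clustering. The log format, the addresses (RFC 5737 documentation ranges), the rDNS names and the 0.5 s banner delay are all constructed assumptions, not values from the thread.

```python
import re
from collections import defaultdict
from ipaddress import ip_network

# Constructed sample log (not from the thread): one line per inbound SMTP session.
# Fields: client IP, rDNS or NXDOMAIN, HELO/EHLO argument, seconds between TCP
# accept and the client's first command. Addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = """\
198.51.100.12 12.100.51.198.adsl-pool.example-isp.test ymlf-pc 0.02
198.51.100.40 40.100.51.198.adsl-pool.example-isp.test ymlf-pc 0.05
198.51.100.77 NXDOMAIN ymlf-pc 0.01
198.51.100.90 90.100.51.198.adsl-pool.example-isp.test mail.example.test 3.20
203.0.113.9 NXDOMAIN ymlf-pc 0.03
192.0.2.25 mx2.example.test mx2.example.test 2.90
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+([\d.]+)$")
BOGUS_HELO = {"ymlf-pc"}   # HELO named in the thread; extend from your own logs
BANNER_DELAY_SECONDS = 0.5  # assumed pre-greeting delay of the receiving MTA


def parse(log):
    """Return (ip, rdns, helo, wait_seconds) tuples, skipping malformed lines."""
    sessions = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ip, rdns, helo, wait = m.groups()
            sessions.append((ip, rdns, helo, float(wait)))
    return sessions


def is_fast_talker(helo, wait):
    """A client that sends its first command before the banner, or uses a
    known bogus HELO, matches the Cutwail-like profile from the thread."""
    return wait < BANNER_DELAY_SECONDS or helo.lower() in BOGUS_HELO


def flagged(sessions):
    return [ip for ip, _rdns, helo, wait in sessions if is_fast_talker(helo, wait)]


def cluster_by_prefix(sessions, prefixlen=24):
    """Count distinct flagged sources per prefix; a handful of /24s holding most
    of the hits is the single-ISP clustering pattern described above."""
    hosts = defaultdict(set)
    for ip, _rdns, helo, wait in sessions:
        if is_fast_talker(helo, wait):
            hosts[str(ip_network(f"{ip}/{prefixlen}", strict=False))].add(ip)
    return {net: len(ips) for net, ips in hosts.items()}


def dense_clusters(sessions, min_hosts=3, prefixlen=24):
    """Prefixes with at least min_hosts flagged sources, sorted by prefix."""
    counts = cluster_by_prefix(sessions, prefixlen)
    return sorted(net for net, n in counts.items() if n >= min_hosts)
```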


Re: [mailop] CutWail infections growing again, all China based..

2020-07-21 Thread Chris via mailop
I can confirm that this is cutwail.  I'm showing 100% agreement in spot 
checking of your list of IPs.


This particular cutwail variant, unlike the others, has been percolating 
at low volumes for a long time.  The other more sophisticated versions 
have all pretty much gone away.


It is particularly bizarre that it infests one ISP like this.  I'm 
wondering if someone managed to force the infection to do IP 
reallocations frequently to IP-hop.  Cutwail normally has thousands of 
infected IPs per campaign spread across ISPs.


The other possibility is that someone stole the SMTP emission part and 
reused it in something less bot-like.

