I was already missing these SPAM emails with some advice about my sexual life: “Your woman wants you to be the best lover”, “The greatest technique to gratify your lady”, etc. I was getting upset about this, I needed some help...;p
So finally I am receiving a lot of these again. After visiting the link (hxxp://goozix.com/its.html) we can see a redirection to a page to buy Viagra and other “medicines”. But also there is some malicious Javascript code hidden there. The result of the deobfuscation contains code to create a cookie (“visited_uq=55”) and also an iframe to load the URL hxxp://gylaqim.com/exit.php. This domain, created on the 21st of September, resolves each time to a different IP and has a history of more than 400 IPs. It has 6 authoritative DNS servers, ns*.gylaqim.com, also resolving to multiple IPs.
Depending on the server which is responding after visiting hxxp://gylaqim.com/exit.php we will be redirected to another initial page - with another redirection to a Viagra site plus malicious Javascript code - or to the actual exploit kit.
The initial pages seen until the moment are the following:
hxxp://178.170.104.124/destruction.html
hxxp://178.170.104.124/seed.html
hxxp://actes-lyon.org/true.html
hxxp://aybabtu.ru/express.html
hxxp://brave.net.nz/ocean.html
hxxp://goozix.com/its.html
hxxp://moniwild.sakura.ne.jp/average.html
hxxp://rodinr.511.com1.ru/angle.html
hxxp://southeasterntrains-fail.com/somewhere.html
hxxp://toys-store.net/dawn.html