FedEx & Wire Transfer

Subject: Re_Wire Transfer (3935SH506).
URL: ceroonce.com /loadit/fondos/file-index.htm

WireTransfer

Subject: Fedex Delivery Confirmation 351301.

FedEx

The victim is eventually redirected to a Phoenix Exploit Kit at sonografx[.]ru:8080 /navigator/jueoaritjuir.php, hosted at multiple IP addresses.


The Phoenix controller downloads a PDF from samsonikonyou[.]ru:8080 /navigator/alisgtypezfq1.pdf. This PDF is identified as exploiting CVE-2010-0188. The exploit file had the following properties:

Name: gukzxtjpcsjobn.pdf
Size: 13,237 bytes
MD5: df6f147dcd68fbaa26a7d941958dc58d

The exploit forces the victim to download a Pony downloader from poosdfhhsppsdns[.]su:8080 /navigator/frf3.php?i=15. This Pony downloader had the following properties:

File: dsarcubqinhsjqkugsbm.exe
MD5: 9485f9d0afac1f929f49aafe31e7000c
Size: 94,760 bytes
Timestamp: 2012:04:04 17:09:33+02:00

The Pony downloader’s dropzone is running at infovega.lt /pony/gate.php. Pony then downloads 3 identical Gameover Zeus payloads from:

1. http://www.ciupanezu.ro /6rBQWWdx/9ZR.exe
2. burmak.com.tr /bo0B7BgS/bhsuZJdf.exe
3. hotelritmotropical.net /dCWhyHtG/XbKbb5L.exe

Gameover Zeus is installed as %AppData%/ikwyp.exe with the following properties:

MD5: c8c3fa05dc37232a0643834dded6dced
Size: 304,168 bytes
Timestamp: 2010:10:28 15:51:02+02:00

This payload is digitally signed by ‘GggvpYSuFAF7Uqd’. The certificate is valid from 04/04/2012 to 01/01/2040.

Note that this Gameover payload connects to a dropzone at 202.182.185.78:22675 and uses the bot id “mf2222a4”.
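For defenders, the chain above maps cleanly onto proxy-log detection: each stage (lure page, Phoenix landing, exploit PDF, Pony download, Pony dropzone check-in, Gameover Zeus payload fetch) is a distinct host-and-path pair, and a client that reaches the dropzone or the payload stage has gone past mere exposure. The script below is an added example, not part of the original post; it uses only the indicators listed above (kept defanged as on the page) and assumes a constructed five-field proxy log format.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Indicators from the writeup above as (stage, host[:port], path prefix);
# hosts stay defanged as on the page and are refanged only when matching.
STAGES = [
    ("lure",            "ceroonce.com",              "/loadit/fondos/file-index.htm"),
    ("phoenix_landing", "sonografx[.]ru:8080",       "/navigator/"),
    ("exploit_pdf",     "samsonikonyou[.]ru:8080",   "/navigator/alisgtypezfq1.pdf"),
    ("pony_download",   "poosdfhhsppsdns[.]su:8080", "/navigator/frf3.php"),
    ("pony_dropzone",   "infovega.lt",               "/pony/gate.php"),
    ("goz_payload",     "www.ciupanezu.ro",          "/6rBQWWdx/9ZR.exe"),
    ("goz_payload",     "burmak.com.tr",             "/bo0B7BgS/bhsuZJdf.exe"),
    ("goz_payload",     "hotelritmotropical.net",    "/dCWhyHtG/XbKbb5L.exe"),
]

def classify(url):
    if "://" not in url:                 # proxy logs often omit the scheme
        url = "http://" + url
    u = urlsplit(url)
    for stage, hostport, path_prefix in STAGES:
        if u.netloc.lower() == hostport.replace("[.]", ".") and u.path.startswith(path_prefix):
            return stage
    return None                          # not part of this chain

def stages_per_client(lines):
    # Assumed (constructed) log format: "<timestamp> <client> <method> <url> <status>"
    seen = defaultdict(list)             # client -> ordered distinct stages reached
    for line in lines:
        fields = line.split()
        if len(fields) != 5:
            continue                     # skip malformed lines rather than crash
        stage = classify(fields[3])
        if stage and stage not in seen[fields[1]]:
            seen[fields[1]].append(stage)
    return dict(seen)

def likely_infected(stages):
    # Pony reaching its dropzone or a Gameover Zeus fetch means the exploit ran;
    # a lure click or a landing-page hit alone is only an attempt.
    return "pony_dropzone" in stages or "goz_payload" in stages

# Constructed sample log: 10.0.0.5 walks the whole chain, 10.0.0.7 is blocked at the landing page.
SAMPLE_LOG = [
    "2012-04-05T10:01:02 10.0.0.5 GET http://ceroonce.com/loadit/fondos/file-index.htm 200",
    "2012-04-05T10:01:03 10.0.0.5 GET http://sonografx.ru:8080/navigator/jueoaritjuir.php 200",
    "2012-04-05T10:01:05 10.0.0.5 GET http://samsonikonyou.ru:8080/navigator/alisgtypezfq1.pdf 200",
    "2012-04-05T10:01:09 10.0.0.5 GET http://poosdfhhsppsdns.su:8080/navigator/frf3.php?i=15 200",
    "2012-04-05T10:01:12 10.0.0.5 POST http://infovega.lt/pony/gate.php 200",
    "2012-04-05T10:01:14 10.0.0.5 GET http://www.ciupanezu.ro/6rBQWWdx/9ZR.exe 200",
    "2012-04-05T10:07:41 10.0.0.7 GET http://sonografx.ru:8080/navigator/jueoaritjuir.php 403",
]
```

Running `stages_per_client(SAMPLE_LOG)` and `likely_infected` over each result separates hosts that need reimaging from hosts that only touched the landing page, which is the triage split a responder wants first.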
