VALERIO Pizza Order Confirmation

Order Confirmation

The sample we analyzed had a link to a malicious page at hxxp://printingcheaper.com/page1.htm?XVUU=S1KGEAGODJ8XNNAHB48IE5UHL&ZELSDVH=J0VL2BFPNUITV68G6&ID5TU3=UA0MLSUW5R2R8GC&DT9=MXK3SEKG0JMHDAU0RZAG6P3K&4S0W2E=8MG1P4S5IGNJAPNX87C&G4YO6P6=AEPEC1D5PXXZ&CS66A7F=RNK4RSELG796VIEX0TUYQ8F9&877R2=VGZBG625JCT8Z9O2K&KQA05=5L5TW1IP247&

This malicious page contained JavaScript that redirected victims to a Phoenix Exploit Kit at hxxp://uiwewsecondary.ru:8080/internet/fpkrerflfvd.php
The Phoenix kit first drops a CVE-2010-0188 PDF payload from hxxp://uiwewsecondary.ru:8080/internet/kqbzaubpiqxnbn.pdf. The PDF file had the following properties:

File: kqbzaubpiqxnbn.pdf
MD5: 1b6f367a28de927e6573e803e555a297
Size: 13,163 bytes

A successful exploit in turn handed victims off to a second exploit kit at hxxp://poluicenotgo.ru:8080/internet/at.php?i=15. This kit dropped a Pony downloader with the following properties:

File: esfwatkocliuyn.exe
MD5: 5726463108bb6f26e6dd54763e85453b
Size: 135,264 bytes

Both of these Phoenix exploit kits are hosted at the following IP addresses on the same fast-flux infrastructure:

83.170.91.152
85.214.204.32
88.190.22.72
89.31.145.154
112.78.124.115
125.19.103.198
41.168.5.140
62.85.27.129
173.203.211.157
210.56.23.100
211.44.250.173
216.24.197.66
219.94.194.138

The Pony downloader posts to its dropzone at hxxp://dare2dreamz.com/pony/gate.php, hosted at IP address 109.206.180.54. It was also configured to download 3 identical Gameover Zeus payloads from the following locations:

1. hxxp://dynolite.eu/7U0ASvP9/AZz.exe
2. hxxp://abbott.u4ria.co.za/HGFg1RHz/MkiZMX.exe
3. hxxp://demircioglubilgisayar.com.tr/qy3kMMxv/VgWqQm4k.exe

Gameover was installed in %APPDATA%\Meizo\ehgea.exe

MD5: a3e56f7ba6cd98b2ac87596daf74e2aa
Size: 371,808 bytes
Timestamp: 2010:10:29 14:08:06+02:00

This Gameover Zeus variant posts to a dropzone at 211.73.186.159:28813. Webinjects were downloaded from 76.73.52.11:25362. The Gameover variant had a botid of “MF222a17” and a cid of “5555”.
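The infection chain above is a sequence of HTTP requests, so the indicators it lists turn directly into proxy-log detection. The following script is an added example, not part of the original write-up: it refangs the hxxp:// URLs as printed above, matches each exact URL path, host, and server IP (the fast-flux addresses plus the Pony dropzone IP) against a constructed proxy log, and reports why each line hit. The log format (timestamp, client, method, URL, server IP), the client address 10.0.0.5 and the non-indicator server addresses are constructed for the example; the landing page is matched on hostname only because its query string is truncated in the write-up.

```python
import re
from urllib.parse import urlsplit

# Indicators copied from the write-up, exactly as printed there (defanged with "hxxp").
DEFANGED_URLS = [
    "hxxp://uiwewsecondary.ru:8080/internet/fpkrerflfvd.php",     # Phoenix landing page
    "hxxp://uiwewsecondary.ru:8080/internet/kqbzaubpiqxnbn.pdf",  # CVE-2010-0188 PDF
    "hxxp://poluicenotgo.ru:8080/internet/at.php?i=15",           # second exploit kit
    "hxxp://dare2dreamz.com/pony/gate.php",                       # Pony dropzone
    "hxxp://dynolite.eu/7U0ASvP9/AZz.exe",                        # Gameover payload 1
    "hxxp://abbott.u4ria.co.za/HGFg1RHz/MkiZMX.exe",              # Gameover payload 2
    "hxxp://demircioglubilgisayar.com.tr/qy3kMMxv/VgWqQm4k.exe",  # Gameover payload 3
]
# The initial landing page's query string is truncated in the write-up,
# so that host is matched on hostname only.
HOST_ONLY = ["printingcheaper.com"]
# Fast-flux addresses of the exploit kits plus the Pony dropzone IP (109.206.180.54).
KNOWN_IPS = {
    "83.170.91.152", "85.214.204.32", "88.190.22.72", "89.31.145.154",
    "112.78.124.115", "125.19.103.198", "41.168.5.140", "62.85.27.129",
    "173.203.211.157", "210.56.23.100", "211.44.250.173", "216.24.197.66",
    "219.94.194.138", "109.206.180.54",
}


def refang(url):
    """Turn the defanged hxxp:// scheme back into http:// so urlsplit parses it."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.IGNORECASE)


def build_indicators(defanged_urls, host_only):
    """Return (hosts, url_paths): hostnames to match, and exact (host, path) pairs."""
    hosts, url_paths = set(host_only), set()
    for u in defanged_urls:
        parts = urlsplit(refang(u))
        host = (parts.hostname or "").lower()
        hosts.add(host)
        # The query string is ignored on purpose: kit URLs vary it per victim.
        url_paths.add((host, parts.path))
    return hosts, url_paths


# Constructed log format: timestamp client method url server_ip (one request per line).
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<server>\S+)$"
)


def scan_log(lines, hosts, url_paths, known_ips):
    """Return [(client, url, reasons)] for every line that touches an indicator."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of aborting the whole scan
        parts = urlsplit(m["url"])
        host = (parts.hostname or "").lower()
        reasons = []
        if (host, parts.path) in url_paths:
            reasons.append("known-url")
        elif host in hosts:
            reasons.append("known-host")
        if m["server"] in known_ips:
            reasons.append("known-ip")
        if reasons:
            hits.append((m["client"], m["url"], reasons))
    return hits


# Constructed sample log: one benign request, then the chain from the write-up.
SAMPLE_LOG = """\
2012-06-01T10:00:01Z 10.0.0.5 GET http://www.example.com/ 93.184.216.34
2012-06-01T10:00:02Z 10.0.0.5 GET http://printingcheaper.com/page1.htm 198.51.100.7
2012-06-01T10:00:03Z 10.0.0.5 GET http://uiwewsecondary.ru:8080/internet/fpkrerflfvd.php 83.170.91.152
2012-06-01T10:00:09Z 10.0.0.5 GET http://uiwewsecondary.ru:8080/internet/other.jar 85.214.204.32
2012-06-01T10:00:20Z 10.0.0.5 POST http://dare2dreamz.com/pony/gate.php 109.206.180.54
"""

if __name__ == "__main__":
    hosts, url_paths = build_indicators(DEFANGED_URLS, HOST_ONLY)
    for client, url, reasons in scan_log(SAMPLE_LOG.splitlines(), hosts, url_paths, KNOWN_IPS):
        print(client, url, ",".join(reasons))
```

Matching on host and server IP separately is what catches the fourth line: a request to a new path on a known kit host, served from one of the fast-flux addresses, is still flagged even though that exact URL was never seen before.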

Interestingly, the Pony downloader and Gameover Zeus shared the same signature and version-resource properties, indicating that both payloads were built by the same group, possibly around the same time:

Signature: Digitally signed by ‘VfnHcYKXDLnVlQizT9uLI4yhP’
Certificate Validity: 04/16/2012 to 01/01/2040
Company Name: Microsoft Corporation
File Description: Windows Disk Diagnostic User Resolver
File Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Internal Name: DFDWiz.exe
Legal Copyright: © Microsoft Corporation. All rights reserved.
Original Filename: DFDWiz.exe
Product Name: Microsoft® Windows® Operating System
Product Version: 6.1.7600.16385
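The properties above are a useful triage signal on their own: the version resource claims to be a Microsoft Windows component, yet the file is signed by a random-looking name and the certificate is valid for nearly 28 years. The function below is an added example, not part of the original write-up, that scores a file's version-resource fields and signer against those mismatches. The version-info dictionary, signer name and validity dates are the ones listed above; the on-disk name esfwatkocliuyn.exe is the Pony sample from earlier in the post. The ten-year validity ceiling and the entropy threshold of 4.0 bits per character are assumed heuristics, not values from the post, and the field names follow the Windows VERSIONINFO resource.

```python
import math
from collections import Counter
from datetime import date

# Version-resource fields and signer name as listed in the write-up
# for the Pony and Gameover samples.
SAMPLE_VERSION_INFO = {
    "CompanyName": "Microsoft Corporation",
    "FileDescription": "Windows Disk Diagnostic User Resolver",
    "FileVersion": "6.1.7600.16385 (win7_rtm.090713-1255)",
    "InternalName": "DFDWiz.exe",
    "OriginalFilename": "DFDWiz.exe",
    "ProductName": "Microsoft\u00ae Windows\u00ae Operating System",
}
SAMPLE_SIGNER = "VfnHcYKXDLnVlQizT9uLI4yhP"
SAMPLE_VALIDITY = (date(2012, 4, 16), date(2040, 1, 1))


def shannon_entropy(text):
    """Bits per character; keyboard-mashed strings score higher than real words."""
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def assess_signature(version_info, signer, validity, on_disk_name,
                     max_validity_years=10, entropy_threshold=4.0):
    """Return a list of reasons the version resource and signature look forged.

    max_validity_years and entropy_threshold are assumed heuristics; tune them
    against your own corpus of known-good signed binaries.
    """
    findings = []

    # A file claiming to be from Microsoft should be signed by Microsoft.
    company = version_info.get("CompanyName", "").lower()
    if "microsoft" in company and "microsoft" not in signer.lower():
        findings.append("company-signer-mismatch")

    # The resource names the file DFDWiz.exe, but it was dropped under another name.
    original = version_info.get("OriginalFilename", "").lower()
    if original and original != on_disk_name.lower():
        findings.append("filename-mismatch")

    # Code-signing certificates are normally issued for a few years, not decades.
    not_before, not_after = validity
    if (not_after - not_before).days > max_validity_years * 365:
        findings.append("long-validity")

    # A single high-entropy token as the signer name is typical of self-signed junk.
    if " " not in signer and shannon_entropy(signer) > entropy_threshold:
        findings.append("random-looking-signer")

    return findings


if __name__ == "__main__":
    for reason in assess_signature(SAMPLE_VERSION_INFO, SAMPLE_SIGNER,
                                   SAMPLE_VALIDITY, "esfwatkocliuyn.exe"):
        print(reason)
```

The same four checks return nothing for a genuine DFDWiz.exe signed by Microsoft with a short-lived certificate, which is what makes the combination usable as a hunting rule rather than just a curiosity about these two samples.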
