Update: 950 Euro transfer to Intesa Sanpaolo

New Hostile URLs observed on April 5, 2013:

Each of these pages contains an encoded script that redirects to a Blackhole exploit kit v2.x at hxxp://bangpleasure.com/news/wanting_book_switch.php. This BH kit is hosted at IP address 97.107.142.157 at the time of this writing.

950 Euro transfer to Intesa Sanpaolo

We analyzed a spam run, distributed by the Cutwail spambot on April 04, 2013, that used the theme “950 Euro transfer to Intesa Sanpaolo”:

Spam Subject(s):

Si deve essere attestato a 950,00 € dal tuo conto corrente bancario presso Intesa anPaolo.
Richiesta di ammortamento di € 950,00 dal conto bancario di Intesa SanPaolo
Gli ammortamenti delle 950,00 € dal tuo conto bancario in Intesa SanPaolo
€ 950,00 sono dal vostro conto di Intesa SanPaolo ammortizzato in 24 ore

Spam Template:

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<HTML><HEAD><TITLE></TITLE>
</HEAD>
<BODY>

Gentile Cliente, <br>
Abbiamo ricevuto la richiesta di ammortamento di € 950,00 dal proprio conto bancario in Intesa SanPaolo per risolvere la consegna dei documenti. <br>L’ammortamento dei fondi e la trasmissione di documenti ulteriori fatto in 24 ore.<br><br>
<a href="hxxp://herr-pferd.de/info1.html">Vedi i dettagli dell’ordine </a> <br>
Cordiali saluti, Servizio clienti sostegno della Intesa SanPaolo Banca.<br>
</BODY></HTML>

Hostile URL(s):


The text ‘Vedi i dettagli dell’ordine’ (“See the order details”) is hyperlinked to one of the URLs listed above. Each of these pages contains an encoded script that redirects to a Blackhole exploit kit v2.x at hxxp://23.advertisingspecialties.biz/news/wanting_book_switch.php. This BH kit is hosted at IP address 96.126.106.62 at the time of this writing.

The kit attempts to download the following files/exploits:

hxxp://23.advertisingspecialties.biz/news/wanting_book_switch.php?tsltj=1l:30:1l:32:32&gmon=3j&eyoyoeuy=1o:30:32:30:1h:1j:1i:1f:1n:33&ggievtn=1o:1d:1f:1d:1f:1d:1f
Name: a4ccf.pdf
Identifier: CVE-2010-0188 exploit
Type: PDF document, version 1.6
Size: 9895 bytes
MD5sum: 1ef1040ba77c13ddc268ca34a4b030c6

If exploitation is successful, the kit redirects to hxxp://23.advertisingspecialties.biz/news/wanting_book_switch.php?fvpcpp=1l:30:1l:32:32&irzg=1o:30:32:30:1h:1j:1i:1f:1n:33&phrua=1i&nlcdd=obmoxwk&fdrehtz=gfyuft, and a Pony variant with the following properties is downloaded:

Name: contacts.exe
Identifier: Pony downloader
Type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Size: 150,528 bytes
MD5: c42105cc624659827773cb62de516d5a

Pony downloader posts to its dropzone at:

hxxp://3ecompany.com:8080/forum/viewtopic.php
hxxp://23.advertisingspecialties.biz/forum/viewtopic.php
hxxp://23.area-plumbing-company.com/forum/viewtopic.php
hxxp://23.debtfreein100days.com/forum/viewtopic.php

Pony downloader was configured to download Gameover Zeus payloads from the following locations:

1. hxxp://agarest.com/dckWfjue.exe
2. hxxp://kj-supply.com/JUz8cnK.exe
3. hxxp://chadgunderson.com/ZUmJx.exe

Gameover installs itself as %APPDATA%\Ppro\rfluo.exe and had the following file properties:

File: rfluo.exe
Size: 376,832 bytes
MD5: 6e65ca8fa550b03d1f377cc1c685abd8
Build TimeStamp: 2013-03-16 18:17:58
Language Code: Russian
Character Set: Unicode
Company Name: Корпорация Майкрософт
File Description: Монитор устройств неподвижных изображений
File Version: 5.1.2600.5512 (xpsp.080413-0852)

The Gameover variant had a botid of “candyshop” and a cid of 8888. The following P2P drones (peer addresses) were found embedded inside the Gameover Zeus payload:


Scanned Image from a Xerox WorkCentre

We analyzed the following malicious attachment used in the Xerox Scanned Image themed spam of February 14, 2013:

Spam Subject:
Scanned Image from a Xerox WorkCentre

Spam Template:

Device Name: Not Set
Device Model: Scab-3871N
Location: Not Set

File Format: PDF (Medium)
File Name: Scan_02-13-2013-245.zip
Resolution: 200dpi x 200dpi

Attached file is scanned image in PDF format.
Adobe(R)Reader(R) can be downloaded from the following URL: hxxp://www.adobe.com/

File: Scan_02-13-2013_245.zip
MD5: 2688370c5fd8bc197141a55d43883ad4
Size: 117,606 bytes

Pony downloader posts to its dropzone at hxxp://88.190.210.199/ponyb/gate.php. It was also configured to download 3 Gameover Zeus payloads from the following locations:
1. hxxp://www.inaji.jp/5Ncs.exe
2. hxxp://w6050v1kc.homepage.t-online.de/KYrngX.exe
3. hxxp://socialighter.co.za/3N0k.exe
Gameover installs itself as %APPDATA%\Iriwb\tuoqf.exe and had the following file properties:

File: tuoqf.exe
MD5: cd08cfedf5033ce7b18a0e1be4d23501
Size: 309,760 bytes
Time-Stamp: 2013-02-05 20:09:27
This Gameover Zeus variant posts to a dropzone at 66.229.110.89:28898. Webinjects were downloaded from 174.110.150.207:23173. The Gameover variant had a botid of “dotf14”.

The following P2P drones (peer addresses) were found embedded inside the Gameover Zeus payload:


First Foundation Bank Secure Email Notification

We analyzed the following malicious attachment used in the First Foundation Bank themed spam of February 14, 2013:

Spam Subject:
First Foundation Bank Secure Email Notification – 29834077

Mail From:
"FF-inc Secure Notification" <secure.notification@ff-inc.com>

Spam Template:

You have received a secure message

Read your secure message by opening the attachment, secure_mail_29834077. You will be prompted to open (view) the file or save (download) it to your computer. For best results, save the file first, then open it in a Web browser. To access from a mobile device, forward this message to mobile@res.ff-inc.com to receive a mobile login URL.

If you have concerns about the validity of this message, please contact the sender directly. For questions about secure e-mail encryption service, please contact technical support at 888.230.9081.

2000-2013 First Foundation Inc. All rights reserved.

File: secure_mail_29834077.zip
MD5: e6454c2cb43c669906fcdbe199a195f3
Size: 118,086 bytes

Pony downloader posts to its dropzone at hxxp://88.190.210.199/ponyb/gate.php. It was also configured to download 3 Gameover Zeus payloads from the following locations:

1. hxxp://angeloelacicca.altervista.org/kcprVD.exe
2. hxxp://www.dalcin.it/d2sqx.exe
3. hxxp://geeksleaks.com/h0L7.exe
Gameover installs itself as %APPDATA%\Qaajda\okubha.exe and had the following file properties:

File: okubha.exe
MD5: e1b3e6a075ac40ff5ecc8c37d3bbced4
Size: 309,760 bytes
Time-Stamp: 2013-02-05 20:09:27
This Gameover Zeus variant posts to a dropzone at 99.109.198.196:21961. Webinjects were downloaded from 174.110.150.207:23173. The Gameover variant had a botid of “citif14”.

The following P2P drones (peer addresses) were found embedded inside the Gameover Zeus payload:


Action Required – Time Sensitive Material (Detma.org)

We analyzed the following malicious attachment used in the Detma.org themed spam of February 12, 2013:

Spam Subject:
Action Required – Time Sensitive Material

From Address:
"Unemployment Assistance@detma.org" <info@detma.org>

Spam Template:

Action Required

File: case#95648678394857345~93245725793248.zip
MD5: dd28a6cc3df2b1608dc15a4b397013b4
Size: 102,170 bytes

Pony downloader posts to its dropzone at hxxp://carmine.warsheet.com/forum/viewtopic.php, hosted at IP address 174.122.102.165. It was also configured to download 3 Gameover Zeus payloads from the following locations:
1. hxxp://seunig.de/L5Fvb.exe
2. hxxp://limitedltd.be/CtSfQca3.exe
3. hxxp://visiterlareunion.fr/3gyrJ8B8.exe
Gameover installs itself as %APPDATA%\Ixra\osso.exe and had the following file properties:

File: oss.exe
Size: 309,760 bytes
MD5: 93e6daf13f5239af3d7a44ecfee1b3c5
Time-Stamp: 2013-02-05 20:09:27
This Gameover Zeus variant posts to a dropzone at 180.251.247.89:12043. Webinjects were downloaded from 95.137.226.107:12656. The Gameover variant had a botid of “bofaf12” and cid of 5555.

The following P2P drones (peer addresses) were found embedded inside the installed Gameover Zeus payload:


ADP Recent Transaction

We analyzed the following malicious attachment used in the ADP themed spam of February 07 & 08, 2013:

Spam Template:

We were unable to process your recent transaction. Please verify your details and try again.
If the problem persists, contact us to complete your order.

Transaction details are shown in the attached file.

Reference #239814359000

This e-mail has been sent from an automated system.
PLEASE DO NOT REPLY.

The information contained in this message may be privileged, confidential and protected from disclosure. If the reader of this message is not the intended recipient, or an employee or agent responsible for delivering this message to the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this communication in error, please notify your representative immediately and delete this message from your computer. Thank you.

Attachment:

File: ADP – Recent Transaction
MD5: c8b3ea47a1f2080dbede84a9f7940de7
Size: 131,584 bytes

Pony downloader posts to its dropzone at hxxp://archiv.social-neos.eu/ponyb/gate.php. It was also configured to download 3 Gameover Zeus payloads from the following locations:

1. hxxp://84.1.156.73/KhCt.exe
2. hxxp://plcontractors.co.uk/UWcZzRs.exe
3. hxxp://k3security.co.za/tMDrS.exe

Gameover installs itself as %APPDATA%\Ybna\unyfl.exe and had the following file properties:

File: ylkas.exe
Size: 359,936 bytes
MD5: 53cf45f6ab62b633393924b86b6c8d76
Time-Stamp: 2013-02-05 20:09:27
Company Name: Microsoft Corporation
File Description: Microsoft Windows Setup Utility
File Version: 9.00.00.4503
Internal Name: a6ize
Legal Copyright: (C) Microsoft Corporation. All rights reserved.
Original Filename: a6ize
Product Name: Microsoft(R) Windows Media Player
Product Version: 9.00.00.4503

This Gameover Zeus variant posts to a dropzone at 180.251.247.89:12043. Webinjects were downloaded from 99.76.3.38:11350. The Gameover variant had a botid of “dotmanf8”.

The following P2P drones (peer addresses) were found embedded inside the installed Gameover Zeus payload:


ADP Security Management Update

We analyzed the following malicious URL used in the ADP themed spam of June 28/29, 2012:

hxxp://web.abmes.org.br/EiqyDBxS/index.html

ADP Security Update

The spam sample we analyzed was sent from 95.41.229.91 – a known Cutwail spambot.

This malicious page contained 4 javascripts as shown below:

<script type="text/javascript" src="hxxp://firmowa.malopolska.pl/WVfNMNHn/js.js"></script>
<script type="text/javascript" src="hxxp://egerak.ipislam.edu.my/vp0BYhy2/js.js"></script>
<script type="text/javascript" src="hxxp://humas.poltek-malang.ac.id/w28K6pb6/js.js"></script>

These malicious scripts eventually redirect the victim to a Blackhole exploit kit at 173.255.228.171.

This Blackhole exploit kit was hosting at least 14 different malicious payloads. Detected malware payloads identified by MD5 hash included the following:


All of these binaries appear, upon initial inspection, to be Pony downloaders.
Pony downloader posts to its dropzone at hxxp://182.23.41.18/pony/gate.php and also downloads 3 identical Gameover Zeus payloads from the following locations:

1. hxxp://ftp.fundwaysofmo.com/pdqPv.exe
2. hxxp://www.artevoz.com.br/9D0JP.exe
3. hxxp://diclebaliksepeti.com/fJoqfYi.exe

ADP Funding Notification – Debit Draft

We've been quiet recently, but we haven't stopped our work. Behind the scenes we've been developing some new tools and techniques that we hope will enable us to more efficiently track the bad guys. We used some of these new tools and techniques in our analysis of a new spam run today that spoofed communications from ADP. We observed spam messages with the subject line “ADP Funding Notification – Debit Draft”. The spam sample we analyzed was sent from 78.96.173.243 – a known Cutwail spambot.

The link in this message directed victims to junnioreadriano.com.br/MZ0PnMj5/index.html. Note that our bad guys are still using the same /8-random-character/index.html pattern. This page contained the following two malicious JavaScript redirectors:

http://ftp.leocardz.com/BhSFTbq9/js.js
http://www.webondemand.altervista.org/V4uags9T/js.js

These JavaScript redirectors send victims to a Blackhole exploit kit at 50.116.38.183. This Blackhole exploit kit was hosting at least 9 different malicious payloads. Detected malware payloads identified by MD5 hash included the following:


All of these binaries appear, upon initial inspection, to be Pony downloaders.
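As a defender-side illustration of the chain documented in the 950 Euro section above and in this section (an added example, not code from the original report), the following Python script classifies proxy log lines by the URL-path patterns the report shows (/info1.html, /<8 random chars>/index.html, /<8 random chars>/js.js, the Blackhole landing path, the Pony check-in POST and the short random .exe name) and correlates them per client. The log format, hostnames and client addresses are constructed placeholders, not values from the report.

```python
import re
from urllib.parse import urlsplit

# Ordered URL-path signatures for the chain the report describes: spam link ->
# /info1.html or /<8 chars>/index.html -> /<8 chars>/js.js -> Blackhole landing
# -> Pony check-in (POST) -> Gameover Zeus payload fetch (short random .exe name).
STAGES = [
    ("redirect-page",     {"GET"},  re.compile(r"^/info1\.html$|^/[A-Za-z0-9]{8}/index\.html$")),
    ("js-redirector",     {"GET"},  re.compile(r"^/[A-Za-z0-9]{8}/js\.js$")),
    ("blackhole-landing", {"GET"},  re.compile(r"/news/wanting_book_switch\.php$")),
    ("pony-checkin",      {"POST"}, re.compile(r"/(?:forum/viewtopic\.php|ponyb?/gate\.php)$")),
    ("payload-fetch",     {"GET"},  re.compile(r"^/[A-Za-z0-9]{4,8}\.exe$")),
]
# Stages specific enough to alert on alone; the others only count in combination.
STRONG = {"blackhole-landing", "pony-checkin"}

# Constructed sample proxy log ("client method url"); hosts are placeholders, not the report's.
SAMPLE_LOG = """\
10.0.0.5 GET http://compromised-site.test/info1.html
10.0.0.5 GET http://ek-host.test/news/wanting_book_switch.php
10.0.0.5 GET http://ek-host.test/news/wanting_book_switch.php?tsltj=1l:30:1l:32:32&gmon=3j
10.0.0.5 POST http://dropzone.test:8080/forum/viewtopic.php
10.0.0.5 GET http://payload-host.test/AbCd12.exe
10.0.0.9 GET http://landing.test/Q7vLm2Xa/index.html
10.0.0.9 GET http://redirector.test/Kd93PwZt/js.js
10.0.0.9 POST http://dropzone.test/ponyb/gate.php
10.0.0.7 GET http://forum.test/forum/viewtopic.php?t=42
10.0.0.7 GET http://cdn.test/static/js.js
10.0.0.7 GET http://intranet.test/setup.exe
"""

def classify(method, url):
    """Return the chain stage a single request matches, or None."""
    path = urlsplit(url).path          # query string is ignored on purpose
    for name, methods, pattern in STAGES:
        if method in methods and pattern.search(path):
            return name
    return None

def correlate(log_text):
    """Collect the distinct stages each client hit, in first-seen order."""
    hits = {}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue                   # skip malformed lines
        client, method, url = parts
        stage = classify(method, url)
        if stage is None:
            continue
        stages = hits.setdefault(client, [])
        if stage not in stages:
            stages.append(stage)
    return hits

def verdict(stages):
    """'infected' on any strong stage, 'suspicious' on two weak ones, else 'benign'."""
    if any(s in STRONG for s in stages):
        return "infected"
    return "suspicious" if len(stages) >= 2 else "benign"

def report(log_text):
    """Map every client that touched any stage to its verdict."""
    return {client: verdict(stages) for client, stages in correlate(log_text).items()}
```

A lone random-looking .exe download (client 10.0.0.7) stays benign; it only becomes meaningful after a landing page or check-in from the same client.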

Twitter received a request to reset the password for your account.

We analyzed the following malicious URL used in the Twitter themed spam of May 17, 2012:

hxxp://lakshmiparthasarathyathreya.com/nwFzPsjZ/index.html

Twitter - Reset Password

This malicious page contained 4 javascripts as shown below:

<script type="text/javascript" src="hxxp://www.houard.eu/D2ec6Q6S/js.js"></script>
<script type="text/javascript" src="hxxp://egerak.ipislam.edu.my/vp0BYhy2/js.js"></script>
<script type="text/javascript" src="hxxp://hardinggraphics.com/ZRRV8K9w/js.js"></script>
<script type="text/javascript" src="hxxp://portaldomarmoreegranito.com.br/69zecvvX/js.js"></script>

These malicious scripts eventually redirect the victim to a Blackhole exploit kit at hxxp://69.194.192.218/showthread.php?t=d7ad916d1c0396ff.

The Blackhole kit first drops Pony from the following location:

hxxp://69.194.192.218/q.php?f=ba33e&e=4
File: readme.exe
MD5: cc696f9ac857c59be3940791f1dfa9c1
Size: 99,808 bytes

Pony downloader posts to its dropzone at hxxp://50.57.121.196/pony/gate.php. It was also configured to download 2 identical Gameover Zeus payloads from the following locations:

1. hxxp://hosting1554269.az.pl/j5EGyoC.exe
2. hxxp://spiritfinancial.net/JqLBEaNt.exe

Gameover installs itself as %APPDATA%\Micyu\viunbu.exe and had the following file properties:

MD5: 1a518087bc0cbc1efd869012b2b1a7bd
Size: 305,120 bytes
Timestamp: 2010:10:29 20:57:49+02:00
Signature: This file is digitally signed by ‘gHA6’
Certificate Validity: 05/16/2012 to 01/01/2040

This Gameover Zeus variant posts to a dropzone at 189.78.66.155:29620. Webinjects were downloaded from 87.23.103.64:19802. The Gameover variant had a botid of “NRm18”.

As we have been seeing for the past few weeks, the Pony downloader and Gameover Zeus payloads share the same file properties, indicating that both payloads were built by the same group/people, around the same time(?):

Signature: This file is digitally signed by ‘gHA6’
Certificate Validity: 05/16/2012 to 01/01/2040
Company Name: bhq93888888888 Corporation
File Description: CTF Loader
Internal Name: CTFMON
Legal Copyright: © bhq93888888888 Corporation. All rights reserved.
Original Filename: CTFMON.EXE
Product Name: bhq93888888888® Windows® Operating System
Product Version: 6.1.7600.16385
Ole Self Register: D

Zeus v2.0.8.9 being rolled out on IRS themed spam

We analyzed the following malicious attachment, distributed with IRS themed spam on May 14, 2012:

Name: Plexer_Order-z9284
MD5: e807511362923762da627599daeeba65
Size: 2,154,749 bytes
Content: Plexer_Order-z9284.exe

This zip archive contained the following malicious dropper:

Name: Plexer_Order-z9284.exe
MD5: 3c8b1a1c45fbb93e93dbde75795c21bd
Size: 2,184,348 bytes
Timestamp: 1970:01:01 01:00:49+01:00
Company Name: NEW ORDER 2012 FOR VIEW PLEXR
File Description: Win32 Cabinet Self-Extractor
File Version: 9.00.8112.16421 (WIN7_IE9_RTM.110308-0330)
Internal Name: Wextract
Legal Copyright: © Microsoft Corporation. All rights reserved.
Original Filename: WEXTRACT.EXE .MUI
Product Name: Plexer Order Viewer 2012
Product Version: 56.0.89.3
Comments: NEW VERSION ORDER 2012 FOR VIEW PLEXR
Website: http://www.avira.com
Packager: Xenocode Postbuild 2009 for .NET Beta
Packager Version: 7.0.162

This dropper first installs Google Talk on the system and brings the Google Talk window to the front of the desktop. Behind the scenes, it installs Zeus v2.0.8.9. Zeus was installed in %APPDATA%/[random]/emta.exe and had the following file properties:

Name: emta.exe
MD5: bbdeabff13e565e187e0e85fcb1e732f
Size: 95,744 bytes
Timestamp: 2011:07:27 04:06:30+02:00

Like a standard Zeus build, it first downloads a configuration file consisting of the target list and webinjects from:

hxxp://kmginsights.com/upload/LoadhandlerImages_/y/config.bin

The Zeus dropzone was also running on the same domain at:

hxxp://kmginsights.com/upload/LoadhandlerImages_/y/gate.php

This Zeus controller was running on a compromised website belonging to KMG INSIGHTS, which offers a complete line of marketing, technology and organizational consulting services.

Russian, Spanish, Italian and UK banks and financial institutions were the targets of this Zeus controller.