Notification of securities investigation against your company

Many spam cannons were firing today. We found an interesting sample spoofing communications from the Securities and Exchange Commission. The observed sample had the subject line “Notification of securities investigation against your company” and was sent from a bot with the IP address 216.172.162.140. This sample had the following text and pulled an SEC logo from www[.]compliancebuilding[.]com/wp-content/uploads/2010/06/sec-logo.png:

U.S. Securities and Exchange Commission

Dear customer,
Securities and Exchange Commission Whistleblower office has
received information about alleged misconduct at your company, including
Material misstatement or omission in a company's public filings or financial
statements, or a failure to file Municipal securities transactions or public
pension plans, involving such financial products as Real Estate.
Failure to provide feedback to this complaint within 14 day period will
result in Securities and Exchange Commission investigation against your
company. You can obtain the complaint details in U.S. Securities and
Exchange Commission Tips, Complaints, and Referrals portal under the
following link:

Complaint details

SEC Office
100 F Street NE
Mail Stop 5971
Washington, DC 20549
Fax: (703) 813-9322

This sample contained a link to ftp[.]doers[.]com[.]br/eCPYfXi6/index.html. That page contained the following JavaScript redirectors:

hxxp://bragafitness[.]hospedagemdesites[.]ws/qrMFwG1u/js.js
hxxp://bwsjw[.]99k[.]org/jHgw9JQQ/js.js
hxxp://anny[.]cl/G4j1iRCp/js.js
hxxp://autoserviciorubiano[.]com/KfwwD6S2/js.js

Each of these JavaScript redirectors contains the following document.location statement, which sends victims to a Blackhole Exploit Kit at campinghold[.]com:

document.location='http://campinghold[.]com/search.php?page=d44175c6da768b70';

Vulnerable victims then downloaded a Pony Downloader variant from hxxp://campinghold[.]com/d.php?f=29651&e=1. This binary had the following properties:

File: info.exe
Size: 94720
MD5: A65EA4CB7683692CA28C6901959A99A8

Unfortunately, this binary was only detected by 2 of 41 AV vendors on VirusTotal.com. This Pony downloader variant was configured to POST stolen FTP credentials to the following drop zones:

hxxp://campinghold[.]com/pony/gate.php
hxxp://campingshelf[.]com/pony/gate.php
hxxp://favoriteleague[.]com/pony/gate.php
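The three web stages described above (the Blackhole landing page, the d.php payload fetch and the Pony gate.php drop zones) each have a recognisable URL shape. The following is an added example, not code from the original post, that scans proxy log lines for those shapes and separates hits on the domains named here from hits that only match the structure; the log format (client, method, URL per line) and the sample lines are assumptions constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Indicator patterns generalised from the campaign above: each regex matches the
# URL structure of one stage rather than a single observed URL, so related
# infrastructure using the same kit layout is also flagged.
STAGES = [
    ("blackhole_landing", "GET", re.compile(r"^/search\.php\?page=[0-9a-f]{16}$")),
    ("blackhole_payload", "GET", re.compile(r"^/d\.php\?f=\d+&e=\d+$")),
    ("pony_gate", "POST", re.compile(r"^/pony/gate\.php$")),
]
# Domains named in the write-up (defanging brackets removed for matching).
KNOWN_HOSTS = {"campinghold.com", "campingshelf.com", "favoriteleague.com"}

def classify(method, url):
    """Return (stage, host) when a request matches a known stage, else None."""
    parts = urlsplit(url)
    path = parts.path + ("?" + parts.query if parts.query else "")
    for stage, want_method, pattern in STAGES:
        if method == want_method and pattern.match(path):
            return stage, parts.hostname
    return None

def scan_log(lines):
    """Scan 'client method url' proxy lines. 'known_host' = indicator from the
    write-up; 'pattern_only' = URL structure matched (likely related infra)."""
    hits = []
    for line in lines:
        try:
            client, method, url = line.split()
        except ValueError:
            continue  # skip malformed lines rather than abort the scan
        found = classify(method, url)
        if found:
            stage, host = found
            conf = "known_host" if host in KNOWN_HOSTS else "pattern_only"
            hits.append({"client": client, "stage": stage, "host": host, "confidence": conf})
    return hits

# Constructed sample log (not captured traffic); only the domains come from the write-up.
SAMPLE_LOG = [
    "10.0.0.5 GET http://campinghold.com/search.php?page=d44175c6da768b70",
    "10.0.0.5 GET http://campinghold.com/d.php?f=29651&e=1",
    "10.0.0.5 POST http://campinghold.com/pony/gate.php",
    "10.0.0.7 POST http://example.invalid/pony/gate.php",
    "10.0.0.9 GET http://example.invalid/search.php?page=index",
]

if __name__ == "__main__":
    print(scan_log(SAMPLE_LOG))
```

The last sample line does not match because Blackhole page identifiers are 16 hex characters, which keeps ordinary search.php pages out of the results.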

Further, the Pony downloader then grabbed Gameover Zeus banking trojans from the following locations:

hxxp://ftp[.]geaevents[.]com/b5AZK.exe
hxxp://HardDiskKurtarma[.]com[.]tr/rC0Vd2.exe
hxxp://tiengo[.]com[.]br/91RL7Cz.exe
hxxp://newbie-training-videos[.]com/cmtW5.exe
hxxp://ftp[.]sergiofahrer[.]com[.]br/MUrFH4K.exe

These Gameover Zeus variants were all identical and had the following properties:

Size: 294912
MD5: 3FCF95CD338E38320F56C82F580D7D76

This Gameover variant is detected by 8 of 43 AV vendors on VirusTotal.com.

This Gameover variant also had a botid of “ppc24”. Like other Gameover variants, it was configured to steal online banking credentials. This variant then sent stolen credentials to 66.240.67.222 over port 12584.
