United Postal Service Tracking Number H7614058739

Most of the spam cannons that we follow go quiet on the weekends, so let's take a look at a sample that we picked up on Friday 2012-02-24. This spam spoofed communications from UPS.

We noted that at least one spam sample from this UPS campaign was sent from a bot at This particular IP is part of a known Grum spambot.

Attached to this sample was a file named “UPS-NR954wi27683.htm”. This HTML file contained malicious JavaScript that redirected victims to a Blackhole Exploit Kit at cgoosjjdopola[.]ru. The kit probed victims for a series of potential vulnerabilities, pushing malicious .swf, .pdf, and .jar files to the victim's browser.

Vulnerable computers were then instructed to download a Bugat/Feodo banking trojan from sumgankorobanns[.]ru via a GET request to sumgankorobanns[.]ru:8080/images/jw.php?i=10. The downloaded Bugat/Feodo payload had the following properties:

File: gsxohsapcpklkti.exe
Size: 73216
MD5: c6d7b68ee00085702f7f6aafb03ca559

Both cgoosjjdopola[.]ru and sumgankorobanns[.]ru were hosted on the same fast-flux botnet we observed in our previous post “Rejection of your tax appeal“. These domains resolved to the following IP addresses (a number of which were observed in our previous post):

We had a little time on our hands today, so we decided to poke around the Blackhole Kit at sumgankorobanns[.]ru and see if it hosted any other goodies. We found that this kit hosted the same Bugat/Feodo payload (c6d7b68ee00085702f7f6aafb03ca559) at every index between jw.php?i=1 and jw.php?i=18.

This Bugat/Feodo variant first attempts to connect to a command and control server at hjpyvexsutdctjol[.]ru. During testing this control server returned a “500 Internal Server Error”. The variant then connects to a secondary control server at wfyusepaxvulfdtn[.]ru via a POST request to wfyusepaxvulfdtn[.]ru:8080/rwx/B1_3n9/in/. This POST request returned a configuration file, which instructed the Bugat/Feodo variant to hijack account credentials for approximately 300 banking websites.

If the /rwx/B1_3n9/in/ path looks familiar to you it should. Recall our previous post “Rejection of your tax appeal” where we saw a different Bugat/Feodo variant pull down its configuration file from hjpyvexsutdctjol[.]ru:8080/rwx/B2_9w3/in/.

Hrm, the Bugat/Feodo variant dropped by the UPS spam also tried to connect to the control server at hjpyvexsutdctjol[.]ru. However, the UPS Bugat/Feodo variant was configured to download its configuration file from /rwx/B1_3n9/in/ instead of /rwx/B2_9w3/in/. Perhaps the /B1 and /B2 path variations are used by the bad guys to track different spam and malware distribution campaigns.

The current control server at wfyusepaxvulfdtn[.]ru also dropped an additional bit of love. Appended to the configuration file downloaded from wfyusepaxvulfdtn[.]ru:8080/rwx/B1_3n9/in/ was a secondary malware payload identified as Heap. This Heap variant had the following properties:

File: POS1B.tmp
Size: 118272
MD5: 64BE90378FC40117EA93DFB8FA5AEC92

This Heap variant scans the victim machine for email addresses. These email addresses are harvested and then sent to a control server over port 20050. Communications from the Heap variant to the control server at were encoded with a standard base64 alphabet.

If you want to know whether you're infected by Bugat/Feodo, you can do the following simple checks on your local machine. First, Bugat/Feodo is almost always installed in the following location on your filesystem: C:\Documents and Settings\Administrator\Application Data\. Bugat/Feodo is installed as KB********.exe, where ******** is a series of 8 random digits unique to each victim computer. Additionally, the downloaded configuration file is stored in the clear in the victim's registry at HKEY_CURRENT_USER\Software\Microsoft\Windows Media Center\********. If you find either of these artifacts on your machine, you're probably infected.
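As an added example (not code from the original post), here is a PowerShell script that performs the two host checks just described. It assumes PowerShell 4 or later (for Get-FileHash), that the eight random characters are digits as described above, and it uses $env:APPDATA in place of the hard-coded Administrator profile path so it also fits post-XP profile layouts.

```powershell
# Added example, not code from the original post. Hunts for the two
# Bugat/Feodo host artifacts described above. Assumes PowerShell 4+
# (Get-FileHash) and that the 8 random characters are digits.

$indicators = @()

# 1. KB########.exe in the roaming Application Data folder.
#    The post names C:\Documents and Settings\Administrator\Application Data\;
#    $env:APPDATA is the same folder for whichever user runs the script.
$appData = $env:APPDATA
if (Test-Path -Path $appData) {
    $files = Get-ChildItem -Path $appData -Filter 'KB*.exe' -File -ErrorAction SilentlyContinue
    foreach ($f in $files) {
        if ($f.Name -match '^KB\d{8}\.exe$') {
            $md5 = (Get-FileHash -Path $f.FullName -Algorithm MD5).Hash
            $indicators += [pscustomobject]@{
                Type  = 'File'
                Value = $f.FullName
                Note  = "MD5=$md5 Size=$($f.Length)"
            }
        }
    }
}

# 2. Cleartext configuration under HKCU\Software\Microsoft\Windows Media Center\########.
#    The parent key can exist legitimately; only 8-digit subkeys are suspicious.
$regBase = 'HKCU:\Software\Microsoft\Windows Media Center'
if (Test-Path -Path $regBase) {
    $subKeys = Get-ChildItem -Path $regBase -ErrorAction SilentlyContinue
    foreach ($k in $subKeys) {
        if ($k.PSChildName -match '^\d{8}$') {
            $indicators += [pscustomobject]@{
                Type  = 'Registry'
                Value = $k.Name
                Note  = "$($k.ValueCount) value(s)"
            }
        }
    }
}

if ($indicators.Count -eq 0) {
    Write-Output 'No Bugat/Feodo host artifacts found.'
    exit 0
}
Write-Warning 'Possible Bugat/Feodo infection; review the artifacts below.'
$indicators | Format-Table -AutoSize
exit 1
```

Run it from the infected user's session, since the artifacts live in that user's profile folder and HKEY_CURRENT_USER hive; the MD5 it prints can be compared against the c6d7b68ee00085702f7f6aafb03ca559 sample above.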

What can brown do for you, you ask? Well, in this case it can infect you with a Bugat/Feodo banking trojan and a Heap email harvester.
