Triple Barrel Spam Cannon


Our spammer friends started their week with an early morning spam run. We observed three different spam campaigns in action today, all using the same infrastructure and all dropping the same Bugat/Feodo banking trojan.

The bad guys used the same modus operandi they've come to rely on. Their spam messages contained links to hacked websites, primarily WordPress blogs. These hacked sites hosted malicious JavaScript that redirected victims to an exploit kit, which in turn dropped a Bugat/Feodo payload.

The different campaigns were easily identifiable via the URL paths used on the hacked websites.

  • IRS-themed spam used a URL path of /fgallery/rep.html or just /rep.html. Check out a Wepawet report from an IRS-spam sample here.
  • AICPA-themed spam used a URL path of /fgallery/astro.html or just /astro.html. Check out a Wepawet report from an AICPA-spam sample here.
  • BBB-themed spam used a URL path of /fgallery/brena.html or just /brena.html. Check out a Wepawet report from a BBB-spam sample here.

All of the observed samples redirected victims to an exploit kit at hxxp://110hobart[.]com.

110hobart[.]com currently resolves to 76.12.101.172. The domain points to only one IP address, but its A record has a TTL of 900 seconds. That short TTL is consistent with the fast-flux hosting we have seen behind the other exploit kits used in associated spam campaigns, though on its own it is a weak indicator: plenty of legitimate sites publish a single A record with a 15-minute TTL, and fast-flux proper shows many IPs rotating behind the name with TTLs of a few minutes or less, so watch the answer set over time before calling it. Further investigation of 110hobart[.]com shows that it has 4 NS records:

  • ns1.hiring-decisions.com
  • ns2.hiring-decisions.com
  • ns1.grapecomputers.net
  • ns2.grapecomputers.net

Our guess is that these nameservers are serving other malicious domains. We can use the “swiss army knife” over at Robtex to validate that assumption. Indeed, Robtex proves our intuition correct and shows that the following domains also use these nameservers:

  • energirans[.]net
  • hapturing[.]net
  • housespect[.]net
  • synergyledlighting[.]net
  • synetworks[.]net

Have we seen any of these domains before? We sure have! The domain energirans[.]net hosted an exploit kit used in a previous AICPA spam run documented here. Jsunpack tells us that hapturing[.]net is also bad. Conrad over at Dynamoo’s Blog notes that housespect[.]net and synetworks[.]net are bad as well. And yes, you guessed it, synergyledlighting[.]net also stinks; Wepawet tells us more here.
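The nameserver pivot above is mechanical enough to script. The example below is added here and is not code or data from the original post: it inverts a domain-to-NS table into an NS-to-domain index, walks it from a seed domain to every other domain sharing one of its nameservers, and scores the two fast-flux signals (short TTL, many A records) separately so a short TTL alone is not over-read. The record set is constructed: the domains and nameservers are the ones named in this post (written without [.] defanging so they compare cleanly), but the NS assignments of the sibling domains, and every IP and TTL other than 110hobart.com's, are placeholders. In practice you would fill DNS_RECORDS from a passive-DNS source or live lookups.

```python
"""
Pivot from a seed domain to the other domains its nameservers serve, and
check the two classic fast-flux signals separately.

Added example, not code from the original post. DNS_RECORDS is a constructed
dataset: names are from the post, but sibling-domain NS assignments and all
IPs/TTLs except 110hobart.com's are placeholders (assumptions).
"""
from collections import defaultdict

# Constructed dataset: domain -> (nameservers, A records, TTL in seconds).
DNS_RECORDS = {
    "110hobart.com": (
        {"ns1.hiring-decisions.com", "ns2.hiring-decisions.com",
         "ns1.grapecomputers.net", "ns2.grapecomputers.net"},
        ["76.12.101.172"], 900),                        # as observed in the post
    "energirans.net": ({"ns1.hiring-decisions.com", "ns2.hiring-decisions.com"},
                       ["198.51.100.10"], 300),         # placeholder NS split/IP/TTL
    "hapturing.net": ({"ns1.hiring-decisions.com", "ns2.hiring-decisions.com"},
                      ["198.51.100.11"], 300),
    "housespect.net": ({"ns1.grapecomputers.net", "ns2.grapecomputers.net"},
                       ["198.51.100.12"], 300),
    "synergyledlighting.net": ({"ns1.grapecomputers.net", "ns2.grapecomputers.net"},
                               ["198.51.100.13"], 300),
    "synetworks.net": ({"ns1.hiring-decisions.com", "ns1.grapecomputers.net"},
                       ["198.51.100.14"], 300),
    # Unrelated control domain on different nameservers; must never be returned.
    "example.org": ({"a.iana-servers.net", "b.iana-servers.net"},
                    ["198.51.100.99"], 86400),
}


def build_ns_index(records):
    """Invert the table: nameserver -> set of domains it is authoritative for."""
    index = defaultdict(set)
    for domain, (nameservers, _ips, _ttl) in records.items():
        for ns in nameservers:
            index[ns].add(domain)
    return index


def pivot_on_nameservers(seed, records):
    """Return {domain: nameservers shared with seed} for every other domain
    that shares at least one authoritative nameserver with the seed."""
    index = build_ns_index(records)
    related = defaultdict(set)
    for ns in records[seed][0]:
        for domain in index.get(ns, ()):
            if domain != seed:
                related[domain].add(ns)
    return dict(related)


def fast_flux_indicators(domain, records, ttl_threshold=900, min_ips=3):
    """Score the two fast-flux signals independently. A short TTL by itself is
    weak evidence (CDNs and load balancers use short TTLs too); a large,
    rotating set of A records behind one name is the stronger signal."""
    _ns, ips, ttl = records[domain]
    return {"short_ttl": ttl <= ttl_threshold, "many_ips": len(set(ips)) >= min_ips}


if __name__ == "__main__":
    seed = "110hobart.com"
    print("fast-flux signals for %s: %s" % (seed, fast_flux_indicators(seed, DNS_RECORDS)))
    for domain, shared in sorted(pivot_on_nameservers(seed, DNS_RECORDS).items()):
        print("%-24s shares %s" % (domain, ", ".join(sorted(shared))))
```

Run as-is it lists the five sibling domains with the nameservers each shares with 110hobart.com and skips the control domain; the indicator dict for the seed comes back with short_ttl true and many_ips false, which is exactly the "one IP, 900 second TTL" situation discussed above.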

The IRS, AICPA, and BBB spam runs seen today all ultimately instructed victims to download a Bugat/Feodo banking trojan from hxxp://110hobart[.]com/w.php?f=cc677&e=1. The payload had an MD5 of 2dbe5c4303672f256886ed27c92e97be and was detected by 9 of 43 AV vendors on VirusTotal.

This Bugat/Feodo sample retrieved a configuration file/target list from a command and control server at hjpyvexsutdctjol[.]ru:8080 via the following POST request:

POST /rwx/B2_9w3/in/ HTTP/1.1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)
Host: hjpyvexsutdctjol[.]ru:8080
Content-Length: 97
Connection: Keep-Alive
Cache-Control: no-cache

We haven't yet examined the configuration file/target list in detail, but we're confident that it targets the same 300+ financial institutions that we've seen in previous Bugat/Feodo configs.
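The indicators in this post map cleanly onto the infection chain, so here is an added example (not code from the original post) that tags proxy-log entries with the stage they belong to: the campaign landing pages on the hacked sites (the IRS/AICPA/BBB paths listed earlier), the exploit kit and the w.php payload download on 110hobart[.]com, and the Bugat/Feodo check-in to hjpyvexsutdctjol[.]ru:8080. The log lines are constructed in a simple tab-separated layout (time, client, method, URL, User-Agent) standing in for a real proxy log, so parse_line() is the one function to adapt. Assumptions beyond what the post shows: the exploit-kit landing path in the sample log is a placeholder, the C2 path regex generalizes the single observed path /rwx/B2_9w3/in/, and the User-Agent comparison is only used to annotate a hit, not to gate it.

```python
"""
Tag proxy-log entries with the stage of the spam -> hacked site -> exploit
kit -> payload -> C2 chain described in the post.

Added example, not code from the original post. Indicator hosts and paths are
taken from the post (written undefanged so they match); the sample log, the
exploit-kit landing path in it, and the C2 path regex are constructed/assumed.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Landing pages on the hacked WordPress sites, keyed by file stem (from the post).
LANDING_CAMPAIGNS = {"rep": "IRS", "astro": "AICPA", "brena": "BBB"}
LANDING_RE = re.compile(r"^(?:/fgallery)?/(rep|astro|brena)\.html$")

EXPLOIT_KIT_HOST = "110hobart.com"                  # exploit kit + payload host (from the post)
C2_HOST, C2_PORT = "hjpyvexsutdctjol.ru", 8080      # Bugat/Feodo C2 (from the post)
# Assumption: other check-ins keep the observed "/<dir>/<dir>/in/" shape.
C2_PATH_RE = re.compile(r"^/[\w-]+/[\w-]+/in/$")
FEODO_UA = "Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)"  # from the post

# Constructed proxy log: time, client, method, URL, User-Agent (tab-separated).
SAMPLE_LOG = [
    "08:01:02\t10.0.0.5\tGET\thttp://hacked-blog.example/fgallery/rep.html\tMozilla/5.0 (Windows NT 6.1) Firefox",
    "08:01:03\t10.0.0.5\tGET\thttp://110hobart.com/index.php\tMozilla/5.0 (Windows NT 6.1) Firefox",  # placeholder EK path
    "08:01:05\t10.0.0.5\tGET\thttp://110hobart.com/w.php?f=cc677&e=1\tMozilla/5.0 (Windows NT 6.1) Firefox",
    "08:01:09\t10.0.0.5\tPOST\thttp://hjpyvexsutdctjol.ru:8080/rwx/B2_9w3/in/\t" + FEODO_UA,
    "08:02:00\t10.0.0.9\tGET\thttp://another-blog.example/astro.html\tMozilla/5.0 (Windows NT 6.1) Firefox",
    "08:02:30\t10.0.0.9\tGET\thttp://www.example.org/index.html\tMozilla/5.0 (Windows NT 6.1) Firefox",
]


def parse_line(line):
    """Split one constructed log line into its fields and decompose the URL."""
    ts, client, method, url, ua = line.rstrip("\n").split("\t", 4)
    parts = urlsplit(url)
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return {"ts": ts, "client": client, "method": method, "host": parts.hostname,
            "port": port, "path": parts.path, "query": parse_qs(parts.query), "ua": ua}


def classify(entry):
    """Return (stage, detail) for an entry that matches an indicator, else None."""
    m = LANDING_RE.match(entry["path"])
    if m:
        # Path-only matching is noisy on its own (/rep.html is a plausible legit
        # path); confirm with a follow-on hit to the exploit-kit host by the same client.
        return ("landing", LANDING_CAMPAIGNS[m.group(1)])
    if entry["host"] == EXPLOIT_KIT_HOST:
        q = entry["query"]
        if entry["path"] == "/w.php" and "f" in q and "e" in q:
            return ("payload", "f=%s" % q["f"][0])
        return ("exploit_kit", entry["path"])
    if (entry["method"] == "POST" and entry["host"] == C2_HOST
            and entry["port"] == C2_PORT and C2_PATH_RE.match(entry["path"])):
        return ("c2", "ua_match" if entry["ua"] == FEODO_UA else "ua_mismatch")
    return None


def scan(lines):
    """Return (client, stage, detail, host) for every matching log line."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        tag = classify(entry)
        if tag:
            hits.append((entry["client"], tag[0], tag[1], entry["host"]))
    return hits


if __name__ == "__main__":
    for client, stage, detail, host in scan(SAMPLE_LOG):
        print("%-10s %-12s %-12s %s" % (client, stage, detail, host))
```

Against the sample log this yields a full landing, exploit_kit, payload, c2 sequence for 10.0.0.5 and a lone AICPA landing-page hit for 10.0.0.9; the latter is the case the comment in classify() warns about, where the path match alone should prompt a look for the follow-on exploit-kit request rather than an immediate verdict.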