Fwd: Re: Security update for banking accounts

We were able to track down the ACH/Wire-themed spam referred to in our “Next Day Malware” post. The observed sample had the following text:

Dear Online Account Operator,
Your ACH transactions have been
temporarily disabled.
View details

Best regards,
Security department


This sample was sent from the IP address This IP is apart of a Cutwail spambot.

The ‘View details’ text contained a hyperlink to hxxp://www[.]weight-losstoday[.]com/wp-content/themes/illustration-too-10/nacha-index.htm. This html page contained an iframe to hxxp://cgunikqakklsdpfo[.]ru:8080/img/?promo=nacha.

Note the exploit kit at cgunikqakklsdpfo[.]ru. This is the same kit we saw mentioned in our “Next Day Malware” post.

Victims were then redirected to fedikankamolns[.]ru, where they downloaded a Bugat/Feodo banking trojan with the MD5 286918DE8BEE1CACD3A1089076C3DE45. This sample was only detected by 3 of 43 AV vendors on VirusTotal.

This Bugat/Feodo variant retrieved its configuration file/target list via the following POST request to hjpyvexsutdctjol[.]ru:

POST /rwx/B1_3n9/in/ HTTP/1.1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)
Host: hjpyvexsutdctjol[.]ru:8080
Content-Length: 109
Connection: Keep-Alive
Cache-Control: no-cache

Yeah, we know … this is identical to the DHL and FedEx spam runs documented in our earlier post.

What we found interesting about the NACHA spam was that it leveraged the legitimate nacha.org site in its social engineering efforts. The exploit kit at cgunikqakklsdpfo[.]ru appears to pull content from the legitimate http://www.nacha.org website and dynamically assemble the phishing page below.

Note the inclusion of a malicious link to a fake transaction report. That link points to hxxp://cgunikqakklsdpfo[.]ru:8080/img/?file=report-ACH782316225975342US.exe. As you recall from our “Next Day Malware” post the sample hosted at this location has an MD5 of 82c95751e71c829b09fef4166a749e67 – the same hash used in the DHL and FedEx spam runs.

It seems that the bad guys set this page up as a fallback in the case that visitors are not vulnerable to the exploits packaged in the exploit kit at cgunikqakklsdpfo[.]ru. Those users that are patched may still fall victim to this clever social engineer lure.


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: