Next Day Malware

On 2012-02-25 we looked at a spam sample spoofing communications from UPS. Today we’ll look at parallel campaigns spoofing DHL and FedEx. Apparently our spammer friends don’t like to play favorites 🙂

We retrieved a number of samples from each campaign. Observed FedEx samples had subject lines of “Fedex id. 624486” or “FedEx DELIVERY CONFIRMATION 4999298”, where the included transaction numbers vary by spam sample. Likewise, a DHL sample had the subject line “DHL id. 6686369”, where 6686369 appears to vary by spam specimen. We noted that two of the FedEx samples we examined were sent from and . Each of these IPs is part of a Cutwail spam botnet. While we weren’t able to trace the source IP of the sample we analyzed, we’re confident that it was also spewed by the same Cutwail botnet.

All of the FedEx and DHL spam samples we examined had .html file attachments. These .html files contained malicious JavaScript that redirected victims to an exploit kit at ciontooabgooppoa[.]ru. This domain resolves to the following IP addresses:

The domain ciontooabgooppoa[.]ru has an A record with a TTL of 60 seconds and appears to be hosted on fast-flux infrastructure similar to the fast-flux network discussed in our previous post “The Redret Connection”. However, none of the above IPs overlap with the IPs seen in our previous posts.
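The 60-second TTL plus rotating A records is the signature a defender can hunt for in passive-DNS data. The following script is an added example (not code from the original post) that scores each observed domain by its minimum TTL, the number of distinct IPs its A records returned, and how many distinct /24 networks those IPs span. The observations are constructed sample data and the IPs are documentation-range placeholders, not the addresses from the post; the thresholds are assumptions chosen so that a short TTL alone (normal for a CDN) does not trigger an alert.

```python
"""Fast-flux heuristic over passive-DNS observations (added example, not from the post).

Scores each domain by TTL and by how many distinct IPs and /24 networks its A
records span in an observation window. Records below are constructed sample data;
the IPs are documentation-range placeholders, not addresses from the post.
"""
from collections import defaultdict
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class DnsObservation:
    ts: int        # unix seconds when the answer was seen
    qname: str
    rtype: str
    rdata: str
    ttl: int


# Constructed sample: one low-TTL domain rotating across several /24s,
# one ordinary domain with a stable answer and a long TTL.
SAMPLE_OBSERVATIONS = [
    DnsObservation(1330214400, "ciontooabgooppoa.ru", "A", "192.0.2.10", 60),
    DnsObservation(1330214460, "ciontooabgooppoa.ru", "A", "198.51.100.7", 60),
    DnsObservation(1330214520, "ciontooabgooppoa.ru", "A", "203.0.113.99", 60),
    DnsObservation(1330214580, "ciontooabgooppoa.ru", "A", "192.0.2.10", 60),
    DnsObservation(1330214640, "ciontooabgooppoa.ru", "A", "203.0.113.4", 60),
    DnsObservation(1330214400, "example.org", "A", "198.51.100.250", 86400),
    DnsObservation(1330300800, "example.org", "A", "198.51.100.250", 86400),
    DnsObservation(1330214400, "example.org", "AAAA", "2001:db8::1", 86400),
]


def summarize(observations):
    """Per domain: minimum TTL, distinct A-record IPs, distinct /24 networks."""
    ttl = {}
    ips = defaultdict(set)
    nets = defaultdict(set)
    for o in observations:
        if o.rtype != "A":          # only IPv4 answers are scored here
            continue
        addr = ipaddress.ip_address(o.rdata)
        ttl[o.qname] = min(ttl.get(o.qname, o.ttl), o.ttl)
        ips[o.qname].add(str(addr))
        nets[o.qname].add(str(ipaddress.ip_network(f"{addr}/24", strict=False)))
    return {d: {"min_ttl": ttl[d], "ips": ips[d], "nets": nets[d]} for d in ttl}


def flag_fast_flux(summary, max_ttl=300, min_ips=3, min_nets=2):
    """Return {domain: [reasons]} for domains meeting all three heuristics.

    Thresholds are assumptions for this example: a short TTL alone is normal for
    CDNs, so a domain is only flagged when it also spreads across several IPs in
    more than one /24.
    """
    flagged = {}
    for domain, s in summary.items():
        reasons = []
        if s["min_ttl"] <= max_ttl:
            reasons.append(f"ttl={s['min_ttl']}s")
        if len(s["ips"]) >= min_ips:
            reasons.append(f"{len(s['ips'])} distinct IPs")
        if len(s["nets"]) >= min_nets:
            reasons.append(f"{len(s['nets'])} distinct /24s")
        if len(reasons) == 3:
            flagged[domain] = reasons
    return flagged


if __name__ == "__main__":
    for d, why in flag_fast_flux(summarize(SAMPLE_OBSERVATIONS)).items():
        print(f"possible fast-flux: {d} ({', '.join(why)})")
```

Run against a real passive-DNS export, the same three counters pick out the rotating .ru domains in this post while leaving long-TTL, single-answer domains alone; tune the thresholds to your own baseline before alerting on them.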

Vulnerable victims then download the same Bugat/Feodo banking trojan from fedikankamolns[.]ru:8080/images/jw.php?i=1 and fedikankamolns[.]ru:8080/images/jw.php?i=3. Both payloads have an MD5 of 82c95751e71c829b09fef4166a749e67 and are detected by only 2 of 42 AV vendors on VirusTotal. It’s worth noting that the sample uploaded to VirusTotal had the file name report-ACH121768812916532US.exe and was retrieved from hxxp://cgunikqakklsdpfo[.]ru:8080/img/?file=report-ACH121768812916532US.exe. We verified that a GET request to this URL did in fact return a Bugat/Feodo payload with an MD5 of 82c95751e71c829b09fef4166a749e67. This suggests that another ACH wire-themed spam campaign also redirected victims to the same exploit kit.

The fedikankamolns[.]ru and cgunikqakklsdpfo[.]ru domains resolved to the same IP addresses as the ciontooabgooppoa[.]ru domain seen above. We poked the exploit kit at fedikankamolns[.]ru and found that it hosted the following files, listed in the format URL, file size, MD5 hash:

  • fedikankamolns[.]ru:8080/images/jw.php?i=1 65536 82c95751e71c829b09fef4166a749e67
  • fedikankamolns[.]ru:8080/images/jw.php?i=2 65536 82c95751e71c829b09fef4166a749e67
  • fedikankamolns[.]ru:8080/images/jw.php?i=3 65536 82c95751e71c829b09fef4166a749e67
  • fedikankamolns[.]ru:8080/images/jw.php?i=4 65536 82c95751e71c829b09fef4166a749e67
  • fedikankamolns[.]ru:8080/images/jw.php?i=5 65536 82c95751e71c829b09fef4166a749e67
  • fedikankamolns[.]ru:8080/images/jw.php?i=6 65536 82c95751e71c829b09fef4166a749e67
  • fedikankamolns[.]ru:8080/images/jw.php?i=7 65536 82c95751e71c829b09fef4166a749e67
  • fedikankamolns[.]ru:8080/images/jw.php?i=8 65536 82c95751e71c829b09fef4166a749e67
  • fedikankamolns[.]ru:8080/images/jw.php?i=9 65536 82c95751e71c829b09fef4166a749e67
  • fedikankamolns[.]ru:8080/images/jw.php?i=10 65536 82c95751e71c829b09fef4166a749e67
  • fedikankamolns[.]ru:8080/images/jw.php?i=11 65536 82c95751e71c829b09fef4166a749e67
  • fedikankamolns[.]ru:8080/images/jw.php?i=12 65536 82c95751e71c829b09fef4166a749e67
  • fedikankamolns[.]ru:8080/images/jw.php?i=13 65536 82c95751e71c829b09fef4166a749e67
  • fedikankamolns[.]ru:8080/images/jw.php?i=14 65536 82c95751e71c829b09fef4166a749e67
  • fedikankamolns[.]ru:8080/images/jw.php?i=15 65536 82c95751e71c829b09fef4166a749e67
  • fedikankamolns[.]ru:8080/images/jw.php?i=16 65536 82c95751e71c829b09fef4166a749e67
  • fedikankamolns[.]ru:8080/images/jw.php?i=17 65536 82c95751e71c829b09fef4166a749e67
  • fedikankamolns[.]ru:8080/images/jw.php?i=18 65536 82c95751e71c829b09fef4166a749e67

The Bugat/Feodo variant with the MD5 82c95751e71c829b09fef4166a749e67 retrieved its configuration file/target list via a POST request to hjpyvexsutdctjol[.]ru:8080/rwx/B1_3n9/in/. Like you, I’m getting tired of seeing this control server in operation.
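The payload URLs, the ACH-themed download URL and the C2 POST path above are the indicators most useful for retro-hunting in web-proxy logs. The script below is an added example (not code from the original post) that refangs the post’s `[.]`-notation domains, parses a simple proxy log format, and reports any request whose host or URL path matches. The path patterns are generalised from the post’s URLs to any `jw.php?i=N` index and any `report-ACH<digits>US.exe` file name; the log format and log lines are constructed for the example, and the hash check shows how a retrieved sample would be compared against the post’s MD5.

```python
"""Match web-proxy log lines against the indicators from this post.

Added example, not from the original post. The domains, URL paths and MD5 are the
ones reported in the post; the log format and the log lines are constructed.
"""
import hashlib
import re
from urllib.parse import urlsplit

# Indicators copied from the post, defanged as written there.
IOC_DOMAINS = {
    "ciontooabgooppoa[.]ru",
    "fedikankamolns[.]ru",
    "cgunikqakklsdpfo[.]ru",
    "hjpyvexsutdctjol[.]ru",
}
# URL path patterns from the post, generalised to any i=N and any ACH report name.
IOC_PATHS = [
    ("exploit-kit payload", re.compile(r"^/images/jw\.php\?i=\d+$")),
    ("ACH-themed payload", re.compile(r"^/img/\?file=report-ACH\d+US\.exe$")),
    ("Bugat/Feodo config fetch", re.compile(r"^/rwx/B1_3n9/in/$")),
]
KNOWN_PAYLOAD_MD5 = {"82c95751e71c829b09fef4166a749e67"}


def refang(indicator: str) -> str:
    """Turn the post's 'example[.]ru' / 'hxxp' notation back into matchable form."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


REFANGED_DOMAINS = {refang(d) for d in IOC_DOMAINS}

# Constructed log format: timestamp client method url status
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)


def parse_line(line):
    """Return the fields of one log line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def check_request(entry):
    """Return the reasons this request matches an indicator; empty list if clean."""
    u = urlsplit(entry["url"])
    host = u.hostname or ""
    path = u.path + (f"?{u.query}" if u.query else "")
    reasons = []
    if host in REFANGED_DOMAINS:
        reasons.append(f"known domain {host}")
    for label, pattern in IOC_PATHS:
        if pattern.match(path):
            reasons.append(f"{label} path {path}")
    return reasons


def scan_log(lines):
    """Return (client, url, reasons) for every parseable line that matches."""
    alerts = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = check_request(entry)
        if reasons:
            alerts.append((entry["client"], entry["url"], reasons))
    return alerts


def is_known_payload(data: bytes) -> bool:
    """Compare a retrieved file against the MD5 reported in the post."""
    return hashlib.md5(data).hexdigest() in KNOWN_PAYLOAD_MD5


# Constructed sample log: one victim walking the full chain, one clean client
# and one client fetching the ACH-themed payload.
SAMPLE_LOG = """\
2012-02-27T09:14:02Z 10.0.0.15 GET http://ciontooabgooppoa.ru/ 200
2012-02-27T09:14:09Z 10.0.0.15 GET http://fedikankamolns.ru:8080/images/jw.php?i=3 200
2012-02-27T09:14:31Z 10.0.0.15 POST http://hjpyvexsutdctjol.ru:8080/rwx/B1_3n9/in/ 200
2012-02-27T09:15:00Z 10.0.0.22 GET http://www.example.com/images/logo.png 200
2012-02-27T09:15:05Z 10.0.0.22 GET http://cgunikqakklsdpfo.ru:8080/img/?file=report-ACH121768812916532US.exe 200
"""

if __name__ == "__main__":
    for client, url, reasons in scan_log(SAMPLE_LOG.splitlines()):
        print(f"{client} {url}: {'; '.join(reasons)}")
```

The path patterns are matched independently of the host so that the same kit served from a domain not yet in the list still surfaces; a hit on a path alone is weaker evidence than a hit on a known domain, which is why the reasons are reported separately rather than collapsed into one score.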

During our analysis, the c2 server at resolved to the following IPs:

Many of these IPs were seen in our “The Redret Connection” post.
