ACH transfer failure

Zeus campaigns were popping off like fireworks on the 4th of July today. We picked up a NACHA-themed spam run that spoofed communications from the Electronic Payments Association.

The sample we studied contained a malicious link to akinenerji[.]com[.]tr/GGqfWi1e/index.html. Note the use of the same 8-character random file name in the malicious links. This continues to be a good identifier for malicious missives dropping Zeus. This particular hostile webpage contained the following JavaScript redirectors:

hxxp://bancodeconsorcios.com.br/ZfyuAyUg/js.js
hxxp://cursogratisonline.com.br/XZRuas0b/js.js
hxxp://turkbids.com/rKHVqLnH/js.js
hxxp://www.dismat.com.br/P3VGS26B/js.js
hxxp://www.fuzuefestas.com.br/tWZYtyqd/js.js

These JavaScript redirectors contained the following one-line script that redirected victims to a Blackhole Exploit Kit at trucktumble[.]com:

document.location='hxxp://trucktumble[.]com/search.php?page=977334ca118fcb8c';

Thankfully the domain trucktumble[.]com has been swept offline, but we expect the bad guys to adapt quickly and have another Exploit Kit online soon.
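As an added example (not part of the original post), the URL shapes described above can be turned into a simple triage script: it flags proxy log entries whose path carries the 8-character random directory ahead of index.html or js.js, flags the Blackhole landing page pattern (search.php?page= followed by 16 hex characters), and pulls the target out of a one-line document.location redirector. The log format and timestamps are constructed; the indicators come from the post.

```python
import re
from typing import List, Optional, Tuple

# Heuristics from the post: lure pages at /<8 random chars>/index.html,
# redirector scripts at /<8 random chars>/js.js, and a Blackhole landing
# page of the form search.php?page=<16 hex chars>.
ZEUS_PATH_RE = re.compile(r"/[A-Za-z0-9]{8}/(?:index\.html|js\.js)\b")
BLACKHOLE_RE = re.compile(r"/search\.php\?page=[0-9a-f]{16}\b")
# One-line redirector: document.location='<url>'; (straight or curly quotes,
# since copy-pasted samples often carry the curly ones).
REDIRECT_RE = re.compile(r"document\.location\s*=\s*['\"‘’]([^'\"‘’]+)['\"‘’]")


def classify_url(url: str) -> Optional[str]:
    """Label a URL if it matches one of the campaign's URL shapes, else None."""
    if BLACKHOLE_RE.search(url):
        return "blackhole-landing"
    if ZEUS_PATH_RE.search(url):
        return "zeus-lure-path"
    return None


def extract_redirect(script: str) -> Optional[str]:
    """Return the target of a one-line document.location redirector, if present."""
    m = REDIRECT_RE.search(script)
    return m.group(1) if m else None


def scan_proxy_log(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (label, url) for each line in a constructed 'timestamp client url' log."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 3:
            continue  # malformed line, skip rather than crash
        label = classify_url(parts[2])
        if label:
            hits.append((label, parts[2]))
    return hits


# Constructed sample log using the (defanged) indicators from the post.
SAMPLE_LOG = [
    "2000-01-01T10:00:00Z 10.0.0.5 hxxp://akinenerji[.]com[.]tr/GGqfWi1e/index.html",
    "2000-01-01T10:00:01Z 10.0.0.5 hxxp://turkbids.com/rKHVqLnH/js.js",
    "2000-01-01T10:00:02Z 10.0.0.5 hxxp://trucktumble[.]com/search.php?page=977334ca118fcb8c",
    "2000-01-01T10:00:03Z 10.0.0.7 http://example.com/news/index.html",
]


def campaign_hits() -> List[Tuple[str, str]]:
    """Run the scanner over the constructed sample; benign last line is not flagged."""
    return scan_proxy_log(SAMPLE_LOG)
```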

Victims of this NACHA campaign were instructed to pull down a Gameover Zeus variant with the following properties:

Size: 285184
MD5: 05192190AC8CCBE12DA6DD269A0F8E93

The Gameover variant had a bot id of “chinz1” and posted online banking credentials stolen from victims to a drop zone at 88.216.22.31 over port 27724.
