Re: Fwd: Your Flight N US78-4323024

Apologies to Bugat/Feodo. We haven't been ignoring you; we just wanted to throw Zeus some love over the last few days.

In all seriousness, Bugat/Feodo campaigns have been running full bore. We picked up a spam run yesterday, 2012-02-28, that spoofed communications from American Airlines.

The sample we picked up had a subject line “Re: Fwd: Your Flight N US78-4323024”. Based on a quick review of other spam samples floating in the wild, it appears that the flight number in these spam samples (e.g. US78-4323024) is randomly generated. This sample contained the following text:

Dear Customer,

FLIGHT NUMBER 968-394501
DATE/TIME : MARCH 24, 2011, 17:15 PM
ARRIVING AIRPORT: WASHINGTON DC
INT. AIRPORTPRICE : 724.96 USD

Your bought ticket is attached to the letter as a scan document (Internet Exlporer
File).To use your ticket you should

The sample we studied had an .html file attached. This .html file contained malicious JavaScript that redirected victims to a Phoenix Exploit Kit at cparabnormapoopdsf[.]ru:8080/images/aublbzdni.php. The domain cparabnormapoopdsf[.]ru was hosted on a fast flux network and resolved to the following IPs:

78.83.233.242
83.238.208.55
95.156.232.102
125.19.103.198
50.31.1.105
173.203.51.174
184.106.200.65
184.106.237.210
188.165.253.126
190.81.107.70
199.204.23.216
200.169.13.84
209.114.47.158
210.56.23.100
210.109.108.210
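A fast-flux domain is easy to spot after the fact from passive DNS: one name resolving to many addresses spread across unrelated networks inside a short window. The script below is an added example (not part of the original post) that applies that heuristic to the 15 addresses listed above. The observation timestamps, the contrasting stable domain, the two-hour window and the "at least 5 addresses in at least 4 distinct /16s" thresholds are all constructed for the example; the post gives no resolution timeline or TTLs.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Addresses the post reports for cparabnormapoopdsf[.]ru (domain left defanged).
FLUX_IPS = [
    "78.83.233.242", "83.238.208.55", "95.156.232.102", "125.19.103.198",
    "50.31.1.105", "173.203.51.174", "184.106.200.65", "184.106.237.210",
    "188.165.253.126", "190.81.107.70", "199.204.23.216", "200.169.13.84",
    "209.114.47.158", "210.56.23.100", "210.109.108.210",
]

# Constructed passive-DNS style records: (observed_at, qname, rdata).
# One new A record every five minutes is an invented timeline, not data from the post.
BASE = datetime(2012, 2, 28, 9, 0, 0)
RECORDS = [(BASE + timedelta(minutes=5 * i), "cparabnormapoopdsf[.]ru", ip)
           for i, ip in enumerate(FLUX_IPS)]
# A constructed stable domain for contrast: the same address for the whole window.
RECORDS += [(BASE + timedelta(minutes=5 * i), "stable.example", "192.0.2.10")
            for i in range(len(FLUX_IPS))]


def flux_score(records, window=timedelta(hours=2)):
    """For each domain, count distinct addresses and distinct /16 prefixes seen
    within `window` of its first observation. Returns {qname: (n_ips, n_prefixes)}."""
    by_domain = defaultdict(list)
    for observed_at, qname, rdata in records:
        by_domain[qname].append((observed_at, ipaddress.ip_address(rdata)))
    scores = {}
    for qname, observations in by_domain.items():
        observations.sort()
        first_seen = observations[0][0]
        ips = {ip for ts, ip in observations if ts - first_seen <= window}
        # Collapse to /16 so that two hosts in one provider's block count once.
        prefixes = {ipaddress.ip_network(f"{ip}/16", strict=False) for ip in ips}
        scores[qname] = (len(ips), len(prefixes))
    return scores


def is_fast_flux(records, min_ips=5, min_prefixes=4, window=timedelta(hours=2)):
    """Flag domains whose address churn exceeds both thresholds (assumed values)."""
    return {qname: (n_ips >= min_ips and n_prefixes >= min_prefixes)
            for qname, (n_ips, n_prefixes) in flux_score(records, window).items()}


if __name__ == "__main__":
    for qname, verdict in is_fast_flux(RECORDS).items():
        print(f"{qname}: {flux_score(RECORDS)[qname]} fast-flux={verdict}")
```

The two 184.106.x.x hosts fall into the same /16, so the flux domain scores 15 addresses across 14 prefixes while the stable domain scores (1, 1). Real deployments should also weight by record TTL, which the post does not report, since fast-flux names typically advertise very short TTLs.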

Let's take a closer look at the exploit files dropped by this Phoenix Kit on its victims. During our analysis we ran a test machine with outdated versions of Acrobat Reader, Adobe Flash, and Java. During our testing a malicious Flash file was downloaded from cparabnormapoopdsf[.]ru:8080/images/bnhleogmgnitcv.swf. This Flash file had the following properties:

File: bnhleogmgnitcv.swf
Size: 7776
MD5: CD3607C1089CBD33511226FB6FCE8716

This flash file exploited CVE-2011-0611 and was detected by 14 of 43 AV vendors on VirusTotal.

A malicious PDF file was also downloaded from cparabnormapoopdsf[.]ru:8080/images/dsfliqitktinx.php. This PDF file had the following properties:

File: dsfliqitktinx.pdf
Size: 13163
MD5: DF7086AA302F844ED098941388B47DA4

The PDF exploits CVE-2010-0188 and was detected by 30 of 43 AV vendors on VirusTotal.

A malicious .jar file was also downloaded from cparabnormapoopdsf[.]ru:8080/images/iwclymknjnencs.jar. This .jar file had the following properties:

File: iwclymknjnencs.jar
Size: 13361
MD5: 68358F8F1FD6C01D7E29E445CA646623

This .jar file exploits CVE-2011-3544 and was detected by 27 of 43 AV vendors on VirusTotal.

I guess there was a sale on Java exploits because a second .jar file that also exploited CVE-2011-3544 was downloaded from cparabnormapoopdsf[.]ru:8080/images/dpcobsyscrctbt.jar.

File: dpcobsyscrctbt.jar
Size: 13028
MD5: AEFA842A18A8D19BB661107BA6E77699

This file was detected by 25 of 43 AV vendors on VirusTotal.

These exploits in turn pulled down a Bugat/Feodo payload from fedikankamolns[.]ru:8080/images/jw.php?i=8. This Bugat/Feodo variant had the following properties:

File: gsxohsapcpklkti.exe
Size: 70656
MD5: 286918DE8BEE1CACD3A1089076C3DE45

The gsxohsapcpklkti.exe filename appears to be randomly generated.

This Bugat/Feodo variant downloaded its configuration file/target list via the following POST request to a command and control server at hjpyvexsutdctjol[.]ru:8080:

POST /rwx/B1_3n9/in/ HTTP/1.1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)
Host: hjpyvexsutdctjol[.]ru:8080
Content-Length: 97
Connection: Keep-Alive
Cache-Control: no-cache
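The indicators scattered through this post (the three domains, the five MD5s, and the shape of the configuration-fetch POST) are what a defender would turn into detection content. The script below is an added example, not code from the post, that bundles them and runs them over a few constructed, tab-separated proxy log lines. Two things in it are assumptions rather than facts from the capture: the path regex generalises the single observed path /rwx/B1_3n9/in/ to "/<dir>/<token>/in/", and the User-Agent match is exact. That User-Agent is worth a rule on its own: genuine Internet Explorer 7 identifies itself as "Mozilla/4.0 (compatible; MSIE 7.0; ...)", so a "Mozilla/5.0 (Windows; U; MSIE 7.0; ...)" string is not something a real browser sends.

```python
import re
from urllib.parse import urlsplit

# Indicators from the post. The post defangs domains with [.]; they are refanged
# here so they compare against the host field of real log records.
IOC_HOSTS = {
    "cparabnormapoopdsf.ru",  # Phoenix Exploit Kit landing page and exploit files
    "fedikankamolns.ru",      # Bugat/Feodo payload download
    "hjpyvexsutdctjol.ru",    # command and control (config/target list)
}
IOC_MD5 = {
    "cd3607c1089cbd33511226fb6fce8716",  # bnhleogmgnitcv.swf  (CVE-2011-0611)
    "df7086aa302f844ed098941388b47da4",  # dsfliqitktinx.pdf   (CVE-2010-0188)
    "68358f8f1fd6c01d7e29e445ca646623",  # iwclymknjnencs.jar  (CVE-2011-3544)
    "aefa842a18a8d19bb661107ba6e77699",  # dpcobsyscrctbt.jar  (CVE-2011-3544)
    "286918de8bee1cacd3a1089076c3de45",  # gsxohsapcpklkti.exe (Bugat/Feodo payload)
}
# Behavioural rule for the config fetch. The path pattern is an assumption that
# generalises the one observed URI (/rwx/B1_3n9/in/); the UA is copied verbatim.
C2_PATH = re.compile(r"^/[A-Za-z0-9]+/[A-Za-z0-9_]+/in/$")
FEODO_UA = "Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)"

# Constructed proxy log: client<TAB>method<TAB>url<TAB>status<TAB>user_agent.
# The infection chain lines mirror the URLs in the post; the last two are benign noise.
SAMPLE_LOG = """\
10.0.0.7\tGET\thttp://cparabnormapoopdsf.ru:8080/images/aublbzdni.php\t200\tMozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
10.0.0.7\tGET\thttp://cparabnormapoopdsf.ru:8080/images/bnhleogmgnitcv.swf\t200\tMozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
10.0.0.7\tGET\thttp://fedikankamolns.ru:8080/images/jw.php?i=8\t200\tJava/1.6.0_20
10.0.0.7\tPOST\thttp://hjpyvexsutdctjol.ru:8080/rwx/B1_3n9/in/\t200\tMozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)
10.0.0.9\tGET\thttp://www.example.com/\t200\tMozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
10.0.0.9\tPOST\thttp://intranet.example/forms/in/\t200\tMozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
"""


def parse_line(line):
    """Split one constructed log line into its fields and decompose the URL."""
    client, method, url, status, ua = line.rstrip("\n").split("\t", 4)
    parts = urlsplit(url)
    return {"client": client, "method": method, "host": parts.hostname,
            "port": parts.port, "path": parts.path, "status": status, "ua": ua}


def classify(rec):
    """Return the list of reasons a record is suspicious (empty list means clean)."""
    reasons = []
    if rec["host"] in IOC_HOSTS:
        reasons.append("ioc-host:" + rec["host"])
    if rec["method"] == "POST" and C2_PATH.match(rec["path"]) and rec["ua"] == FEODO_UA:
        reasons.append("feodo-c2-beacon")
    elif rec["ua"] == FEODO_UA:
        # The UA alone is a strong signal even when the host is not yet on a list.
        reasons.append("feodo-user-agent")
    return reasons


def scan_log(text):
    """Return (client, host, reasons) for every suspicious line in the log text."""
    hits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        reasons = classify(rec)
        if reasons:
            hits.append((rec["client"], rec["host"], reasons))
    return hits


def hash_hits(observed):
    """observed: mapping of filename -> MD5 hex digest (any case).
    Returns the sorted filenames whose digest matches one of the post's samples."""
    return sorted(name for name, digest in observed.items() if digest.lower() in IOC_MD5)


if __name__ == "__main__":
    for client, host, reasons in scan_log(SAMPLE_LOG):
        print(f"{client} -> {host}: {', '.join(reasons)}")
    print(hash_hits({"download.exe": "286918DE8BEE1CACD3A1089076C3DE45"}))
```

The benign POST to /forms/in/ does not trip the C2 rule because it has only one path segment before /in/ and a normal User-Agent; the rule deliberately requires both the path shape and the bogus User-Agent so that a single coincidence does not page anyone. Host and hash matching are exact and should be refreshed as the domains rotate, which is exactly why the behavioural rule is worth keeping alongside them.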

And for those of you wondering … no, American Airlines' website was not targeted by this Bugat/Feodo variant. American's brand was simply abused as a means to social engineer victims into opening the .html file attached to the spam email.
