Your Intuit Order

Over the last two days we observed two different spam campaigns spoofing communications from Intuit.

The first campaign, observed yesterday 2012-02-29, contained a malicious link to sumero2[.]sicakcikolata[.]com/intu.html. Additional spam samples included similar links to URLs ending in /intu.html. This page redirected victims to a Blackhole Exploit kit at perikanzas[.]com. This kit dropped a Bugat/Feodo payload with the MD5 7cb6acde5f89832fd4f2e69b20c26d4d. This Bugat/Feodo variant retrieved a configuration file/target list via the following POST request to a command and control server at

POST /rwx/B2_9w3/in/ HTTP/1.1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)
Content-Length: 97
Connection: Keep-Alive
Cache-Control: no-cache

Another spam campaign seen today sent almost the same spam template spoofing communications from Intuit. The text was identical but the formatting was slightly different.

A sample from today’s campaign contained a malicious link to premiumsoft[.]com[.]ar/fe28oiHd/index.html. By now, we should all recognize the pattern in the URL (a directory of eight random-looking characters followed by index.html) and know that this malicious link will contain JavaScript redirectors that send victims to a Blackhole Exploit Kit that drops Gameover Zeus. In this specific case premiumsoft[.]com[.]ar/fe28oiHd/index.html contained the following JavaScript redirectors:


These malicious scripts redirected victims to a Blackhole Kit at trucktumble[.]com. This kit dropped a Gameover Zeus sample with the following properties:

Size: 285184
MD5: 2D24DF1A327094AA18DB9DE7554C4E8C

This Zeus variant had a bot id of ‘mmz1’ and sent stolen banking credentials to a drop zone at over port 27724.
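The indicators from both campaigns above (the /intu.html and /fe28oiHd/index.html landing pages, the two exploit kit hosts, the Feodo configuration POST with its User-Agent string, and the two payload MD5s) translate directly into detection logic. The Python below is an added example, not code from the original post. It runs offline over a few constructed, tab-separated proxy-log lines. The log format, the client addresses, the placeholder C2 host c2.example (the post does not name the real Feodo C2), and the assumption that the middle segment of the Feodo check-in path varies between bots are all assumptions for this example, not facts from the post.

```python
"""Indicator matching for the two Intuit-themed campaigns described above.

Added example, not from the original post. The tab-separated log format,
the client addresses and the generalisation of the Feodo check-in path are
assumptions made here for illustration.
"""
import re
from urllib.parse import urlsplit

# Indicators taken from the post, with the [.] defanging removed so they match.
LANDING_HOSTS = {"sumero2.sicakcikolata.com", "premiumsoft.com.ar"}
KIT_HOSTS = {"perikanzas.com", "trucktumble.com"}
PAYLOAD_MD5S = {
    "7cb6acde5f89832fd4f2e69b20c26d4d",  # Bugat/Feodo payload
    "2d24df1a327094aa18db9de7554c4e8c",  # Gameover Zeus payload
}
FEODO_UA = "Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)"

# Landing pages: /intu.html, or /<8 alphanumerics>/index.html as in /fe28oiHd/index.html.
LANDING_PATH = re.compile(r"^/(?:intu\.html|[A-Za-z0-9]{8}/index\.html)$")
# Feodo config check-in. The post shows exactly one path, /rwx/B2_9w3/in/;
# letting the middle segment vary is an assumption for this example.
FEODO_PATH = re.compile(r"^/rwx/[A-Za-z0-9_]+/in/$")


def classify_request(method, url, user_agent):
    """Return the list of indicator names a single HTTP request matches."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    reasons = []
    if host in LANDING_HOSTS:
        reasons.append("known landing host")
    if LANDING_PATH.match(parts.path):
        reasons.append("Blackhole landing-page path pattern")
    if host in KIT_HOSTS:
        reasons.append("known Blackhole kit host")
    if method == "POST" and FEODO_PATH.match(parts.path):
        reasons.append("Feodo check-in path")
    if user_agent == FEODO_UA:
        reasons.append("Feodo check-in user agent")
    return reasons


def is_known_payload(md5_hex):
    """True if the hash is one of the two payload MD5s from the post."""
    return md5_hex.lower() in PAYLOAD_MD5S


def scan_log(lines):
    """Scan tab-separated lines: time, client, method, url, user agent.

    Returns (client, url, reasons) for every line that matched an indicator.
    Malformed lines are skipped rather than aborting the whole scan.
    """
    hits = []
    for line in lines:
        fields = line.rstrip("\n").split("\t")
        if len(fields) != 5:
            continue
        _ts, client, method, url, ua = fields
        reasons = classify_request(method, url, ua)
        if reasons:
            hits.append((client, url, reasons))
    return hits


# Constructed sample log. Hosts and paths come from the post; the timestamps,
# client addresses, the benign line and the c2.example placeholder are made up.
BROWSER_UA = "Mozilla/5.0 (Windows NT 6.1; rv:10.0) Gecko/20100101 Firefox/10.0"
SAMPLE_LOG = [
    "2012-03-01T09:12:01\t10.0.0.21\tGET\thttp://sumero2.sicakcikolata.com/intu.html\t" + BROWSER_UA,
    "2012-03-01T09:12:03\t10.0.0.21\tGET\thttp://perikanzas.com/\t" + BROWSER_UA,
    "2012-03-01T09:12:09\t10.0.0.21\tPOST\thttp://c2.example/rwx/B2_9w3/in/\t" + FEODO_UA,
    "2012-03-01T09:15:40\t10.0.0.37\tGET\thttp://www.intuit.com/\t" + BROWSER_UA,
    "2012-03-01T09:16:02\t10.0.0.37\tGET",  # truncated line, skipped by scan_log
]

if __name__ == "__main__":
    for client, url, reasons in scan_log(SAMPLE_LOG):
        print(client, url, "; ".join(reasons))
```

Run stand-alone, the script flags the landing page, the kit host and the Feodo check-in from the first client and stays silent on the legitimate intuit.com request. The exact-match User-Agent check is deliberately narrow; the landing-path regex is the part worth tuning, since eight-character directories also appear in legitimate content-delivery URLs.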

It can't be a coincidence that almost the same spam template was used in two different spam campaigns that dropped two different malware payloads, can it?
