Your Intuit Order

Over the last two days we observed two different spam campaigns spoofing communications from Intuit.  

The first campaign, observed yesterday 2012-02-29, contained a malicious link to sumero2[.]sicakcikolata[.]com/intu.html. Additional spam samples included similar links to URLs ending in /intu.html. This page redirected victims to a Blackhole Exploit kit at perikanzas[.]com. This kit dropped a Bugat/Feodo payload with the MD5 7cb6acde5f89832fd4f2e69b20c26d4d. This Bugat/Feodo variant retrieved a configuration file/target list via the following POST request to a command and control server at wiwwkvjkinewgycb.ru:

POST /rwx/B2_9w3/in/ HTTP/1.1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)
Host: wiwwkvjkinewgycb.ru:8080
Content-Length: 97
Connection: Keep-Alive
Cache-Control: no-cache

Another spam campaign seen today sent almost the same spam template spoofing communications from Intuit. The text was identical but the formatting was slightly different.

A sample from today’s campaign contained a malicious link to premiumsoft[.]com[.]ar/fe28oiHd/index.html. By now, we should all recognize the pattern in the URL and know that this malicious link will contain JavaScript redirectors that send victims to a Blackhole Exploit Kit that drops Gameover Zeus. In this specific case premiumsoft[.]com[.]ar/fe28oiHd/index.html contained the following JavaScript redirectors:

hxxp://kocaelibakimrehabilitasyon[.]gov[.]tr/TXvNpbbR/js.js
hxxp://nestahotel[.]com/jNN7XEMM/js.js
hxxp://trendhome[.]org/bHrL1Bpk/js.js
hxxp://www[.]tncas[.]com/KzXgGvRV/js.js
hxxp://www[.]umutpirinci[.]com/sxrwX5TS/js.js

These malicious scripts redirected victims to a Blackhole Kit at trucktumble[.]com. This kit dropped a Gameover Zeus sample with the following properties:

Size: 285184
MD5: 2D24DF1A327094AA18DB9DE7554C4E8C

This Zeus variant had a bot id of ‘mmz1’ and sent stolen banking credentials to a drop zone at 88.216.22.31 over port 27724.
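As an added example (not part of the original post), the following Python scans proxy log lines for the request shapes described above: the /intu.html lure page, the Blackhole-style "eight random alphanumerics, then index.html or js.js" path, and the Bugat/Feodo check-in POST to /.../.../in/ on port 8080. The log line format and the client IPs are constructed assumptions; the hosts and paths come from the post.

```python
import re

# Path shapes from the two campaigns: the /intu.html lure page, the
# Blackhole-style 8-character directory followed by index.html or js.js,
# and the Bugat/Feodo check-in POST to /<token>/<token>/in/ on TCP 8080.
INTU_LURE = re.compile(r"/intu\.html$")
BLACKHOLE_PATH = re.compile(r"^/[A-Za-z0-9]{8}/(?:index\.html|js\.js)$")
FEODO_CHECKIN = re.compile(r"^/[A-Za-z0-9_]+/[A-Za-z0-9_]+/in/$")

# Constructed proxy log format (an assumption, not a real product's):
#   <timestamp> <client_ip> <METHOD> <host>[:<port>] <path>
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) "
    r"(?P<host>[^\s:]+)(?::(?P<port>\d+))? (?P<path>/\S*)$"
)

def classify(method, host, port, path):
    """Return a short reason when a request matches one of the patterns, else None."""
    if INTU_LURE.search(path):
        return "intu.html lure page"
    if BLACKHOLE_PATH.match(path):
        return "Blackhole-style landing page or js.js redirector"
    if method == "POST" and port == 8080 and FEODO_CHECKIN.match(path):
        return "Bugat/Feodo-style check-in POST on 8080"
    return None

def scan(lines):
    """Return (line_number, client_ip, host, reason) for each matching log line."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        port = int(m["port"]) if m["port"] else 80
        reason = classify(m["method"], m["host"], port, m["path"])
        if reason:
            hits.append((n, m["client"], m["host"], reason))
    return hits

# Constructed sample log: hosts/paths follow the post, client IPs are made up.
SAMPLE_LOG = [
    "2012-02-29T10:01:02Z 10.0.0.5 GET sumero2.sicakcikolata.com /intu.html",
    "2012-02-29T10:01:05Z 10.0.0.5 GET www.example.com /index.html",
    "2012-02-29T10:01:09Z 10.0.0.5 POST wiwwkvjkinewgycb.ru:8080 /rwx/B2_9w3/in/",
    "2012-03-01T09:15:11Z 10.0.0.7 GET premiumsoft.com.ar /fe28oiHd/index.html",
    "2012-03-01T09:15:12Z 10.0.0.7 GET nestahotel.com /jNN7XEMM/js.js",
    "2012-03-01T09:15:14Z 10.0.0.7 GET cdn.example.net /assets/js.js",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(*hit)
```

The benign lines (a plain /index.html and a six-character directory) are included to show that the 8-character directory check, not the file name alone, drives the match.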

It can't be a coincidence that almost the same spam template was used in two different spam campaigns that dropped two different malware payloads, can it?
