BBB – case ID 79816101

Subject: ***SPAM*** BBB case ID 79816101.
URL: hxxp://ccexperience.com[.]ar/806oTcTJ/index.html

BBB - Case ID 79816101

The text ‘Please open the COMPLAINT REPORT’ contains a hyperlink to a URL as shown above. This page contains no content but only a JS:

videooclip[.]net /N9o1miaa/js.js

This javascript redirectors contain the following document.location script that send victims to a Blackhole Exploit kit at 173.255.253.217:

document.location=’hxxp://tradertorrent[.]com/showthread.php?t=73a07bcb51f4be71′;

It first downloaded Pony downloader from the following location:

tradertorrent[.]com /q.php?f=e4a98&e=2

File: contacts.exe
MD5:987c108961a23e039f0f2ad010270436
Size: 94,864 bytes

A malicious PDF file was also downloaded from tradertorrent[.]com /content/ap2.php?f=e4a98. This PDF file had the following properties:

File: a049f.pdf
Size: 16,508 bytes
MD5: 117dbed934491ebf02be3cf1233c1389

The PDF exploits CVE-2010-0188 and was detected by 26 of 43 AV vendors on VirusTotal.

If exploitation is successful, it redirects to tradertorrent[.]com /q.php?f=e4a98&e=4, a Gameover Zeus was installed.
This pony downloader variant was also configured to download Gameover Zeus binaries from the following locations:

layout.cnt[.]br /3ZD7ArbR/rnzj80FK.exe
kucukagaanaokulu.k12[.]tr /5hxYiCGM/DLsp9.exe
beyondcreativehm[.]com /MnFUS9Ah/PVzKLHf.exe

File: rnzj80FK.exe/DLsp9.exe/PVzKLHf.exe
MD5: 001865adb5e8fe5d446c93170da9b551
Size: 2,78,528 bytes
Other: This file is digitally signed by ‘66666666’
Company Name: 2q3wet Corporation
File Description: Windows TaskManager
Internal Name: taskmgr
Legal Copyright: Copyright (C) 2q3wet Corp. 1991-1999
Original Filename: taskmgr.exe

This Gameover variant is detected by 6 of 43 AV vendors on VirusTotal.
The Gameover Zeus variant posts to a dropzone at 69.10.118.248:15539 /index.php. It had CID of “3004″. Webinjects were via 212.12.204.154:13693.

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: