Intuit – order status

Subject: Your order status.
URL: hxxp://shibby[.]no /wp-includes/quick.html

Intuit - Order Status

The text ‘Reorder Intuit Checks Quickly and Easily’, ‘Intuit small business website’ and ‘Submit your feedback here.’ each contains a hyperlink to the URL shown above. This page contains an encoded script which redirects to a Blackhole exploit kit at icemed[.]net/main.php?page=ffa1bed3ef7ceb23 hosted at IP addresses

The kit attempts to download the following files/exploits:

icemed[.]net /content/ap2.php?f=504ad

File: 1fd6c.pdf
MD5: f2cf8b787a1cbbaff4178bf69342ff1e
Size: 16,638 bytes
Exploit: Libtiff integer overflow in Adobe Reader and Acrobat (CVE-2010-0188)

If exploitation is successful, it redirects to icemed[.]net /w.php?f=504ad&e=2 and/or icemed[.]net /w.php?f=504ad&e=4, and a Bugat/Feodo variant with the following properties is installed:

File: calc.exe
MD5: b12bf8208bd1359b5167ee2ac6074375
Size: 73,216 bytes
Product Name: Beryl
Company Name: You Software, Inc.
File Description: Carat Fixed Layla
Internal Name: Opq Left

Bugat/Feodo is installed as:
File: C:\Documents and Settings\Administrator\Application Data\KB00283728.exe

This Bugat/Feodo variant retrieved its configuration file/target list from a command and control server at ngdvmtwodjjuovsnfj[.]ru:8080 /rwx/B2_9w3/in/. This domain is hosted at the following IP addresses on a fast-flux infrastructure:
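As an added example that is not part of the original post, the chain above (lure page, Blackhole landing, exploit fetch, payload download, Feodo C2 check-in) expressed as proxy-log detection logic in Python. Only the indicator values come from the post; the sample log lines, client addresses and timestamps are constructed.

```python
import re
from urllib.parse import parse_qs, urlparse

def refang(ioc: str) -> str:
    """Turn the post's defanged 'hxxp://a[.]b /path' form into a real URL."""
    return ioc.replace("hxxp", "http").replace("[.]", ".").replace(" /", "/")
# Indicator values are the post's own; everything else here is constructed.
LURE_URL = refang("hxxp://shibby[.]no /wp-includes/quick.html")
EK_HOST = refang("icemed[.]net")
C2_HOST = refang("ngdvmtwodjjuovsnfj[.]ru")
C2_PATH = "/rwx/B2_9w3/in/"
# Blackhole stages match on path plus presence of the query parameter, not its
# value: the page= and f= tokens differ per victim and per campaign.
STAGES = [
    (r"^/main\.php$", "page", "blackhole_landing"),
    (r"^/content/ap2\.php$", "f", "exploit_fetch"),
    (r"^/w\.php$", "e", "payload_download"),
]

def classify_url(url: str):
    """Return the stage a URL belongs to, or None when no indicator matches."""
    u = urlparse(url)
    host, qs = (u.hostname or "").lower(), parse_qs(u.query)
    if url == LURE_URL:
        return "phish_lure"
    if host == EK_HOST:
        for path_re, param, stage in STAGES:
            if re.match(path_re, u.path) and param in qs:
                return stage
    if host == C2_HOST and u.port == 8080 and u.path.startswith(C2_PATH):
        return "feodo_c2"
    return None

# Constructed sample proxy log: "<timestamp> <client> <method> <url> <status>".
SAMPLE_LOG = """\
2012-10-22T09:14:01 10.0.0.7 GET http://shibby.no/wp-includes/quick.html 200
2012-10-22T09:14:03 10.0.0.7 GET http://icemed.net/main.php?page=ffa1bed3ef7ceb23 200
2012-10-22T09:14:05 10.0.0.7 GET http://icemed.net/content/ap2.php?f=504ad 200
2012-10-22T09:14:09 10.0.0.7 GET http://icemed.net/w.php?f=504ad&e=2 200
2012-10-22T09:15:00 10.0.0.7 POST http://ngdvmtwodjjuovsnfj.ru:8080/rwx/B2_9w3/in/ 200
2012-10-22T09:15:02 10.0.0.9 GET http://example.com/index.html 200
""".splitlines()

def scan_proxy_log(lines):
    """Return (timestamp, client, stage, url) for each line hitting an indicator."""
    hits = []
    for line in lines:
        fields = line.split()  # timestamp, client, method, url, status
        if len(fields) == 5 and (stage := classify_url(fields[3])):
            hits.append((fields[0], fields[1], stage, fields[3]))
    return hits
```

Running `scan_proxy_log(SAMPLE_LOG)` tags the five hits from client 10.0.0.7 in chain order and ignores the clean request; a single client showing the full sequence is the pattern worth alerting on rather than any one URL.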

