Re: Intercompany invoice from Novellus Systems Corp.

Subject: Re: Intercompany invoice from Novellus Systems Corp


The spam attachment contained an encoded script that redirects the victim to a Phoenix Exploit Kit landing page at cruikdfoknaofa[.]ru:8080 /images/aublbzdni.php, hosted at the following IP address(es):

During our testing, a malicious Flash file exploiting CVE-2011-0611 was downloaded from cruikdfoknaofa[.]ru:8080 /images/hvincoylguat.swf. This Flash file had the following properties:

File: hvincoylguat.swf
Size: 7,787 bytes
MD5: 3b973bdaebf1401b6b4c5c3154674ce9

This Flash file exploited CVE-2011-0611 and was detected by 14 of 43 AV vendors on VirusTotal.

A malicious PDF file was also downloaded from cruikdfoknaofa[.]ru:8080 /images/gthpcpxmgvjoe.php. This PDF file had the following properties:

File: gthpcpxmgvjoe.php
Size: 13,179 bytes
MD5: 49cf08a7d20636722a0bb30a51552b5a

The PDF exploits CVE-2010-0188 and was detected by 26 of 43 AV vendors on VirusTotal.

If exploitation is successful, the victim is redirected to zolindarkksokns[.]ru:8080 /images/jw.php?i=15 or zolindarkksokns[.]ru:8080 /images/jw.php?i=8, and a Bugat/Feodo variant with the following properties is installed:

File: gsxohsapcpklkti.exe
MD5: 2845d59896de45cc6e77cc39db4b0710
Size: 148,738 bytes
Timestamp: 2011:03:25 06:01:22+01:00

Bugat/Feodo is installed as:

File: C:\Documents and Settings\Administrator\Application Data\KB00090109.exe
MD5: 33f4b51c1661a500619906f8fa1254cd
Size: 74,240 bytes
Timestamp: 2008:11:17 06:14:18+01:00
Company Name: Pegtop Software
File Description: Obeys Aware Beach Kay
Product Name: Mum Anti Cakes Goon Lamps

This Bugat/Feodo variant retrieved its configuration file/target list from a command and control server at rdjdykfceprrqihpcm[.]ru:8080 /rwx/B2_9w3/in/. This domain is hosted at the following IP addresses on a fast-flux infrastructure:
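The indicators above map out a complete chain (landing page, exploit, payload download, C2 check-in). The following is an added example, not part of the original post: it turns those indicators into a small proxy-log matcher that reports which stages of the chain each client touched, so a single landing-page hit can be told apart from a host that went on to beacon to the C2. The log format and the client addresses are constructed for the example; the domains, ports, paths and MD5s are the ones quoted in this post.

```python
"""Added example (not from the original post): match the Phoenix EK ->
Bugat/Feodo indicators from the write-up against proxy log lines and
report how far down the infection chain each client got.

Domains, paths and MD5s are the ones quoted in the post; the log format
(epoch client method url) and the client addresses are constructed.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Chain stages in the order the post describes them.
STAGE_ORDER = ("landing", "exploit", "payload", "c2")

# Indicators written exactly as they appear in the post (defanged with [.]).
INDICATORS = [
    ("landing", "cruikdfoknaofa[.]ru:8080/images/aublbzdni.php"),
    ("exploit", "cruikdfoknaofa[.]ru:8080/images/hvincoylguat.swf"),   # CVE-2011-0611 SWF
    ("exploit", "cruikdfoknaofa[.]ru:8080/images/gthpcpxmgvjoe.php"),  # CVE-2010-0188 PDF
    ("payload", "zolindarkksokns[.]ru:8080/images/jw.php"),           # ?i=15 / ?i=8
    ("c2",      "rdjdykfceprrqihpcm[.]ru:8080/rwx/B2_9w3/in/"),
]

# File hashes from the post, for matching against sandbox or AV output.
KNOWN_MD5S = {
    "3b973bdaebf1401b6b4c5c3154674ce9": "hvincoylguat.swf (CVE-2011-0611)",
    "49cf08a7d20636722a0bb30a51552b5a": "gthpcpxmgvjoe.php PDF (CVE-2010-0188)",
    "2845d59896de45cc6e77cc39db4b0710": "gsxohsapcpklkti.exe dropper",
    "33f4b51c1661a500619906f8fa1254cd": "KB00090109.exe Bugat/Feodo",
}

# Constructed sample log: 10.0.0.5 goes through the whole chain,
# 10.0.0.9 only touches the landing page (on port 80, not 8080).
SAMPLE_LOG = """\
1301040001 10.0.0.5 GET http://www.example.com/index.html
1301040002 10.0.0.5 GET http://cruikdfoknaofa.ru:8080/images/aublbzdni.php
1301040003 10.0.0.5 GET http://cruikdfoknaofa.ru:8080/images/hvincoylguat.swf
1301040004 10.0.0.5 GET http://zolindarkksokns.ru:8080/images/jw.php?i=15
1301040010 10.0.0.5 POST http://rdjdykfceprrqihpcm.ru:8080/rwx/B2_9w3/in/
1301040011 10.0.0.9 GET http://cruikdfoknaofa.ru/images/aublbzdni.php
"""

LOG_RE = re.compile(r"^(?P<ts>\d+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)$")


def refang(s: str) -> str:
    """Turn the defanged 'evil[.]ru' / 'hxxp' notation back into a real host/URL."""
    return s.replace("[.]", ".").replace("hxxp", "http")


def parse_indicator(defanged: str):
    """Return (hostname, path) for a defanged host:port/path indicator."""
    parts = urlsplit("http://" + refang(defanged))
    return parts.hostname, parts.path


_PARSED = [(stage, *parse_indicator(ioc)) for stage, ioc in INDICATORS]


def classify_url(url: str):
    """Return the chain stage a requested URL belongs to, or None.

    Port and query string are deliberately ignored: the same landing page
    served on :80, or jw.php with a different ?i= value, is the same indicator.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    for stage, ioc_host, ioc_path in _PARSED:
        if host == ioc_host and parts.path.startswith(ioc_path):
            return stage
    return None


def scan_log(text: str):
    """Map client -> list of (timestamp, stage, url) for every indicator hit."""
    hits = defaultdict(list)
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # malformed line; skip rather than crash the scan
        stage = classify_url(m["url"])
        if stage:
            hits[m["client"]].append((int(m["ts"]), stage, m["url"]))
    return dict(hits)


def chain_progress(hits):
    """For each client, the distinct stages observed, in chain order.

    A client that reached 'c2' is infected; one that stopped at 'landing'
    or 'exploit' was exposed but the exploit may have failed or been blocked.
    """
    out = {}
    for client, entries in hits.items():
        seen = {stage for _, stage, _ in entries}
        out[client] = [s for s in STAGE_ORDER if s in seen]
    return out


def classify_hash(md5: str):
    """Look up an MD5 (any case) against the hashes from the post."""
    return KNOWN_MD5S.get(md5.lower())


if __name__ == "__main__":
    for client, stages in chain_progress(scan_log(SAMPLE_LOG)).items():
        verdict = "INFECTED (C2 check-in seen)" if "c2" in stages else "exposed only"
        print(f"{client}: {' -> '.join(stages)}  [{verdict}]")
```

Matching on hostname plus path prefix rather than the full URL is what makes the `?i=15` / `?i=8` variants and the port-80 landing-page hit still register; in practice you would also add the IP addresses the post lists for the fast-flux hosting once you have them, since the domains rotate.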
