I’m in trouble! themed spam installs Bugat/Feodo

Subject: I’m in trouble!
Attachment: Image_DIG7905507.htm

I'm in trouble

The spam attachment contained an encoded script which redirects to a Phoenix Exploit Kit landing page at ckjsfhlasla[.]ru:8080 /images/aublbzdni.php, hosted at IP address(es):

During our testing a malicious Flash file exploiting CVE-2011-0611 was downloaded from ckjsfhlasla[.]ru:8080 /images/brcweqgshnxqh.swf. This Flash file had the following properties:

File: brcweqgshnxqh.swf
Size: 7,790 bytes
MD5: 289a35c701f0d709dcd5e260478c26b6

This Flash file exploited CVE-2011-0611 and was detected by 14 of 43 AV vendors on VirusTotal.

A malicious PDF file was also downloaded from ckjsfhlasla[.]ru:8080 /images/kobzfoivdpdzilx.php. This PDF file had the following properties:

File: kobzfoivdpdzilx.php
Size: 13,426 bytes
MD5: 292cc51c6487e3216d93aa118300d5f0

The PDF exploits CVE-2010-0188 and was detected by 26 of 43 AV vendors on VirusTotal.

If exploitation is successful, the victim is redirected to kroshkidlahlebans[.]ru:8080 /images/jw.php?i=15 or kroshkidlahlebans[.]ru:8080 /images/jw.php?i=8, and a Bugat/Feodo variant with the following properties is installed:

File: gsxohsapcpklkti.exe
MD5: b4e7a7fab3f5f9d2ffe0a3d7e696c6db
Size: 75,264 bytes
Timestamp: 1970:01:01 09:24:13+01:00

Bugat/Feodo is installed as:
File: C:\Documents and Settings\Administrator\Application Data\KB00090109.exe

This Bugat/Feodo variant retrieved its configuration file/target list from a command and control server at ciasamkbnavtknxiko[.]ru:8080 /rwx/B1_3n9/in/. This domain is hosted at the following IP addresses on a fast flux infrastructure:
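The infection chain above (exploit kit host, payload host, C2 host, and three sample hashes) gives a defender a small but complete indicator set. The following is an added example, not code from the original post, that refangs the `[.]`-defanged domains, matches them against Squid-style proxy log lines, tags each hit with the stage of the chain it corresponds to, and checks file hashes against the MD5s listed in the post. The log lines, client addresses and the 192.0.2.x server addresses are constructed placeholders, since the post does not list the hosting IPs.

```python
"""Match the Bugat/Feodo campaign indicators from this post against proxy logs and files."""
import hashlib
import re
from urllib.parse import urlsplit

# Domains quoted from the post, in defanged form, mapped to the stage of the chain.
STAGE_BY_DEFANGED_HOST = {
    "ckjsfhlasla[.]ru": "Phoenix Exploit Kit landing / exploit download",
    "kroshkidlahlebans[.]ru": "Bugat/Feodo payload download",
    "ciasamkbnavtknxiko[.]ru": "C2 configuration retrieval",
}

# MD5s of the samples listed in the post.
KNOWN_MD5S = {
    "289a35c701f0d709dcd5e260478c26b6": "brcweqgshnxqh.swf (CVE-2011-0611 Flash exploit)",
    "292cc51c6487e3216d93aa118300d5f0": "kobzfoivdpdzilx.php (CVE-2010-0188 PDF exploit)",
    "b4e7a7fab3f5f9d2ffe0a3d7e696c6db": "gsxohsapcpklkti.exe (Bugat/Feodo payload)",
}


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('x[.]ru', 'hxxp://') back into a matchable form."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


# Stage lookup keyed by the real hostname (port is stripped by urlsplit below).
STAGE_BY_HOST = {refang(h): stage for h, stage in STAGE_BY_DEFANGED_HOST.items()}

# Squid native access.log: timestamp elapsed client action/status size method url ...
_LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+\S+\s+(?P<client>\S+)\s+\S+\s+\S+\s+(?P<method>\S+)\s+(?P<url>\S+)"
)

# Constructed sample log: one client walking the whole chain, one benign request.
SAMPLE_LOG = [
    "1332245271.101    215 10.0.0.17 TCP_MISS/200 1532 GET http://ckjsfhlasla.ru:8080/images/aublbzdni.php - DIRECT/192.0.2.10 text/html",
    "1332245272.930    344 10.0.0.17 TCP_MISS/200 7790 GET http://ckjsfhlasla.ru:8080/images/brcweqgshnxqh.swf - DIRECT/192.0.2.10 application/x-shockwave-flash",
    "1332245275.118    120 10.0.0.17 TCP_MISS/200 75264 GET http://kroshkidlahlebans.ru:8080/images/jw.php?i=15 - DIRECT/192.0.2.11 application/octet-stream",
    "1332245280.402     88 10.0.0.17 TCP_MISS/200 512 POST http://ciasamkbnavtknxiko.ru:8080/rwx/B1_3n9/in/ - DIRECT/192.0.2.12 text/plain",
    "1332245281.000     40 10.0.0.23 TCP_HIT/200 2048 GET http://www.example.com/index.html - NONE/- text/html",
]


def find_hits(log_lines):
    """Return (client, url, stage) for every request to one of the campaign hosts."""
    hits = []
    for line in log_lines:
        m = _LOG_RE.match(line)
        if not m:
            continue  # not a parseable access-log line; skip rather than crash
        url = m.group("url")
        host = urlsplit(url).hostname  # 'ckjsfhlasla.ru:8080' -> 'ckjsfhlasla.ru'
        stage = STAGE_BY_HOST.get(host)
        if stage is not None:
            hits.append((m.group("client"), url, stage))
    return hits


def infected_clients(log_lines):
    """Clients that reached the payload or C2 stage, i.e. likely got past exploitation."""
    return {
        client for client, _url, stage in find_hits(log_lines)
        if stage.startswith(("Bugat/Feodo", "C2"))
    }


def is_known_md5(hexdigest: str):
    """Description of the sample if its MD5 is one listed in the post, else None."""
    return KNOWN_MD5S.get(hexdigest.lower())


def identify_sample(data: bytes):
    """Hash raw file bytes (e.g. a quarantined attachment) and look them up."""
    return is_known_md5(hashlib.md5(data).hexdigest())


if __name__ == "__main__":
    for client, url, stage in find_hits(SAMPLE_LOG):
        print(f"{client}  {stage}\n    {url}")
    print("clients to triage:", sorted(infected_clients(SAMPLE_LOG)))
```

Matching on hostname rather than the full URL is deliberate: the landing-page and payload paths on these hosts are randomly generated per visit, while the domain and port stay constant until the campaign moves. The C2 domain sits on fast-flux hosting, so matching its name beats matching any single IP.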
