LinkedIn Notification

It appears that our Bugat/Feodo friends decided to mix it up a bit today and rolled out a new spam template. Throughout the day we picked up a number of LinkedIn-themed spam emails.

An example spam email had the subject line ‘LinkedIn Notification’ and a link to http://bpo-legal.com/components/com_ag_google_analytics2/Link.html. In fact, all of the spam messages we observed contained links with the URI pattern /com_ag_google_analytics2/Link.html. The bpo-legal.com/components/com_ag_google_analytics2/Link.html page contained JavaScript that redirected victims to a Blackhole exploit kit at torsax.net. The domain torsax.net resolved to 41.64.21.71. This IP has hosted a number of other Blackhole exploit kits that we've previously encountered. For example, 41.64.21.71 previously hosted:


The domain torsax.net had an A record with a TTL of 900 seconds and, like the other previously observed domains, was hosted on a fast-flux infrastructure.

The torsax.net Blackhole exploit kit dropped a Bugat/Feodo banking trojan with the following properties:

  • File: about.exe
  • MD5: 610600d0969f248ae90bf5eac1b21907
  • Size: 74752 bytes

This Bugat/Feodo payload utilized a domain generation algorithm and attempted to connect to a number of different domains prior to connecting to a live command and control server at ciasamkbnavtknxiko.ru. This domain had an A record with a TTL of 60 seconds and resolved to the following IPs:


All of these IPs have been used to host malicious domains observed in previous spam campaigns documented in this blog.

The Bugat/Feodo variant dropped by this LinkedIn spam campaign downloaded its configuration file/target list via a POST request to ciasamkbnavtknxiko.ru:8080/rwx/B2_9w3/in/.
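Two of the traits described above are useful as detections: the campaign's fixed landing-page URI pattern, and the C2 domain's combination of a very low TTL with A records spread across unrelated networks. The script below is an added example (not code from the original post) that runs both checks over constructed DNS-answer and proxy log lines; the log formats and the thresholds (TTL of 300 seconds or less, three or more distinct /16 prefixes) are assumptions for the example.

```python
import re
from collections import defaultdict

# Constructed DNS answer log, one "<qname> <ttl> <a_record>" per line.
DNS_LOG = """\
ciasamkbnavtknxiko.ru 60 89.111.176.29
ciasamkbnavtknxiko.ru 60 91.121.7.5
ciasamkbnavtknxiko.ru 60 94.20.30.91
ciasamkbnavtknxiko.ru 60 208.109.170.55
torsax.net 900 41.64.21.71
cdn.example.net 60 203.0.113.10
cdn.example.net 60 203.0.113.11
www.example.com 3600 198.51.100.7
"""

# Constructed proxy log, one "<client_ip> <url>" per line.
PROXY_LOG = """\
10.0.0.5 http://bpo-legal.com/components/com_ag_google_analytics2/Link.html
10.0.0.9 http://www.example.com/index.html
"""

# URI pattern shared by every spam link observed in the campaign.
LANDING_PAGE_RE = re.compile(r"/com_ag_google_analytics2/Link\.html$")


def fast_flux_candidates(dns_log, max_ttl=300, min_networks=3):
    """Return qnames whose A records have TTL <= max_ttl and spread over at
    least min_networks distinct /16 prefixes: the low-TTL, many-unrelated-hosts
    pattern of the C2 domain. A low-TTL CDN name whose hosts share one /16
    is not flagged. Thresholds are assumptions for this example."""
    nets = defaultdict(set)
    for line in dns_log.splitlines():
        qname, ttl, addr = line.split()
        if int(ttl) <= max_ttl:
            nets[qname].add(".".join(addr.split(".")[:2]))
    return sorted(q for q, prefixes in nets.items() if len(prefixes) >= min_networks)


def landing_page_hits(proxy_log):
    """Return (client_ip, url) pairs that requested the campaign's landing-page path."""
    hits = []
    for line in proxy_log.splitlines():
        client, url = line.split(maxsplit=1)
        if LANDING_PAGE_RE.search(url):
            hits.append((client, url))
    return hits


if __name__ == "__main__":
    print("fast-flux candidates:", fast_flux_candidates(DNS_LOG))
    print("landing-page hits:", landing_page_hits(PROXY_LOG))
```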

On a side note, I have to give major props to Nightrover for carrying the load while Malzap and I were swamped with work and family life. Nightrover is brilliant; expect great things from him 🙂
