‘Scan from HP’ themed spam dropping Bugat/Feodo variants

Subject: Re: Scan from a Hewlett-Packard ScanJet 0810

Subject: Re: Scan from a Hewlett-Packard ScanJet 217872

Subject: Fwd: Re: Scan from a HP ScanJet #924491

All three of these spam messages carried an attachment containing an encoded script that redirects the victim to a Phoenix Exploit Kit landing page at dsakhfgkallsjfd[.]ru:8080, doosdkdkjsjdfo[.]ru:8080 and debiudlasduisioa[.]ru:8080 respectively. These domains were hosted at the following IP addresses on a fast-flux infrastructure:

78.83.233.242
78.107.82.98
83.238.208.55
89.218.55.51
95.156.232.102
111.93.161.226
118.97.9.60
125.19.103.198
62.85.27.129
173.203.51.174
173.203.211.157
190.81.107.70
200.169.13.84
202.149.85.37
209.114.47.158
210.56.23.100
210.56.24.226
210.109.108.210
211.44.250.173
219.94.194.138

During our testing, a malicious Flash file exploiting CVE-2011-0611 was downloaded from dsakhfgkallsjfd[.]ru:8080 /images/avhqeqyrkzfrysk.swf. This Flash file had the following properties:

File: avhqeqyrkzfrysk.swf
Size: 7,791 bytes
MD5: 5c4da9f9ee8f0de019a42b4580598c75

This flash file exploited CVE-2011-0611 and was detected by 14 of 43 AV vendors on VirusTotal.

A malicious PDF file was also downloaded from dsakhfgkallsjfd[.]ru:8080 /images/kobzfoivdpdzilx.php. This PDF file had the following properties:

File: xlhwhrfvfsxubl.php
Size: 13,223 bytes
MD5: 31cd92176c0e56073be8b4f96839630d

The PDF exploits CVE-2010-0188 and was detected by 26 of 43 AV vendors on VirusTotal.

If exploitation is successful, the victim is redirected to xspisokdomenidgmens[.]ru:8080 /images/jw.php?i=15 and a Bugat/Feodo variant with the following properties is installed:

File: gsxohsapcpklkti.exe
MD5: ddfaecd57e6f436767678af43b5c1faf
Size: 75,312 bytes
Timestamp: 1970:01:01 07:06:40+01:00

Bugat/Feodo is installed as:
File: C:\Documents and Settings\Administrator\Application Data\KB00090109.exe

This Bugat/Feodo variant retrieved its configuration file/target list from a command and control server at ciasamkbnavtknxiko[.]ru:8080 /rwx/B1_3n9/in/. This domain is hosted at the following IP addresses on a fast flux infrastructure:

91.121.7.5
91.121.91.111
94.20.30.91
85.214.204.32
89.111.176.29
112.78.124.115
124.124.212.172
182.50.142.154
208.109.170.55
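The indicators above (lure subjects, exploit-kit and C2 hosts, the config-fetch path and the three MD5s) are enough to build a simple retrospective check. The following is an added example, not code from the original post: it turns the published indicators into matching logic for mail subjects and for a constructed proxy-log format of the form "timestamp client method url status". The log lines, the log format and the function names are assumptions made for the example; the indicator values themselves are the ones listed in the write-up.

```python
import re
from urllib.parse import urlsplit

# Indicators transcribed from the write-up, kept defanged ("[.]") as published.
PHOENIX_EK_DOMAINS = {"dsakhfgkallsjfd[.]ru", "doosdkdkjsjdfo[.]ru", "debiudlasduisioa[.]ru"}
PHOENIX_EK_IPS = {
    "78.83.233.242", "78.107.82.98", "83.238.208.55", "89.218.55.51",
    "95.156.232.102", "111.93.161.226", "118.97.9.60", "125.19.103.198",
    "62.85.27.129", "173.203.51.174", "173.203.211.157", "190.81.107.70",
    "200.169.13.84", "202.149.85.37", "209.114.47.158", "210.56.23.100",
    "210.56.24.226", "210.109.108.210", "211.44.250.173", "219.94.194.138",
}
BUGAT_DROP_DOMAIN = "xspisokdomenidgmens[.]ru"
BUGAT_C2_DOMAIN = "ciasamkbnavtknxiko[.]ru"
BUGAT_C2_PATH = "/rwx/B1_3n9/in/"
BUGAT_C2_IPS = {
    "91.121.7.5", "91.121.91.111", "94.20.30.91", "85.214.204.32",
    "89.111.176.29", "112.78.124.115", "124.124.212.172", "182.50.142.154",
    "208.109.170.55",
}
KNOWN_MD5 = {
    "5c4da9f9ee8f0de019a42b4580598c75": "Phoenix EK SWF (CVE-2011-0611)",
    "31cd92176c0e56073be8b4f96839630d": "Phoenix EK PDF (CVE-2010-0188)",
    "ddfaecd57e6f436767678af43b5c1faf": "Bugat/Feodo dropper",
}


def refang(ioc):
    """Turn a published 'example[.]ru' indicator back into a matchable hostname."""
    return ioc.replace("[.]", ".")


PHOENIX_EK_HOSTS = {refang(d) for d in PHOENIX_EK_DOMAINS} | PHOENIX_EK_IPS
BUGAT_C2_HOSTS = {refang(BUGAT_C2_DOMAIN)} | BUGAT_C2_IPS

# The three subjects differ only in Re:/Fwd: prefixes, vendor spelling and the number.
SUBJECT_RE = re.compile(
    r"^(?:(?:re|fwd)\s*:\s*)*scan from a (?:hewlett-packard|hp) scanjet\s*#?\d+\s*$",
    re.IGNORECASE,
)


def is_lure_subject(subject):
    return bool(SUBJECT_RE.match(subject.strip()))


def lookup_md5(digest):
    return KNOWN_MD5.get(digest.strip().lower())


def tag_url(url):
    """Return indicator tags for one requested URL (empty list if nothing matched)."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    tags = []
    if host in PHOENIX_EK_HOSTS:
        tags.append("phoenix-ek-host")
    if host == refang(BUGAT_DROP_DOMAIN):
        tags.append("bugat-dropper-host")
    if host in BUGAT_C2_HOSTS:
        tags.append("bugat-c2-host")
        if parts.path.startswith(BUGAT_C2_PATH):
            tags.append("bugat-config-fetch")
    # Every stage in the write-up used port 8080; record it as supporting context.
    if tags and parts.port == 8080:
        tags.append("port-8080")
    return tags


def scan_proxy_log(lines):
    """Assumed log format: '<timestamp> <client> <method> <url> <status>'."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        fields = line.split()
        if len(fields) < 5:
            continue
        tags = tag_url(fields[3])
        if tags:
            hits.append((lineno, fields[1], fields[3], tags))
    return hits


# Constructed sample log: one clean request followed by the full infection chain.
SAMPLE_PROXY_LOG = [
    "2011-05-03T10:12:01Z 10.0.0.7 GET http://www.example.com/ 200",
    "2011-05-03T10:12:05Z 10.0.0.7 GET http://dsakhfgkallsjfd.ru:8080/images/avhqeqyrkzfrysk.swf 200",
    "2011-05-03T10:12:09Z 10.0.0.7 GET http://xspisokdomenidgmens.ru:8080/images/jw.php?i=15 200",
    "2011-05-03T10:13:40Z 10.0.0.7 GET http://ciasamkbnavtknxiko.ru:8080/rwx/B1_3n9/in/ 200",
    "2011-05-03T10:15:00Z 10.0.0.9 GET http://91.121.7.5:8080/rwx/B1_3n9/in/ 200",
]

if __name__ == "__main__":
    for lineno, client, url, tags in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"line {lineno}: {client} -> {url} [{', '.join(tags)}]")
```

Matching on both the fast-flux domains and the IP list matters here: a host that resolved the domain before it rotated will only show the IP in a proxy or firewall log, and the "bugat-config-fetch" tag on the C2 path is the strongest signal that the dropper actually ran rather than the exploit merely being served.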
