Careerbuilder spam delivers more than just a new job posting

Our Gameover Zeus friends are hoping that you are looking for a new job with the latest Careerbuilder spam campaign which claims to contain a link to a position that you would be interested in.

This campaign uses some of the following subject lines:

You might be interested in this vacant position.
Careerbuilder.com has found an open position for you
Careerbuilder.com open positions suggestion.
New position found for you at Careerbuilder.com.

The sample analyzed contained links to 3 different compromised websites:

starrculinary[.]com/tMp7j7qT/index.html
wsndesign[.]com/thwzcFQd/index.html
whiteoak.co[.]za/thwzcFQd/index.html

These websites redirected to JS files at the following locations:

hedef-ik[.]com/SXgUX3Zp/js.js
maxtroholidays[.]com/Hk89vZp3/js.js
runa.dp[.]ua/4cstVpNa/js.js
http://www.dimarcoagenziaassicurazioni[.]it/Tr39e5sz/js.js

In typical fashion, the JavaScript is used to redirect to a Blackhole exploit kit. Today's kit continues on the ‘slick’ theme we saw yesterday – slickvenue[.]com/showthread.php?t=d44175c6da768b70.

This kit attempted to download the following exploits:

score.swf
Detected by 20/43 vendors on VirusTotal.

Qai.jar
Detected by 0/43 on VirusTotal.

field.swf
Detected by 17/43 on VirusTotal.

10a1e.pdf
Detected by 3/43 on VirusTotal.

It then installed the Gameover Zeus binary via slickvenue[.]com/q.php?f=e0c3a&e=0:

File Name: contacts.exe
MD5: 565f1a0802d1320ef3e28a98567fca95
Size: 284184 bytes
This file is detected by 9/43 on VirusTotal.

Gee, this file is signed with a very familiar looking digital signature (see yesterday's ‘Fraud Protection Alert’).


This Gameover Zeus variant is currently posting to a drop zone at 183.178.102[.]107:26672/index.php and uses a BotID of ‘ppcz20’.
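The chain above (spam link, js.js redirect, Blackhole landing page, payload download) can be hunted for in web proxy logs. The following is an added example, not part of the original post: the path patterns are generalised from the URLs listed above, while the log format, hostnames, client addresses and timestamps are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Path shapes generalised from the URLs in the post (assumption: the random
# directory is always 8 alphanumerics and the thread id is 16 hex digits).
STAGES = [
    ("spam_link", re.compile(r"^/[A-Za-z0-9]{8}/index\.html$"), None),
    ("js_redirect", re.compile(r"^/[A-Za-z0-9]{8}/js\.js$"), None),
    ("bhek_landing", re.compile(r"^/showthread\.php$"), re.compile(r"^t=[0-9a-f]{16}$")),
    ("payload", re.compile(r"^/q\.php$"), re.compile(r"^f=[0-9a-f]+&e=\d+$")),
]
ORDER = [name for name, _, _ in STAGES]

# Constructed proxy log: "<timestamp> <client> <url>". Hostnames are placeholders.
SAMPLE_LOG = [
    "2012-01-01T09:00:01 10.0.0.5 http://compromised-a.example/tMp7j7qT/index.html",
    "2012-01-01T09:00:02 10.0.0.5 http://compromised-b.example/SXgUX3Zp/js.js",
    "2012-01-01T09:00:03 10.0.0.5 http://landing.example/showthread.php?t=d44175c6da768b70",
    "2012-01-01T09:00:05 10.0.0.5 http://landing.example/q.php?f=e0c3a&e=0",
    "2012-01-01T09:01:00 10.0.0.9 http://forum.example/showthread.php?t=1234",
    "2012-01-01T09:02:00 10.0.0.7 http://shop.example/products/index.html",
    "2012-01-01T09:03:00 10.0.0.8 http://news.example/about/index.html",
]

def classify(url):
    """Return the name of the chain stage a URL matches, or None."""
    parts = urlsplit(url)
    for name, path_re, query_re in STAGES:
        if path_re.match(parts.path) and (query_re is None or query_re.match(parts.query)):
            return name
    return None

def find_chains(log_lines, min_stages=3):
    """Return {client: [stages]} for clients that walked the chain in order."""
    progress = defaultdict(list)
    for line in log_lines:
        _ts, client, url = line.split(maxsplit=2)
        stage = classify(url.strip())
        if stage is None:
            continue
        seen = progress[client]
        # Count a stage only if it comes later in the chain than the last one seen.
        if not seen or ORDER.index(stage) > ORDER.index(seen[-1]):
            seen.append(stage)
    return {c: s for c, s in progress.items() if len(s) >= min_stages}

if __name__ == "__main__":
    print(find_chains(SAMPLE_LOG))
```

A single pattern on its own is noisy (the benign `/products/index.html` request matches the first stage), which is why the check only reports clients that hit several stages in sequence.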


5 Comments

  1. Posted May 25, 2012 at 6:02 am | Permalink | Reply

    Having read this I thought it was extremely enlightening.

    I appreciate you finding the time and effort to put this informative article
    together. I once again find myself personally spending way too
    much time both reading and leaving comments.
    But so what, it was still worthwhile!

  2. Amy
    Posted June 27, 2012 at 7:33 pm | Permalink | Reply

    not really relevant to the one above

  3. Posted February 21, 2013 at 4:25 am | Permalink | Reply

    I do not drop a leave a response, however after looking at through a ton of remarks on this page
    Careerbuilder spam delivers more than just a new job posting spamalysis.
    I do have a couple of questions for you if it’s all right. Could it be only me or does it seem like some of these responses come across as if they are written by brain dead folks? 😛 And, if you are posting at additional places, I’d like to keep up with you.
    Could you post a list of all of your social networking pages like your Facebook page, twitter feed, or linkedin profile?

  4. Posted April 18, 2013 at 7:50 pm | Permalink | Reply

    What’s up Dear, are you actually visiting this web site daily, if so afterward you will definitely get nice knowledge.

  5. Posted April 20, 2013 at 8:55 pm | Permalink | Reply

    Thanks for one’s marvelous posting! I actually enjoyed reading it, you can be a great author. I will remember to bookmark your blog and will often come back someday. I want to encourage yourself to continue your great writing, have a nice afternoon!
