USPS-themed spam

Subject:
Your USPS delivery.
USPS postage invoice.
USPS postage labels receipt.

URLs:
movie-watch-online[.]com/psaea9uq/index.html (hosted at IP address 212.124.118.130)
grimper.awardspace[.]com/m4QmPyqG/index.html (hosted at IP address 83.125.22.158)
oscardelaolla.com[.]co/zngqs0Ts/index.html (hosted at IP address 184.173.9.56)

[Screenshots of the three spam messages: "USPS postage labels receipt", "Your USPS delivery", "USPS postage invoice"]

The text ‘Clink-N-Ship Account’ in each message is hyperlinked to the compromised websites listed above. These landing pages contain no content of their own, only five script includes:

akdenizilaclama[.]com/eRNZruZY/js.js
bushman-panoramic[.]fr/njHeWGPi/js.js
globaltransact.co[.]za/reQ9z72V/js.js
greenberg[.]bg/E0Lhcg6B/js.js
www.creazionimultimediali[.]net/XvpMHseV/js.js

These JavaScript redirectors consist of the following document.location assignment, which sends victims to a Blackhole exploit kit at 66.7.222.139:

document.location='hxxp://slickvenue.com/showthread.php?t=d44175c6da768b70';
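As an added example (not code from the original post), the following Python pulls the redirect target out of a script like the one above and flags it when the destination host is the exploit-kit host named in this write-up. The sample script text is constructed from the snippet above, curly quote and prime included as they appear when pasted from the blog; the function names and the known-host set are assumptions of the example.

```python
import re
from urllib.parse import urlparse

# Host that the redirectors in this campaign point to (from the write-up);
# the write-up places the Blackhole kit behind it at 66.7.222.139.
KNOWN_EK_HOSTS = {"slickvenue.com"}

# Assignments to document/window/top/self.location or .location.href with a
# quoted string on the right-hand side. Curly quotes and primes are normalised
# to straight quotes before matching, since blog copy-paste often converts them.
_REDIRECT_RE = re.compile(
    r'''(?:document|window|top|self)\.location(?:\.href)?\s*=\s*['"]([^'"]+)['"]''',
    re.IGNORECASE,
)
_QUOTE_MAP = {ord(c): "'" for c in "\u2018\u2019\u2032"}


def refang(url: str) -> str:
    """Turn defanged hxxp:// and [.] notation back into a parseable URL."""
    return url.replace("hxxp", "http").replace("[.]", ".")


def extract_redirect_targets(js_source: str) -> list:
    """Return every URL assigned to a location property in the script."""
    text = js_source.translate(_QUOTE_MAP)
    return [refang(m.group(1)) for m in _REDIRECT_RE.finditer(text)]


def classify_redirector(js_source: str, known_hosts=KNOWN_EK_HOSTS) -> dict:
    """'malicious' if the script redirects to a known EK host, 'suspicious' if it
    is a bare redirect somewhere else, otherwise 'clean'."""
    targets = extract_redirect_targets(js_source)
    hits = [t for t in targets if (urlparse(t).hostname or "") in known_hosts]
    if hits:
        verdict = "malicious"
    elif targets:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"targets": targets, "known_ek_hits": hits, "verdict": verdict}


# Constructed samples: the first reproduces the redirector body quoted above
# (with the curly quote and prime as pasted), the second is a harmless script.
SAMPLE_REDIRECTOR = (
    "document.location=\u2019hxxp://slickvenue.com/showthread.php?t=d44175c6da768b70\u2032;"
)
SAMPLE_BENIGN = "function f(){ var x = document.location; return x.pathname; }"

if __name__ == "__main__":
    for name, src in (("redirector", SAMPLE_REDIRECTOR), ("benign", SAMPLE_BENIGN)):
        print(name, classify_redirector(src))
```

A bare location assignment with nothing else in the file is itself a strong signal for a script include on a compromised site, which is why anything with a target but no known-host match is still reported as suspicious rather than clean.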

The exploit kit then downloads the Gameover Zeus installer from the following location:

slickvenue[.]com/q.php?f=e0c3a&e=2

File: contacts.exe
MD5: f78dc4de518ce68db58c8cd663685266
Size: 286,744 bytes

The installer then drops Zeus into %APPDATA%; the installed file has the following properties:

File: weja.exe
MD5: d92d70b7b97a1c6552079890ccbfcbdf
Size: 284,184 bytes
Other: This file is digitally signed by 'SDOkUGUnMWwv'
Company Name: Twain Working Group
File Description: Twain.dll Client's 32-Bit Thunking Server
File Version: 1,7,0,0
Internal Name: Twunk_32
Original Filename: Twunk_32.exe
Product Name: Twain Thunker
Timestamp: 2011:10:03 18:46:52+02:00
This Gameover Zeus variant exfiltrated stolen data to dropzones at 200.84.133.130:10581/index.php and 183.178.102.107:26672/index.php.

The Gameover variant used a bot ID of "ppcz20" and a CID of "3005". Its backconnect proxy was located at 89.19.6.118, and web injects were pulled from the proxy at 87.97.164.223 on TCP port 22005.
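An added detection example, not from the original post: a small Python scanner that runs the indicators listed in this write-up (the exploit-kit, dropzone and proxy IPs and ports, the slickvenue.com host, and the eight-character directory plus index.html or js.js path shape shared by the landing pages and redirectors) over proxy log lines. The log format and the sample lines are constructed for the example; the 203.0.113.x addresses are documentation placeholders, and the function names are assumptions.

```python
import re
from collections import namedtuple

# Network indicators from the write-up, keyed by their role in the chain.
IOC_IPS = {
    "66.7.222.139": "blackhole-exploit-kit",
    "200.84.133.130": "gameover-dropzone",
    "183.178.102.107": "gameover-dropzone",
    "89.19.6.118": "gameover-backconnect-proxy",
    "87.97.164.223": "gameover-webinject-proxy",
}
IOC_PORTS = {10581: "dropzone", 26672: "dropzone", 22005: "webinject-proxy"}
IOC_HOSTS = {"slickvenue.com"}

# Landing pages and redirectors in this campaign share one path shape:
# an eight-character alphanumeric directory followed by index.html or js.js.
LANDING_PATH_RE = re.compile(r"^/[A-Za-z0-9]{8}/(?:index\.html|js\.js)$")

# Constructed log format (not any real proxy's): ts client host dst_ip dst_port path
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<host>\S+) (?P<ip>\S+) (?P<port>\d+) (?P<path>\S+)$"
)
Event = namedtuple("Event", "ts src host ip port path")


def parse_line(line: str):
    """Parse one log line into an Event, or None if it does not fit the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return Event(d["ts"], d["src"], d["host"], d["ip"], int(d["port"]), d["path"])


def match_event(ev: Event) -> list:
    """Return the indicator tags an event matches (empty list if none)."""
    reasons = []
    if ev.ip in IOC_IPS:
        reasons.append("ip:" + IOC_IPS[ev.ip])
    if ev.host.lower() in IOC_HOSTS:
        reasons.append("host:" + ev.host.lower())
    if ev.port in IOC_PORTS:
        reasons.append("port:" + IOC_PORTS[ev.port])
    if LANDING_PATH_RE.match(ev.path):
        reasons.append("path:landing-pattern")
    return reasons


def scan(lines) -> list:
    """Return (Event, reasons) for every parseable line that matches an indicator."""
    hits = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        reasons = match_event(ev)
        if reasons:
            hits.append((ev, reasons))
    return hits


# Constructed sample log: the infection chain above as seen from one workstation.
SAMPLE_LOG_LINES = [
    "2012-07-10T09:12:01Z 10.0.0.15 movie-watch-online.com 212.124.118.130 80 /psaea9uq/index.html",
    "2012-07-10T09:12:02Z 10.0.0.15 greenberg.bg 203.0.113.5 80 /E0Lhcg6B/js.js",
    "2012-07-10T09:12:03Z 10.0.0.15 slickvenue.com 66.7.222.139 80 /showthread.php?t=d44175c6da768b70",
    "2012-07-10T09:12:04Z 10.0.0.15 slickvenue.com 66.7.222.139 80 /q.php?f=e0c3a&e=2",
    "2012-07-10T09:15:30Z 10.0.0.15 - 200.84.133.130 10581 /index.php",
    "2012-07-10T09:16:00Z 10.0.0.15 www.example.com 203.0.113.10 80 /",
    "this line is garbage and is skipped",
]

if __name__ == "__main__":
    for ev, reasons in scan(SAMPLE_LOG_LINES):
        print(ev.ts, ev.src, "->", ev.host, ev.ip, ev.port, ev.path, reasons)
```

The path pattern is the only indicator here that survives the attackers rotating hosts, so it is worth keeping even after the listed IPs go stale; on its own it will occasionally match legitimate content-hashed directories, which is why the scanner reports the matched tags rather than a single verdict.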
