WellsFargo – CEO Portal Statement & Notice Event

CEO Portal Statements & Notices Event



The text ‘View the details of this transaction online’ contains hyperlinks to compromised websites, as shown above. These pages contain no content of their own, only five JavaScript includes:


These JavaScript redirectors contain the following document.location script, which sends victims to a Blackhole Exploit Kit at

It first drops the Pony downloader from the following location:
closteage[.]com /q.php?f=ba33e&e=2

File: readme.exe
MD5: 659382f4192ef5070016b996e94b4646
Size: 2,83,160 bytes

Pony downloader posts to its dropzone at /pony/gate.php. It was also configured to download the following four files, all of which are the same Gameover Zeus payload:

1. derya34[.]com/M7R7.exe
2. http://www.procontracts.co[.]za/dnhoLD.exe
3. alimujtaba.purelogics[.]info/Jq3v.exe
4. http://www.e-gaming[.]cz/qNrkMGD.exe

It then installs Zeus in %APPDATA% with the following properties:

File: uxnab.exe
MD5: 5d4fabfef89a31dd87834a8d714f1323
Size: 2,83,160 bytes
Other: This file is digitally signed by ‘5r6Io0OJu3L2’
Company Name: Twain Working Group
File Description: Twain.dll Client’s 32-Bit Thunking Server
File Version: 1,7,0,0
Internal Name: Twunk_32
Original Filename: Twunk_32.exe
Product Name: Twain Thunker
Timestamp: 2011:10:11 15:07:46+02:00

This Gameover Zeus payload exfiltrated stolen data to a dropzone at /index.php.
This payload had a bot id of “NR21” and a cid of “3005”. Webinjects were pulled from the same proxy at
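As an added example (not part of the original write-up), here is a small Python triage script that checks proxy-log lines and file hashes against the indicators listed above. The Pony gate host, the client IP and the sample log lines are constructed placeholders, since the post gives only the /pony/gate.php path and not the host.

```python
import hashlib
from pathlib import Path

# Network indicators taken from the write-up, kept defanged ("[.]") as in the post.
NETWORK_IOCS = [
    "closteage[.]com/q.php",                   # Pony downloader stage
    "derya34[.]com/M7R7.exe",                  # Gameover Zeus payloads
    "www.procontracts.co[.]za/dnhoLD.exe",
    "alimujtaba.purelogics[.]info/Jq3v.exe",
    "www.e-gaming[.]cz/qNrkMGD.exe",
]
# Pony dropzone path; the host is not given in the post, so match on path + POST only.
PONY_GATE_PATH = "/pony/gate.php"

# File indicators (MD5) from the write-up.
FILE_IOCS = {
    "659382f4192ef5070016b996e94b4646": "readme.exe (Pony downloader)",
    "5d4fabfef89a31dd87834a8d714f1323": "uxnab.exe (Gameover Zeus)",
}


def refang(ioc):
    """Turn a defanged indicator back into the form seen in real logs."""
    return ioc.replace("[.]", ".")


def scan_proxy_log(lines):
    """Return (line_no, matched_indicator) for every log line hitting an IoC."""
    needles = [refang(i) for i in NETWORK_IOCS]
    hits = []
    for n, line in enumerate(lines, 1):
        matched = next((nd for nd in needles if nd in line), None)
        if matched is None and PONY_GATE_PATH in line and " POST " in line:
            matched = PONY_GATE_PATH
        if matched:
            hits.append((n, matched))
    return hits


def md5_label(data):
    """Return the IoC label for a byte string whose MD5 is in FILE_IOCS, else None."""
    return FILE_IOCS.get(hashlib.md5(data).hexdigest())


def check_file_hash(path):
    """Hash a file on disk and report the matching IoC label, if any."""
    return md5_label(Path(path).read_bytes())


# Constructed sample log lines (not real traffic): "client method url status".
SAMPLE_LOG = [
    "192.0.2.10 GET http://closteage.com/q.php?f=ba33e&e=2 200",
    "192.0.2.10 POST http://198.51.100.7/pony/gate.php 200",
    "192.0.2.10 GET http://derya34.com/M7R7.exe 200",
    "192.0.2.10 GET http://www.example.com/index.php 200",
]

if __name__ == "__main__":
    for line_no, ioc in scan_proxy_log(SAMPLE_LOG):
        print(f"line {line_no}: hit on {ioc}")
```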

