USPS Delivery Confirmation – Failed 64885492

Attachment: UPS_id1086785803.htm


Encoded JavaScript in the spam attachment redirects the victim to a Phoenix Exploit Kit landing page at sisfshsdofhidd[.]ru:8080 /navigator/jueoaritjuir.php, hosted at the following IP address(es):

The Phoenix controller then serves a PDF exploiting CVE-2010-0188 from sisfshsdofhidd[.]ru:8080 /navigator/alisgtypezfq.pdf.

This PDF file had the following properties:
Name: alisgtypezfq.pdf
Size: 13,233 bytes
MD5: ed5d2236be495b79d3fcc1d28acaabb0

The PDF exploits CVE-2010-0188 and was detected by 29 of 43 AV vendors on VirusTotal.

Successful exploitation then redirects victims to phfhshdjsjdppns[.]su:8080 /navigator/frf3.php?i=8, which downloads a Bugat/Feodo variant with the following properties:

File: dsarcubqinhsjqkugsbm.exe
MD5: 20de62566248864be3b0e413b332d731
Size: 86,016 bytes
Timestamp: 2011:03:25 06:01:22+01:00

It receives its configuration file from a command and control server at nolwzyzsqkhjkqhomc[.]ru:8080 /rwx/B1_3n9/in/. This domain is hosted on fast-flux infrastructure at the following IP addresses:

Note that after sticking to the same URI scheme for the Phoenix landing page and the payload page for almost three weeks, the Bugat/Feodo spam campaign has now changed URI schemes:

from /images/aublbzdni.php to /navigator/jueoaritjuir.php
from /images/jw.php?i= to /navigator/frf3.php?i=
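As an added example (not code from the original post), the following Python script scans proxy log lines for the URI paths of both the old and the new scheme, the PDF path and the C2 path listed above, and groups the stages seen per client so a full chain can be told apart from a single blocked request. The log format, the client addresses and the 192.0.2.10 host in the sample lines are constructed assumptions.

```python
from urllib.parse import urlsplit, parse_qs

# Paths from the write-up. Both the old (/images/...) and the new (/navigator/...)
# scheme are listed, so a scheme change alone does not evade the rule.
LANDING_PATHS = {"/images/aublbzdni.php", "/navigator/jueoaritjuir.php"}
PAYLOAD_PATHS = {"/images/jw.php", "/navigator/frf3.php"}
PDF_PATH = "/navigator/alisgtypezfq.pdf"
C2_PATH = "/rwx/B1_3n9/in/"
# Domains as defanged in the post; "[.]" is undone only for host comparison.
CAMPAIGN_HOSTS = {h.replace("[.]", ".") for h in
                  ("sisfshsdofhidd[.]ru", "phfhshdjsjdppns[.]su", "nolwzyzsqkhjkqhomc[.]ru")}

def classify_url(url):
    """Map a requested URL to a stage of the infection chain, or None."""
    parts = urlsplit(url)
    if parts.path in LANDING_PATHS:
        return "phoenix-landing"
    if parts.path in PAYLOAD_PATHS and "i" in parse_qs(parts.query):
        return "payload-download"
    if parts.path == PDF_PATH:
        return "pdf-exploit"
    if parts.path == C2_PATH:
        return "c2-config"
    if (parts.hostname or "") in CAMPAIGN_HOSTS:
        return "campaign-host"   # known host, path not yet seen in this campaign
    return None

def scan_proxy_log(lines):
    """Return (client_ip, stage, url) for each matching line.
    Assumed (constructed) log format: '<timestamp> <client_ip> <method> <url> <status>'."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 5:
            continue
        stage = classify_url(fields[3])
        if stage:
            hits.append((fields[1], stage, fields[3]))
    return hits

def clients_by_stage(hits):
    """Group the stages observed per client: landing + payload + C2 means the chain completed."""
    seen = {}
    for client_ip, stage, _ in hits:
        seen.setdefault(client_ip, set()).add(stage)
    return seen

# Constructed sample log: one full chain on 10.0.0.15, a benign request, and one
# hit on the old payload scheme from an earlier wave (host is a placeholder).
SAMPLE_LOG = """\
2011-03-25T06:10:01Z 10.0.0.15 GET http://sisfshsdofhidd.ru:8080/navigator/jueoaritjuir.php 200
2011-03-25T06:10:02Z 10.0.0.15 GET http://sisfshsdofhidd.ru:8080/navigator/alisgtypezfq.pdf 200
2011-03-25T06:10:05Z 10.0.0.15 GET http://phfhshdjsjdppns.su:8080/navigator/frf3.php?i=8 200
2011-03-25T06:10:09Z 10.0.0.15 GET http://nolwzyzsqkhjkqhomc.ru:8080/rwx/B1_3n9/in/ 200
2011-03-25T06:11:00Z 10.0.0.22 GET http://example.com/images/logo.png 200
2011-03-02T09:00:00Z 10.0.0.30 GET http://192.0.2.10:8080/images/jw.php?i=3 200
""".splitlines()
```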

