USPS Delivery Confirmation – Failed 64885492

Attachment: UPS_id1086785803.htm

UPS_id1086785803

Encoded JS in the spam attachment redirects the victim to a Phoenix Exploit Kit landing page at sisfshsdofhidd[.]ru:8080 /navigator/jueoaritjuir.php, hosted at the following IP address(es):


The Phoenix controller then serves a PDF exploiting CVE-2010-0188 from sisfshsdofhidd[.]ru:8080 /navigator/alisgtypezfq.pdf.

This PDF file had the following properties:
Name: alisgtypezfq.pdf
Size: 13,233 bytes
MD5: ed5d2236be495b79d3fcc1d28acaabb0

The PDF exploits CVE-2010-0188 and was detected by 29 of 43 AV vendors on VirusTotal.

On successful exploitation the victim is redirected to phfhshdjsjdppns[.]su:8080 /navigator/frf3.php?i=8, which downloads a Bugat/Feodo variant with the following properties:

File: dsarcubqinhsjqkugsbm.exe
MD5: 20de62566248864be3b0e413b332d731
Size: 86,016 bytes
Timestamp: 2011:03:25 06:01:22+01:00

It receives its configuration file from a command and control server at nolwzyzsqkhjkqhomc[.]ru:8080 /rwx/B1_3n9/in/. This domain is hosted on a fast flux infrastructure at the following IP addresses:


Note that after sticking to the same URI scheme for the Phoenix landing page and the payload page for almost 3 weeks, the Bugat/Feodo spam campaign has now changed URI schemes:

from /images/aublbzdni.php to /navigator/jueoaritjuir.php
from /images/jw.php?i= to /navigator/frf3.php?i=
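As an added example that is not part of the original post, the Python below checks web proxy log lines for the indicators above, matching both the old /images/ and the new /navigator/ URI schemes, the C2 configuration path, and the two file hashes; the log lines, timestamps and client addresses are constructed, and the hostnames are the post's defanged names written out.

```python
import re
from typing import Optional
from urllib.parse import urlparse

# Indicators from the post (hosts written undefanged so URLs parse).
KNOWN_HOSTS = {"sisfshsdofhidd.ru", "phfhshdjsjdppns.su", "nolwzyzsqkhjkqhomc.ru"}
KNOWN_MD5 = {
    "ed5d2236be495b79d3fcc1d28acaabb0": "alisgtypezfq.pdf",          # CVE-2010-0188 PDF
    "20de62566248864be3b0e413b332d731": "dsarcubqinhsjqkugsbm.exe",  # Bugat/Feodo sample
}
# URI shapes for each stage, old (/images/) and new (/navigator/) schemes, most specific first.
STAGE_PATTERNS = [
    ("feodo_payload", re.compile(r"^https?://[^/]+:8080/(?:images/jw|navigator/frf3)\.php\?i=\d+$")),
    ("feodo_c2_config", re.compile(r"^https?://[^/]+:8080/rwx/B1_3n9/in/")),
    ("phoenix_pdf_cve_2010_0188", re.compile(r"^https?://[^/]+:8080/navigator/[a-z]+\.pdf$")),
    ("phoenix_landing", re.compile(r"^https?://[^/]+:8080/(?:images|navigator)/[a-z]+\.php$")),
]

def classify_url(url: str) -> Optional[str]:
    """Return the infection-chain stage a request URL matches, or None.
    A URI-shape hit on a host not named in the post is still reported, with a
    '_uri_only' suffix, since the hosts and IPs behind this campaign change."""
    host = urlparse(url).hostname or ""
    for label, pattern in STAGE_PATTERNS:
        if pattern.match(url):
            return label if host in KNOWN_HOSTS else label + "_uri_only"
    return None

def scan_log(text: str) -> list:
    """Scan proxy log lines of the form '<time> <client> <method> <url>'."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        label = classify_url(fields[3])
        if label:
            hits.append((fields[1], label))
    return hits

def lookup_md5(digest: str) -> Optional[str]:
    """Map an MD5 to the sample name from the post, or None if unknown."""
    return KNOWN_MD5.get(digest.lower())

# Constructed sample log: one full chain from 10.0.0.7, a benign request and a
# payload-URI hit on an unlisted host from 10.0.0.9.
SAMPLE_LOG = """\
2011-03-25T06:10:01 10.0.0.7 GET http://sisfshsdofhidd.ru:8080/navigator/jueoaritjuir.php
2011-03-25T06:10:03 10.0.0.7 GET http://sisfshsdofhidd.ru:8080/navigator/alisgtypezfq.pdf
2011-03-25T06:10:09 10.0.0.7 GET http://phfhshdjsjdppns.su:8080/navigator/frf3.php?i=8
2011-03-25T06:11:30 10.0.0.7 GET http://nolwzyzsqkhjkqhomc.ru:8080/rwx/B1_3n9/in/
2011-03-25T06:12:00 10.0.0.9 GET http://www.example.com/index.html
2011-03-25T06:13:00 10.0.0.9 GET http://other.example:8080/images/jw.php?i=3
"""
```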
