Schwab Report

The spam train kept rolling today. We saw another interesting template on 2012-03-29 spoofing communications from Charles Schwab. The observed sample had a subject line of “Schwab Report”.

This malicious missive contained the following links:

http://gorilascountry.com.br/dbcrLxFh/index.html
http://www.chapliniana.com/a1UZ9Deb/index.html

These pages contained the following JavaScript redirectors:

<script type="text/javascript" src="http://shultzfamily.com/6bCo6tHS/js.js"></script>
<script type="text/javascript" src="http://telefonspass24.de/w2ziooxT/js.js"></script>
<script type="text/javascript" src="http://eawebagency.com.ar/6FtHNTPa/js.js"></script>
<script type="text/javascript" src="http://gpatrol.com/XwWWQjzf/js.js"></script>
<script type="text/javascript" src="http://rregenttours.com/fZAALpHW/js.js"></script>

These JavaScript files redirect victims to a Blackhole exploit kit landing page at http://88.85.99.44:8080/showthread.php?t=8d80b8c3f87a9538. Note this is the same exploit kit seen in the Apple Store-themed spam campaign.

This kit dropped a Pony downloader with the following properties:

File: contacts.exe
Size: 150569
MD5: 6DD2CB441698AF52A35FDC5388B6C387

This Pony downloader was configured to send stolen FTP credentials to the following dropzones:

http://50.56.208.113:8080/pony/gate.php
http://83.174.131.142:8080/pony/gate.php
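As an added example (not code from the original post), the following Python scanner turns the indicators above into proxy-log detection heuristics: the Blackhole landing-page URL shape, the Pony gate path, and the redirector script layout. The log lines and the pattern thresholds are constructed for illustration.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# Heuristics constructed from this post's indicators (not vendor signatures):
# Blackhole landing (showthread.php on :8080, 16-hex "t"), Pony gate path,
# and the redirector layout of an 8-character random directory plus js.js.
BLACKHOLE_TOKEN = re.compile(r"^[0-9a-f]{16}$")
PONY_GATE_PATH = "/pony/gate.php"
REDIRECTOR_PATH = re.compile(r"^/[A-Za-z0-9]{8}/js\.js$")

def classify_url(url: str) -> Optional[str]:
    """Return a label for a URL matching one of the patterns above, else None."""
    parts = urlsplit(url)
    if parts.path.endswith("/showthread.php") and parts.port == 8080:
        token = parse_qs(parts.query).get("t", [""])[0]
        if BLACKHOLE_TOKEN.match(token):
            return "blackhole-landing"
    if parts.path.endswith(PONY_GATE_PATH):
        return "pony-gate"
    if REDIRECTOR_PATH.match(parts.path):
        return "js-redirector"
    return None

# Constructed proxy log, "<timestamp> <client> <method> <url> <status>":
# the first four URLs come from the post, the last two are benign look-alikes.
SAMPLE_LOG = """\
2012-03-29T10:01:02Z 10.0.0.12 GET http://gorilascountry.com.br/dbcrLxFh/index.html 200
2012-03-29T10:01:03Z 10.0.0.12 GET http://shultzfamily.com/6bCo6tHS/js.js 200
2012-03-29T10:01:05Z 10.0.0.12 GET http://88.85.99.44:8080/showthread.php?t=8d80b8c3f87a9538 200
2012-03-29T10:01:09Z 10.0.0.12 POST http://50.56.208.113:8080/pony/gate.php 200
2012-03-29T10:02:00Z 10.0.0.15 GET http://example.com/forum/showthread.php?t=12345 200
2012-03-29T10:02:01Z 10.0.0.15 GET http://example.com/static/js.js 200
"""

def scan_log(text: str) -> List[Tuple[str, str, str]]:
    """Return (client, label, url) for every log line that matches a pattern."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        label = classify_url(fields[3])
        if label:
            hits.append((fields[1], label, fields[3]))
    return hits

if __name__ == "__main__":
    for client, label, url in scan_log(SAMPLE_LOG):
        print(client, label, url)
```

The benign look-alikes show why the port and token-length checks matter: a forum thread URL or an ordinary js.js is not flagged on its own.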

The Pony downloader was also configured to download a Gameover Zeus variant from the following locations:

http://roosevelt.edu.ec/rxnUJD.exe
http://harris-tuban-bali.com/ZZKyoGUd.exe

This Gameover Zeus variant had the following properties:

File: rxnUJD.exe
Size: 319528
MD5: 3BD6BD0EE4C2FAF78C23FC41D87FBE5E

Like all recent Zeus variants, this Gameover variant was signed with a self-signed digital certificate:

This Gameover variant had a botid of “rnato30”.

One Comment

  1. Posted December 6, 2012 at 1:22 pm

    First of all, thank you for your article. We think such articles are informative in nature. Thanks again.
