Thank you for your order

On 2012-03-29 we observed an Apple Store-themed spam. The observed sample had a subject line of “Thank you for your order” and the following text:

Dear Customer,

Thank you for shopping at Apple Store.

Here is a notice that your Order Number: W259985718 has been successfully charged to your credit card for 4,200.10 USD.

Please CLICK HERE to see your ORDER.

Your Apple Store Customer Service Team

This email contained a link to Hmm, that pattern definitely looks familiar, right? It sure is ..

Predictably, the malicious link led to a page containing the following HTML, with the usual JavaScript redirects:

<h1>WAIT PLEASE</h1>
<script type="text/javascript" src=""></script>
<script type="text/javascript" src=""></script>

These javascripts redirected victims to a Blackhole Exploit kit at

This Blackhole Exploit unfortunately contained an upgraded Java Exploit (CVE-2012-0507). The malicious .jar file dropped by this kit had the following properties:

File: Pol.jar
Size: 14765
MD5: 8E300391CB3011ED76390C021E20F728

The kit then dropped the following Pony downloader:

File: readme.exe
Size: 150569
MD5: C1D691E2FCE076E58463DB5F5DF441CA

The Pony downloader was configured to send stolen FTP credentials to the following dropzones:

The Pony downloader then downloaded a Gameover Zeus variant from the following locations:

This Zeus variant had the following properties:

Size: 319528
MD5: A374A4151C893BA731833E60655FAD26

This Zeus variant had a botid of “NR29”.
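As an added example (not code from the original post), the following Python helpers turn the two detectable artifacts described above into checks a defender can run: the landing page shape (a lone "WAIT PLEASE" heading followed only by remote script tags) and the three MD5 hashes of the dropped files. The hash values are copied from the post; the HTML sample and its script hosts are constructed for the example and are not the campaign's real URLs.

```python
"""Detection helpers for the Apple Store-themed spam campaign described above.
Added example, not the original post's code. IoC hashes are from the post;
the HTML sample below is constructed to mimic the redirect page it shows."""
import hashlib
from html.parser import HTMLParser
from typing import Optional

# MD5s of the three samples named in the post (stored lowercase for matching).
KNOWN_MD5 = {
    "8e300391cb3011ed76390c021e20f728": "Pol.jar (Blackhole, CVE-2012-0507)",
    "c1d691e2fce076e58463db5f5df441ca": "readme.exe (Pony downloader)",
    "a374a4151c893ba731833e60655fad26": "Gameover Zeus variant (botid NR29)",
}

# Constructed sample in the shape of the redirect page; hosts are placeholders.
SAMPLE_REDIRECT_HTML = """<h1>WAIT PLEASE</h1>
<script type="text/javascript" src="http://redirect-a.example.invalid/x.js"></script>
<script type="text/javascript" src="http://redirect-b.example.invalid/y.js"></script>
"""


class RedirectPageParser(HTMLParser):
    """Collect <h1> text, remote script sources and any other visible text."""

    def __init__(self) -> None:
        super().__init__()
        self.headings = []
        self.script_srcs = []
        self.other_text = False  # visible text outside <h1> and <script>
        self._in_h1 = False
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag == "h1":
            self._in_h1 = True
        elif tag == "script":
            self._in_script = True
            src = dict(attrs).get("src")
            if src:
                self.script_srcs.append(src)

    def handle_endtag(self, tag):
        if tag == "h1":
            self._in_h1 = False
        elif tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_h1:
            self.headings.append(data.strip())
        elif not self._in_script and data.strip():
            self.other_text = True


def looks_like_redirect_page(html: str) -> bool:
    """True when a page matches the landing pattern from the post: a
    'WAIT PLEASE'-style heading, at least two remote scripts, and no
    other visible content (the page exists only to bounce the browser)."""
    p = RedirectPageParser()
    p.feed(html)
    wait_heading = any("wait" in h.lower() for h in p.headings)
    return wait_heading and len(p.script_srcs) >= 2 and not p.other_text


def identify_md5(md5_hex: str) -> Optional[str]:
    """Map an MD5 (any case) to the sample label from the post, or None."""
    return KNOWN_MD5.get(md5_hex.strip().lower())


def identify_bytes(data: bytes) -> Optional[str]:
    """Hash in-memory file content and check it against the known samples."""
    return identify_md5(hashlib.md5(data).hexdigest())


if __name__ == "__main__":
    print("sample page matches:", looks_like_redirect_page(SAMPLE_REDIRECT_HTML))
    print("known jar:", identify_md5("8E300391CB3011ED76390C021E20F728"))
```

To sweep a quarantine directory, read each file's bytes and pass them to identify_bytes; the page check is meant for proxy or sandbox captures of the first hop after the spam link, where a real Blackhole landing page would also carry attacker-controlled hosts in the script src attributes.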
