US Airways online check-in

File under: Old Wine, Old Bottles.

On 2012-04-02 we saw more US Airways-themed spam. We believe this was a very big spam run that included many malicious links. The spam sample we analyzed had a subject line of “US Airways online check-in”.

This sample included malicious links to:

http://ftp.halsat.sk/0drnFhv7/index.html
http://alislam4all.com/zUGqdj5E/index.html

These malicious pages both include the following JavaScript redirectors:

<script type="text/javascript" src="http://benetts.com.br/C9gxJgMX/js.js"></script>
<script type="text/javascript" src="http://devendier.com/KmdXU7zM/js.js"></script>
<script type="text/javascript" src="http://fillmorerents.com/5gBHnHim/js.js"></script>
<script type="text/javascript" src="http://silca.com.ar/eFArJfsH/js.js"></script>
<script type="text/javascript" src="http://oyasigorta.com/BEswPnYb/js.js"></script>

The same random eight-character alphanumeric directory pattern that we've observed in previous spam campaigns is still used in this campaign and should still serve as a valuable indicator of malicious activity.

These JavaScript files redirect victims to a Blackhole Exploit Kit at 174.140.171.173/showthread.php?t=d44175c6da768b70. We noted that the Blackhole Exploit Kit moved at least once during the day to http://207.210.101.44/showthread.php?t=d44175c6da768b70.
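As an added example (not code from the original post), here is one way a defender can turn the path pattern described above into a check: pull every script src out of a captured landing page and flag the ones whose path is an eight-character alphanumeric directory followed by index.html or js.js, and run the same check over proxy log lines. The regex is our own encoding of the pattern the post describes, and the landing-page body and proxy log lines below are constructed samples built from the URLs listed in the post plus benign entries that should not match.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Path shape seen in this campaign: a directory of exactly eight alphanumerics
# followed by index.html (the landing page) or js.js (the redirector).
# This regex is our own encoding of the pattern the post describes.
CAMPAIGN_PATH = re.compile(r"^/[A-Za-z0-9]{8}/(?:index\.html|js\.js)$")

# Loose matcher for pulling http(s) URLs out of free-form log text.
URL_IN_TEXT = re.compile(r"https?://[^\s\"'<>]+")


class ScriptSrcExtractor(HTMLParser):
    """Collect the src attribute of every <script> tag in a page body."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        for name, value in attrs:
            if name.lower() == "src" and value:
                self.sources.append(value)


def extract_script_sources(html):
    """Return the src URLs of all <script> tags in the given HTML, in order."""
    parser = ScriptSrcExtractor()
    parser.feed(html)
    return parser.sources


def matches_campaign_pattern(url):
    """True if the URL path is /XXXXXXXX/index.html or /XXXXXXXX/js.js."""
    return CAMPAIGN_PATH.match(urlparse(url).path) is not None


def flag_urls(urls):
    """Keep only the URLs whose path matches the campaign pattern."""
    return [u for u in urls if matches_campaign_pattern(u)]


def flag_log_lines(lines):
    """Return (line, url) pairs for log lines that contain a matching URL."""
    hits = []
    for line in lines:
        for url in URL_IN_TEXT.findall(line):
            if matches_campaign_pattern(url):
                hits.append((line, url))
    return hits


# Constructed sample: a landing page body of the shape the post describes,
# plus one benign script include that must not be flagged.
SAMPLE_LANDING_PAGE = """<html><body>
<script type="text/javascript" src="http://benetts.com.br/C9gxJgMX/js.js"></script>
<script type="text/javascript" src="http://devendier.com/KmdXU7zM/js.js"></script>
<script type="text/javascript" src="http://fillmorerents.com/5gBHnHim/js.js"></script>
<script type="text/javascript" src="http://example.com/static/jquery.min.js"></script>
</body></html>"""

# Constructed proxy log lines (the log format and client addresses are made up).
SAMPLE_PROXY_LOG = [
    "2012-04-02 09:13:55 10.0.0.12 GET http://ftp.halsat.sk/0drnFhv7/index.html 200",
    "2012-04-02 09:13:56 10.0.0.12 GET http://silca.com.ar/eFArJfsH/js.js 200",
    "2012-04-02 09:14:01 10.0.0.15 GET http://example.com/news/index.html 200",
    "2012-04-02 09:14:07 10.0.0.15 GET http://example.com/abcdefgh/about.html 200",
]

if __name__ == "__main__":
    for src in flag_urls(extract_script_sources(SAMPLE_LANDING_PAGE)):
        print("suspicious script include:", src)
    for _line, url in flag_log_lines(SAMPLE_PROXY_LOG):
        print("suspicious request:", url)
```

Eight-character alphanumeric directories do occur in legitimate traffic (content hashes on CDNs, for example), so treat a match as a pivot for further review rather than a verdict on its own; the check is most useful when combined with the file names the campaign uses and with the sending infrastructure noted later in the post.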

This Blackhole Exploit Kit continued to use a .jar file that targeted CVE-2012-0507. This .jar was only detected by 2 of 42 AV vendors on VirusTotal, and the file had the following properties:

File: Pol.jar
Size: 14184
MD5: F48070F2E18FBEDE54046DD844B6A35D

The integration of this very new Java exploit into the kit is a helpful reminder that we should all keep Java patched and up to date on our machines. Heck, let's keep all our software up to date 🙂

The Blackhole Exploit kit then dropped a Pony downloader with the following properties:

Size: 153129
MD5: A3AF0BAF306A03D3FD8C8CD6FCFBBD81

This Pony variant was configured to send stolen FTP and other web admin credentials to the following dropzones:

http://50.56.223.113:8080/pony/gate.php
http://91.121.178.156:8080/pony/gate.php

The Pony variant was also configured to download a Gameover Zeus variant from the following locations:

http://datasig.com.ar/EK8jt.exe
http://restaurantlebed.com/Fec9gmYQ.exe
http://heregospel.com.br/GTKP.exe
http://ibcalvario.com.br/gV6Z8.exe

This Gameover Zeus variant had a botid of ‘ppcz2’ and the following properties:

File: gV6Z8.exe
Size: 318504
MD5: 0A37C0166A1B37B30228AC73E1E1D9EF

UPDATE: We were able to analyze headers from a few US Airways spam samples. The originating IPs from the samples we analyzed were as follows:

  • 109.98.113.72
  • 178.17.116.73
  • 189.0.101.146
  • 95.155.46.254

We are truly shocked to report that these IPs are all nodes in a Cutwail spambot. Shocked, I tell you!
