Check from Christian Liberty Financial

On 2012-04-02 we observed a spam email via Cisco’s Security Intelligence Operations with the subject line “Check from Christian Liberty Financial, Mon, 2 Apr 2012 12:33:29 +0100”.

This spam message contained the following body:

Advance Notice
Enter this code:
Pay-day Application Enclosed – Please Review
Money Today
Today Only!
Payble to:
—————— AXLB1KQE-IFB0-KP39-C84Y-QRFSYWDQLW61 ——————————————-
Money for:
Bills, Shopping, Vacation, Rent, Anything
***** For Immediate Processing Refer to Attached Instructions*****
CAN-SPAM Compliant
341 Raven Circle
Wyoming, DE 19934

This spam message had a .zip file attached with the filename This .zip file contained a malicious executable with the following properties:

File: Your_Check_Details_042012.exe
Size: 149504 bytes
MD5: A6D4F87E65359ACBB1640611D36E4685

This malicious executable is an ICE IX Zeus variant. It communicates with its command and control server at via the following POST request:

POST /lampard.php HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
Connection: Close
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.2; .NET CLR 2.0.50727)
Content-Length: 77
Cache-Control: no-cache

The command and control server was configured to return an encrypted configuration file with the filename “setusating.bin”. During testing the server did not return this file.
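The check-in above has a recognisable shape: a POST of a tiny urlencoded body to a `.php` resource, `Cache-Control: no-cache`, `Connection: Close`, `Accept: */*`, no Referer, and a hard-coded legacy MSIE 6.0 User-Agent. The following is an added example (not code from the original post or from Cisco) that parses a raw request head and scores it against those indicators; the two sample requests are constructed, the first copied from the capture above and the second an assumed benign browser form post, and the threshold of six indicators is an assumption for illustration.

```python
"""Detect Zeus/ICE IX-style HTTP beacons from raw request headers.

Added example (not from the original post). The indicator set is taken
from the captured POST request shown above; the threshold and the
benign sample request are assumptions for illustration.
"""
import re
from typing import Dict, List, Tuple

# Exact User-Agent seen in the capture above (hard-coded by the bot).
ZEUS_UA = ("Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; "
           "InfoPath.2; .NET CLR 2.0.50727)")


def parse_request(raw: str) -> Tuple[str, str, Dict[str, str]]:
    """Split a raw HTTP/1.x request head into (method, path, headers).

    Header names are lower-cased so lookups are case-insensitive.
    """
    lines = raw.strip().splitlines()
    method, path, _version = lines[0].split(None, 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if not line.strip():
            break            # blank line ends the header block
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers


def beacon_indicators(raw: str) -> List[str]:
    """Return the names of every ICE IX beacon indicator the request matches."""
    method, path, h = parse_request(raw)
    hits: List[str] = []
    if method == "POST" and re.search(r"\.php(\?|$)", path):
        hits.append("post_to_php")
    if h.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        hits.append("form_urlencoded_body")
    if h.get("user-agent") == ZEUS_UA:
        hits.append("zeus_user_agent")
    if h.get("cache-control", "").lower() == "no-cache":
        hits.append("no_cache_post")
    if h.get("connection", "").lower() == "close":
        hits.append("connection_close")
    if h.get("accept") == "*/*":
        hits.append("accept_any")
    if "referer" not in h:
        hits.append("no_referer")
    try:
        # Bot check-ins are tiny (77 bytes in the capture above).
        if 0 < int(h.get("content-length", "0")) < 256:
            hits.append("small_body")
    except ValueError:
        pass
    return hits


def is_beacon(raw: str, threshold: int = 6) -> bool:
    """Flag a request when at least `threshold` indicators match (assumed cut-off)."""
    return len(beacon_indicators(raw)) >= threshold


# Constructed sample 1: the request captured in the post above.
CAPTURED = """POST /lampard.php HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
Connection: Close
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.2; .NET CLR 2.0.50727)
Content-Length: 77
Cache-Control: no-cache
"""

# Constructed sample 2: an ordinary browser form submission (assumed benign).
BENIGN = """POST /login.php HTTP/1.1
Host: www.example.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:10.0) Gecko/20100101 Firefox/10.0
Accept: text/html,application/xhtml+xml
Referer: http://www.example.com/login
Content-Type: application/x-www-form-urlencoded
Content-Length: 41
Connection: keep-alive
"""

if __name__ == "__main__":
    for label, req in (("captured", CAPTURED), ("benign", BENIGN)):
        print(label, is_beacon(req), beacon_indicators(req))
```

The captured request matches all eight indicators; the browser post matches only the three that any form submission shares. No single indicator is decisive (legacy User-Agents and no-cache POSTs both occur in legitimate traffic), which is why the rule counts them rather than alerting on one, and why the exact User-Agent string carries the most weight when it does appear.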

It is worth noting that the control server at was hosted on fast flux infrastructure. Via we see that had an A record with a TTL of 300 seconds and currently resolved to both and . This particular fast flux infrastructure is the same infrastructure that was used in the previous spam campaign documented in our post “Triple Barrel Spam Cannon“.
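A 300-second TTL and two A records is only a snapshot; fast flux shows itself when the name is re-resolved over time and the answer set keeps rotating through unrelated address ranges. The following is an added example (not code from the original post) that scores a log of repeated lookups for that behaviour. The lookup logs are constructed with RFC 5737 documentation addresses, and the thresholds (TTL at most 600 s, at least four IPs across at least three /16 prefixes, with churn between answers) are assumptions chosen for illustration.

```python
"""Score repeated DNS answers for a name for fast-flux characteristics.

Added example (not from the original post). Observations would normally
be collected by re-querying the name every few minutes (e.g. with dig or
dnspython); the lookup logs below are constructed and use RFC 5737
documentation addresses. All thresholds are assumptions.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Sequence, Set


@dataclass
class Lookup:
    when: int          # seconds since monitoring started (constructed)
    ttl: int           # TTL on the A records in this answer
    ips: List[str]     # A records returned


def flux_profile(lookups: Sequence[Lookup]) -> Dict[str, int]:
    """Summarise how the name's A records behave across repeated lookups."""
    seen: Set[str] = set()
    new_per_lookup: List[int] = []
    for lk in lookups:
        fresh = set(lk.ips) - seen
        new_per_lookup.append(len(fresh))
        seen |= set(lk.ips)
    # Count distinct /16 prefixes: a flux network is usually spread over
    # unrelated (often residential) address ranges, unlike a CDN pool.
    prefixes = {ipaddress.ip_network(f"{ip}/16", strict=False) for ip in seen}
    return {
        "min_ttl": min(lk.ttl for lk in lookups),
        "distinct_ips": len(seen),
        "distinct_slash16": len(prefixes),
        # IPs first seen in any answer after the initial one.
        "churn_after_first": sum(new_per_lookup[1:]),
    }


def looks_fast_flux(lookups: Sequence[Lookup], *, max_ttl: int = 600,
                    min_ips: int = 4, min_prefixes: int = 3) -> bool:
    """Assumed heuristic: low TTL, several IPs, spread over several /16s,
    and an answer set that keeps changing."""
    p = flux_profile(lookups)
    return (p["min_ttl"] <= max_ttl
            and p["distinct_ips"] >= min_ips
            and p["distinct_slash16"] >= min_prefixes
            and p["churn_after_first"] > 0)


# Constructed lookup log for a name behaving like the control server above:
# TTL 300, two A records per answer, the pair rotating through unrelated ranges.
FLUX_LOG = [
    Lookup(0,   300, ["192.0.2.10", "198.51.100.7"]),
    Lookup(300, 300, ["198.51.100.7", "203.0.113.44"]),
    Lookup(600, 300, ["203.0.113.44", "192.0.2.99"]),
    Lookup(900, 300, ["192.0.2.99", "198.51.100.250"]),
]

# Constructed log for a stable host: long TTL, one address, never changes.
STABLE_LOG = [
    Lookup(0,    86400, ["192.0.2.1"]),
    Lookup(3600, 86400, ["192.0.2.1"]),
    Lookup(7200, 86400, ["192.0.2.1"]),
]

if __name__ == "__main__":
    print("flux:", looks_fast_flux(FLUX_LOG), flux_profile(FLUX_LOG))
    print("stable:", looks_fast_flux(STABLE_LOG), flux_profile(STABLE_LOG))
```

Low TTL plus many addresses on its own also describes a CDN or a round-robin load balancer, so the prefix-diversity and churn terms do most of the work; in production the /16 test is better replaced by an ASN lookup, and the flux and stable logs above would come from a scheduled resolver poll rather than from constants.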

