Xerox, Your Flight, and Intuit

Just when we thought we had the attackers figured out, they went and switched things up on us.  Previously, any of the spam campaigns that had an .htm attachment redirected to a Phoenix exploit kit, which then installed Bugat/Feodo/Cridex.  Today, we noticed that these spam messages with .htm attachments still redirect to a Phoenix exploit kit, but the kit now installs a Pony Loader binary, which in turn installs Gameover Zeus.

Three separate spam themes (subject lines) were observed:

Your Intuit.com software order.

Fwd: Scan from a Xerox W. Pro #858678

Fwd: Your Flight F 458-37826

These .htm attachments contain scripts that redirect the victim's browser to Phoenix exploit kit landing pages at the following URLs:

sumanoidos[.]ru:8080/navigator/jueoaritjuir.php
selenasopka[.]ru:8080/navigator/jueoaritjuir.php
sonografx[.]ru:8080/navigator/jueoaritjuir.php

All of the above Phoenix domains are hosted on the same fast-flux network and resolve to the following IP addresses:

78.83.233.242
78.107.82.98
89.218.55.51
118.97.9.60
125.19.103.198
41.66.137.155
41.168.5.140
61.187.191.16
62.85.27.129
219.94.194.138
180.235.150.72
194.85.97.121
200.169.13.84
202.149.85.37
210.56.23.100
210.56.24.226
210.109.108.210

The payload, Pony Loader, is downloaded from poosdfhhsppsdns[.]su:8080/navigator/frf3.php?i=6&f=c0af9&e=0:

file name: dsarcubqinhsjqkugsbm.exe
file size: 95,272 bytes
md5: 90222ad40f07231a35c37fbbc4a6e91d
This file is digitally signed.

This Pony Loader posts to a C&C gate at 91.121.178[.]156/pony/gate.php.  It then attempts to download a Gameover Zeus binary from the following URLs:

http://www.ciupanezu[.]ro/6rBQWWdx/9ZR.exe
hosbos.com[.]br/rvrsraDu/p7t.exe
http://www.omegaconstrucciones.com[.]ar/UK90biGf/QS6TvK2.exe

file size: 304,168 bytes
md5: a2e0ac37b5cd193262ce7eb1ea72ba50
Ironically, this file carries the exact same digital signature as the Pony Loader above.

The Gameover Zeus variant connects to a drop at 173.166.31.129:15471 and uses a bot ID of mf222a3.
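The indicators above cover every stage of this chain (Phoenix landing page, Pony Loader download, Pony C&C gate, Gameover Zeus download, Gameover Zeus drop). The script below is an added example, not part of the original post, that turns them into a simple log matcher. The log format it parses (one event per line: `time client - METHOD target`, with `CONNECT ip:port` for raw outbound TCP) and the sample lines are constructed for the example; the indicators themselves are copied from the post in their defanged `[.]` form and re-fanged at match time.

```python
"""Match the Phoenix -> Pony Loader -> Gameover Zeus indicators from this post
against proxy/firewall log lines.  Added example; the log format is assumed."""
import re
from urllib.parse import urlparse

# Indicators as published in the post (defanged with "[.]").
PHOENIX_DOMAINS = {"sumanoidos[.]ru", "selenasopka[.]ru", "sonografx[.]ru"}
PHOENIX_PATH = "/navigator/jueoaritjuir.php"
PHOENIX_IPS = {
    "78.83.233.242", "78.107.82.98", "89.218.55.51", "118.97.9.60",
    "125.19.103.198", "41.66.137.155", "41.168.5.140", "61.187.191.16",
    "62.85.27.129", "219.94.194.138", "180.235.150.72", "194.85.97.121",
    "200.169.13.84", "202.149.85.37", "210.56.23.100", "210.56.24.226",
    "210.109.108.210",
}
PONY_DOWNLOAD = ("poosdfhhsppsdns[.]su", 8080, "/navigator/frf3.php")
PONY_GATE = ("91.121.178[.]156", "/pony/gate.php")
GOZ_DOWNLOADS = {
    ("www.ciupanezu[.]ro", "/6rBQWWdx/9ZR.exe"),
    ("hosbos.com[.]br", "/rvrsraDu/p7t.exe"),
    ("www.omegaconstrucciones.com[.]ar", "/UK90biGf/QS6TvK2.exe"),
}
GOZ_DROP = ("173.166.31.129", 15471)
MD5S = {
    "90222ad40f07231a35c37fbbc4a6e91d": "pony-loader",
    "a2e0ac37b5cd193262ce7eb1ea72ba50": "gameover-zeus",
}


def refang(ioc):
    """Turn the post's defanged host back into a real host name."""
    return ioc.replace("[.]", ".")


def split_url(url):
    """Return (host, port, path); tolerate a missing scheme and ignore the query."""
    if "://" not in url:
        url = "http://" + url
    p = urlparse(url)
    port = p.port or (443 if p.scheme == "https" else 80)
    return (p.hostname or "").lower(), port, p.path


def classify_url(url):
    """Map a requested URL to the stage of the chain it belongs to, or None."""
    host, port, path = split_url(url)
    # Phoenix: any hit on the fast-flux domains, or the landing page path
    # requested directly from one of the IPs the domains resolve to.
    if host in {refang(d) for d in PHOENIX_DOMAINS}:
        return "phoenix-ek"
    if host in PHOENIX_IPS and path == PHOENIX_PATH:
        return "phoenix-ek"
    # Pony download carried a query string (i=, f=, e=); match host:port/path only.
    if (host, port, path) == (refang(PONY_DOWNLOAD[0]), PONY_DOWNLOAD[1], PONY_DOWNLOAD[2]):
        return "pony-download"
    if (host, path) == (refang(PONY_GATE[0]), PONY_GATE[1]):
        return "pony-c2"
    if (host, path) in {(refang(h), p) for h, p in GOZ_DOWNLOADS}:
        return "goz-download"
    return None


def classify_connect(ip, port):
    """Raw TCP: the Gameover Zeus drop is a specific ip:port, not a URL."""
    if (ip, port) == GOZ_DROP:
        return "goz-drop"
    return None


def classify_md5(digest):
    """Look up a sample hash against the two binaries in the post."""
    return MD5S.get(digest.lower())


LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (GET|POST|CONNECT) (\S+)")


def classify_line(line):
    m = LINE_RE.match(line)
    if not m:
        return None
    method, target = m.group(4), m.group(5)
    if method == "CONNECT":
        ip, _, port = target.rpartition(":")
        return classify_connect(ip, int(port))
    return classify_url(target)


def scan(lines):
    """Return [(line_number, stage)] for every line that hits an indicator."""
    return [(n, s) for n, s in ((n, classify_line(l)) for n, l in enumerate(lines, 1)) if s]


# Constructed sample log: one full infection chain plus two benign lines.
SAMPLE_LOG = [
    "14:02:11 10.1.2.3 - GET http://sumanoidos.ru:8080/navigator/jueoaritjuir.php",
    "14:02:13 10.1.2.3 - GET http://poosdfhhsppsdns.su:8080/navigator/frf3.php?i=6&f=c0af9&e=0",
    "14:02:20 10.1.2.3 - POST http://91.121.178.156/pony/gate.php",
    "14:02:25 10.1.2.3 - GET http://www.ciupanezu.ro/6rBQWWdx/9ZR.exe",
    "14:02:40 10.1.2.3 - CONNECT 173.166.31.129:15471",
    "14:03:00 10.1.2.3 - GET http://www.example.com/index.html",
    "14:03:05 10.1.2.3 - CONNECT 173.166.31.129:443",
]

if __name__ == "__main__":
    for n, stage in scan(SAMPLE_LOG):
        print(n, stage, SAMPLE_LOG[n - 1])
```

Two caveats a practitioner would apply: the fast-flux IPs are the weakest indicators here (they are rotated frequently and are typically compromised hosts, so bare connections to them are only matched when the Phoenix landing-page path is requested), and the Pony download URL is matched on host, port and path only because the `i=`, `f=` and `e=` query parameters are per-campaign and unlikely to repeat.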

So what does this new trend tell us?  It looks like the actors using Bugat may be switching to Gameover Zeus to supplement their infections.  We have yet to see any Bugat installs today.
