Xerox, Your Flight, and Intuit

Just when we thought we had the attackers figured out, they went and switched things up on us.  Previously, every spam campaign we saw with an .htm attachment redirected to a Phoenix exploit kit, which then installed Bugat/Feodo/Cridex.  Today, however, we noticed that these spam messages with .htm attachments are still redirecting to a Phoenix exploit kit but are now installing a Pony Loader binary, which in turn installs Gameover Zeus.

Three separate spam themes were observed:

Your software order.

Fwd: Scan from a Xerox W. Pro #858678

Fwd: Your Flight F 458-37826

These .htm attachments contain scripts which are used to redirect to Phoenix exploit kits at the following URLs:


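The redirect in these attachments is done in script rather than with a plain link, so a first pass at triaging a suspect .htm is to pull every redirect target out of it and note how it was hidden. The following is an added example, not code from the original post or from the campaign samples: it extracts targets from meta-refresh tags, location assignments, iframes and unescape() literals, and flags the obfuscation primitives such kits rely on. The sample attachment and the landing domain in it are constructed placeholders, not indicators from this post.

```python
import re
from urllib.parse import unquote

# Constructed sample resembling a "Xerox scan" .htm attachment. The landing
# domain is a placeholder (.invalid), not an indicator from the post.
SAMPLE_HTM = """<html><head><title>Xerox Scan</title></head><body>
<h1>Please wait, loading your document...</h1>
<script type="text/javascript">
var u = unescape("%68%74%74%70%3A%2F%2Fexample-landing.invalid%3A8080%2Fforum%2Fshowthread.php%3Ft%3D12");
window.location = u;
</script>
<noscript><meta http-equiv="refresh" content="0; url=http://example-landing.invalid:8080/forum/showthread.php?t=12"></noscript>
</body></html>"""

# Constructed benign attachment: a link the user has to click, no script.
BENIGN_HTM = """<html><body><p>Your order #4471 has shipped.</p>
<p><a href="http://shop.example.invalid/orders/4471">Track it here</a></p></body></html>"""

# Each pattern captures the redirect target; "unescape" captures the encoded
# literal, which is decoded below the way JS unescape() would for ASCII.
REDIRECT_PATTERNS = [
    ("meta-refresh", re.compile(
        r'http-equiv\s*=\s*["\']refresh["\'][^>]*url\s*=\s*["\']?([^"\'>\s]+)', re.I)),
    ("location", re.compile(
        r'(?:window|document|top|self)\.location(?:\.href)?\s*=\s*["\']([^"\']+)["\']', re.I)),
    ("iframe", re.compile(r'<iframe[^>]+src\s*=\s*["\']([^"\']+)["\']', re.I)),
    ("unescape", re.compile(r'unescape\(\s*["\']([^"\']+)["\']\s*\)', re.I)),
]

# Primitives that legitimate one-page attachments almost never need.
OBFUSCATION_MARKERS = ("eval(", "unescape(", "fromCharCode", "document.write(")

# 0x0 / hidden frames are the other classic exploit-kit redirect technique.
HIDDEN_IFRAME = re.compile(r'<iframe[^>]*(?:width|height)\s*=\s*["\']?0', re.I)


def triage_htm(html: str) -> dict:
    """Return redirect targets, techniques and obfuscation markers found in an .htm."""
    urls = set()
    techniques = set()
    for name, pat in REDIRECT_PATTERNS:
        for m in pat.finditer(html):
            target = m.group(1)
            if name == "unescape":
                target = unquote(target)      # %68%74... -> http...
            techniques.add(name)
            if re.match(r'https?://', target, re.I):
                urls.add(target)
    lowered = html.lower()
    markers = [mk for mk in OBFUSCATION_MARKERS if mk.lower() in lowered]
    hidden = bool(HIDDEN_IFRAME.search(html))
    # Verdict: an automatic redirect target plus any concealment is enough to
    # pull the attachment for sandboxing; a plain hyperlink is not.
    suspicious = bool(urls) and (bool(markers) or hidden or "meta-refresh" in techniques)
    return {
        "urls": sorted(urls),
        "techniques": sorted(techniques),
        "obfuscation": markers,
        "hidden_iframe": hidden,
        "suspicious": suspicious,
    }


if __name__ == "__main__":
    for label, doc in (("sample", SAMPLE_HTM), ("benign", BENIGN_HTM)):
        print(label, triage_htm(doc))
```

The decoded unescape() literal and the noscript meta-refresh resolve to the same landing URL, which is exactly the behaviour to look for: the page gets the victim to the kit whether or not script runs. Anything this flags should be detonated rather than opened.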
All of the above Phoenix domains are hosted via the same fast flux network at the following IP addresses:

The payload, Pony Loader, is installed via poosdfhhsppsdns[.]su:8080/navigator/frf3.php?i=6&f=c0af9&e=0:

file name: dsarcubqinhsjqkugsbm.exe
file size: 95,272 bytes
md5: 90222ad40f07231a35c37fbbc4a6e91d
This file is digitally signed:

This Pony Loader posts to a C&C at 91.121.178[.]156/pony/gate.php.  It then attempts to download a Gameover Zeus binary from the following URLs:


file size: 304,168 bytes
md5: a2e0ac37b5cd193262ce7eb1ea72ba50
Notably, this file carries the exact same digital signature as the Pony Loader above:

The Gameover Zeus variant connects to a drop at and uses a bot ID of mf222a3.
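The two stages above leave distinct, orderable marks in a web proxy log: a GET to the kit's payload path on the fast-flux .su host, followed within seconds by a POST from the same client to the Pony gate. As an added example (not part of the original post), the script below turns the indicators quoted in this post into a log check and correlates the two stages per client, so a single host-only hit on the fast-flux domain is reported at lower confidence than the full chain. The log format and the client addresses are constructed; the hosts, paths and MD5s are the ones given above.

```python
import re
from urllib.parse import urlsplit


def refang(ioc: str) -> str:
    """Turn the post's defanged notation (foo[.]su) back into a matchable form."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


# Indicators from the post. Query strings (i=, f=, e=) are deliberately not part
# of the match so that other payload tokens served from the same kit path still hit.
IOCS = [
    {"name": "Phoenix EK payload request (Pony Loader)",
     "host": refang("poosdfhhsppsdns[.]su"), "port": 8080,
     "path": re.compile(r"^/navigator/frf3\.php$"), "method": None},
    {"name": "Pony Loader C&C check-in",
     "host": refang("91.121.178[.]156"), "port": None,
     "path": re.compile(r"^/pony/gate\.php$"), "method": "POST"},
]

KNOWN_MD5 = {
    "90222ad40f07231a35c37fbbc4a6e91d": "Pony Loader (dsarcubqinhsjqkugsbm.exe)",
    "a2e0ac37b5cd193262ce7eb1ea72ba50": "Gameover Zeus",
}

# Constructed proxy log (not from the post): ts client method url status bytes
SAMPLE_LOG = """\
2012-05-14T14:02:11Z 10.1.2.33 GET http://poosdfhhsppsdns.su:8080/navigator/frf3.php?i=6&f=c0af9&e=0 200 95272
2012-05-14T14:02:19Z 10.1.2.33 POST http://91.121.178.156/pony/gate.php 200 512
2012-05-14T14:03:40Z 10.1.2.77 GET http://www.example.com/index.html 200 4321
2012-05-14T14:05:02Z 10.1.2.33 GET http://poosdfhhsppsdns.su/navigator/frf3.php?i=6&f=c0af9&e=0 404 0
"""


def parse_line(line: str):
    """Parse one whitespace-separated log record; return None for malformed lines."""
    fields = line.split()
    if len(fields) != 6:
        return None
    ts, client, method, url, status, nbytes = fields
    return {"ts": ts, "client": client, "method": method.upper(),
            "url": url, "status": int(status), "bytes": int(nbytes)}


def scan_log(log_text: str) -> list:
    """Match every record against IOCS; host-only matches are kept at lower confidence."""
    hits = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        parts = urlsplit(rec["url"])
        host = (parts.hostname or "").lower()
        port = parts.port or (443 if parts.scheme == "https" else 80)
        for ioc in IOCS:
            if host != ioc["host"]:
                continue
            exact = (ioc["port"] in (None, port)
                     and bool(ioc["path"].match(parts.path))
                     and ioc["method"] in (None, rec["method"]))
            hits.append({"ts": rec["ts"], "client": rec["client"], "url": rec["url"],
                         "ioc": ioc["name"],
                         "confidence": "exact" if exact else "host-only"})
    return hits


def clients_with_full_chain(hits: list) -> list:
    """Clients that show both the kit payload fetch and the Pony check-in."""
    seen = {}
    for h in hits:
        if h["confidence"] == "exact":
            seen.setdefault(h["client"], set()).add(h["ioc"])
    needed = {ioc["name"] for ioc in IOCS}
    return sorted(c for c, names in seen.items() if needed <= names)


def classify_hash(md5_hex: str):
    """Map a quarantined file's MD5 to the sample named in the post, if known."""
    return KNOWN_MD5.get(md5_hex.strip().lower())


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for h in found:
        print(h["confidence"], h["client"], h["ioc"], h["url"])
    print("full chain:", clients_with_full_chain(found))
```

Host matching is done on the hostname, not the resolved address, because the fast-flux network behind the .su domains rotates IPs; the IP list in this post is worth blocking, but the domain is the more stable key for detection.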

So what does this new trend tell us?  It looks as though the actors using Bugat may be switching to Gameover Zeus to supplement their infections; we have yet to see any Bugat installs today.

