You sent a payment

The spam hits kept a rollin' today. On 2012-04-02 we observed a PayPal-themed spam campaign.

The spam sample that we analyzed had a subject line of "You sent a payment." This sample contained the following malicious links:

The malicious pages contained the following javascript redirectors:

<script type="text/javascript" src=""></script>
<script type="text/javascript" src=""></script>
<script type="text/javascript" src=""></script>

The javascripts redirected victims to a Blackhole Exploit Kit at

Note that we previously saw the IP used as a dropzone for the Pony downloader variant used in the attack documented in our post US Airways online check-in. This is a pattern we've observed in the past, where the same IPs were used both to host Blackhole Exploit Kits and to serve as Pony downloader drop zones.

The Blackhole kit at dropped a Pony downloader variant with the following properties:

File: info.exe
Size: 94761 bytes
MD5: C150FCEA73F3B2904BBEBE0E601B53AC

This Pony downloader variant was configured to send stolen FTP and web admin credentials to the following dropzones:

The Pony variant also downloaded a Gameover Zeus variant from the following locations:

The Gameover variant had the following properties:

Size: 297512 bytes
MD5: 1E3AA9BCFB6300F426030532821525EA

This variant had a botid of "NRa3". Note that the day counter in the botid had been incremented to 3. This is significant because we analyzed this sample at approximately 8pm EDT on 2012-04-02. That the botid had been incremented to 3 suggests that the bot was compiled in and distributed from a different timezone … perhaps somewhere in Europe?

