Your AT&T wireless bill is ready to view

On 2012-04-03 we observed another new spam template circulating in the wild. This spam template spoofed communications from AT&T Wireless. I guess the Verizon Wireless spam campaigns we've seen in the last few weeks were a success, and the spammers behind these attacks decided to try out a new brand. The AT&T Wireless spam template that we analyzed had a subject line of “Your AT&T wireless bill is ready to view”.

The spam message that we analyzed was loaded with malicious links. These links were as follows:

Each spam message associated with this campaign likely contains a different assortment of malicious links. The common characteristic of all these malicious links is that they all contain a random set of 8 alphanumeric characters in the URI path. This identifier has remained consistent across all the different spam templates associated with this particular campaign.

The malicious pages above hosted the following JavaScript redirectors:

Note that these JavaScript redirectors also contained the same pattern of 8 alphanumeric characters in the URI path.
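The 8-character marker described above is the one stable feature across the landing pages and the redirectors, so it makes a useful triage heuristic for URLs pulled from mail gateway or proxy logs. The script below is an added example, not code from the original post: it extracts the first path segment (extension stripped) that is exactly 8 alphanumeric characters. Requiring the token to mix letters and digits is an assumption of this example, added so that all-digit segments such as dates and plain 8-letter words do not match; the sample URLs are constructed and are not the campaign's real links.

```python
import re
from urllib.parse import urlsplit

# Heuristic for the campaign's URI marker: a path segment (extension stripped)
# of exactly 8 alphanumeric characters. The extra requirement that the token
# mix letters and digits is an assumption of this example, added to keep
# all-digit segments such as dates (20120403) from matching.
TOKEN_RE = re.compile(r"^(?=.*[A-Za-z])(?=.*\d)[A-Za-z0-9]{8}$")

def find_random_token(url):
    """Return the 8-character alphanumeric token in the URL path, or None."""
    path = urlsplit(url).path
    for segment in path.split("/"):
        stem = segment.split(".", 1)[0]  # drop an extension such as .js or .html
        if TOKEN_RE.match(stem):
            return stem
    return None

def flag_urls(urls):
    """Map each URL that carries the marker to its token; clean URLs are omitted."""
    flagged = {}
    for url in urls:
        token = find_random_token(url)
        if token is not None:
            flagged[url] = token
    return flagged

# Constructed sample URLs; the campaign's real links are not reproduced here.
SAMPLE_URLS = [
    "http://compromised-site.test/a7Kx9Qm2/index.html",
    "http://compromised-site.test/wp-content/Qp4wR7zT.js",
    "http://legit-site.test/about/contact.html",
    "http://legit-site.test/archive/20120403/post.html",
    "http://legit-site.test/products/abcdefgh/",
]

if __name__ == "__main__":
    for url, token in flag_urls(SAMPLE_URLS).items():
        print(f"{token}  {url}")
```

Only the two constructed URLs carrying a mixed letter-and-digit token are flagged; the date segment and the 8-letter word pass through. Treat a hit as a reason to pull the page for inspection rather than as proof of compromise, since legitimate sites do use short random identifiers in paths.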

These JavaScript redirectors sent victims to a Blackhole Exploit Kit at http://174.140.171.100/showthread.php?t=d7ad916d1c0396ff.

As with the previous Blackhole Exploit Kits we've documented on this blog, this exploit kit targets an assortment of PDF, Flash, Microsoft, and Java vulnerabilities. The most effective exploit code hosted at this and the other Blackhole kits used in this ongoing campaign appears to be the Java Atomic exploit, which targets CVE-2012-0507. This exploit was hosted on the Blackhole Exploit Kit at 174.140.171.100 as a .jar file with the following properties:

File: Pol.jar
Size: 14314
MD5: 8050B15A9D6A530BBADC564813BCB2EB

This .jar file was only detected by 2 of 41 AV Vendors on Virustotal.

The Blackhole Exploit Kit at http://174.140.171.100/showthread.php?t=d7ad916d1c0396ff dropped the following Pony downloader on vulnerable victims:

File: contacts.exe
Size: 95272
MD5: FFDC8980585A48DF7B63388A1B3C3642

This Pony variant was configured to send stolen FTP and other web admin credentials to dropzones at:

We know that 91.121.178.156 was previously home to a Blackhole Exploit Kit. We know because urlQuery.net told us. While the domain subdatapro.com is not currently on our radar, we would not be surprised if it served a Blackhole Exploit Kit in the not too distant future.

The Pony variant (FFDC8980585A48DF7B63388A1B3C3642) was also configured to download a Gameover Zeus variant from the following locations:

This Gameover Zeus variant had the following properties:

Size: 296488
MD5: 54A3D8C0F15E16655CAF35306EFC87E5

This variant had a botid of NRa3. The criminals behind this campaign utilized a proxy at 77.43.1.67:443 to control victims infected with this Gameover variant.
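Taken together, the analysis above yields a small set of network and file indicators for the whole chain: the exploit kit host, the Pony dropzones, the Gameover Zeus proxy, and the MD5s of the three payloads. The script below is an added example, not code from the original post: it sweeps a proxy log and a file inventory for those indicators and reports which clients touched the chain. The log layout, the client addresses, the file paths and the benign hash are constructed for the example; only the exploit-kit URL and the indicators themselves come from the post, and the dropzone path is a placeholder.

```python
from collections import Counter

# Network and file indicators taken from the analysis above.
IOC_HOSTS = {
    "174.140.171.100": "Blackhole Exploit Kit",
    "91.121.178.156": "Pony dropzone (former Blackhole host)",
    "subdatapro.com": "Pony dropzone",
}
# The Gameover Zeus proxy is only known on port 443, so it is matched as an endpoint.
IOC_ENDPOINTS = {("77.43.1.67", 443): "Gameover Zeus proxy"}
IOC_MD5 = {
    "8050b15a9d6a530bbadc564813bcb2eb": "Pol.jar (Java CVE-2012-0507 exploit)",
    "ffdc8980585a48df7b63388a1b3c3642": "contacts.exe (Pony downloader)",
    "54a3d8c0f15e16655caf35306efc87e5": "Gameover Zeus variant",
}

# Constructed proxy log in a simplified "timestamp client dest_host dest_port method url"
# layout. Only the exploit-kit URL is from the post; the dropzone path is a placeholder.
SAMPLE_LOG = """\
2012-04-03T10:01:12Z 10.0.0.15 www.example.test 80 GET http://www.example.test/index.html
2012-04-03T10:02:45Z 10.0.0.15 174.140.171.100 80 GET http://174.140.171.100/showthread.php?t=d7ad916d1c0396ff
2012-04-03T10:03:30Z 10.0.0.15 subdatapro.com 80 POST http://subdatapro.com/PLACEHOLDER-PATH
2012-04-03T10:05:02Z 10.0.0.15 77.43.1.67 443 CONNECT 77.43.1.67:443
2012-04-03T10:06:00Z 10.0.0.22 www.example.test 443 CONNECT www.example.test:443
"""

def parse_line(line):
    """Split one log line into its fields; returns None for malformed lines."""
    parts = line.split()
    if len(parts) < 6:
        return None
    ts, client, host, port, method, url = parts[:6]
    return ts, client, host.lower(), int(port), method, url

def scan_proxy_log(text):
    """Return (client, host, label) for every log line that hits an indicator."""
    hits = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        _, client, host, port, _, _ = rec
        if host in IOC_HOSTS:
            hits.append((client, host, IOC_HOSTS[host]))
        elif (host, port) in IOC_ENDPOINTS:
            hits.append((client, host, IOC_ENDPOINTS[(host, port)]))
    return hits

def infected_clients(text):
    """Clients with at least one hit, mapped to their number of hits."""
    return dict(Counter(client for client, _, _ in scan_proxy_log(text)))

def scan_file_hashes(entries):
    """Match (path, md5) pairs, e.g. from an endpoint inventory, against the file IoCs."""
    return [(path, IOC_MD5[md5.lower()]) for path, md5 in entries if md5.lower() in IOC_MD5]

# Constructed file inventory; the paths are placeholders and the benign hash is not a real digest.
SAMPLE_FILES = [
    (r"C:\Users\victim\AppData\Local\Temp\Pol.jar", "8050B15A9D6A530BBADC564813BCB2EB"),
    (r"C:\Users\victim\AppData\Roaming\contacts.exe", "FFDC8980585A48DF7B63388A1B3C3642"),
    (r"C:\Windows\System32\notepad.exe", "00000000000000000000000000000000"),
]

if __name__ == "__main__":
    for client, host, label in scan_proxy_log(SAMPLE_LOG):
        print(f"{client} -> {host}: {label}")
    for path, label in scan_file_hashes(SAMPLE_FILES):
        print(f"{path}: {label}")
```

One client in the constructed log walks the full chain (exploit kit, then dropzone, then proxy on 443) and is the only one reported; the hash sweep is case-insensitive because tools emit MD5s in either case. Hashes are the weakest of these indicators, since the same kit readily serves re-packed payloads, so the network indicators deserve the longer retention.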

3 Comments

  1. nick
    Posted May 17, 2012 at 3:36 pm

    If I accidentally clicked one of the malicious links, does it mean my PC is infected?

    • nightrover
      Posted May 18, 2012 at 8:56 am

      Yes. As mentioned in the analysis, check if you have any random named folder in your %APPDATA%. If it is there, you are surely infected.

  2. Posted December 22, 2012 at 9:31 pm

    Hi, I am kavin, it's my first occasion to comment anywhere; when I read this post I thought I could also create a comment due to this sensible article.

One Trackback

  1. […] The fake AT&T email analyzed by Spamalysis contained 15 malicious links, although it states different spam messages likely contain slight variations of the URIs analyzed. However, every link is identifiable as malicious if it contained a random set of eight alpha-numeric characters. Full list of malicious links is available at the Spamalysis. […]
