Subject: Re_Wire Transfer (3935SH506).
URL: ceroonce.com /loadit/fondos/file-index.htm
Subject: Fedex Delivery Confirmation 351301.
Victim is eventually redirected to a Phoenix Exploit kit at sonografx[.]ru:8080 /navigator/jueoaritjuir.php hosted at IP addresse(s):
Phoenix controller downloads a PDF from samsonikonyou[.]ru:8080 /navigator/alisgtypezfq1.pdf. This PDF is identified as exploiting CVE-2010-0188. This flash exploit had following properties.
Size: 13,237 bytes
Exploit forces victim to download a Pony downloader from poosdfhhsppsdns[.]su:8080 /navigator/frf3.php?i=15. This pony downloader had following properties:
Size: 94,760 bytes
Timestamp: 2012:04:04 17:09:33+02:00
Pony downloader’s dropzone is running at infovega.lt /pony/gate.php. Pony then downloads 3 identical Gameover Zeus payloads from:
1. http://www.ciupanezu.ro /6rBQWWdx/9ZR.exe
2. burmak.com.tr /bo0B7BgS/bhsuZJdf.exe
3. hotelritmotropical.net /dCWhyHtG/XbKbb5L.exe
Gameover Zeus is installed as %AppData%/ikwyp.exe with following properties:
Size: 3,04,168 bytes
Timestamp: 2010:10:28 15:51:02+02:00
This payload is digitally signed by ‘GggvpYSuFAF7Uqd’. Certificate is valid from 04/04/2012 to 01/01/2040.
Note, this Gameover payload connects to a dropzone at 18.104.22.168:22675 and uses bot id of “mf2222a4”.