DHL, Your Flight, Xerox


The three spam lures observed in this run:

- DHL Delivery 393258
- Scan from a Xerox WorkCentre Pro #633567
- Fwd: Your Flight KP256-05746


Through encoded JavaScript, the victim is eventually redirected to a Phoenix Exploit Kit landing page at hxxp:// . This domain is hosted on fast-flux infrastructure at the following IP addresses:

The Phoenix controller is configured to serve a PDF exploiting CVE-2010-0188 from hxxp:// . This PDF file had the following properties:

Name: klhzbqiuhsktan.pdf
Size: 13,177 bytes
MD5: f9f5332d38aabb729d9971bfd9639eee

The PDF exploits CVE-2010-0188 and was detected by 27 of 42 AV vendors on VirusTotal.

A successful exploit redirects the victim to popperwith[.]su:8080/navigator/frf3.php?i=15 and installs Pony Loader on the victim machine. This Pony Loader had the following properties:

File: dsarcubqinhsjqkugsbm.exe
MD5: 6e393cef3d812c115f2cccaa1a2ec14a
Size: 93,736 bytes
Digital Signature: j99zWTOf8FdlY6t
Certificate Validity: 04/05/2012 to 01/01/2040

This Pony Loader posts to a C&C at /pony/gate.php before downloading three identical Gameover Zeus payloads from the following URLs:

1. /6rBQWWdx/9ZR.exe
2. /bo0B7BgS/bhsuZJdf.exe
3. /dCWhyHtG/XbKbb5L.exe

Gameover Zeus installs itself as %APPDATA%\Axheyt\adpee.exe, with the following properties:

MD5: c23bf5f0fcc4c56a039889edc56c9c0a
Size: 277,032 bytes
Digital Signature: This file is digitally signed by ‘j99zWTOf8FdlY6t’
Certificate Validity: 04/05/2012 to 01/01/2040
Timestamp: 2010:11:02 07:09:01+01:00

Notably, Pony Loader and Gameover Zeus carry the exact same digital signature: the same signer name (j99zWTOf8FdlY6t) and the same certificate validity period.

This Gameover Zeus variant posts to a dropzone at . Webinjects were downloaded from . The Gameover variant had a botID of “mf222a5”.
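The indicators above (the post-exploit redirect host, the Pony C&C gate path, the payload download paths and the three file hashes) can be turned into a small proxy-log and file-hash sweep. The Python below is an added example, not code from the original post. The log lines are constructed; 203.0.113.9 is a documentation address standing in for the Pony server whose hostname the post redacts; and the "8-character directory plus short random .exe" rule is a heuristic derived from the three payload URLs listed above, not something the post states.

```python
import hashlib
import re
from urllib.parse import urlsplit

# Indicators taken from the analysis above. Hosts the post redacts (the Pony
# C&C and payload servers) are unknown here, so those are matched on path only.
REDIRECT_HOST = "popperwith[.]su:8080"          # defanged, as written in the post
KNOWN_MD5 = {
    "f9f5332d38aabb729d9971bfd9639eee": "CVE-2010-0188 PDF (klhzbqiuhsktan.pdf)",
    "6e393cef3d812c115f2cccaa1a2ec14a": "Pony Loader (dsarcubqinhsjqkugsbm.exe)",
    "c23bf5f0fcc4c56a039889edc56c9c0a": "Gameover Zeus (adpee.exe)",
}
# (regex on path+query, required HTTP method or None, label)
PATH_RULES = [
    (re.compile(r"^/navigator/frf3\.php\?i=\d+$"), None, "Phoenix post-exploit redirect"),
    (re.compile(r"^/pony/gate\.php$"), "POST", "Pony Loader C&C check-in"),
    # Heuristic (assumption) derived from the three payload URLs listed above:
    # an 8-character alphanumeric directory followed by a short random .exe name.
    (re.compile(r"^/[A-Za-z0-9]{8}/[A-Za-z0-9]{3,8}\.exe$"), "GET", "Pony payload download pattern"),
]


def refang(indicator):
    """Turn a defanged indicator (hxxp, [.]) back into a matchable form."""
    return indicator.replace("[.]", ".").replace("hxxp://", "http://")


def match_url(method, url):
    """Return the list of indicator labels a single request matches."""
    parts = urlsplit(url)
    path = parts.path + ("?" + parts.query if parts.query else "")
    hits = []
    if parts.netloc.lower() == refang(REDIRECT_HOST):
        hits.append("Gameover redirect host")
    for rule, required_method, label in PATH_RULES:
        if rule.search(path) and (required_method is None or method == required_method):
            hits.append(label)
    return hits


def scan_proxy_log(text):
    """Scan 'timestamp client method url status' lines; return (line_no, client, hits)."""
    alerts = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        fields = line.split()
        if len(fields) < 4:
            continue                      # skip malformed lines
        _ts, client, method, url = fields[:4]
        hits = match_url(method, url)
        if hits:
            alerts.append((line_no, client, hits))
    return alerts


def lookup_md5(data):
    """Return the sample label if the bytes hash to one of the listed MD5s, else None."""
    return KNOWN_MD5.get(hashlib.md5(data).hexdigest())


# Constructed proxy log reproducing the infection chain; 203.0.113.9 is a
# documentation address standing in for the redacted Pony/payload server.
SAMPLE_PROXY_LOG = """\
2012-05-04T09:58:11 10.0.0.5 GET http://intranet.example/index.html 200
2012-05-04T09:59:40 10.0.0.5 GET http://popperwith.su:8080/navigator/frf3.php?i=15 200
2012-05-04T09:59:41 10.0.0.5 POST http://203.0.113.9/pony/gate.php 200
2012-05-04T09:59:43 10.0.0.5 GET http://203.0.113.9/6rBQWWdx/9ZR.exe 200
2012-05-04T10:00:02 10.0.0.7 GET http://203.0.113.9/pony/gate.php 404
"""

if __name__ == "__main__":
    for line_no, client, hits in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"line {line_no}: {client} -> {', '.join(hits)}")
    print(lookup_md5(b"constructed, not a real sample"))
```

The gate.php rule is restricted to POST because Pony reports to its gate with a POST; a plain GET to the same path (the last constructed line) is left unflagged so a scanner probing the URL does not raise the same alert as an infected host. The payload-path heuristic is deliberately loose and should be paired with the hash list or the redirect host before anyone acts on it.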

