DHL, Your Flight, Xerox

Subject: DHL DELIVERY CONFIRMATION 393258
Attachment: DHL-invoce-9240104.zip

DHL Delivery 393258

Subject: Scan from a Xerox WorkCentre Pro #633567
Attachment: 13249638783_Xerox_Document-L134.zip

Scan from Xerox 633567

Subject: Fwd: Your Flight KP256-05746
Attachment: Flight_N8358.zip

Your Flight KP256
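A mail-gateway triage check for the three lure families listed above, added here as an example and not part of the original post. The subject and attachment-name patterns are assumptions generalised from the single sample of each lure shown (the tracking numbers are matched as arbitrary digits), and the sample messages at the bottom are constructed.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Lure families from this campaign. Each entry pairs a subject pattern with the
# attachment-name pattern that family used. Digits vary per message, so they are
# matched generically; the "invoce" misspelling of the DHL zip is kept as an
# alternative alongside the correct spelling. (Assumed patterns, built from the
# one sample of each lure in the post.)
LURES = {
    "dhl": (re.compile(r"^(?:fwd?:\s*)?DHL DELIVERY CONFIRMATION \d+", re.I),
            re.compile(r"^DHL-invo(?:i?c)e-\d+\.zip$", re.I)),
    "xerox": (re.compile(r"^(?:fwd?:\s*)?Scan from a Xerox WorkCentre Pro #\d+", re.I),
              re.compile(r"^\d+_Xerox_Document-L\d+\.zip$", re.I)),
    "flight": (re.compile(r"^(?:fwd?:\s*)?Your Flight [A-Z]{2}\d+-\d+", re.I),
               re.compile(r"^Flight_N\d+\.zip$", re.I)),
}


@dataclass
class Verdict:
    family: Optional[str] = None          # first lure family that matched
    reasons: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def classify(subject: str, attachments: List[str]) -> Verdict:
    """Score one message against the campaign's lure families."""
    verdict = Verdict()
    subject_hit = False
    for family, (subj_re, att_re) in LURES.items():
        if subj_re.match(subject.strip()):
            subject_hit = True
            verdict.family = verdict.family or family
            verdict.reasons.append(f"subject matches {family} lure")
        for name in attachments:
            if att_re.match(name.strip()):
                verdict.family = verdict.family or family
                verdict.reasons.append(f"attachment {name!r} matches {family} lure")
    # A lure-themed subject carrying any zip archive is still worth flagging
    # even when the attachment name has drifted from the samples seen.
    zip_attached = any(n.lower().endswith(".zip") for n in attachments)
    if subject_hit and zip_attached and len(verdict.reasons) == 1:
        verdict.reasons.append("zip archive attached to a lure-themed subject")
    return verdict


if __name__ == "__main__":
    # Constructed sample messages: the three lures from the post plus a benign mail.
    for subj, atts in [("DHL DELIVERY CONFIRMATION 393258", ["DHL-invoce-9240104.zip"]),
                       ("Fwd: Your Flight KP256-05746", ["Flight_N8358.zip"]),
                       ("Lunch tomorrow?", ["agenda.pdf"])]:
        print(subj, "->", classify(subj, atts))
```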


Through encoded JavaScript, the victim is eventually redirected to a Phoenix Exploit Kit at hxxp://popperwith.su:8080/navigator/jueoaritjuir.php. This domain is hosted on a fast-flux infrastructure at the following IP addresses:


The Phoenix controller is configured to drop a PDF exploiting CVE-2010-0188 from hxxp://popperwith.su:8080/navigator/klhzbqiuhsktan.pdf. This file had the following properties:

Name: klhzbqiuhsktan.pdf
Size: 13,177 bytes
MD5: f9f5332d38aabb729d9971bfd9639eee

The PDF exploits CVE-2010-0188 and was detected by 27 of 42 AV vendors on VirusTotal.

A successful exploit redirects the victim to popperwith[.]su:8080 /navigator/frf3.php?i=15 and installs Pony Loader on the victim machine. This Pony Loader had the following properties:

File: dsarcubqinhsjqkugsbm.exe
MD5: 6e393cef3d812c115f2cccaa1a2ec14a
Size: 93,736 bytes
Digital Signature: j99zWTOf8FdlY6t
Certificate Validity: 04/05/2012 to 01/01/2040

This Pony Loader posts to a C&C at infovega.lt /pony/gate.php before downloading 3 identical Gameover Zeus payloads from the following URLs:

1. http://www.ciupanezu.ro /6rBQWWdx/9ZR.exe
2. burmak.com.tr /bo0B7BgS/bhsuZJdf.exe
3. hotelritmotropical.net /dCWhyHtG/XbKbb5L.exe

Gameover installed itself to %APPDATA%\Axheyt\adpee.exe and had the following properties:

MD5: c23bf5f0fcc4c56a039889edc56c9c0a
Size: 277,032 bytes
Signature: This file is digitally signed by ‘j99zWTOf8FdlY6t’
Certificate Validity: 04/05/2012 to 01/01/2040
Timestamp: 2010:11:02 07:09:01+01:00

Ironically, Pony Loader and Gameover Zeus both carry the exact same digital signature.

This Gameover Zeus variant posts to a dropzone at 46.49.110.114:11199. Webinjects were downloaded from 46.49.41.238:17973. The Gameover variant had a botID of “mf222a5”.
