AMEX-Confirmation of email address change

Confirmation of email address change.

This sample contained the following malicious links:


The malicious pages above hosted the following javascript redirectors:

<script type="text/javascript" src="hxxp://"></script>
<script type="text/javascript" src="hxxp://"></script>

These scripts redirected victims to a Blackhole Exploit Kit at hxxp://
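The injected redirectors above are plain off-site `<script src>` loads. As an added example (not code from the original post), the following Python script pulls every external script source out of a saved copy of a compromised page, drops same-origin scripts, and defangs the result in the hxxp:// style used here. The page URL, hostnames and HTML are constructed placeholders (RFC 2606 `.example` names), not the campaign's actual infrastructure.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample: a page on a compromised host that loads one legitimate
# same-origin script plus two injected redirector scripts from other hosts.
# The hostnames are placeholders, not the ones seen in this campaign.
PAGE_URL = "http://compromised.example/index.html"
SAMPLE_HTML = """
<html><head>
<script type="text/javascript" src="/js/site.js"></script>
<script type="text/javascript" src="http://attacker-a.example/js.js"></script>
</head><body>
<p>Confirmation of email address change.</p>
<script type="text/javascript" src="http://attacker-b.example/in.php"></script>
<script type="text/javascript">var inline = 1;</script>
</body></html>
"""


class ScriptSrcCollector(HTMLParser):
    """Collects the src attribute of every <script> tag, in document order."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        for name, value in attrs:
            if name.lower() == "src" and value:
                self.srcs.append(value.strip())


def external_script_urls(html, page_url):
    """Return absolute URLs of <script src> loads whose host differs from the page's host.

    Injected redirectors are almost always off-site loads, so same-origin scripts
    are dropped; inline scripts have no src and never reach this list.
    """
    page_host = (urlparse(page_url).hostname or "").lower()
    parser = ScriptSrcCollector()
    parser.feed(html)
    found = []
    for src in parser.srcs:
        url = urlparse(urljoin(page_url, src))
        if url.scheme in ("http", "https") and url.hostname and url.hostname.lower() != page_host:
            found.append(url.geturl())
    return found


def defang(url):
    """Render a URL unclickable in the hxxp:// style used in the write-up."""
    return url.replace("https://", "hxxps://", 1).replace("http://", "hxxp://", 1)


if __name__ == "__main__":
    for url in external_script_urls(SAMPLE_HTML, PAGE_URL):
        print(defang(url))
```

Run it against the HTML of a suspect page saved from a sandboxed browser; anything it lists is a candidate redirector to pivot on (whois, passive DNS, and what the script itself fetches next).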

The Blackhole kit at hxxp://, hosted at IP address, dropped a Pony downloader variant with the following properties:

File: calc.exe
Size: 93,736 bytes
MD5: 88364481b9eef29abc1811f75082eb30

This Pony downloader variant was configured to send stolen FTP and web admin credentials to the following dropzones:


The Pony variant also downloaded a Gameover Zeus variant from the following locations:


The Gameover installer variant had the following properties:

MD5: 2d82c58785df8ddf53b0f911ebf779d8
Size: 275,496 bytes
Timestamp: 2012:04:06 22:50:26+02:00

Gameover installs itself as %APPDATA%\Took\orkiov.exe, with the following properties:

MD5: bdd0c50f6a6e6b18e417049933f93f0b
Size: 275,496 bytes
Signature: This file is digitally signed by 'ADt82UxX8ndawrW'
Certificate Validity: 04/06/2012 to 01/01/2040
Timestamp: 2010:10:31 11:50:03+01:00

During analysis, the dropzone of this Gameover Zeus variant was identified at and webinjects were pulled from the same IP at . The Gameover variant had botid "NRa7" and cid "3005".
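The properties listed above (MD5, size, and the PE compile timestamp) are what you would check first when triaging a new sample against this campaign. As an added example, not code from the original post, the Python below computes those three values for a file, reads the timestamp straight from the COFF header (offset 8 past the `PE\0\0` signature), prints it in the `YYYY:MM:DD HH:MM:SS+02:00` form used above, and compares MD5 and size against the indicators from this post. The sample input is a constructed, non-executable MZ/PE header stub padded to 275,496 bytes; it is not one of the real files, so it will not match any of the hashes.

```python
import hashlib
import struct
from datetime import datetime, timedelta, timezone

# Indicators copied from the write-up above (MD5 and size only).
IOCS = {
    "pony_calc.exe": {"md5": "88364481b9eef29abc1811f75082eb30", "size": 93_736},
    "gameover_installer": {"md5": "2d82c58785df8ddf53b0f911ebf779d8", "size": 275_496},
    "gameover_orkiov.exe": {"md5": "bdd0c50f6a6e6b18e417049933f93f0b", "size": 275_496},
}

# The timestamps in the write-up are given in UTC+2.
CEST = timezone(timedelta(hours=2))


def pe_timestamp(data):
    """Return the COFF header TimeDateStamp of a PE image as an aware UTC datetime.

    Raises ValueError if the buffer does not look like a PE file.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    # 4-byte signature followed by the 20-byte COFF file header.
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    # COFF header: Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    (ts,) = struct.unpack_from("<I", data, e_lfanew + 8)
    return datetime.fromtimestamp(ts, tz=timezone.utc)


def ioc_timestamp(dt, tz=CEST):
    """Format a datetime the way the write-up lists timestamps, e.g. 2012:04:06 22:50:26+02:00."""
    local = dt.astimezone(tz)
    return local.strftime("%Y:%m:%d %H:%M:%S") + local.isoformat()[-6:]


def triage(data):
    """Compute MD5, size and compile timestamp, and list which IOCs (if any) the file matches."""
    md5 = hashlib.md5(data).hexdigest()
    result = {"md5": md5, "size": len(data), "timestamp": None, "matches": []}
    try:
        result["timestamp"] = pe_timestamp(data)
    except ValueError:
        pass  # not a PE file; hash and size are still useful
    for name, ioc in IOCS.items():
        if md5 == ioc["md5"] and len(data) == ioc["size"]:
            result["matches"].append(name)
    return result


def build_fake_pe(timestamp, total_size):
    """Constructed test input: a minimal, non-executable MZ/PE header with the given
    TimeDateStamp, zero-padded to total_size bytes. Not a real sample."""
    if total_size < 0x80:
        raise ValueError("total_size too small for the stub header")
    header = bytearray(0x80)
    header[:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, 0x40)          # e_lfanew -> PE header at 0x40
    header[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HHI", header, 0x44, 0x14C, 1, int(timestamp.timestamp()))  # i386, 1 section, stamp
    return bytes(header) + b"\x00" * (total_size - len(header))


# Constructed sample carrying the installer's listed timestamp and size.
SAMPLE_PE = build_fake_pe(datetime(2012, 4, 6, 22, 50, 26, tzinfo=CEST), 275_496)


if __name__ == "__main__":
    info = triage(SAMPLE_PE)
    print("MD5:", info["md5"])
    print("Size:", f"{info['size']:,}", "bytes")
    print("Timestamp:", ioc_timestamp(info["timestamp"]))
    print("IOC matches:", ", ".join(info["matches"]) or "none")
```

To use it on a real sample, read the file with `open(path, "rb").read()` and pass the bytes to `triage`. The compile timestamp is attacker-controlled and easily forged (the installed orkiov.exe above carries a 2010 stamp next to a 2012 certificate), so treat it as a clustering hint rather than evidence on its own.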



  1. Posted December 25, 2012 at 3:08 am | Permalink | Reply

    Hello, neat post. There's a problem with your website in Internet Explorer; would you test this? IE is nonetheless the market leader and a huge part of folks will miss your excellent writing due to this problem.

  2. Posted December 25, 2012 at 8:21 pm | Permalink | Reply

    There is certainly a great deal to learn about this topic.
    I love all the points you made.

  3. Posted March 22, 2013 at 12:16 am | Permalink | Reply

    Hi to everyone. I am genuinely eager for this website's posts to be updated regularly; it carries good stuff.

  4. Posted April 27, 2013 at 4:02 am | Permalink | Reply

    It is really a nice and useful piece of information.
    I am satisfied that you shared this helpful info with us.
    Please keep us up to date like this. Thanks for sharing.

  5. Posted May 7, 2013 at 2:19 am | Permalink | Reply

    Hi! This is my 1st comment here so I just wanted to
    give a quick shout out and say I really enjoy reading your articles.
    Can you suggest any other blogs/websites/forums that deal with the same subjects?
    Thanks for your time!

One Trackback

  1. By – Payment Charged | colors on April 16, 2012 at 5:26 am

    […] home to a Pony drop in this campaign, was also home to a Blackhole Exploit kit in a previous American Express-themed spam […]
