AMEX-Confirmation of email address change

Subject:
Confirmation of email address change.

This sample contained the following malicious links:
hxxp://webchatroom.net/EsotgtDa/index.html

AMEX-Confirmation

The malicious pages above hosted the following javascript redirectors:

<script type="text/javascript" src="hxxp://znr.com.tr/2bhYPWTN/js.js"></script>
<script type="text/javascript" src="hxxp://silginc.com/HJn4XCCU/js.js"></script>

The javascripts redirected victims to a Blackhole Exploit Kit at hxxp://www.alberghi.com:8080/showthread.php?t=d7ad916d1c0396ff

The Blackhole kit at hxxp://www.alberghi.com:8080/q.php?f=ba33e&e=2, hosted at IP address 109.168.126.112, dropped a Pony downloader variant with the following properties:

File: calc.exe
Size: 93,736 bytes
MD5: 88364481b9eef29abc1811f75082eb30

This Pony downloader variant was configured to send stolen FTP and web admin credentials to the following dropzone:

hxxp://www.alberghi.com/pony/gate.php

The Pony variant also downloaded a Gameover Zeus variant from the following locations:

hxxp://3dtaller.com.ar/uLLGRaXP.exe
hxxp://jmservice.servicos.ws/Mk4Lf.exe
hxxp://strategyq.net/9x9gs.exe
hxxp://vidyocini.com/VDR2PNG6.exe
hxxp://mestraimoveis.com.br/0Ev34x.exe

This Gameover installer variant had the following properties:

MD5: 2d82c58785df8ddf53b0f911ebf779d8
Size: 275,496 bytes
Timestamp: 2012:04:06 22:50:26+02:00

Gameover installs itself as %APPDATA%\Took\orkiov.exe

MD5: bdd0c50f6a6e6b18e417049933f93f0b
Size: 275,496 bytes
Signature: This file is digitally signed by 'ADt82UxX8ndawrW'
Certificate Validity: 04/06/2012 to 01/01/2040
Timestamp: 2010:10:31 11:50:03+01:00

During analysis, the Gameover Zeus variant's dropzone was identified at 94.137.177.252:18847. Webinjects were pulled from the same IP at 122.99.102.189:28515. The Gameover variant had a botid "NRa7" and cid "3005".
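The chain above (spam link, redirector scripts, Blackhole landing page, Pony gate, Gameover download and C2) is a list of indicators a defender wants to turn into checks. The following Python is an added example, not code from the original post: it refangs the hxxp indicators listed above, pulls external script sources out of a captured landing page, and matches web proxy log lines and socket endpoints against the indicator set. The HTML fragment and proxy log lines are constructed for illustration, and the log format (timestamp, client, method, URL, status) is an assumption.

```python
"""Defensive indicator matching for the AMEX-themed Blackhole/Pony/Gameover chain."""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Indicators exactly as the post lists them (defanged with "hxxp").
DEFANGED_URLS = [
    "hxxp://webchatroom.net/EsotgtDa/index.html",
    "hxxp://znr.com.tr/2bhYPWTN/js.js",
    "hxxp://silginc.com/HJn4XCCU/js.js",
    "hxxp://www.alberghi.com:8080/showthread.php?t=d7ad916d1c0396ff",
    "hxxp://www.alberghi.com:8080/q.php?f=ba33e&e=2",
    "hxxp://www.alberghi.com/pony/gate.php",
    "hxxp://3dtaller.com.ar/uLLGRaXP.exe",
    "hxxp://jmservice.servicos.ws/Mk4Lf.exe",
    "hxxp://strategyq.net/9x9gs.exe",
    "hxxp://vidyocini.com/VDR2PNG6.exe",
    "hxxp://mestraimoveis.com.br/0Ev34x.exe",
]
# File hashes from the post: Pony downloader, Gameover installer, installed Gameover.
KNOWN_MD5 = {
    "88364481b9eef29abc1811f75082eb30",
    "2d82c58785df8ddf53b0f911ebf779d8",
    "bdd0c50f6a6e6b18e417049933f93f0b",
}
# Gameover dropzone and webinject endpoints (ip, port) from the post.
KNOWN_C2 = {("94.137.177.252", 18847), ("122.99.102.189", 28515)}


def refang(url):
    """Turn a defanged 'hxxp://' or 'hxxps://' indicator back into a real scheme."""
    return re.sub(r"^hxx(ps?)://", r"htt\1://", url, flags=re.IGNORECASE)


def normalize(url):
    """Lower-case scheme and host, drop default ports, keep path and query for comparison."""
    parts = urlsplit(refang(url))
    host = (parts.hostname or "").lower()
    if parts.port and parts.port not in (80, 443):
        host = f"{host}:{parts.port}"
    query = f"?{parts.query}" if parts.query else ""
    return f"{parts.scheme.lower()}://{host}{parts.path}{query}"


KNOWN_URLS = {normalize(u) for u in DEFANGED_URLS}
KNOWN_HOSTS = {urlsplit(refang(u)).hostname.lower() for u in DEFANGED_URLS}


class _ScriptSrcExtractor(HTMLParser):
    """Collects the src attribute of every <script> tag in a page."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.srcs.append(value.strip())


def external_scripts(html):
    """External script URLs loaded by a captured landing page, refanged."""
    parser = _ScriptSrcExtractor()
    parser.feed(html)
    return [refang(s) for s in parser.srcs]


def flagged_scripts(html):
    """The subset of a page's external scripts that match the known redirectors."""
    return [s for s in external_scripts(html) if normalize(s) in KNOWN_URLS]


def scan_proxy_log(text):
    """Return (client, url, reason) for each line that hits a known URL or host."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # malformed line; skip rather than crash the scan
        client, url = fields[1], fields[3]
        norm = normalize(url)
        if norm in KNOWN_URLS:
            hits.append((client, url, "url"))
        elif urlsplit(norm).hostname in KNOWN_HOSTS:
            hits.append((client, url, "host"))
    return hits


def is_known_c2(ip, port):
    """True if a (ip, port) endpoint matches the Gameover dropzone or webinject server."""
    return (ip, int(port)) in KNOWN_C2


def is_known_sample(md5):
    """True if an MD5 (any case) matches one of the samples from the post."""
    return md5.strip().lower() in KNOWN_MD5


# Constructed landing-page fragment mirroring the two redirector tags quoted above.
SAMPLE_HTML = (
    '<html><body><script type="text/javascript" src="hxxp://znr.com.tr/2bhYPWTN/js.js"></script>'
    '<script type="text/javascript" src="hxxp://silginc.com/HJn4XCCU/js.js"></script></body></html>'
)
# Constructed proxy log lines (timestamp client method url status); not real traffic.
SAMPLE_LOG = """\
2012-12-24T10:01:02Z 10.0.0.5 GET http://webchatroom.net/EsotgtDa/index.html 200
2012-12-24T10:01:03Z 10.0.0.5 GET http://znr.com.tr/2bhYPWTN/js.js 200
2012-12-24T10:01:04Z 10.0.0.5 GET http://www.alberghi.com:8080/showthread.php?t=d7ad916d1c0396ff 200
2012-12-24T10:01:09Z 10.0.0.5 GET http://www.alberghi.com/some/other/page.html 404
2012-12-24T10:02:00Z 10.0.0.7 GET http://example.org/index.html 200
"""

if __name__ == "__main__":
    print("redirectors on page:", flagged_scripts(SAMPLE_HTML))
    for hit in scan_proxy_log(SAMPLE_LOG):
        print("proxy hit:", hit)
    print("C2 endpoint known:", is_known_c2("94.137.177.252", 18847))
```

Host-level matches are reported separately from exact URL matches because a compromised legitimate site such as the ones above also serves benign content; a "host" hit is a lead to triage, while a "url" hit on the Blackhole or Pony gate paths is a confirmed visit to the chain.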


5 Comments

  1. Posted December 25, 2012 at 3:08 am | Permalink | Reply

    Hello, neat post. There's a problem together with your website in Internet Explorer, would you test this? IE nonetheless is the market leader and a huge part of folks will miss your excellent writing due to this problem.

  2. Posted December 25, 2012 at 8:21 pm | Permalink | Reply

    There is certainly a great deal to learn about this topic.
    I love all the points you made.

  3. Posted March 22, 2013 at 12:16 am | Permalink | Reply

    Hi to everyone, since I am genuinely eager to read this website's posts, it should be updated regularly. It carries good stuff.

  4. Posted April 27, 2013 at 4:02 am | Permalink | Reply

    It is really a nice and useful piece of information.
    I am satisfied that you shared this helpful info with us.
    Please keep us up to date like this. Thanks for sharing.

  5. Posted May 7, 2013 at 2:19 am | Permalink | Reply

    Hi! This is my 1st comment here so I just wanted to
    give a quick shout out and say I really enjoy reading your articles.
    Can you suggest any other blogs/websites/forums that deal with the same subjects?
    Thanks for your time!

One Trackback

  1. By Newegg.com – Payment Charged | colors on April 16, 2012 at 5:26 am

    […] home to a Pony drop in this campaign, was also home to a Blackhole Exploit kit in a previous American Express-themed spam […]
