Newegg.com – Payment Charged

On 2012-04-09 we observed a Newegg.com-themed spam template. The spam message that we observed had a subject line of “Newegg.com – Payment Charged” and was sent from a Cutwail spambot.

The observed spam contained a malicious link to http://game.knightscricket.co.za/SpwNjjYt/index.html. There were likely other Newegg.com-themed spam messages associated with this campaign that contained different malicious links and had different subject lines.

The above malicious page, http://game.knightscricket.co.za/SpwNjjYt/index.html, contained the following javascript redirectors:

<script type="text/javascript" src="http://congress-assistants.fi/idm2TZP1/js.js"></script>
<script type="text/javascript" src="http://primasaleorganik.com/3N6zKxSS/js.js"></script>

These javascript redirectors bounced victims to an exploit kit at http://216.224.182.94/showthread.php?t=d7ad916d1c0396ff.
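The redirector pattern above (a landing page whose only content is script includes pulled from other hosts) is easy to pick out of captured page source. The following is an added example, not code from the original post: it uses Python's standard-library HTML parser to list every script src whose host differs from the page's own host. The sample HTML is constructed from the two includes quoted above plus one same-origin script for contrast; the remote js.js files are never fetched or executed.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: the landing page described in the post, with the two
# script includes quoted there and one same-origin script added for contrast.
LANDING_URL = "http://game.knightscricket.co.za/SpwNjjYt/index.html"
LANDING_HTML = """<html><body>
<script type="text/javascript" src="http://congress-assistants.fi/idm2TZP1/js.js"></script>
<script type="text/javascript" src="http://primasaleorganik.com/3N6zKxSS/js.js"></script>
<script src="/local/app.js"></script>
</body></html>"""


class ScriptSrcParser(HTMLParser):
    """Collect the src attribute of every <script> tag in the document."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.srcs.append(value)


def external_scripts(page_url, html):
    """Return script src URLs whose host differs from the page's host.

    Relative srcs (no host) are same-origin and are skipped. A page whose
    visible content is nothing but off-host includes matches the redirector
    pattern described in the post and is worth alerting on.
    """
    page_host = urlparse(page_url).hostname
    parser = ScriptSrcParser()
    parser.feed(html)
    external = []
    for src in parser.srcs:
        host = urlparse(src).hostname
        if host and host != page_host:
            external.append(src)
    return external


def external_hosts(page_url, html):
    """Distinct off-host script hosts, in first-seen order (handy as a blocklist seed)."""
    seen = []
    for src in external_scripts(page_url, html):
        host = urlparse(src).hostname
        if host not in seen:
            seen.append(host)
    return seen


if __name__ == "__main__":
    for src in external_scripts(LANDING_URL, LANDING_HTML):
        print("off-host script include:", src)
    print("hosts:", external_hosts(LANDING_URL, LANDING_HTML))
```

Run it on the saved source of a suspect landing page; the two hosts it prints for the constructed sample are the same two redirector hosts named in the post.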

This exploit kit dropped a Pony downloader with the following properties:

Size: 147496
MD5: DFDA409D8BCC7CDDBBB39A40E388E8BA

This Pony downloader was signed with a digital certificate labeled “4mb5gWTlIemu0h0”.

This Pony downloader was configured to send stolen FTP and other web admin credentials to dropzones at:

http://www.alberghi.com:8080/pony/gate.php
http://buyandsmile.atomclick.co:8080/pony/gate.php

Hrm, notice that the domain alberghi.com, home to a Pony drop in this campaign, was also home to a Blackhole Exploit kit in a previous American Express-themed spam campaign.

The above Pony downloader, DFDA409D8BCC7CDDBBB39A40E388E8BA, was also configured to download a Gameover Zeus payload from the following locations:

http://finskiydom.com.ua/JdS.exe
http://developerspk.com/DeYhzGj.exe
http://mestraimoveis.com.br/0Ev34x.exe
http://www.bmsevero.com.br/J1eGwcP.exe

This Zeus payload had the following properties:

Size: 305704
MD5: D76F25DF18F89830323CD6DECD657574

Interesting … this Zeus payload was signed with the same digital cert as the above Pony downloader. The Zeus payload’s digital cert had the same “4mb5gWTlIemu0h0” label.

This Zeus variant had a botid of “NRa10”.
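The two links the post draws (alberghi.com serving as a Pony dropzone here and as a Blackhole host in the earlier American Express campaign, and one certificate label "4mb5gWTlIemu0h0" on both the Pony and Zeus samples) are the kind of pivot an analyst makes by indexing indicators across campaigns. The following is an added example, not code from the original post: the records are constructed from exactly the indicators and the one cross-reference given above, and the campaign names are assumed labels.

```python
from collections import defaultdict

# Constructed records built from the indicators the post lists. Campaign
# names are assumed labels; "amex-earlier" stands for the previous
# American Express-themed campaign the post refers to.
OBSERVATIONS = [
    {"campaign": "newegg-2012-04-09", "type": "host",
     "value": "alberghi.com", "role": "pony dropzone"},
    {"campaign": "newegg-2012-04-09", "type": "host",
     "value": "buyandsmile.atomclick.co", "role": "pony dropzone"},
    {"campaign": "newegg-2012-04-09", "type": "host",
     "value": "216.224.182.94", "role": "exploit kit"},
    {"campaign": "newegg-2012-04-09", "type": "cert_label",
     "value": "4mb5gWTlIemu0h0", "role": "pony DFDA409D8BCC7CDDBBB39A40E388E8BA"},
    {"campaign": "newegg-2012-04-09", "type": "cert_label",
     "value": "4mb5gWTlIemu0h0", "role": "zeus D76F25DF18F89830323CD6DECD657574"},
    {"campaign": "amex-earlier", "type": "host",
     "value": "alberghi.com", "role": "blackhole exploit kit"},
]


def build_index(observations):
    """Map each (type, value) indicator to the set of (campaign, role) it was seen in."""
    index = defaultdict(set)
    for o in observations:
        index[(o["type"], o["value"])].add((o["campaign"], o["role"]))
    return index


def reused_indicators(observations):
    """Indicators that appear in more than one context (any campaign or role).

    Returns {(type, value): [(campaign, role), ...]} sorted for stable output.
    """
    index = build_index(observations)
    return {k: sorted(v) for k, v in index.items() if len(v) > 1}


def cross_campaign_indicators(observations):
    """Indicators seen in at least two distinct campaigns: the infrastructure
    overlap that ties separate spam runs to one operator."""
    index = build_index(observations)
    return sorted(k for k, ctx in index.items()
                  if len({campaign for campaign, _ in ctx}) > 1)


if __name__ == "__main__":
    for indicator, contexts in reused_indicators(OBSERVATIONS).items():
        print(indicator, "->", contexts)
    print("cross-campaign:", cross_campaign_indicators(OBSERVATIONS))
```

Feeding the same index new campaigns as they are written up is what makes the certificate label a useful pivot: any future sample signed with the same label surfaces immediately alongside this Pony and Zeus pair.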


One Comment

  1. Posted October 1, 2012 at 11:27 pm

    Magnificent site. Plenty of helpful information here. I am sending it to some pals and also sharing in delicious.
    And certainly, thanks on your sweat!

One Trackback

  1. By Your Flightticket | colors on April 16, 2012 at 5:31 am

    […] have we seen that digital cert before? Oh yeah, the Newegg.com-themed campaign from April 9, 2012 also signed its Pony and Zeus payloads with the same digital […]
