Your Flightticket

On Monday April 9, 2012, we examined a spam email with the subject line “Your Flightticket”. This spam message contained the following text:

Dear Customer,

FLIGHT NUMBER 3702-5114295

DATE/TIME : APRIL 16, 2011, 17:16 PM
PRICE : 3872.58 USD

Your bought ticket is attached to the letter as a scan document (Internet Exlporer File).

To use your ticket you should print it.

Nelda Sharpe,

The attached zip file had an MD5 of b9502c28044ad8335beca132c3c81b12. The zip file contained an html file. This html file contained malicious javascript that redirected victims to a Phoenix Exploit kit at Victims were then redirected to a second Phoenix Exploit kit at

The Phoenix kit at dropped a Pony downloader with the following properties:

File: dsarcubqinhsjqkugsbm.exe
Size: 147496
MD5: E6F5310AC836E48C3B4181E1C00CE4CD

This Pony downloader was signed with a digital certificate labeled “4mb5gWTlIemu0h0”.

This Pony downloader was configured to send stolen FTP and other web admin credentials to dropzones at:

This Pony downloader was also configured to download a Gameover Zeus payload from the following locations:

This Gameover Zeus variant had the following properties:

Size: 305704
MD5: 01D994DF6DBDA4F49E8A6D9CB0005485

This Gameover variant had a botid of mf222a10. Oh yeah, it was also signed with the same digital cert – “4mb5gWTlIemu0h0”.

Where have we seen that digital cert before? Oh yeah, the campaign from April 9, 2012 also signed its Pony and Zeus payloads with the same digital certificate.

This fact is significant because the Newegg campaign leveraged a Blackhole Exploit Kit infrastructure whereas the Flightticket-themed campaign leveraged a Pheonix Exploit kit-themed infrastructure. While these campaign leverage different exploit kit infrastructures it seems clear that they are related as they are dropping the same malware families and are signing payloads with the same digital certificates.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: