Re: Fwd: Wire Transfer Confirmation (FED REFERENCE 2862ZO31)

On 2012-04-11 we observed a NACHA-themed spam email with the subject line “Re: Fwd: Wire Transfer Confirmation (FED REFERENCE 2862ZO31)”. The spam sample we analyzed was sent from an IP address that is a node in the Cutwail spambot.

This spam sample contained a malicious link to a site that appears to be an otherwise legitimate website that was hacked. The spammers placed page-15.html in the webroot directory of this compromised site. We were able to locate other hacked sites that also contained a malicious page-15.htm. Other hacked sites included:

While there were likely many other hacked sites, the page-15.htm file name appears to be a good indicator for this particular campaign. Unfortunately, this indicator is likely to be short-lived: the spammers will almost certainly alter this pattern in future attacks, so it should be treated as a campaign-specific indicator rather than a durable signature.

The malicious page-15.htm files contained malicious JavaScript that redirected victims to a Phoenix Exploit Kit. It is worth noting that this Phoenix Kit imports content from a legitimate website in an effort to construct a well-designed phishing website. We previously saw this same technique in an earlier NACHA-themed campaign on 2012-02-28.

This exploit kit in turn handed victims off to a second exploit kit, which drops the following Gameover Zeus variant on its victims:

Size: 301096
MD5: C23C96D34C2D408E20C24F07DFE8E078

Victims that clicked on the report-ACH285369733632711US.exe link in the NACHA phishing site also downloaded the same Gameover Zeus variant (i.e. the same MD5 hash). This payload was digitally signed with a certificate labeled ‘t9H2RXj1BlhxLEQ’.

This Gameover variant had a botid of mf222a11. The operators of this campaign controlled victims via a proxy server over port 443; because TCP 443 is the standard HTTPS port, this command-and-control traffic blends in with ordinary web browsing. This is the same proxy server used in the BillMeLater spam campaign seen earlier today.
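The following Python script is an added example, not code from the original post or its author: it applies the indicators named above (the page-15.htm landing page name, the report-ACH…US.exe download name, and the payload size and MD5) to proxy-log lines and to a candidate file. The log format, the sample log lines and the .invalid host names are constructed for illustration, and generalising the single download name on the page to a `report-ACH<digits>US.exe` pattern is an assumption of this example.

```python
"""Match the indicators from the write-up against proxy-log lines and a
candidate payload file. Added example: the log format and the sample lines
are constructed for illustration and are not from the original analysis."""
import hashlib
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Indicators quoted from the write-up above.
PAYLOAD_MD5 = "c23c96d34c2d408e20c24f07dfe8e078"
PAYLOAD_SIZE = 301096
# The hacked sites served page-15.htm (one mention says .html); accept both.
LANDING_PAGE_RE = re.compile(r"/page-15\.html?(\?|$)", re.IGNORECASE)
# The post names one download, report-ACH285369733632711US.exe. Generalising
# the digit run to \d+ is an assumption of this example, not a fact from the post.
PAYLOAD_NAME_RE = re.compile(r"/report-ACH\d+US\.exe(\?|$)", re.IGNORECASE)

# Assumed (constructed) log format, one request per line, space separated:
#   <timestamp> <client_ip> <method> <url> <status>
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


@dataclass
class Hit:
    timestamp: str
    client: str
    url: str
    reason: str


def classify_url(url: str) -> Optional[str]:
    """Return the name of the indicator a URL matches, or None."""
    if LANDING_PAGE_RE.search(url):
        return "page-15 landing page"
    if PAYLOAD_NAME_RE.search(url):
        return "report-ACH executable"
    return None


def scan_proxy_log(lines: Iterable[str]) -> List[Hit]:
    """Scan log lines and return one Hit per request that matches an indicator."""
    hits: List[Hit] = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip blank or malformed lines instead of crashing
        ts, client, _method, url, _status = m.groups()
        reason = classify_url(url)
        if reason:
            hits.append(Hit(ts, client, url, reason))
    return hits


def matches_payload(data: bytes) -> bool:
    """True only if both the size and the MD5 match the reported Gameover Zeus sample."""
    if len(data) != PAYLOAD_SIZE:
        return False  # cheap check first; avoids hashing obviously different files
    return hashlib.md5(data).hexdigest() == PAYLOAD_MD5


# Constructed sample log; hosts use reserved .invalid names.
SAMPLE_LOG = """\
2012-04-11T09:12:01 10.1.2.3 GET http://www.example.invalid/index.html 200
2012-04-11T09:12:05 10.1.2.3 GET http://hacked-a.invalid/page-15.htm 200
2012-04-11T09:12:09 10.1.2.3 GET http://hacked-b.invalid/page-15.html?x=1 200
2012-04-11T09:13:40 10.1.2.9 GET http://kit.invalid/report-ACH285369733632711US.exe 200
2012-04-11T09:14:02 10.1.2.3 GET http://www.example.invalid/page-150.htm 404
garbage line that should be skipped
"""

if __name__ == "__main__":
    for h in scan_proxy_log(SAMPLE_LOG.splitlines()):
        print(f"{h.timestamp} {h.client} {h.reason}: {h.url}")
```

Matching on the full path segment (`/page-15.htm` followed by end-of-URL or a query string) keeps a look-alike such as page-150.htm from firing, and checking the file size before hashing makes the payload test cheap to run over a directory of downloads.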



  1. K.Mohan
    Posted July 20, 2012 at 1:16 pm

    Wire Transfer Confirmation (FED REFERENCE 3395T31), I got a spam mail like this. I did not have any idea about this. Can you help me please……

  2. Posted March 7, 2013 at 2:14 pm

    Somebody essentially helps to make serious posts, I would state. This is the very first time I frequented your website page and thus far? I am surprised with the research you made to make this particular post extraordinary. Great

