Re: Fwd: Wire Transfer Confirmation (FED REFERENCE 2862ZO31)

On 2012-04-11 we observed a NACHA-themed spam email with the subject line “Re: Fwd: Wire Transfer Confirmation (FED REFERENCE 2862ZO31)”. The spam sample we analyzed was sent from 186.46.122.162. This IP is a node in a Cutwail spambot.

This spam sample contained a malicious link to http://www.arydan.pl/page-15.htm. It appears that www.arydan.pl is an otherwise legitimate site that was hacked. The spammers placed page-15.htm in the webroot directory of this compromised site. We were able to locate other hacked sites that also contained a malicious page-15.htm. Other hacked sites included:

http://www.brochurepedia.nl/page-15.htm
http://www.mocvi.ge/page-15.htm
panda-roux.fr/page-15.htm

While there were likely many other hacked sites, the page-15.htm file appears to be a good indicator for this particular campaign. Unfortunately, this indicator is likely to be short lived and the spammers will almost certainly alter this pattern in future attacks.

The malicious page-15.htm files contained malicious JavaScript that redirected victims to a Phoenix Exploit Kit at webmastaumuren.ru:8080/img/?promo=nacha. It is worth noting that this Phoenix Kit at webmastaumuren.ru imports content from the legitimate nacha.org website in an effort to construct a well-designed phishing website. We previously saw this same technique in an earlier NACHA-themed campaign on 2012-02-28.

This exploit kit in turn handed victims off to another exploit kit at dedovshinaus.su:8080/pages/dq.php?i=8. The kit at dedovshinaus.su drops the following Gameover Zeus variant on its victims:

Size: 301096
MD5: C23C96D34C2D408E20C24F07DFE8E078

Victims that clicked on the report-ACH285369733632711US.exe link in the NACHA phishing site also downloaded the same Gameover Zeus variant (i.e. the same MD5 hash). This payload was digitally signed with a certificate labeled ‘t9H2RXj1BlhxLEQ’.

This Gameover variant had a botid of mf222a11. The operators of this campaign controlled victims via a proxy server at 200.58.99.114 over port 443. This is the same proxy server used in the BillMeLater spam campaign seen earlier today.
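The indicators above (the page-15.htm landing page, the two exploit-kit hosts on port 8080, the proxy at 200.58.99.114:443 and the payload MD5) can be turned into a simple detection pass over web-proxy logs. This is an added example, not code from the original post; the log line format and the client addresses in the sample are constructed.

```python
from urllib.parse import urlparse

# Indicators from the write-up above; they are campaign-specific and short-lived.
LANDING_PATH = "/page-15.htm"                        # page dropped on hacked sites
EK_HOSTS = {"webmastaumuren.ru", "dedovshinaus.su"}  # exploit-kit hosts on :8080
C2_PROXY = ("200.58.99.114", 443)                    # Gameover Zeus proxy node
PAYLOAD_MD5 = "c23c96d34c2d408e20c24f07dfe8e078"     # dropped binary, lower-case hex

def classify_request(method, target):
    """Map one proxied request to the campaign stage it matches, or None."""
    if method == "CONNECT":                 # CONNECT target is host:port, no scheme
        host, sep, port = target.rpartition(":")
        if not sep or not port.isdigit():
            return None                     # malformed target, not a match
        return "c2-proxy" if (host, int(port)) == C2_PROXY else None
    p = urlparse(target)
    host = (p.hostname or "").lower()
    if p.path.lower() == LANDING_PATH:      # any host: the path is the indicator
        return "landing-page"
    if host in EK_HOSTS and p.port == 8080:
        return "exploit-kit:" + host
    return None

def scan_proxy_log(lines):
    """Return [(client_ip, stage, target)] for lines of 'ts client method target'."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) != 4:
            continue                        # skip malformed lines instead of crashing
        _ts, client, method, target = fields
        stage = classify_request(method, target)
        if stage:
            hits.append((client, stage, target))
    return hits

def is_known_payload(md5_hex):
    """Case-insensitive match against the dropped Gameover Zeus sample hash."""
    return md5_hex.strip().lower() == PAYLOAD_MD5

# Constructed sample log (not real traffic): one client walking the whole chain,
# plus a benign request whose path only looks similar.
SAMPLE_LOG = [
    "2012-04-11T09:58:02 10.0.0.5 GET http://www.arydan.pl/page-15.htm",
    "2012-04-11T09:58:04 10.0.0.5 GET http://webmastaumuren.ru:8080/img/?promo=nacha",
    "2012-04-11T09:58:09 10.0.0.5 GET http://dedovshinaus.su:8080/pages/dq.php?i=8",
    "2012-04-11T09:58:40 10.0.0.5 CONNECT 200.58.99.114:443",
    "2012-04-11T10:01:00 10.0.0.7 GET http://example.com/page-15.html",
]
```

Running `scan_proxy_log(SAMPLE_LOG)` flags the four stages for 10.0.0.5 and nothing for 10.0.0.7; a client that hits the landing page and then the C2 proxy is a much stronger signal than either indicator on its own.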


2 Comments

  1. K.Mohan
    Posted July 20, 2012 at 1:16 pm | Permalink | Reply

    Wire Transfer Confirmation (FED REFERENCE 3395T31), I got a spam mail like this. I did not have any idea about this. Can you help me please……

  2. Posted March 7, 2013 at 2:14 pm | Permalink | Reply

    Somebody essentially helps to make serious posts, I would state. This is the very first time I frequented your website page and thus far? I am surprised with the research you made to make this particular post extraordinary. Great job!
