Confirm your US airways online reservation

On 2011-04-09 we observed an interesting round of US Airways spam. The sample we analyzed had a subject line of “Confirm your US airways online reservation”.

While this same template had been previously used in high-profile Gameover Zeus laden spam campaigns, this particular campaign was a bit different. The sample we analyzed had a link to a malicious page at go2gamers.com/us.html. Other spam samples from the same campaign had links to hacked websites with malicious us.html pages.

The malicious us.html page contained JavaScript that redirected victims to a Blackhole Exploit Kit at bamboozlefitclub.net/main.php?page=745b81e2608709b2. The bamboozlefitclub.net domain resolved to 85.189.11.134.

This Blackhole kit dropped a Bugat* payload with the following properties:

File: about.exe
Size: 71680
MD5: D1455B0C28A145C5D207F276F945ABCA

Unlike other Bugat payloads that we've documented here, which used a domain generation algorithm to determine their command and control server, this variant was hardcoded to connect to 4 domains for command and control instructions. This variant was configured to connect to the following:

scanforsecurytyholes.ru
testnosecurity.ru
securytycheckme.ru
krjjfgzzzooooem.ru

The scanforsecurytyholes.ru and securytycheckme.ru domains are currently offline. The other domains resolved to 91.201.4.142. After this variant successfully connected to the first available command and control server, in this case testnosecurity.ru/mev/in, it downloaded a configuration file that included a target list of over 400 websites. The vast majority of these targets were financial institutions. If you'd like a copy of the target list, hit us up at spamalysis@gmail.com.

The downloaded configuration file also revealed the location of the domains hosting web injects. Bugat, and other banking malware, use web injects to dynamically man-in-the-middle a victim's online banking session. Basically, when a victim logs into their bank's website, these web injects take control of the session and steal the victim's banking information in real time. The web injects used by this Bugat variant were pulled from http://lavonoplanet.ru/mev/in/cp.php. The domain lavonoplanet.ru resolved to 91.201.4.142.

In addition to providing a configuration file, the command and control server at testnosecurity.ru also pushed a Bugat update on its victims. This updated Bugat payload had the following properties:

Size: 75271
MD5: 0386F4D83DD84D2F60352E00D3F504A6

This updated variant was configured to connect to the following command and control servers:

securytycheckme.ru
sexnotincity.ru

The domain securytycheckme.ru was offline, but the domain sexnotincity.ru resolved to 91.201.4.143. It seems like these guys like to host their domains in the same neighborhood. Mental note … stay out of this /24.

The updated Bugat variant pulled its webinjects from the following domains:

http://gloogle.in/mev/in/cp.php
https://meredianstatserv.com/aqweb/in.php
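As an added example (not code from the original post), here is a small Python checker that runs the indicators from this write-up over constructed proxy-log lines: it flags the hardcoded C2 domains, the webinject and landing hosts, the known IPs, the Blackhole landing-URI shape, and anything else landing in the 91.201.4.0/24 block the post warns about. The log format, the sample lines and the 203.0.113.7 / 198.51.100.1 addresses are assumptions for the demo.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Indicators quoted from the write-up above.
C2_DOMAINS = {"scanforsecurytyholes.ru", "testnosecurity.ru",
              "securytycheckme.ru", "krjjfgzzzooooem.ru", "sexnotincity.ru"}
WEBINJECT_HOSTS = {"lavonoplanet.ru", "gloogle.in", "meredianstatserv.com"}
LANDING_HOSTS = {"go2gamers.com", "bamboozlefitclub.net"}
BAD_IPS = {"85.189.11.134", "91.201.4.142", "91.201.4.143"}
BAD_NET = ipaddress.ip_network("91.201.4.0/24")  # the /24 the post warns about
BLACKHOLE_RE = re.compile(r"/main\.php\?page=[0-9a-f]{16}$")  # landing URI shape seen here

def classify(url, dst_ip):
    """Return the reasons a proxy-log entry matches this campaign ([] = clean)."""
    host = (urlparse(url).hostname or "").lower()
    reasons = []
    if host in C2_DOMAINS:
        reasons.append("bugat-c2-domain")
    if host in WEBINJECT_HOSTS:
        reasons.append("webinject-host")
    if host in LANDING_HOSTS or url.endswith("/us.html"):
        reasons.append("spam-landing-page")
    if BLACKHOLE_RE.search(url):
        reasons.append("blackhole-landing-uri")
    try:
        if dst_ip in BAD_IPS:
            reasons.append("known-bad-ip")
        elif ipaddress.ip_address(dst_ip) in BAD_NET:
            reasons.append("c2-neighbourhood-24")
    except ValueError:  # unparsable destination column; keep the host verdicts
        pass
    return reasons

def scan_proxy_log(lines):
    """Parse constructed 'timestamp src_ip dst_ip url' lines; return the hits."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) == 4 and (reasons := classify(parts[3], parts[2])):
            hits.append((parts[0], parts[1], parts[3], reasons))
    return hits

SAMPLE_LOG = [  # constructed, not from the post; TEST-NET addresses are placeholders
    "2011-04-09T10:01:02 10.0.0.5 198.51.100.1 http://example.com/index.html",
    "2011-04-09T10:01:09 10.0.0.5 203.0.113.7 http://go2gamers.com/us.html",
    "2011-04-09T10:01:10 10.0.0.5 85.189.11.134 http://bamboozlefitclub.net/main.php?page=745b81e2608709b2",
    "2011-04-09T10:02:30 10.0.0.5 91.201.4.142 http://testnosecurity.ru/mev/in",
    "2011-04-09T10:05:00 10.0.0.5 91.201.4.200 http://unknownhost.example/x",
]
```

Running `scan_proxy_log(SAMPLE_LOG)` returns the four matching lines with their reasons; the last one is caught only by the /24 rule, which is the point of blocking the whole neighborhood rather than single IPs.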

We apologize for not reporting on this one sooner but unfortunately our real lives got in the way this week.

* Note: what we call Bugat, others call Feodo or Cridex.
