Careerbuilder spam... again

Back in March, we wrote about a Careerbuilder spam that was used to drop a Gameover Zeus payload.  It turns out that today, we are seeing an identical spam message dropping not a Gameover Zeus payload, but Bugat.

The body of the spam messages is similar to the following:

Hello,

I am a customer service employee at CareerBuilder. I found a vacant position at Security Finance Corporation that you may be interested in based on information from your resume or a recent online submission you made on our site. You can review the position on the CareerBuilder site here:

Chief Business Development Officer

Best wishes in your job search !

Gretchen
Careerbuilder Customer Service Team
CareerBuilder ,5550-A Peachtree Parkway , Norcross, GA 30092

If you compare the text of this spam to the one we saw in March, you will see they are almost identical except for a few words, such as the 'company' with the open position and the name of the 'Careerbuilder Customer Service' team member.

While the emails use several different hyperlink URLs to redirect victims to an exploit kit, each of these URLs ends in 'car.html'.

The car.html pages redirect to a Blackhole exploit kit at masterinsland[.]net/main.php?page=975982764ed58ec3. This domain is hosted at IP address 70.32.97.205. The kit drops the payload via masterisland[.]net/w.php?f=58e0f&e=0. The Bugat payload has the following properties:

MD5: 518648694d3cb7000db916d930adeaaf
File Size:  62,464 bytes
Description: G Data AntiVirus

This variant uses the following C&C servers:

zorberzorberzu[.]ru/mev/in/
internetsexcuritee4dummies[.]ru/mev/in/
prakticalcex[.]ru/mev/in/
nalezivmordu[.]in/mev/in/
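The chain described above, from the car.html redirector through the Blackhole landing and payload URLs to the C&C paths, maps directly onto a proxy-log detection. The Python script below is an added example, not code from the original post: it restores the defanged indicators quoted in the post, classifies each requested URL by the stage of the chain it matches, runs over a few constructed proxy log lines (not real traffic), and lists the clients that got past the spam link and should be triaged. The log format (timestamp, client IP, URL) and the sample lines are assumptions.

```python
import hashlib
import re
from urllib.parse import urlsplit, parse_qs

# Indicators copied from the post, with the defanged "[.]" restored so they
# can be compared against real log fields. The post spells the exploit-kit
# domain two ways (masterinsland / masterisland); both are kept as written.
EK_HOSTS = {"masterinsland.net", "masterisland.net", "70.32.97.205"}
C2_HOSTS = {
    "zorberzorberzu.ru",
    "internetsexcuritee4dummies.ru",
    "prakticalcex.ru",
    "nalezivmordu.in",
}
PAYLOAD_MD5 = "518648694d3cb7000db916d930adeaaf"
PAYLOAD_SIZE = 62464

# Blackhole landing page from the post: main.php?page=<16 hex chars>
HEX16 = re.compile(r"^[0-9a-f]{16}$")


def classify_url(url):
    """Return the infection-chain stage a URL matches, or None.

    Stages follow the chain described in the post:
    redirector (.../car.html) -> ek_landing (main.php?page=...)
    -> ek_payload (w.php?f=...&e=...) -> c2 (<c2 host>/mev/in/).
    """
    parts = urlsplit(url)
    host = parts.hostname or ""
    path = parts.path
    query = parse_qs(parts.query)

    if host in C2_HOSTS and path.startswith("/mev/in/"):
        return "c2"
    if host in EK_HOSTS:
        if path.endswith("/main.php") and any(
            HEX16.match(p) for p in query.get("page", [])
        ):
            return "ek_landing"
        if path.endswith("/w.php") and "f" in query and "e" in query:
            return "ek_payload"
    # The spam links vary by host but all end in car.html; on its own this is
    # the weakest indicator, so it only marks the "clicked the link" stage.
    if path.endswith("/car.html"):
        return "redirector"
    return None


def matches_payload(data):
    """True if a file body has the size and MD5 the post gives for the Bugat sample."""
    return len(data) == PAYLOAD_SIZE and hashlib.md5(data).hexdigest() == PAYLOAD_MD5


# Constructed sample proxy log lines (timestamp client_ip url) for the demo;
# they are not from the post or from any real environment.
SAMPLE_LOG = """\
1357970400 10.0.0.17 http://www.example.com/index.html
1357970412 10.0.0.17 http://jobs-redirect.example/path/car.html
1357970413 10.0.0.17 http://masterinsland.net/main.php?page=975982764ed58ec3
1357970415 10.0.0.17 http://masterisland.net/w.php?f=58e0f&e=0
1357970450 10.0.0.17 http://zorberzorberzu.ru/mev/in/
1357970500 10.0.0.23 http://masterisland.net/about.html
"""


def scan_proxy_log(log_text):
    """Return (client_ip, stage, url) for every log line that matches a stage."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue  # malformed line; skip rather than crash the sweep
        _ts, client, url = fields[0], fields[1], fields[2]
        stage = classify_url(url)
        if stage:
            hits.append((client, stage, url))
    return hits


def infected_clients(hits):
    """Clients that reached the exploit kit or C2, i.e. got beyond the spam link.

    A lone car.html hit only shows the user clicked; a landing, payload or c2
    hit shows the chain progressed and the host should be pulled for triage.
    """
    return sorted({client for client, stage, _ in hits if stage != "redirector"})


if __name__ == "__main__":
    hits = scan_proxy_log(SAMPLE_LOG)
    for client, stage, url in hits:
        print(f"{client:12} {stage:12} {url}")
    print("clients to triage:", infected_clients(hits))
```

The ordering of the checks matters in practice: the C&C and exploit-kit host matches are high-confidence and should page someone, while a bare car.html hit is worth a ticket only when it is followed by one of the later stages from the same client, which is what infected_clients filters for.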

So, the question here is: is there any connection between the actor installing the March Gameover Zeus payload and the actor installing the current Bugat payload? Or is this merely a shared/copied spam template? Personally, I'm betting there is far more overlap than a copied spam template. We'd love to hear other opinions on this as well.


One Comment

  1. Posted January 12, 2013 at 5:31 am

    The criminal gangs that distribute the password stealing Trojan.Zeus have altered their spam campaigns in a frightening new direction. Already seen targeting their emails at credit point-of-sale users and wire transfer users, their latest spams are now crafted to appeal to tax preparation professionals by posing as an official IRS communication. What's even worse is that their payload isn't an attachment or a link to a download. Rather, the payload is a link to a Web site hosting an exploit kit that probes your computer's software and automatically installs the Zeus password stealer.
