ADP Funding Notification – Debit Draft

We've been quiet recently, but we haven't stopped our work. Behind the scenes we've been developing some new tools and techniques that we hope will enable us to more efficiently track the bad guys. We used some of these new tools and techniques in our analysis of a new spam run today that spoofed communications from ADP. We observed spam messages with the subject line “ADP Funding Notification – Debit Draft”. The spam sample we analyzed was sent from 78.96.173.243 – a known Cutwail spambot.

The link in this message directed victims to junnioreadriano.com.br/MZ0PnMj5/index.html. Note that our bad guys are still using the same /8-random-character/index.html pattern. This page contained the following two malicious JavaScript redirectors:

http://ftp.leocardz.com/BhSFTbq9/js.js
http://www.webondemand.altervista.org/V4uags9T/js.js

These JavaScript redirectors sent victims to a Blackhole exploit kit at 50.116.38.183. This Blackhole exploit kit was hosting at least 9 different malicious payloads. The detected malware payloads, identified by MD5 hash, included the following:

All of these binaries appear, upon initial inspection, to be Pony downloaders.
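As an added example (not part of the original post), here is the /8-random-character/ path pattern noted above turned into a simple proxy-log check, along with a pivot that flags clients which fetched a landing page and then one of the js.js redirectors. The log lines are constructed; the log format and the function names are assumptions.

```python
import re
from urllib.parse import urlsplit

# Path shapes observed in this campaign: one 8-character alphanumeric
# directory followed by index.html (landing page) or js.js (redirector).
LANDING_RE = re.compile(r"^/[A-Za-z0-9]{8}/index\.html$")
REDIRECTOR_RE = re.compile(r"^/[A-Za-z0-9]{8}/js\.js$")

# Constructed proxy log lines: timestamp client-ip method url status.
# The campaign URLs are the ones discussed in the post; the rest is benign filler.
SAMPLE_LOG = """\
2012-07-06T14:55:01 10.0.0.12 GET http://junnioreadriano.com.br/MZ0PnMj5/index.html 200
2012-07-06T14:55:02 10.0.0.12 GET http://ftp.leocardz.com/BhSFTbq9/js.js 200
2012-07-06T14:55:02 10.0.0.12 GET http://www.webondemand.altervista.org/V4uags9T/js.js 200
2012-07-06T14:55:03 10.0.0.12 GET http://www.example.com/news/index.html 200
2012-07-06T14:55:04 10.0.0.34 GET http://www.example.com/static/abcdefgh/js.js 200
2012-07-06T14:55:05 10.0.0.34 GET http://www.example.com/abcd-fgh/index.html 200
"""

def classify_url(url):
    """Return 'landing', 'redirector' or None for a single URL."""
    path = urlsplit(url).path
    if LANDING_RE.match(path):
        return "landing"
    if REDIRECTOR_RE.match(path):
        return "redirector"
    return None  # deeper paths, hyphens or other lengths do not match

def scan_log(text):
    """Return (client_ip, host, label) for every log line whose URL matches."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # malformed line, skip it
        client_ip, url = fields[1], fields[3]
        label = classify_url(url)
        if label:
            hits.append((client_ip, urlsplit(url).hostname, label))
    return hits

def suspected_victims(hits):
    """Clients that fetched a campaign landing page and a redirector (the full chain)."""
    seen = {}
    for ip, _host, label in hits:
        seen.setdefault(ip, set()).add(label)
    return sorted(ip for ip, labels in seen.items() if {"landing", "redirector"} <= labels)
```

The 8-character directory alone is a weak indicator, so treat a single match as a lead to confirm against the redirector hosts and the exploit-kit address rather than as a verdict on its own.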

One Comment

  1. Posted July 6, 2012 at 3:25 pm

    So what does it do?
