ADP Security Management Update

We analyzed the following malicious URL, which was used in ADP-themed spam on June 28/29 2012:

hxxp://web.abmes.org.br/EiqyDBxS/index.html

ADP Security Update

The spam sample we analyzed was sent from 95.41.229.91 – a known Cutwail spambot.

This malicious page contained 4 JavaScript includes, as shown below:

<script type="text/javascript" src="hxxp://firmowa.malopolska.pl/WVfNMNHn/js.js"></script>
<script type="text/javascript" src="hxxp://egerak.ipislam.edu.my/vp0BYhy2/js.js"></script>
<script type="text/javascript" src="hxxp://humas.poltek-malang.ac.id/w28K6pb6/js.js"></script>

Eventually these malicious scripts redirect the victim to a Blackhole Exploit Kit at 173.255.228.171.

This Blackhole exploit kit was hosting at least 14 different malicious payloads. Detected malware payloads identified by MD5 hash included the following:

  • e6341e75dc5413720cbb03f6836ac39d
  • 1277be3dfecd932a1b4b32b1f0942146
  • 13b08f673c05c81b1f5b3344b23f79a2
  • 53fdca7c26b10de657cb4a4906cf6510
  • 488559808a353430357f4c3db9fb126f
  • 13b08f673c05c81b1f5b3344b23f79a2
  • 48a89c2e1816e2f8ec38071b45c72e6e
  • fe05f07e54adbf2d55946643f9a76f83
  • bee7603e2fb3dcb9dcf1c5589d551cb5
  • 1b1bbf726902beb3b25d11fbdc58720f
  • 017c71a4f156df3300d01ace4e01087a
  • e11534af5bb6a69726524e6851d8136d
  • 017c71a4f156df3300d01ace4e01087a
  • ced5d89b3d27b85e9418a94ef2aac990

All of these binaries appear, upon initial inspection, to be Pony downloaders.
The Pony downloader posts to its dropzone at hxxp://182.23.41.18/pony/gate.php and also downloads 3 identical Gameover Zeus binaries from the following locations:

1. hxxp://ftp.fundwaysofmo.com/pdqPv.exe
2. hxxp://www.artevoz.com.br/9D0JP.exe
3. hxxp://diclebaliksepeti.com/fJoqfYi.exe
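As an added example (not code from the original post), the Python script below takes the indicators published above, embedded as a constructed excerpt of this write-up, and extracts the hostnames from the defanged (hxxp) URLs, the IPv4 addresses and the MD5 hashes. It deduplicates each set so the list can feed a blocklist or hash lookup, and it reports any hash that appears more than once in the published list. The regular expressions and function names are my own assumptions, not the author's tooling.

```python
"""Extract and deduplicate indicators from a defanged malware write-up."""
import re
from collections import Counter

# Constructed excerpt of the write-up above, kept in defanged (hxxp) form.
REPORT_TEXT = """
hxxp://web.abmes.org.br/EiqyDBxS/index.html
sent from 95.41.229.91 - a known Cutwail spambot
hxxp://firmowa.malopolska.pl/WVfNMNHn/js.js
hxxp://egerak.ipislam.edu.my/vp0BYhy2/js.js
hxxp://humas.poltek-malang.ac.id/w28K6pb6/js.js
Blackhole Exploit kit at 173.255.228.171
e6341e75dc5413720cbb03f6836ac39d
1277be3dfecd932a1b4b32b1f0942146
13b08f673c05c81b1f5b3344b23f79a2
53fdca7c26b10de657cb4a4906cf6510
488559808a353430357f4c3db9fb126f
13b08f673c05c81b1f5b3344b23f79a2
48a89c2e1816e2f8ec38071b45c72e6e
fe05f07e54adbf2d55946643f9a76f83
bee7603e2fb3dcb9dcf1c5589d551cb5
1b1bbf726902beb3b25d11fbdc58720f
017c71a4f156df3300d01ace4e01087a
e11534af5bb6a69726524e6851d8136d
017c71a4f156df3300d01ace4e01087a
ced5d89b3d27b85e9418a94ef2aac990
dropzone at hxxp://182.23.41.18/pony/gate.php
hxxp://ftp.fundwaysofmo.com/pdqPv.exe
hxxp://www.artevoz.com.br/9D0JP.exe
hxxp://diclebaliksepeti.com/fJoqfYi.exe
"""

# Defanged URL: hxxp/hxxps scheme, a host, and an optional path.
URL_RE = re.compile(r"hxxps?://([A-Za-z0-9.\-]+)(/[^\s\"'<>]*)?")
# Dotted-quad IPv4 with each octet limited to 0-255.
IPV4_RE = re.compile(
    r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b"
)
# MD5 digests are exactly 32 hex characters.
MD5_RE = re.compile(r"\b[0-9a-fA-F]{32}\b")


def extract_indicators(text):
    """Return deduplicated hosts, IPs and MD5s, plus duplicate-hash bookkeeping."""
    hosts = [host.lower() for host, _path in URL_RE.findall(text)]
    ips = IPV4_RE.findall(text)
    md5s = [h.lower() for h in MD5_RE.findall(text)]
    md5_counts = Counter(md5s)
    return {
        # Hosts that are literal IPs are reported under "ips" instead.
        "hosts": sorted({h for h in hosts if not IPV4_RE.fullmatch(h)}),
        "ips": sorted(set(ips)),
        "md5s": sorted(md5_counts),
        "duplicate_md5s": sorted(h for h, n in md5_counts.items() if n > 1),
        "md5_list_length": len(md5s),
    }


def blocklist_lines(indicators):
    """Render the unique network indicators as one 'type<TAB>value' line each."""
    lines = [f"host\t{h}" for h in indicators["hosts"]]
    lines += [f"ip\t{ip}" for ip in indicators["ips"]]
    return lines


if __name__ == "__main__":
    ind = extract_indicators(REPORT_TEXT)
    print("\n".join(blocklist_lines(ind)))
    print(f"{ind['md5_list_length']} hashes listed, {len(ind['md5s'])} unique")
    for dup in ind["duplicate_md5s"]:
        print(f"repeated in list: {dup}")
```

Run stand-alone, it emits one blocklist line per unique host and IP and then shows that the published list of 14 hashes contains 12 unique values, naming the two digests that are repeated. Keeping the URLs defanged in the input means the script can be pasted into a ticket or shared without anyone's tooling auto-linking live malware URLs; the hostnames and IPs that come out are what a proxy or DNS blocklist needs.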
