Update: 950 Euro transfer to Intesa Sanpaolo

New Hostile URLs observed on April 5, 2013:

hxxp://www.freerider.it/info1.html
hxxp://heartmecouture.com/info1.html
hxxp://www.milservice.pl/info1.html
hxxp://moneysystem.50webs.com/info1.html
hxxp://www.schmerbachskeller.de/info1.html
hxxp://svdnet.com/info1.html
hxxp://elima-docs-tpr.narod.ru/info1.html
hxxp://gesfi.com/info1.html
hxxp://www.padcacweb.pwp.blueyonder.co.uk/info1.html
hxxp://50.63.26.224/info1.html
hxxp://www.pon-vonbohlmannsland.de/info1.html
hxxp://ferret.perm.ru/info1.html
hxxp://www.mtetv.it/info1.html
hxxp://www.kkwalberberg.mynetcologne.de/info1.html
hxxp://w0e2fj2b3.homepage.t-online.de/info1.html
hxxp://personal.nbnet.nb.ca/info1.html
hxxp://valleylabel.net/info1.html
hxxp://nightfox.republika.pl/info1.html
hxxp://troop228.info/info1.html
hxxp://matpol.cba.pl/info1.html
hxxp://www.gianlucaboezio.it/info1.html
hxxp://www.wittmann-praxis.de/info1.html
hxxp://champwrestlinginfo.tripod.com/info1.html
hxxp://spiritoftheage.org.uk/info1.html
hxxp://www.stock-marketfair.com/info1.html
hxxp://www.magna4.com.br/info1.html
hxxp://biancas-scrapseite.pytalhost.de/info1.html
hxxp://ostunivilla.com/info1.html
hxxp://papagai.de/info1.html
hxxp://www.stahlvolleyballa.homepage.t-online.de/info1.html
hxxp://www.cyted.com/info1.html
hxxp://sttrni.com.br/info1.html
hxxp://wabostudios.com/info1.html
hxxp://www.ceccatobassano.it/info1.html
hxxp://www.sitkarymowanie.republika.pl/info1.html
hxxp://dokutainment.square7.ch/info1.html
hxxp://www.biglife.de/info1.html
hxxp://www.advmorais.com.br/info1.html
hxxp://www.chenilleawardletters.net/info1.html
hxxp://jkatinc.com/info1.html
hxxp://lawsonprinters.com/info1.html
hxxp://pianowithchris.com/info1.html
hxxp://prod1-imagesvu.integra.fr/info1.html
hxxp://qmbit.de/info1.html

Each of these pages contains an encoded script that redirects the visitor to a Blackhole exploit kit v2.x landing page at hxxp://bangpleasure.com/news/wanting_book_switch.php. This BH kit was hosted at IP address 97.107.142.157 at the time of this writing.

950 Euro transfer to Intesa Sanpaolo

We analyzed a spam campaign distributed by the Cutwail spambot on April 04, 2013 that used the theme “950 Euro transfer to Intesa Sanpaolo”:

Spam Subject(s):

Si deve essere attestato a 950,00 à dal tuo conto corrente bancario presso Intesa anPaolo.
Richiesta di ammortamento di à 950,00 dal conto bancario di Intesa SanPaolo
Gli ammortamenti delle 950,00 à dal tuo conto bancario in Intesa SanPaolo
à 950,00 sono dal vostro conto di Intesa SanPaolo ammortizzato in 24 ore

Spam Template:

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<HTML><HEAD><TITLE></TITLE>
</HEAD>
<BODY>

Gentile Cliente, <br>
Abbiamo ricevuto la richiesta di ammortamento di à 950,00 dal proprio conto bancario in Intesa SanPaolo per risolvere la consegna dei documenti. <br>L'ammortamento dei fondi e la trasmissione di documenti ulteriori fatto in 24 ore.<br><br>
<a href="hxxp://herr-pferd.de/info1.html">Vedi i dettagli dell'ordine </a> <br>
Cordiali saluti, Servizio clienti sostegno della Intesa SanPaolo Banca.<br>
</BODY></HTML>

Hostile URL(s):

hxxp://herr-pferd.de/info1.html
hxxp://nwernau.de/info1.html
hxxp://soswciechanow.home.pl/info1.html
hxxp://www.glueckauf-altenburg.de/info1.html
hxxp://nyhus.dk/info1.html
hxxp://barake.de/info1.html
hxxp://renata.weihs.w.interia.pl/info1.html
hxxp://vinkraj.narod.ru/info1.html
hxxp://mmjackofm.w.interia.pl/info1.html
hxxp://217.170.66.122/info1.html
hxxp://209.41.177.143/info1.html
hxxp://www.skemadtc.it/info1.html
hxxp://kumballa.de/info1.html
hxxp://www.samba-loco.de/info1.html
hxxp://brauerildiko.hu/info1.html
hxxp://public.dataproject.com/info1.html
hxxp://www.nationalhymne.de/info1.html
hxxp://angstrem.com.pl/info1.html
hxxp://mojdziennik.cba.pl/info1.html
hxxp://eleganceshop.home.pl/info1.html
hxxp://xchange.thegateworldwide.com/info1.html
hxxp://www.burningwick.pwp.blueyonder.co.uk/info1.html
hxxp://jwjoomla.cwsurf.de/info1.html
hxxp://www.agliati.it/info1.html
hxxp://best-nk.c0.pl/info1.html

The link text ‘Vedi i dettagli dell’ordine’ points to one of the URLs listed above. Each of these pages contains an encoded script that redirects the visitor to a Blackhole exploit kit v2.x landing page at hxxp://23.advertisingspecialties.biz/news/wanting_book_switch.php. This BH kit was hosted at IP address 96.126.106.62 at the time of this writing.

The kit attempts to download the following files/exploits:

hxxp://23.advertisingspecialties.biz/news/wanting_book_switch.php?tsltj=1l:30:1l:32:32&gmon=3j&eyoyoeuy=1o:30:32:30:1h:1j:1i:1f:1n:33&ggievtn=1o:1d:1f:1d:1f:1d:1f
Name: a4ccf.pdf
Identifier: CVE-2010-0188 exploit
Type: PDF document, version 1.6
Size: 9895 bytes
MD5sum: 1ef1040ba77c13ddc268ca34a4b030c6

If exploitation is successful, the victim is redirected to hxxp://23.advertisingspecialties.biz/news/wanting_book_switch.php?fvpcpp=1l:30:1l:32:32&irzg=1o:30:32:30:1h:1j:1i:1f:1n:33&phrua=1i&nlcdd=obmoxwk&fdrehtz=gfyuft, from which a Pony variant with the following properties is downloaded:

Name: contacts.exe
Identifier: Pony downloader
Type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Size: 150,528 bytes
MD5: c42105cc624659827773cb62de516d5a

The Pony downloader posts stolen credentials to its dropzone at:

hxxp://3ecompany.com:8080/forum/viewtopic.php
hxxp://23.advertisingspecialties.biz/forum/viewtopic.php
hxxp://23.area-plumbing-company.com/forum/viewtopic.php
hxxp://23.debtfreein100days.com/forum/viewtopic.php

The Pony downloader was configured to download Gameover Zeus payloads from the following locations:

1. hxxp://agarest.com/dckWfjue.exe
2. hxxp://kj-supply.com/JUz8cnK.exe
3. hxxp://chadgunderson.com/ZUmJx.exe

Gameover installs itself as %APPDATA%\Ppro\rfluo.exe and has the following file properties:

File: rfluo.exe
Size: 376,832 bytes
MD5: 6e65ca8fa550b03d1f377cc1c685abd8
Build TimeStamp: 2013-03-16 18:17:58
Language Code: Russian
Character Set: Unicode
Company Name: Корпорация Майкрософт
File Description: Монитор устройств неподвижных изображений
File Version: 5.1.2600.5512 (xpsp.080413-0852)

The Gameover variant had a botid of “candyshop” and a cid of 8888. The following P2P drones (initial peer list) were found embedded inside the Gameover Zeus payload:

178.122.63.254:26281
99.54.188.39:17053
78.166.181.174:25812
49.49.77.245:11443
95.58.110.195:28758
94.240.224.115:27794
147.8.213.30:18592
95.104.51.216:25833
194.94.127.98:25549
176.73.238.72:22869
69.77.132.197:20764
75.6.222.103:11577
71.136.48.91:22174
203.128.247.114:29667
186.96.66.82:17103
63.139.177.211:11505
78.139.187.6:14384
198.101.63.2:13725
90.176.158.215:15920
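As an added defender-side example (not part of the original post), the Python below matches proxy-log and flow records against the indicator chain described in this post: the /info1.html redirector pages, the Blackhole landing URLs, the Pony dropzone POSTs, the Gameover payload URLs and the embedded P2P peers. Hostnames, URLs and peer addresses are copied from the post (the redirector host set is only a subset of the full list); the log format, client addresses and sample records are constructed for the example.

```python
"""Match proxy-log and flow records against the indicator chain from this post."""
import re
from urllib.parse import urlsplit

# Indicators copied from the post, kept in its defanged hxxp:// form.
REDIRECTOR_HOSTS = {  # subset of the /info1.html hosts listed above
    "herr-pferd.de", "nwernau.de", "www.freerider.it", "50.63.26.224",
}
REDIRECTOR_PATH = "/info1.html"
BLACKHOLE_LANDING = {
    "hxxp://bangpleasure.com/news/wanting_book_switch.php",
    "hxxp://23.advertisingspecialties.biz/news/wanting_book_switch.php",
}
PONY_DROPZONES = {
    "hxxp://3ecompany.com:8080/forum/viewtopic.php",
    "hxxp://23.advertisingspecialties.biz/forum/viewtopic.php",
    "hxxp://23.area-plumbing-company.com/forum/viewtopic.php",
    "hxxp://23.debtfreein100days.com/forum/viewtopic.php",
}
GAMEOVER_PAYLOADS = {
    "hxxp://agarest.com/dckWfjue.exe",
    "hxxp://kj-supply.com/JUz8cnK.exe",
    "hxxp://chadgunderson.com/ZUmJx.exe",
}
GAMEOVER_PEERS = {  # subset of the P2P drones listed above
    "178.122.63.254:26281", "99.54.188.39:17053", "78.166.181.174:25812",
    "49.49.77.245:11443", "95.58.110.195:28758", "94.240.224.115:27794",
}


def refang(url: str) -> str:
    """Turn a defanged hxxp:// indicator back into a real URL for matching."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", url)


def normalise(url: str) -> str:
    """Lower-case the host and drop the query string: the Blackhole landing
    URLs carry randomised query keys, so only scheme+host+path is stable."""
    p = urlsplit(refang(url))
    return f"{p.scheme}://{p.netloc.lower()}{p.path}"


BH_SET = {normalise(u) for u in BLACKHOLE_LANDING}
DROP_SET = {normalise(u) for u in PONY_DROPZONES}
PAYLOAD_SET = {normalise(u) for u in GAMEOVER_PAYLOADS}


def classify_request(method: str, url: str):
    """Return the infection-chain stage a request matches, or None."""
    norm = normalise(url)
    parts = urlsplit(norm)
    host, path = (parts.hostname or ""), parts.path
    if host in REDIRECTOR_HOSTS and path == REDIRECTOR_PATH:
        return "stage1_spam_redirector"
    if norm in BH_SET:
        return "stage2_blackhole_landing"
    if norm in DROP_SET and method.upper() == "POST":  # Pony exfil is a POST
        return "stage3_pony_dropzone_post"
    if norm in PAYLOAD_SET:
        return "stage4_gameover_download"
    return None


# Constructed sample proxy records (not from the post): "epoch client method url status".
SAMPLE_PROXY_LOG = """\
1365091200.123 10.0.0.5 GET http://herr-pferd.de/info1.html 200
1365091201.456 10.0.0.5 GET http://23.advertisingspecialties.biz/news/wanting_book_switch.php?tsltj=1l:30:1l:32:32&gmon=3j 200
1365091205.789 10.0.0.5 POST http://23.advertisingspecialties.biz/forum/viewtopic.php 200
1365091206.000 10.0.0.5 GET http://agarest.com/dckWfjue.exe 200
1365091300.000 10.0.0.7 GET http://intranet.example/info1.html 200
"""

# Constructed sample flow records (not from the post): "src dst dport".
SAMPLE_FLOWS = """\
10.0.0.5 178.122.63.254 26281
10.0.0.5 192.0.2.10 443
"""


def scan_proxy_log(text: str):
    """Yield (client, stage) for every proxy record that matches a chain stage."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        _ts, client, method, url, _status = fields[:5]
        stage = classify_request(method, url)
        if stage:
            hits.append((client, stage))
    return hits


def scan_flows(text: str):
    """Yield (src, stage, peer) for flows towards an embedded Gameover P2P peer."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue
        src, dst, dport = fields[:3]
        if f"{dst}:{dport}" in GAMEOVER_PEERS:
            hits.append((src, "gameover_p2p_peer", f"{dst}:{dport}"))
    return hits


def infected_clients(proxy_hits, flow_hits):
    """Clients that reached a post-exploitation stage, i.e. more than a spam click."""
    late = {"stage3_pony_dropzone_post", "stage4_gameover_download", "gameover_p2p_peer"}
    return sorted({c for c, s, *_ in proxy_hits + flow_hits if s in late})


if __name__ == "__main__":
    p_hits, f_hits = scan_proxy_log(SAMPLE_PROXY_LOG), scan_flows(SAMPLE_FLOWS)
    for hit in p_hits + f_hits:
        print(hit)
    print("likely infected:", infected_clients(p_hits, f_hits))
```

The redirector match deliberately requires both a listed host and the /info1.html path: the path alone is generic enough to appear on legitimate sites (the 10.0.0.7 record above is left unflagged for that reason), while the Blackhole, dropzone and payload URLs are specific enough to match on host and path after the randomised query string has been stripped. Separating the stages lets a responder tell a user who merely clicked the spam link (stage 1 or 2) from a host that has already posted to Pony, pulled Gameover or joined its P2P network.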