
Twitter received a request to reset the password for your account.

We analyzed the following malicious URL, which was used in Twitter-themed spam on May 17, 2012:

hxxp://lakshmiparthasarathyathreya.com/nwFzPsjZ/index.html

Twitter - Reset Password

This malicious page contained 4 external JavaScript includes, as shown below:

<script type="text/javascript" src="hxxp://www.houard.eu/D2ec6Q6S/js.js"></script>
<script type="text/javascript" src="hxxp://egerak.ipislam.edu.my/vp0BYhy2/js.js"></script>
<script type="text/javascript" src="hxxp://hardinggraphics.com/ZRRV8K9w/js.js"></script>
<script type="text/javascript" src="hxxp://portaldomarmoreegranito.com.br/69zecvvX/js.js"></script>

Eventually these malicious scripts redirect the victim to a Blackhole Exploit Kit at hxxp://69.194.192.218/showthread.php?t=d7ad916d1c0396ff
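A defender triaging a page like this one usually wants the list of third-party hosts that are pulling in script, since each of them is a compromised or attacker-controlled site worth blocking and reporting. The following example is added here and is not code from the original write-up: it takes the four script tags quoted above (embedded as a constructed sample, still in defanged hxxp:// form and with the curly quotes the blog's CMS inserted, plus one constructed first-party include for contrast), refangs the URLs, and reports every script include whose host differs from the landing page's own host.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample: the landing page URL and the four <script> includes quoted in
# the write-up, kept in the defanged hxxp:// form and with the curly quotes the
# blog's CMS inserted, plus one constructed first-party include for contrast.
PAGE_URL = "hxxp://lakshmiparthasarathyathreya.com/nwFzPsjZ/index.html"
PAGE_HTML = """
<html><head>
<script type=”text/javascript” src=”hxxp://www.houard.eu/D2ec6Q6S/js.js”></script>
<script type=”text/javascript” src=”hxxp://egerak.ipislam.edu.my/vp0BYhy2/js.js”></script>
<script type=”text/javascript” src=”hxxp://hardinggraphics.com/ZRRV8K9w/js.js”></script>
<script type=”text/javascript” src=”hxxp://portaldomarmoreegranito.com.br/69zecvvX/js.js”></script>
<script src="/nwFzPsjZ/local.js"></script>
</head><body>Twitter - Reset Password</body></html>
"""


def refang(url: str) -> str:
    """Turn the hxxp:// notation used in the write-up back into a real scheme."""
    return url.replace("hxxps://", "https://").replace("hxxp://", "http://")


def normalise_quotes(markup: str) -> str:
    """Replace curly quotes that a CMS may have substituted for straight ones."""
    return (markup.replace("\u201c", '"').replace("\u201d", '"')
                  .replace("\u2018", "'").replace("\u2019", "'"))


class ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> start tag."""

    def __init__(self) -> None:
        super().__init__()
        self.srcs: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        for name, value in attrs:
            if name.lower() == "src" and value:
                self.srcs.append(value.strip())


def external_scripts(page_url: str, markup: str) -> list[tuple[str, str]]:
    """Return (absolute_url, host) for each script include served from a host
    other than the page's own host. Relative includes resolve to the page host
    and are therefore not reported."""
    page = refang(page_url)
    page_host = urlparse(page).hostname
    collector = ScriptSrcCollector()
    collector.feed(normalise_quotes(markup))
    collector.close()
    hits = []
    for src in collector.srcs:
        absolute = urljoin(page, refang(src))
        host = urlparse(absolute).hostname
        if host and host != page_host:
            hits.append((absolute, host))
    return hits


if __name__ == "__main__":
    for url, host in external_scripts(PAGE_URL, PAGE_HTML):
        print(f"third-party script: {host:40} {url}")
```

Normalising the quotes before parsing matters: with curly quotes left in place, `html.parser` treats the attribute value as unquoted and keeps the quote characters inside the URL, so the host comparison would silently fail.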

The Blackhole kit first drops Pony from the following location:

hxxp://69.194.192.218/q.php?f=ba33e&e=4
File: readme.exe
MD5: cc696f9ac857c59be3940791f1dfa9c1
Size: 99,808 bytes

The Pony downloader posts to its dropzone at hxxp://50.57.121.196/pony/gate.php. It was also configured to download 2 identical Gameover Zeus payloads from the following locations:

1. hxxp://hosting1554269.az.pl/j5EGyoC.exe
2. hxxp://spiritfinancial.net/JqLBEaNt.exe

Gameover installs itself to %APPDATA%\Micyu\viunbu.exe

MD5: 1a518087bc0cbc1efd869012b2b1a7bd
Size: 305,120 bytes
Timestamp: 2010:10:29 20:57:49+02:00
Signature: This file is digitally signed by ‘gHA6’
Certificate Validity: 05/16/2012 to 01/01/2040

This Gameover Zeus variant posts to a dropzone at 189.78.66.155:29620. Webinjects were downloaded from 87.23.103.64:19802. The Gameover variant had a botid of “NRm18”.

As we have been seeing for the past few weeks, the Pony Downloader and Gameover Zeus payloads share the same file properties, indicating that both were built by the same group/people, around the same time (?):

Signature: This file is digitally signed by ‘gHA6’
Certificate Validity: 05/16/2012 to 01/01/2040
Company Name: bhq93888888888 Corporation
File Description: CTF Loader
Internal Name: CTFMON
Legal Copyright: © bhq93888888888 Corporation. All rights reserved.
Original Filename: CTFMON.EXE
Product Name: bhq93888888888® Windows® Operating System
Product Version: 6.1.7600.16385
Ole Self Register: D
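Shared version-info fields like the ones above are a cheap way to cluster samples from the same builder, and the mismatch between Windows component names (CTFMON, "Windows® Operating System") and a vendor that is not Microsoft is a masquerading indicator in its own right. The example below is added here and is not the write-up's own code; it assumes the version-info fields have already been extracted into a dict (field names such as `company_name` and `product_version` are this example's own), uses the two samples' MD5s and the shared properties quoted above, and adds a constructed control record with a placeholder hash so the clustering has something to separate.

```python
import hashlib

# Version-info fields that describe the build environment rather than one sample.
FINGERPRINT_FIELDS = (
    "signer", "company_name", "file_description", "internal_name",
    "original_filename", "product_name", "product_version",
)

# Properties quoted in the write-up as common to both the Pony and Gameover payloads.
SHARED_PROPERTIES = {
    "signer": "gHA6",
    "company_name": "bhq93888888888 Corporation",
    "file_description": "CTF Loader",
    "internal_name": "CTFMON",
    "legal_copyright": "© bhq93888888888 Corporation. All rights reserved.",
    "original_filename": "CTFMON.EXE",
    "product_name": "bhq93888888888® Windows® Operating System",
    "product_version": "6.1.7600.16385",
}

SAMPLES = [
    {"label": "Pony (readme.exe)",
     "md5": "cc696f9ac857c59be3940791f1dfa9c1", **SHARED_PROPERTIES},
    {"label": "Gameover Zeus (viunbu.exe)",
     "md5": "1a518087bc0cbc1efd869012b2b1a7bd", **SHARED_PROPERTIES},
    # Constructed control record (placeholder hash, not a real sample): the shape a
    # genuine CTF Loader's version info would have, with Microsoft as the vendor.
    {"label": "constructed control: genuine-looking ctfmon",
     "md5": "<placeholder-md5>",
     "signer": "Microsoft Windows",
     "company_name": "Microsoft Corporation",
     "file_description": "CTF Loader",
     "internal_name": "CTFMON",
     "legal_copyright": "© Microsoft Corporation. All rights reserved.",
     "original_filename": "CTFMON.EXE",
     "product_name": "Microsoft® Windows® Operating System",
     "product_version": "6.1.7600.16385"},
]


def build_fingerprint(meta: dict) -> str:
    """Hash the normalised build-related fields so samples from the same
    builder/signing setup produce the same fingerprint regardless of hash."""
    parts = [f"{f}={str(meta.get(f, '')).strip().lower()}" for f in FINGERPRINT_FIELDS]
    return hashlib.sha256("|".join(parts).encode("utf-8")).hexdigest()[:16]


def cluster_by_fingerprint(samples: list) -> dict:
    """Group sample MD5s by build fingerprint: {fingerprint: [md5, ...]}."""
    clusters: dict = {}
    for meta in samples:
        clusters.setdefault(build_fingerprint(meta), []).append(meta["md5"])
    return clusters


def masquerades_as_windows(meta: dict) -> bool:
    """True when the version info borrows Windows operating-system branding
    but neither the company name nor the copyright names Microsoft."""
    product = str(meta.get("product_name", "")).lower()
    company = str(meta.get("company_name", "")).lower()
    copyright_ = str(meta.get("legal_copyright", "")).lower()
    looks_like_windows = "windows" in product and "operating system" in product
    claims_microsoft = "microsoft" in company or "microsoft" in copyright_
    return looks_like_windows and not claims_microsoft


if __name__ == "__main__":
    for fp, md5s in cluster_by_fingerprint(SAMPLES).items():
        print(f"fingerprint {fp}: {len(md5s)} sample(s) -> {', '.join(md5s)}")
    for meta in SAMPLES:
        flag = "MASQUERADE" if masquerades_as_windows(meta) else "ok"
        print(f"{flag:10} {meta['label']}")
```

The fingerprint deliberately excludes the file hash, size and timestamp, which vary per build; the fields kept are the ones an operator sets once in the builder and tends to leave alone, which is exactly why they leak the relationship between otherwise unrelated families.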