"/Info.zip?" some parameters, e.g., n=033-5834, id=4561392, 1091-2905, etc.
The spam message arrives in a variety of different languages, presumably attempting to guess the native language of the recipient and/or evade spam detection. The order ID used in the subject, message, and link varies in every message to attempt to evade spam detection. The messages translate to:
"Your order has been accepted.
Id Order 1947-210.Terms of delivery and the date can be found in the self-generated MSWord file."
The ZIP is detected by a few A/V vendors, for example:
MD5: 30b9a90029e129a6114dae7bce8a15c6
(11/41)
Once unzipped the Trojan appears as an 83 character filename:
Info.Doc_________~snip~__________.exe
MD5: 19f6d8f565d465f3ee9c03881cbc3893
(12/43)
From what we've seen so far, the MD5s for the malware samples are all the same. The binary executable is UPX packed, and drops "5ee2fffe0001a11d.exe" (or a similar hexadecimal filename) to the user's temp directory, set to run at startup. It then checks in, POSTing infection details to:
hxxp://heppishopdrm.ru/stat/image.php
And retrieving an update from:
hxxp://
MD5: 4d02fbd17529a1fc867d991c6fd22b61
(28/42) - goes by a few names: Trojan Lebag, Graftor.
The update checks into duffiduffii.ru/dbs/logo90.php, likely for an encrypted config:
We have seen these sites utilize five IPs in round-robin with a short TTL of 300 (fast-flux). IPs seen so far include:
67.40.211.116 (AS209 - QWEST)
60.19.30.135 (AS4837 - CN UNICOM-LN)
218.24.113.3 (AS4837 - CN UNICOM-LN)
205.185.117.149 (AS18779 - PONYNET)
82.210.157.9 (AS12476 - ASTERCITYNET)
122.194.5.110 (AS4837 - CN UNICOM-LN)
Many of these IPs show a recent history of C&C abuse for cyber-crime (Zeus and SpyEye).
The malware domains were recently registered and currently utilize the nameservers:
ns1.locatormate.net
ns1.anzbankingnz.net
Both currently point to 108.59.35.213 (AS32413 - North Texas Connect); this IP has an October 2011 Spamhaus SBL advisory related to SpyEye. Other domains using these nameservers should be treated as suspicious/malicious.
The "familytindoor.net" domain was recently registered with the following registrant information and Gmail address:
Here's a list of what we have seen spammed out so far related to this campaign (most/all of these are not yet in any blacklist and appear to be compromised sites):
hxxp://
hxxp://jump-float.org/downloads/azienda/Info.zip
hxxp://
hxxp://
hxxp://modsart.in/downloads/azienda/Info.zip
hxxp://fattoconamore.it/downloads/azienda/Info.zip
hxxp://
hxxp://evacuazione.com/downloads/kantoor/Info.zip
hxxp://marcobasile.com/downloads/kantoor/Info.zip
hxxp://knuttisportebike.it/downloads/azienda/Info.zip
hxxp://modsart.in/downloads/kantoor/Info.zip
hxxp://leoparquet.it/downloads/azienda/Info.zip
hxxp://funimont.it/downloads/azienda/Info.zip
hxxp://eskilito.com/downloads/azienda/Info.zip
hxxp://duediemme.it/downloads/azienda/Info.zip
hxxp://cosmick.it/downloads/kantoor/Info.zip
hxxp://
hxxp://
hxxp://
hxxp://
hxxp://villamontesiro.com/downloads/azienda/Info.zip
hxxp://reginaisabella.org/downloads/kantoor/Info.zip
hxxp://marcobasile.com/downloads/azienda/Info.zip
hxxp://leoparquet.it/downloads/kantoor/Info.zip
hxxp://jump-float.org/downloads/kantoor/Info.zip
hxxp://fattoconamore.it/downloads/kantoor/Info.zip
hxxp://cosmick.it/downloads/azienda/Info.zip
hxxp://
hxxp://villamontesiro.com/downloads/kantoor/Info.zip
hxxp://eskilito.com/downloads/kantoor/Info.zip
hxxp://arcocurvatrici.com/downloads/azienda/Info.zip
hxxp://
hxxp://funimont.it/downloads/kantoor/Info.zip
hxxp://reginaisabella.org/downloads/azienda/Info.zip
hxxp://duediemme.it/downloads/kantoor/Info.zip
hxxp://evacuazione.com/downloads/azienda/Info.zip
hxxp://arcocurvatrici.com/downloads/kantoor/Info.zip
hxxp://
hxxp://
hxxp://
hxxp://
hxxp://
hxxp://knuttisportebike.it/downloads/kantoor/Info.zip
hxxp://
hxxp://
hxxp://
hxxp://
hxxp://
hxxp://
hxxp://
hxxp://
hxxp://
hxxp://
hxxp://
hxxp://
hxxp://
hxxp://
hxxp://radionotizie.biz/downloads/azienda/Info.zip
I will make updates to this post as I continue my analysis.
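To turn the indicators above into something a defender can run, here is an added example (not part of the original post, and not a tool from the author) that matches proxy log lines against the download URL pattern (`/downloads/azienda/Info.zip` or `/downloads/kantoor/Info.zip`, with or without the query string) and the two C&C check-in paths, and flags domains whose DNS answers look like the fast-flux pattern described above (five or more distinct IPs, all with a TTL of 300 or less). The proxy log format, the client addresses, the timestamps and the `192.0.2.x` addresses are constructed for the example; the domains, paths and C&C IPs are the ones listed in the post.

```python
import re
from collections import defaultdict

# Download link pattern seen in the spam; the "?n=..." query string is optional.
DOWNLOAD_PATH_RE = re.compile(
    r"^/downloads/(?:azienda|kantoor)/Info\.zip(?:\?.*)?$", re.IGNORECASE
)

# (host, path) pairs for the check-in and update URLs named in the post.
C2_PATHS = {
    ("heppishopdrm.ru", "/stat/image.php"),
    ("duffiduffii.ru", "/dbs/logo90.php"),
}

# Fast-flux heuristic from the post: five IPs in round-robin with TTL 300.
FAST_FLUX_MAX_TTL = 300
FAST_FLUX_MIN_IPS = 5

# Hypothetical proxy-log layout (constructed for this example):
# <timestamp> <client-ip> <method> <url>
PROXY_LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>GET|POST)\s+"
    r"https?://(?P<host>[^/\s]+)(?P<path>/\S*)?$"
)


def classify_request(line):
    """Return 'payload-download', 'c2-checkin' or None for one proxy log line."""
    m = PROXY_LINE_RE.match(line.strip())
    if not m:
        return None
    host = m.group("host").lower()
    path = m.group("path") or "/"
    if DOWNLOAD_PATH_RE.match(path):
        return "payload-download"
    # Drop any query string before comparing with the known check-in paths.
    if (host, path.split("?", 1)[0]) in C2_PATHS:
        return "c2-checkin"
    return None


def scan_proxy_log(lines):
    """Return [(client, host, tag), ...] for every line matching an indicator."""
    hits = []
    for line in lines:
        tag = classify_request(line)
        if tag:
            m = PROXY_LINE_RE.match(line.strip())
            hits.append((m.group("client"), m.group("host").lower(), tag))
    return hits


def detect_fast_flux(answers):
    """answers: iterable of (name, ip, ttl) A-record observations.

    Returns the set of names that resolved to at least FAST_FLUX_MIN_IPS
    distinct IPs where every observed TTL was <= FAST_FLUX_MAX_TTL.
    """
    ips = defaultdict(set)
    max_ttl = {}
    for name, ip, ttl in answers:
        name = name.lower()
        ips[name].add(ip)
        max_ttl[name] = max(max_ttl.get(name, 0), ttl)
    return {
        n for n, s in ips.items()
        if len(s) >= FAST_FLUX_MIN_IPS and max_ttl[n] <= FAST_FLUX_MAX_TTL
    }


# Constructed sample data: domains, paths and the five C&C IPs come from the
# post; client addresses, timestamps and 192.0.2.x addresses are made up.
SAMPLE_PROXY_LOG = [
    "2011-11-03T10:15:02 10.0.0.5 GET http://modsart.in/downloads/azienda/Info.zip?n=033-5834",
    "2011-11-03T10:15:09 10.0.0.5 POST http://heppishopdrm.ru/stat/image.php",
    "2011-11-03T10:15:11 10.0.0.5 GET http://duffiduffii.ru/dbs/logo90.php?id=4561392",
    "2011-11-03T10:16:40 10.0.0.7 GET http://www.example.com/index.html",
]
SAMPLE_DNS = [
    ("heppishopdrm.ru", "67.40.211.116", 300),
    ("heppishopdrm.ru", "60.19.30.135", 300),
    ("heppishopdrm.ru", "218.24.113.3", 300),
    ("heppishopdrm.ru", "205.185.117.149", 300),
    ("heppishopdrm.ru", "82.210.157.9", 300),
    ("www.example.com", "192.0.2.10", 3600),
    ("www.example.com", "192.0.2.11", 3600),
]

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG):
        print("proxy hit:", hit)
    for name in sorted(detect_fast_flux(SAMPLE_DNS)):
        print("fast-flux candidate:", name)
```

The download-path check deliberately ignores the host, since the post shows the same path on many unrelated compromised sites; the C&C check keys on host and path together because those are dedicated malicious domains. The fast-flux heuristic is a first-pass filter only: CDNs also return several A records with low TTLs, so hits should be confirmed against the nameservers and IP history given above.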