ZeuS Crimeware Serving 123Greetings Ecard Themed Campaign in the Wild

Ubiquitous social engineering schemes never fade away. ZeuS crimeware campaigners are currently running a 123greetings.com ecard-themed campaign, in an attempt to entice users to "enjoy their ecard" by downloading and running the ZeuS binary.

Subject: "You have received an Greeting eCard"
Message: "Good day. You have received an eCard

To pick up your eCard, choose from any of the following options: Click on the following link (or copy & paste it into your web browser): matt-levine.com /ecard.exe; secondary URL offered: forestarabians.nl /ecard.exe Your card will be aviailable for pick-up beginning for the next 30 days. Please be sure to view your eCard before the days are up! We hope you enjoy you eCard. Thank You!

Detection rate:
- ecard.exe - Cryp_Zbot-12; Trojan/Win32.Vundo - Result: 9/42 (21.43%)
File size: 147968 bytes
MD5...: e6f3aa226bf9733b7e8c07cab339f4dc
SHA1..: e983767931900a13b88a615d6c1d3f6ff8fb6b60

Upon execution, the sample phones back to:
zephehooqu.ru /bin/koethood.bin - AS42560 - Email: skit@5mx.ru
jocudaidie.ru /9xq/_gate.php - AS3462 - Email: skit@5mx.ru - FAST-FLUXED

Multiple MD5s are also currently active at zephehooqu.ru.
Detection rates:
aimeenei.exe - Win32/Zbot.CJI - Result: 30/42 (71.43%)
File size: 149504 bytes
MD5...: 096b7e8c4f611f0eb69cfb776f3a0e7e
SHA1..: 909d7c2740f84599d5e30ffed7261e19ad4a962a

cahdoigu.exe - Mal/Zbot-U - Result: 27/42 (64.29%)
File size: 147968 bytes
MD5...: 11f9f96c17584a672c2a563744130a46
SHA1..: f31c40c5c766c7628023105be6f004e5322b17b6

koethood.exe - Troj/Zbot-SW - Result: 30/42 (71.43%)
File size: 147968 bytes
MD5...: da1979227141844be69577f7f31a7309
SHA1..: 5ada2c390e63ca051c9582fe723384ce52a45912

loobuhai.exe - BKDR_QAKBOT.SMB - Result: 33/42 (78.58%)
File size: 147968 bytes
MD5...: df4e19af8c356b3ff810bc52f6081ccc
SHA1..: d4a1d2f147ae0d24a3eaac66e8d2f9de50cf7a0c

oovaenai.exe - Packed.Win32.Katusha.j - Result: 32/42 (76.2%)
File size: 147456 bytes
MD5...: f0fd5579f06d5b581b5641546ae91d52
SHA1..: c81fa66c546020f3c1c34a0d1aa191b2d9578f07

quohthei.exe - Win32/Spy.Zbot.YW - Result: 33/42 (78.58%)
File size: 147968 bytes
MD5...: ffc0d66024f690e875638f4c33ba86f1
SHA1..: c958f3426a3e6fedd76b86a5aef16c90915ac539

sofeigoo.exe - Win32/Spy.Zbot.YW - Result: 31/42 (73.81%)
File size: 148992 bytes
MD5...: 45e98426fafd221ffb7d55ce8a1ae531
SHA1..: 8235b3a80ba6611779dfd4db40a48627af7374eb

teemaeko.exe - PWS:Win32/Zbot.gen!Y - Result: 32/42 (76.2%)
File size: 148992 bytes
MD5...: 9758f04d2f1bd664f37c4285a013372a
SHA1..: 4273dc48f9aeaf69cb7047c4a882af74479fb635

thaigogo.exe - Win32/Spy.Zbot.YW - Result: 34/42 (80.96%)
File size: 147968 bytes
MD5...: b667d75f5bb9f23a8ae249f7de4000a5
SHA1..: 7b57783dcf2aeaafbab3407bb608469851d342bb

ziejaing.exe - Trojan.Zbot.610 - Result: 30/42 (71.43%)
File size: 147456 bytes
MD5...: 7592e957de01e53956517097c0e9ccd8
SHA1..: e7c04d2c8c5d4a51e2615a2ee015d87d28655320

Related .ru cybercrime-friendly domains, sharing fast-flux infrastructure with this campaign's C&C:
adaichaepo.ru - Email: subtle@maillife.ru
aroolohnet.ru - Email: brawn@bigmailbox.ru
dahzunaeye.ru - Email: celia@freenetbox.ru
esvr3.ru - Email: bender@freenetbox.ru
hazelpay.ru - Email: owed@bigmailbox.ru
iesahnaepi.ru - Email: heel@bigmailbox.ru
iveeteepew.ru - Email: atomic@freenetbox.ru
jocudaidie.ru - Email: skit@5mx.ru
ohphahfech.ru - Email: warts@maillife.ru
railuhocal.ru - Email: celia@freenetbox.ru
sdlls.ru - Email: vc@bigmailbox.ru

Name servers of notice within the fast-flux infrastructure:
ns1.tophitnews.net - Email: worldchenell@ymail.com
ns2.tophitnews.net
ns1.usercool.net
ns2.usercool.net
ns1.welcominternet.net - Email: admin@rangermadeira.com
ns2.welcominternet.net
ns1.gamezoneland.com - Email: xtrail.corp@gmail.com
ns2.gamezoneland.com
ns1.tropic-nolk.com - Email: greysy@gmx.com
ns2.tropic-nolk.com
ns1.interaktivitysearch.net - Email: ssupercats@yahoo.com
ns2.interaktivitysearch.net
ns1.openworldwhite.net - Email: xtrail.corp@gmail.com
ns2.openworldwhite.net
ns1.helphotbest.net - Email: worldchenell@ymail.com

It gets even more interesting.  

greysy@gmx.com has already been profiled in an Avalanche botnet campaign using TROYAK-AS's services back then (The Avalanche Botnet and the TROYAK-AS Connection), followed by another assessment "TorrentReactor.net Serving Crimeware, Client-Side Exploits Through a Malicious Ad" where the same email was also used to register a name server part of the fast-flux infrastructure of the ZeuS crimeware's C&Cs.
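The infection chain described above (lure link to ecard.exe, then a callback to the .ru C&C and its fast-fluxed gate) is exactly what a proxy log would show on a compromised workstation. The script below is an added example, not part of the original post: it loads the domains, URLs and MD5s listed in the post as indicators and runs them over a few constructed proxy-log lines (the log format "timestamp client method host path status" is an assumption for the example). Hosts that only touched one of the related fast-flux domains are reported separately from hosts that reached the C&C itself, so triage can prioritise the latter.

```python
"""Scan constructed proxy-log lines for the indicators listed in the post."""
import re

# Indicators copied from the post. The post writes URLs with a space before
# the path to defang them; they are joined here as host + path.
C2_URLS = {
    "zephehooqu.ru/bin/koethood.bin",   # binary/config download host
    "jocudaidie.ru/9xq/_gate.php",      # gate, fast-fluxed
}
LURE_URLS = {"matt-levine.com/ecard.exe", "forestarabians.nl/ecard.exe"}
FASTFLUX_DOMAINS = {
    "adaichaepo.ru", "aroolohnet.ru", "dahzunaeye.ru", "esvr3.ru",
    "hazelpay.ru", "iesahnaepi.ru", "iveeteepew.ru", "jocudaidie.ru",
    "ohphahfech.ru", "railuhocal.ru", "sdlls.ru",
}
KNOWN_MD5 = {
    "e6f3aa226bf9733b7e8c07cab339f4dc": "ecard.exe",
    "096b7e8c4f611f0eb69cfb776f3a0e7e": "aimeenei.exe",
    "11f9f96c17584a672c2a563744130a46": "cahdoigu.exe",
    "da1979227141844be69577f7f31a7309": "koethood.exe",
    "df4e19af8c356b3ff810bc52f6081ccc": "loobuhai.exe",
    "f0fd5579f06d5b581b5641546ae91d52": "oovaenai.exe",
    "ffc0d66024f690e875638f4c33ba86f1": "quohthei.exe",
    "45e98426fafd221ffb7d55ce8a1ae531": "sofeigoo.exe",
    "9758f04d2f1bd664f37c4285a013372a": "teemaeko.exe",
    "b667d75f5bb9f23a8ae249f7de4000a5": "thaigogo.exe",
    "7592e957de01e53956517097c0e9ccd8": "ziejaing.exe",
}

# Constructed sample log (not from the post). Assumed format:
# "<timestamp> <client-ip> <method> <host> <path> <status>".
SAMPLE_PROXY_LOG = """\
2010-07-01T10:00:01Z 10.0.0.5 GET matt-levine.com /ecard.exe 200
2010-07-01T10:00:09Z 10.0.0.5 GET zephehooqu.ru /bin/koethood.bin 200
2010-07-01T10:00:10Z 10.0.0.5 POST jocudaidie.ru /9xq/_gate.php 200
2010-07-01T10:01:00Z 10.0.0.7 GET www.example.com /index.html 200
2010-07-01T10:02:00Z 10.0.0.9 GET hazelpay.ru /stat.php 404
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+"
    r"(?P<host>\S+)\s+(?P<path>\S+)\s+(?P<status>\d{3})$"
)


def parse_line(line):
    """Return the fields of one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def domain_matches(host, domain):
    """True for the domain itself and for any subdomain of it."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def match_line(line):
    """Return (client, category, indicator) tuples for one log line."""
    rec = parse_line(line)
    if rec is None:
        return []
    url = rec["host"].lower() + rec["path"]
    hits = []
    if url in LURE_URLS:
        hits.append((rec["client"], "lure_download", url))
    if url in C2_URLS:
        hits.append((rec["client"], "c2", url))
    for domain in sorted(FASTFLUX_DOMAINS):
        if domain_matches(rec["host"], domain):
            hits.append((rec["client"], "fastflux_domain", domain))
    return hits


def scan(log_text):
    """Run match_line over every line of a log and collect the hits."""
    hits = []
    for line in log_text.splitlines():
        hits.extend(match_line(line))
    return hits


def clients_with_c2(hits):
    """Clients that reached a C&C URL, i.e. most likely executed the payload."""
    return {client for client, category, _ in hits if category == "c2"}


def lookup_md5(md5):
    """Map a file's MD5 to the sample name from the post, or None."""
    return KNOWN_MD5.get(md5.lower())


if __name__ == "__main__":
    found = scan(SAMPLE_PROXY_LOG)
    for hit in found:
        print(hit)
    print("likely infected:", sorted(clients_with_c2(found)))
```

The domain match deliberately covers subdomains, since fast-flux operators rotate hostnames under the same registered domain; the lure and C&C URLs are matched exactly because a host that merely resolved a related domain is a weaker signal than one that fetched ecard.exe and then posted to the gate.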

This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter.
