One of our users received a suspicious email this morning inviting him to apply for a job with a stable income. The email claims to be from Tina Shaffer of AKVA PROGRESSIVE LLC and is dressed up as a CareerBuilder job alert to entice the victim.
At first glance, the spam appears to be recruiting a money mule. However, a closer look at the embedded link (www.akvaprogressive.com) shows that the payload includes the Zeus/Zbot trojan.
<Email Sample>
<<<<<<<<<<<<<<<<<<<<<<<>>>>>>>>>>>>>>>>>>>>>>>>>>
CareerBuilder Job Application Re:
…
From:
Tina Shaffer <hanalizabeth@gmail.com>
…
To: Joe54@aol1.com
Thank you for uploading your resume on Career Builder.
We looked through your resume and would like to offer you a simple job
with a stable income. We are looking for candidates for a Service
Manager position. Even if you already have a job you can still apply
for this position because it can be used as a part-time job. You can
visit our web-site:
http://www.akvaprogressive.com <-- Embedded link points to IP: 193.104.34.59
Any operational experience is not required. Our company will sign an
agreement with you and you will be trained by us for free. To get
started you’ll need to create an account with any local bank to
process the transactions from our clients and sign the agreement. You
will be able to get your first profit in about 5 business days. We
offer base pay plus commission on top of it.
Please complete the registration on our website:
hxxp://akvaprogressive.com/r.php?i=4 <-- Malware link and payload.
and give me a call or send me an e-mail ( t84white@hotmail.com) after
finishing the process.
Best,
Tina Shaffer
Manager AKVA PROGRESSIVE LLC
t84white@hotmail.com
<<<<<<<<<<<<<<<<<<<<<<<<<<<>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
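The tells in that message can be checked mechanically: a free-webmail sender claiming a corporate identity, a different contact address planted in the body, a CareerBuilder brand in the subject while every link points at an unrelated domain, mule-recruitment language, and the r.php?i= redirector URL. The script below is an added example and is not part of the original write-up. SAMPLE_EMAIL is constructed from the quoted message (headers trimmed to what the post shows); the FREEMAIL list, MULE_PHRASES and the scoring are assumptions chosen for illustration, not a vendor's rule set.

```python
"""Mechanical triage of the job-scam email quoted above.

Added example, not part of the original write-up.  SAMPLE_EMAIL is constructed
from the quoted message; FREEMAIL, MULE_PHRASES and the scoring are assumptions
chosen for illustration, not a vendor's rule set.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed from the message quoted in the post (headers trimmed to what it shows).
SAMPLE_EMAIL = """\
From: Tina Shaffer <hanalizabeth@gmail.com>
To: Joe54@aol1.com
Subject: CareerBuilder Job Application Re:

Thank you for uploading your resume on Career Builder.
We looked through your resume and would like to offer you a simple job
with a stable income. We are looking for candidates for a Service
Manager position. You can visit our web-site:
http://www.akvaprogressive.com
To get started you'll need to create an account with any local bank to
process the transactions from our clients and sign the agreement.
Please complete the registration on our website:
hxxp://akvaprogressive.com/r.php?i=4
and give me a call or send me an e-mail ( t84white@hotmail.com ) after
finishing the process.
Best,
Tina Shaffer
Manager AKVA PROGRESSIVE LLC
"""

# Assumptions: a short free-webmail list and mule-recruitment phrases taken from the post.
FREEMAIL = {"gmail.com", "hotmail.com", "yahoo.com", "aol.com"}
MULE_PHRASES = (
    "create an account with any local bank",
    "process the transactions",
    "stable income",
)
URL_RE = re.compile(r"\bh[xt]{2}ps?://[^\s<>()\"']+", re.IGNORECASE)
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
REDIRECTOR_RE = re.compile(r"/r\.php\?i=\d+")   # the r.php?i=4 hop seen in the capture


def refang(url: str) -> str:
    """Turn the hxxp:// defanging used in write-ups back into a parseable scheme."""
    return re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE)


def registered_domain(host: str) -> str:
    """Crude eTLD+1: keep the last two labels (www.example.com -> example.com)."""
    labels = host.lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def triage(raw: str, claimed_brand: str = "careerbuilder") -> dict:
    """Score one RFC 822 message on the lure characteristics seen in the post."""
    msg = message_from_string(raw)
    _, sender = parseaddr(msg.get("From", ""))
    sender_domain = sender.rpartition("@")[2].lower()
    subject = msg.get("Subject", "").lower().replace(" ", "")
    body = msg.get_payload()
    urls = [refang(u) for u in URL_RE.findall(body)]
    link_domains = sorted({registered_domain(urlparse(u).hostname or "") for u in urls})
    # Addresses in the body that differ from the sender: the "call me at" pivot.
    reply_addrs = sorted({a.lower() for a in EMAIL_RE.findall(body)} - {sender.lower()})
    lower = body.lower()
    f = {
        "sender": sender,
        "sender_freemail": sender_domain in FREEMAIL,
        "brand_in_subject": claimed_brand in subject,
        "link_domains": link_domains,
        "brand_domain_mismatch": all(claimed_brand not in d for d in link_domains),
        "reply_addresses": reply_addrs,
        "mule_phrases": [p for p in MULE_PHRASES if p in lower],
        "redirector_urls": [u for u in urls if REDIRECTOR_RE.search(u)],
    }
    # One point per independent tell; brand only counts when the links do not match it.
    f["score"] = sum([
        f["sender_freemail"],
        f["brand_in_subject"] and f["brand_domain_mismatch"],
        bool(f["reply_addresses"]),
        bool(f["mule_phrases"]),
        bool(f["redirector_urls"]),
    ])
    return f


if __name__ == "__main__":
    for k, v in triage(SAMPLE_EMAIL).items():
        print(f"{k:22} {v}")
```

The brand check is deliberately conservative: a subject that names CareerBuilder only scores when none of the link domains contain that brand, so legitimate CareerBuilder mail with careerbuilder.com links is not penalised for the subject alone.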
<Malware Link Analyzed: hxxp://akvaprogressive.com/r.php>
- IP: 193.104.34.59
<Links>
- hxxp://akvaprogressive.com/index.php?option=com_comprofiler&task=registers&Itemid=2&adminid=4
- Opening page hxxp://akvaprogressive.com/index.php?option=com_comprofiler&task=registers&Itemid=2&adminid=4…
<Malicious Files Created (includes JavaScript)>
- C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\4X23OP2B\overlib_mini[1].js
- C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\GPURSX23\template[1].css
- C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\ODM3O1U3\overlib_hideform_mini[1].js
- C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\ODM3O1U3\template_css[1].css
- C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\WDUF49AN\center-bg-center[1].png
- C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\WDUF49AN\index[1].htm
<Malware Variants>
- Troj/ExpLogHm-A
- mdl_pdf exploit
- mdl_zeus/wsnpoem v2 config file
<Malware HTTP Traffic>
- From site:1039 to 193.104.34.59:80 – [akvaprogressive.com]
- Request: GET /r.php?i=4
- Response: 302 “Found”
- 193.104.34.59:80 – [akvaprogressive.com]
- Request: GET /templates/stroy/css/template_css.css
- Response: 200 “OK”
- From site:1042 to 193.104.34.59:80 – [akvaprogressive.com]
- Request: GET /sites/all/themes/stroy/fix-ie.css
- Response: 404 “Not Found”
- From site:1043 to 193.104.34.59:80 – [akvaprogressive.com]
- Request: GET /components/com_comprofiler/plugin/templates/default/template.css
- Response: 200 “OK”
- From site:1044 to 193.104.34.59:80 – [akvaprogressive.com]
- Request: GET /components/com_comprofiler/js/overlib_mini.js
- Response: 200 “OK”
- From site:1046 to 193.104.34.59:80 – [akvaprogressive.com]
- Request: GET /components/com_comprofiler/js/overlib_hideform_mini.js
<Traced Sites>
- estate-management.valor.ua [217.12.206.6] <-- Malware
- junya.goodnet.com.ua [91.203.144.14] <-- Fake Antivirus
- 193.104.34.98 <-- Zeus/Zbot
- 193.104.34.59 <-- Zeus/Zbot
<Malware Sites with Trojans, Exploits and Zeus/Zbot>
- hxxp://hmcompany.info/faw/zasa.bin
  - IP: 193.104.34.98
  - IP: 193.104.34.59
- prodesgroup.com
  - IP: 109.196.143.27
- musicjoker.org
  - IP: 91.203.147.60
- bizelitt.com
  - IP: 193.104.34.98
- sofort-bank.com
  - IP: 193.104.32.201
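The indicators above are only useful once they are checked against what the rest of the user base fetched. The script below is an added example, not the write-up's own tooling: it loads the IPs, domains and URL shapes listed in this post, sweeps constructed proxy-log lines in an assumed `client time method url status server-ip` layout, and reports per client whether the r.php?i= hop followed by the com_comprofiler registration page (the chain in the HTTP trace above) was reproduced. The pattern names (zbot-redirector, comprofiler-register, zasa-bin-download) are labels chosen here for illustration.

```python
"""Sweep proxy logs for the indicators collected in this write-up.

Added example, not the write-up's own tooling.  The IOC values are copied from
the lists above; SAMPLE_LOG is constructed in an assumed
"client time method url status server-ip" layout, and the pattern names are
labels chosen here for illustration.
"""
import re
from collections import defaultdict
from urllib.parse import urlparse

# IOCs copied from the post.
IOC_IPS = {
    "193.104.34.59", "193.104.34.98", "193.104.32.201", "217.12.206.6",
    "91.203.144.14", "109.196.143.27", "91.203.147.60",
}
IOC_DOMAINS = {
    "akvaprogressive.com", "hmcompany.info", "prodesgroup.com", "musicjoker.org",
    "bizelitt.com", "sofort-bank.com", "estate-management.valor.ua",
    "junya.goodnet.com.ua",
}
# URL shapes from the captured session: the r.php?i= hop that answered 302, the
# Joomla Community Builder registration page it landed on, and the zasa.bin drop.
IOC_URL_PATTERNS = (
    ("zbot-redirector", re.compile(r"/r\.php\?i=\d+")),
    ("comprofiler-register", re.compile(r"option=com_comprofiler&task=registers")),
    ("zasa-bin-download", re.compile(r"/faw/zasa\.bin$")),
)

# Assumed log layout; the trailing server IP is optional.
LOG_LINE = re.compile(
    r"^(?P<client>\S+) (?P<ts>\S+) (?P<method>[A-Z]+) (?P<url>\S+) "
    r"(?P<status>\d{3})(?: (?P<dst>\S+))?$"
)

# Constructed log lines; the first three mirror the captured session.
SAMPLE_LOG = """\
10.1.2.33 09:12:01 GET http://akvaprogressive.com/r.php?i=4 302 193.104.34.59
10.1.2.33 09:12:02 GET http://akvaprogressive.com/index.php?option=com_comprofiler&task=registers&Itemid=2&adminid=4 200 193.104.34.59
10.1.2.33 09:12:02 GET http://akvaprogressive.com/components/com_comprofiler/js/overlib_mini.js 200 193.104.34.59
10.1.2.57 09:14:10 GET http://www.example.com/jobs 200 93.184.216.34
10.1.2.71 09:20:44 GET http://hmcompany.info/faw/zasa.bin 200 193.104.34.98
10.1.2.90 09:25:03 GET http://193.104.32.201/ 200 193.104.32.201
not a log line
"""


def parse_line(line: str):
    """Parse one log line into a dict; None for lines that do not fit the layout."""
    m = LOG_LINE.match(line.strip())
    return m.groupdict() if m else None


def match_reasons(rec: dict) -> list:
    """Every IOC the record touches: literal IP host, listed domain (with
    subdomains), server IP the proxy connected to, and known URL shapes."""
    reasons = []
    host = (urlparse(rec["url"]).hostname or "").lower()
    if host in IOC_IPS:
        reasons.append("host-ip:" + host)
    for d in IOC_DOMAINS:
        if host == d or host.endswith("." + d):
            reasons.append("domain:" + d)
    if rec.get("dst") in IOC_IPS:
        reasons.append("dst-ip:" + rec["dst"])
    for name, pat in IOC_URL_PATTERNS:
        if pat.search(rec["url"]):
            reasons.append("url:" + name)
    return reasons


def sweep(log_text: str) -> list:
    """Return one hit per log line that matched at least one indicator, in log order."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        reasons = match_reasons(rec)
        if reasons:
            hits.append({"client": rec["client"], "url": rec["url"],
                         "status": rec["status"], "reasons": reasons})
    return hits


def infection_chains(hits: list) -> dict:
    """Per client: the URL-shape stages seen in order, and whether the
    r.php -> com_comprofiler hop from the capture was reproduced."""
    stages = defaultdict(list)
    for h in hits:
        for r in h["reasons"]:
            if r.startswith("url:"):
                stages[h["client"]].append(r[len("url:"):])
    out = {}
    for client in {h["client"] for h in hits}:
        seen = stages.get(client, [])
        chain = ("zbot-redirector" in seen and "comprofiler-register" in seen
                 and seen.index("zbot-redirector") < seen.index("comprofiler-register"))
        out[client] = {"stages": seen, "redirect_chain_seen": chain}
    return out


if __name__ == "__main__":
    found = sweep(SAMPLE_LOG)
    for h in found:
        print(h["client"], h["status"], h["url"], ",".join(h["reasons"]))
    for client, info in sorted(infection_chains(found).items()):
        print(client, info)
```

Domain matches include subdomains (www.akvaprogressive.com), and IP matches check both a literal IP in the URL and the server the proxy connected to, so a host that merely shares the 193.104.34.0/24 block with the listed addresses is not flagged unless it is itself on the list; a hit on the full redirect chain for a client is the one that warrants pulling the machine for the Zeus/Zbot config and binary checks.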