
Friday 25 January 2013

UPS spam / eziponoma.ru

This fake UPS spam leads to malware on eziponoma.ru:

From: messages-noreply@bounce.linkedin.com [mailto:messages-noreply@bounce.linkedin.com] On Behalf Of LinkedIn Password
Sent: 25 January 2013 04:12
Subject: UPS Tracking Number H0931698016

You can use UPS Services to:
 Ship Online
 Schedule a Pickup
 Open a UPS Services Account
    
Welcome to UPS .com Customer Services
Hi, [redacted].

DEAR CLIENT , RECIPIENT'S ADDRESS IS WRONG

PLEASE PRINT OUT THE INVOICE COPY ATTACHED AND COLLECT THE PACKAGE AT OUR DEPARTMENT.

With Respect , Your UPS Customer Services.    


    ________________________________________
Copyright 2011 United Parcel Service of America, Inc. UNITED STATES POSTAL SERVICES, the Your USPS TEAM brandmark, and the color brown are trademarks of United Parcel Service of America, Inc. All rights reserved.
Please do not reply directly to this e-mail. USPS CUSTOMER SERVICES will not receive any reply message. For questions or comments, visit Contact UPS.
We understand the importance of privacy to our customers. For more information, please consult the USPS Team Privacy Policy.
This communication contains proprietary information and may be confidential. If you are not the intended recipient, the reading, copying, disclosure or other use of the contents of this e-mail is strictly prohibited and you are instructed to please delete this e-mail immediately.

The malicious payload is at [donotclick]eziponoma.ru:8080/forum/links/column.php which is hosted on:

94.23.3.196 (OVH, France)
195.210.47.208 (PS Internet Company, Kazakhstan)
202.72.245.146 (Railcom, Mongolia)
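As an added defender-side example (not part of the original post), the script below turns the indicators above into a small matcher for proxy access-log lines, so a hit on the domain, the payload path or any of the three hosting IPs is flagged per client. The log lines and their field layout are constructed for the example; the `refang` helper reverses the `[donotclick]` and `eziponoma,ru` defanging conventions used on this page.

```python
"""IOC matcher for the eziponoma.ru campaign described above.

Added example, not code from the original post. The access-log lines and
their layout (timestamp, client IP, method, URL, status) are constructed.
"""
import re
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Indicators taken from the post; "[donotclick]" is a defanging marker.
IOC_URL = "[donotclick]eziponoma.ru:8080/forum/links/column.php"
IOC_IPS = {"94.23.3.196", "195.210.47.208", "202.72.245.146"}


def refang(indicator: str) -> str:
    """Turn a defanged indicator back into a parseable URL.

    Handles the "[donotclick]" prefix, "hxxp://", and a "," or "[.]" used in
    place of "." in the host part only (the path is left untouched).
    """
    s = indicator.replace("[donotclick]", "").replace("hxxp://", "http://")
    if "://" not in s:
        s = "http://" + s
    scheme, rest = s.split("://", 1)
    host, sep, path = rest.partition("/")
    host = host.replace(",", ".").replace("[.]", ".")
    return f"{scheme}://{host}{sep}{path}"


_parts = urlsplit(refang(IOC_URL))
IOC_HOST, IOC_PORT, IOC_PATH = _parts.hostname, _parts.port, _parts.path

# Constructed log format: "<epoch> <client> <method> <url> <status>"
LOG_LINE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def classify(line: str) -> Optional[str]:
    """Return a reason if the log line touches an indicator, else None."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    _ts, _client, _method, url, _status = m.groups()
    parts = urlsplit(url)
    host = parts.hostname
    if host == IOC_HOST:
        # Exact payload path means the exploit-kit landing page was fetched;
        # any other path is still contact with the malicious domain.
        if parts.path == IOC_PATH:
            return f"payload fetch from {IOC_HOST}:{parts.port or 80}{parts.path}"
        return f"contact with malicious domain {IOC_HOST}"
    if host in IOC_IPS:
        return f"contact with hosting IP {host}"
    return None


def scan(log_text: str) -> List[Tuple[str, str]]:
    """Scan a block of log lines; return (client IP, reason) for each hit."""
    hits = []
    for line in log_text.splitlines():
        reason = classify(line)
        if reason:
            hits.append((line.split()[1], reason))
    return hits


# Constructed sample log: one benign line, a payload fetch, a fetch from one
# of the hosting IPs, and a non-payload request to the malicious domain.
SAMPLE_LOG = """\
1359086400.123 10.0.0.12 GET http://www.example.com/index.html 200
1359086401.456 10.0.0.12 GET http://eziponoma.ru:8080/forum/links/column.php 200
1359086402.789 10.0.0.7 GET http://94.23.3.196:8080/forum/links/column.php 200
1359086403.000 10.0.0.9 GET http://eziponoma.ru:8080/favicon.ico 404
"""

if __name__ == "__main__":
    for client, reason in scan(SAMPLE_LOG):
        print(f"{client}: {reason}")
```

Matching on hostname and IP separately matters here: the post lists three hosting IPs behind one domain, so a client that resolved the name locally and a client that hit the IP directly both show up, and a non-payload path on the domain is still reported as contact worth investigating.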

2 comments:

unixfreaxjp said...

Hello Conrad,
I made the malware analysis of this Blackhole infection (eziponoma,ru:8080) as comprehensive as possible.

I also put up samples, captured registry data, files accessed, and network/PCAP data, including the cracked data like the landing page & config of the stealer itself.

The CnC and panel of the credential stealer portal are also exposed; a lot of domains and IPs can be put up for blocking.
Hope this helps.
Access: http://malwaremustdie.blogspot.jp/2013/01/when-tte-pws-stealer-try-to-improve.html

unixfreaxjp said...

Hello Conrad,

Popped the hood of the malware's saved-credential server & we passed it to the authorities.

PoC: http://malwaremustdie.blogspot.jp/2013/01/when-tte-pws-stealer-try-to-improve.html#crack

It showed:
Total bots: 85 // Alive infected PC
Total finished: 58 // dunno this..
Total opened: 332 // infection case

I guess we will not be seeing spam coming from these guys for quite some time. But if you spot it, please kindly let us know quickly.

My best regards, keep on the good work!

#MalwareMustDie!