Fujacks Variant Using ACH Lure (more accurately Blackhole spreading Zeus via ACH Lure)

Published: 2011-11-18. Last Updated: 2011-11-18 21:11:09 UTC
by Kevin Liston (Version: 3)
4 comment(s)

During my shift we received an email claiming to be from "The Electronic Payments Association" with the subject of "Rejected ACH transfer."  It informed us that our ACH transfer was "canceled by the other financial institution," and provided a link to the supporting documentation.

If you click on the link (hXXp://masterwall.com.au/8ymksg/index.html -- I'm sharing the link so you can check your logs) you'll go off on a short trip through a few sites (and pull down some Google Ads -- you might want to look at who's making money off of that, Google), and if you're running a system vulnerable to CVE-2010-1885 you'll eventually install a loader for what Ikarus is calling Worm.Win32.Fujack.o.

I've spent more time informing webmasters than really analyzing the code, but that's usually how it goes.

The defaced sites have all been informed.  I've sent a message to the main hosting site as well (but don't expect an answer).

The particular indicators for this event:

Initial defaced site: hXXp://masterwall.com.au/8ymksg/index.html

Intermediate sites can be pulled from the wepawet report here: http://wepawet.iseclab.org/view.php?hash=26a057f6807d39560631bfe7039d78ad&t=1321628919&type=js

The endpoint (the one you want to block and search your logs for): hXXp://aquasrc.com/w.php?f=100&e=8

The MD5 of what I pulled down: b4d9e3639b1bb326938efd9b6700f26d

This will install itself on the victim's machine and autostart after reboot; it will also try to spread via internal network shares.

I haven't spotted what it uses for its command and control yet, so all I know for certain is that it spreads.  I hope to update this later with the C&C server details.

Update:

The malware looks to be a variant of the banking trojan Zeus.  Look in your DNS logs for systems requesting quiversea.com.

Update 2:

As Chris W points out below, this appears to be a Blackhole exploit kit.  So the cited CVE above is simply the exploit that was appropriate for the honey-monkey visiting the site; it'll identify the victim's system and send an appropriate exploit.

Keywords: worm

Comments

I have been seeing that caught by our SPAM filters for months. That and my favorite.. a FEDEX missed your delivery notice. Lately the deactivate your mail account if you do not fill in our form is making the rounds.

A variant we saw was hxxp://overnightclippingpath.com/a3g2pwc/index.html, subject ACH payment rejected

Actually this looks like the Blackhole exploit kit (interesting to see it triggered via e-mail links rather than malicious ads) and you should look for :-

/[a-z].php?f=[0-9]+e=[0-9]+ (payload binaries: f=file number, e=successful exploit number)

/[12]ddfp.php?f=[0-9]+ (PDF exploits -> e=6)

also (with more risk of false positives):-

/content/field.swf (Flash exploit -> e=8)

/content/*.jar (Java exploits -> e=1, e=10; names vary)

/main.php?page=[0-9a-f]{16} (exploit kit landing page, but other URL forms exist)

plus files fetched from integer "hosts" (e.g. "hXXp://521014283/Gmail") by Java < 1.6.0_24 (exploit -> e=0, but more than just Blackhole uses this!)

We've been seeing this for a few months as well. When a campaign goes out it seems that quite a few different URLs are used in the messages.

The one we saw last night: http://mysubmissionservice.com/~sabaidee/f5e3zpp/index.html

Also, FWIW, I had multiple unrelated email accounts hit with the ACH themed messages last night.
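
The URL forms from the Blackhole comment above and the hosts named in the diary, turned into a proxy-log check as an added example (not code from the diary or its commenters). The log line layout, the example hosts and the confidence labels are assumptions; the patterns are written as escaped regular expressions with the `&` separator seen in the diary's endpoint URL, and the page's own indicator stays defanged, which `urlsplit` parses the same way.

```python
import re
from urllib.parse import urlsplit

# Hosts named in the diary: endpoint, DNS indicator, initial defaced site.
IOC_HOSTS = {"aquasrc.com", "quiversea.com", "masterwall.com.au"}
# The comment's URL forms as escaped regexes, full-matched on path+query (an
# assumption); "low" = forms the comment says risk more false positives.
RULES = [
    ("payload", "high", re.compile(r"/[a-z]\.php\?f=(\d+)&e=(\d+)")),
    ("pdf-exploit", "high", re.compile(r"/[12]ddfp\.php\?f=(\d+)")),
    ("flash-exploit", "low", re.compile(r"/content/field\.swf")),
    ("java-exploit", "low", re.compile(r"/content/[^/]+\.jar")),
    ("landing-page", "low", re.compile(r"/main\.php\?page=[0-9a-f]{16}")),
]

def classify(url):
    """Return (rule, confidence, detail) hits; detail holds captured f/e numbers."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    target = parts.path + ("?" + parts.query if parts.query else "")
    hits = []
    if host in IOC_HOSTS or host.endswith(tuple("." + h for h in IOC_HOSTS)):
        hits.append(("ioc-host", "high", host))
    if host.isdigit():  # integer "host"; the comment notes other kits use it too
        hits.append(("integer-host", "low", host))
    for name, confidence, rx in RULES:
        m = rx.fullmatch(target)
        if m:
            hits.append((name, confidence, ",".join(m.groups())))
    return hits

def scan(lines):
    """Yield (client, url, hits) for each log line whose URL is flagged."""
    for line in lines:
        fields = line.split()
        if len(fields) == 4 and (hits := classify(fields[3])):
            yield fields[1], fields[3], hits

# Constructed proxy log lines: "<time> <client> <method> <url>".
SAMPLE = """\
2011-11-18T20:01:07Z 10.0.0.5 GET hXXp://aquasrc.com/w.php?f=100&e=8
2011-11-18T20:01:09Z 10.0.0.5 GET http://kit.example/2ddfp.php?f=100
2011-11-18T20:02:30Z 10.0.0.9 GET http://3232235777/x
2011-11-18T20:03:11Z 10.0.0.7 GET http://www.example.com/index.php?f=1&e=2
""".splitlines()

if __name__ == "__main__":
    for client, url, hits in scan(SAMPLE):
        print(client, url, hits)
```

Treat the "low" rules as context for a client that also has a "high" hit rather than as alerts on their own.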
