
SANS ISC: Fujacks Variant Using ACH Lure - Internet Security | DShield SANS ISC InfoSec Forums


Fujacks Variant Using ACH Lure

During my shift we received an email claiming to be from "The Electronic Payments Association" with the subject "Rejected ACH transfer."  It informed us that our ACH transfer was "canceled by the other financial institution," and provided a link to the supporting documentation.

If you click on the link (hXXp://masterwall.com.au/8ymksg/index.html -- I'm sharing the link so you can check your logs) you'll go off on a short trip through a few sites (and pull down some Google Ads -- you might want to look at who's making money off of that, Google), and eventually, if you're running a system vulnerable to CVE-2010-1885, you'll install a loader for what Ikarus is calling Worm.Win32.Fujack.o.

I've spent more time informing webmasters than really analyzing the code, but that's usually how it goes.

The defaced sites have all been informed.  I've sent a message to the main hosting site as well (but don't expect an answer.)

The particular indicators for this event:

Initial defaced site: hXXp://masterwall.com.au/8ymksg/index.html

Intermediate sites can be pulled from the wepawet report here: http://wepawet.iseclab.org/view.php?hash=26a057f6807d39560631bfe7039d78ad&t=1321628919&type=js

The endpoint (the one you want to block and search your logs for): hXXp://aquasrc.com/w.php?f=100&e=8

The MD5 of what I pulled down: b4d9e3639b1bb326938efd9b6700f26d

This will install itself on the victim's machine and autostart after reboot; it will also try to spread via internal network shares.

I haven't spotted what it uses for its command and control yet, so all I know for certain is that it spreads.  I hope to update this later with the C&C server details.

Kevin Liston

292 Posts
ISC Handler
I have been seeing that caught by our SPAM filters for months. That and my favorite: a FEDEX missed your delivery notice. Lately the deactivate your mail account if you do not fill in our form is making the rounds.
Al of Your Data Center

80 Posts
A variant we saw was hxxp://overnightclippingpath.com/a3g2pwc/index.html, subject ACH payment rejected
Al of Your Data Center
1 Posts
Actually this looks like the Blackhole exploit kit (interesting to see it triggered via e-mail links rather than malicious ads) and you should look for:

/[a-z].php?f=[0-9]+e=[0-9]+ (payload binaries: f=file number, e=successful exploit number)

/[12]ddfp.php?f=[0-9]+ (PDF exploits -> e=6)

also (with more risk of false positives):

/content/field.swf (Flash exploit -> e=8)

/content/*.jar (Java exploits -> e=1, e=10; names vary)
/main.php?page=[0-9a-f]{16} (exploit kit landing page, but other URL forms exist)

plus files fetched from integer "hosts" (e.g. "hXXp://521014283/Gmail") by Java < 1.6.0_24 (exploit -> e=0, but more than just Blackhole uses this!)
Anonymous
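As an added example (not code from the diary or from the commenters), here is a small Python scanner that applies the URL patterns listed in the comment above, together with the diary's endpoint indicator, to constructed proxy-log lines. The payload pattern is written as `f=...&e=...` with the ampersand, matching the diary's endpoint URL; the log format, the client addresses and the hosts other than those on the page are assumptions.

```python
import re
from urllib.parse import urlsplit

# URL patterns for the Blackhole-style chain described on the page.
PATTERNS = [
    ("landing page", re.compile(r"/main\.php\?page=[0-9a-f]{16}")),
    ("payload binary", re.compile(r"/[a-z]\.php\?f=\d+&e=\d+")),
    ("PDF exploit", re.compile(r"/[12]ddfp\.php\?f=\d+")),
    ("Flash exploit", re.compile(r"/content/field\.swf")),
    ("Java exploit", re.compile(r"/content/[^/?]+\.jar")),
]
# Integer "hosts" such as 521014283 are fetched by the old-Java stage.
INTEGER_HOST = re.compile(r"^\d+$")


def classify_url(url):
    """Return the chain stage a URL matches, or None if nothing matches."""
    parts = urlsplit(url)
    if INTEGER_HOST.match(parts.hostname or ""):
        return "integer host (Java exploit fetch)"
    path_query = parts.path + ("?" + parts.query if parts.query else "")
    for stage, rx in PATTERNS:
        if rx.search(path_query):
            return stage
    return None


def scan_proxy_log(lines):
    """Return (client_ip, url, stage) for every line that hits an indicator.
    Assumed (constructed) line format: timestamp client_ip url"""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 3:
            continue
        stage = classify_url(fields[2])
        if stage:
            hits.append((fields[1], fields[2], stage))
    return hits


# Constructed sample log; hosts other than those named on the page are invented.
SAMPLE_LOG = """\
1321628919.101 10.0.0.12 http://masterwall.com.au/8ymksg/index.html
1321628920.340 10.0.0.12 http://landing.example/main.php?page=0123456789abcdef
1321628921.877 10.0.0.12 http://aquasrc.com/w.php?f=100&e=8
1321628922.004 10.0.0.12 http://521014283/Gmail
1321628925.512 10.0.0.31 http://www.example.com/content/index.html""".splitlines()

if __name__ == "__main__":
    for client, url, stage in scan_proxy_log(SAMPLE_LOG):
        print(f"{client}\t{stage}\t{url}")
```

The initial defaced page (index.html) is deliberately not matched by these patterns; block it by hostname from the diary's indicator list instead.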
We've been seeing this for a few months as well. When a campaign goes out it seems that quite a few different URLs are used in the messages.

The one we saw last night: http://mysubmissionservice.com/~sabaidee/f5e3zpp/index.html

Also, FWIW, I had multiple unrelated email accounts hit with the ACH themed messages last night.
Anonymous
