BlackHole leading to Feodo: Bank of America account frozen

I've received a Christmas gift some hours ago. In fact there were two gifts but only one has survived the trip. They are from Russia...with love. Of course I'm talking about two e-mails I've received with two suspicious links. Even the e-mail bodies were suspicious, I think they have packed very quickly my gifts or they are not very attentive to me...:( The From field included "bankofamerica" and the Subject "Accountfrozen" so I suppose this means that my Bank of America account is frozen, right?

After some redirections we can find the typical obfuscated Javascript code made in BlackHole:

After decoding the Javascript code we obtain the next step, also related to BlackHole. This time I can only see a unique Flash exploit trying to download and execute a binary from the same domain where the exploit kit is located (shellcode is XORed with 0x28).

The binary, downloaded from a URL with format http://domain/w.php?f=18&e=6, has a very low detection rate (5/43) and it's identified as a generic Downloader. If we take a closer look at its network traffic we can see some interesting strings:
Because of this and other strings, like HTML code asking for credentials, we can say that we have a banker here and Feodo is its name. The related domains have been registered with Russian identities this week (some of them today) and their IP addresses also belong to Russian net-blocks:
Registrant ID:DI_20058793 
Registrant Name:Maksim Karpov
Registrant Organization:N/A
Registrant Street1:Kozlova 38/33
Registrant Street2:
Registrant Street3:
Registrant City:Vsevolojsk
Registrant State/Province:
Registrant Postal Code:346940
Registrant Country:RU
Registrant Phone:+7.4955259668
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:

It's not new, BlackHole leading to ZeuS / SpyEye / Feodo...but I think it's worth mentioning ;)


Post new comment

The content of this field is kept private and will not be shown publicly.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Allowed HTML tags: <a> <em> <strong> <cite> <code> <ul> <ol> <li> <dl> <dt> <dd>
  • Lines and paragraphs break automatically.

More information about formatting options

Type the characters you see in this picture. (verify using audio)
Type the characters you see in the picture above; if you can't read them, submit the form and a new image will be generated. Not case sensitive.