The historical activity of multiple cybercrime gangs and individuals shows that, in order to secure multiple revenue streams, they tend to work on several fronts at once, operating in and serving customers across different cybercrime-friendly market segments.

A logical question emerges given that 99% of the spamvertised campaigns we’re currently intercepting rely on the latest version of the Black Hole Exploit Kit: is Paunch, the author of the kit, multi-tasking as well? And what is the overall impact of his ‘vertical market integration‘ across the Web, beyond maintaining the largest market share among Web malware exploitation kits?

Let’s find out by discussing two of his well-known revenue sources and sampling a campaign that relies on the managed iFrame/JavaScript crypting/obfuscating service he also operates.

More details:

Sample advertisement for the iFrame/Javascript crypting/obfuscating service operated by Paunch, within the kit’s control panel:

[Image: Paunch_Black_Hole_Exploit_Kit_Advertising]

This is the most prominent advertisement featured within the kit since day one, an attempt by its author not only to build brand awareness for the service but also to convert existing Black Hole Exploit Kit customers into customers of the crypting/obfuscating service as well. The results? Pretty decent conversion rates, judging by systematic tracking of the pseudo-random obfuscations generated by the service and actually used in campaigns intercepted in the wild.

At a later stage things changed slightly, perhaps because Paunch’s service had gained the necessary market share: the author of the kit started soliciting advertisements from fellow cybercriminals, like the following ad:

[Image: Paunch_Black_Hole_Exploit_Kit_Advertising_02]

What’s so special about the iFrame/JavaScript crypting/obfuscating service operated by Paunch? It supports multiple crypting/obfuscating algorithms as well as API keys, so his customers can request ‘on-the-fly’ obfuscation programmatically rather than through the web form alone.

Sample entry page for Paunch’s crypting/obfuscating service:

[Image: Paunch_Black_Hole_Exploit_Kit_Advertising_05]

Examples of the pseudo-random obfuscation used in Black Hole Exploit Kit campaigns that relied on Paunch’s service:

[Image: Paunch_Black_Hole_Exploit_Kit_Advertising_03]

Sample static JavaScript obfuscation courtesy of Paunch’s service, known to have been used in previously profiled malicious campaigns (the opening tag was lost in extraction and is restored here):
<script>try{abre++}
<script>v=”va”+”l”
<script>try{vfE++;}

[Image: Paunch_Black_Hole_Exploit_Kit_Advertising_04]

URLs known to have included the same obfuscated JavaScript in the past:
hxxp://blue-lotusgrove.net/main.php?page=559e008e5ed98bf7
hxxp://dushare.net/main.php?page=c82ec1c8d6998cf0
hxxp://nf4.admonstr.net/ad/?id=735
hxxp://forehmailywt.ontheweb.nu/vc.php?go=2
hxxp://blacklabelblogs.com/fedinv.html
hxxp://feverjoensuu.fi/AC_RunActiveContent.js
hxxp://hotels-in-india.in/about-us.html

Sample campaign that relied on the same JavaScript obfuscation:

hxxp://graciemgt.huntwalker.com/clients.php -> hxxp://mrtwimcraiprwogw.info/in.cgi?14 – 37.59.236.138 (AS16276) – Email: davis_osburn56@saintmail.net -> hxxp://eheph.AlmostMy.COM/hulk -> hxxp://pornadvocate.com

The following malicious redirectors are known to have resolved to the same IP (37.59.236.138) in the past:
effehilmhgctrpia.info
qprfhoerftcpwfoc.info
pictptrjgmtfhwqc.info
ijwwgrjiolhhzpwc.info
frjwdrfjwwwreife.info
fepzjrdeqwppzpre.info
teihjtzmjjppzccf.info
foppwrijcjweczgf.info
twefwhiogaemawif.info
wricfffjewcmricg.info
cwwppthwwwlejiwg.info
wdgffiapcrhpgcch.info
dcfocihgaoffhteh.info
zqiwfheeehfjchdi.info
ftctwpcrrchwqdfi.info
cwfdrdwjfwolhegi.info
iwdddhfmozlrpewj.info
clmrcwwhfdqghjgl.info
fcirpfgfiwrcgjol.info
wfhfppacfefepwzl.info
mwpzgwoeewemfewm.info
jtrjjfcgprmdqawo.info
gchecwwgqwwefhgp.info
rwhgwgjmwqffjlip.info
whieggaowrcpiljp.info
hdhgwwqgflwiqwtp.info
pjjppdwhrrpjjccq.info
hfmeqigghicwrwar.info
hfgwlfpizfwottcr.info
wgeffroawwfhthir.info
effjhejwrjghrcat.info
rwgwziiwgrwciwct.info
lidgegrragewhdqt.info
wwirfwqfiwizzgtt.info
hhcdlfccqftweeew.info
mrtwimcraiprwogw.info
ijdewiritmhcqhcz.info
gogopro.pro
safeperl.net
gogoperl.net

What’s particularly interesting about these domains is that a separate sample phones back to two of them, namely safeperl.net and gogoperl.net (MD5: 8545473E7F34B5D5A611D757D9444E3D, detected by 2 out of 42 antivirus scanners as Trojan-Ransom.Win32.Birele.aegw).

This campaign is just the tip of the iceberg, and so are Paunch’s multi-tasking projects within the underground ecosystem. What’s certain is that, like the majority of cybercriminals, he has multiple sources of revenue through ‘vertical market integration’ development projects.

You can find more about Dancho Danchev at his LinkedIn Profile. You can also follow him on Twitter.


About the Author

Blog Staff

The Webroot blog offers expert insights and analysis into the latest cybersecurity trends. Whether you’re a home or business user, we’re dedicated to giving you the awareness and knowledge needed to stay ahead of today’s cyber threats.
