Malicious ‘Data Processing Service’ ACH File ID themed emails serve client-side exploits and malware

by

Share this news now.

A cybercriminal/gang of cybercriminals that we’ve been closely monitoring for a while now has just launched yet another spam campaign, this time impersonating the “Data Processing Service” company, in an attempt to trick its customers into interacting with the malicious emails. Once they do so, they are automatically exposed to the client-side exploits served by the Black Hole Exploit Kit.

In this post, I’ll profile their latest campaign and the dropped malware. I will also establish a direct connection between this and three other previously profiled malicious campaigns, as well as an ongoing money mule campaign, all of which appear to have been launched by the same cybercriminal/gang of cybercriminals.

More details:

Sample screenshot of the spamvertised email:

Fake_Email_Spam_Exploits_Malware_Black_Hole_Exploit_Kit_Data_Processing_Service_ACH

Sample compromised URLs used in the campaign:
hxxp://www.gravitomagnetics.com/includes/prcsucsf.html
hxxp://www.granitex-chojnow.com/includes/prcsucsf.html
hxxp://www.gozdeemlakofis.com/includes/prcsucsf.html
hxxp://www.gracehospiceaz.com/includes/prcsucsf.html
hxxp://www.greekwebstar.com/includes/prcsucsf.html
hxxp://www.godaintnojoke.com/includes/prcsucsf.html
hxxp://www.gloson.com/includes/prcsucsf.html
hxxp://www.gonzamatis.com/includes/prcsucsf.html
hxxp://www.greateasternsteamship.com/includes/prcsucsf.html
hxxp://www.greencastleflorist.com/includes/prcsucsf.html

Sample client-side exploits serving URL:
hxxp://dekolink.net/detects/when-weird-contrast.php

Sample malicious payload dropping URL:
hxxp://dekolink.net/detects/when-weird-contrast.php?xlefrmal=1f:33:1h:1n:2v&sak=2w:32:1g:1n:33:1m:1o:30:1n:2v&dxebz=1i&wcmmaqap=fqbmcta&dwhhjmjf=xxinnuik

Upon successful client-side exploitation, the campaign drops MD5: faa3a6c7bbf5b0449f60409c8bf63859 – detected by 16 out of 46 antivirus scanners as Trojan-Spy.Win32.Zbot.jfpy.

Once executed, the sample creates the following process on the affected hosts:
%AppData%Vyeffefuod.exe

The following Mutexes:
Global{5B039399-8854-D5EB-89D3-085A9A492B48}
Global{CE6286DB-9D16-408A-89D3-085A9A492B48}
Global{A4C81E13-05DE-2A20-BB82-B06DA818937F}
Local{E41AB6D2-AD1F-6AF2-89D3-085A9A492B48}
Global{A4C81E13-05DE-2A20-238C-B06D3016937F}
Global{A4C81E13-05DE-2A20-F38E-B06DE014937F}
Global{A4C81E13-05DE-2A20-578F-B06D4415937F}
Global{A4C81E13-05DE-2A20-AF8F-B06DBC15937F}
Global{A4C81E13-05DE-2A20-9B8F-B06D8815937F}
Global{A4C81E13-05DE-2A20-EF8F-B06DFC15937F}
Global{A4C81E13-05DE-2A20-5388-B06D4012937F}
Global{A4C81E13-05DE-2A20-EF88-B06DFC12937F}
Global{A4C81E13-05DE-2A20-6789-B06D7413937F}
Global{A4C81E13-05DE-2A20-4B89-B06D5813937F}
Global{A4C81E13-05DE-2A20-9789-B06D8413937F}
Global{A4C81E13-05DE-2A20-6B8B-B06D7811937F}
Global{A4C81E13-05DE-2A20-438B-B06D5011937F}
Global{A4C81E13-05DE-2A20-AF8B-B06DBC11937F}
Global{A4C81E13-05DE-2A20-D78C-B06DC416937F}
Global{A4C81E13-05DE-2A20-578E-B06D4414937F}
Global{A4C81E13-05DE-2A20-9F8E-B06D8C14937F}
Global{A4C81E13-05DE-2A20-D78E-B06DC414937F}
Global{A4C81E13-05DE-2A20-3F8F-B06D2C15937F}
Global{A4C81E13-05DE-2A20-0B8F-B06D1815937F}

Creates the following Registry Keys:
HKEY_CURRENT_USERSoftwareMicrosoftVexiha

And sets the following Values:
[HKEY_CURRENT_USERIdentities] -> Identity Login = 0×00098053
[HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun] -> {3DFA1AE4-115C-AD7B-A6BA-A75086AF8442} = “”%AppData%Vyeffefuod.exe”"
[HKEY_CURRENT_USERSoftwareMicrosoftVexiha] -> 3599i3fd = B2 B9 9F 4C 37 04; 31e81747 = 0x4CADB9B2; 14j3bcgj = “hOetTLFUg8u5P1IH”

It then attempts to connect to the following IPs:
24.120.165.58
66.117.77.134
64.219.121.189
66.117.77.134
75.47.231.138
108.211.64.46
91.99.146.167
108.211.64.46
71.43.217.3
81.136.230.235
101.162.73.132
99.76.3.38
85.29.177.249
24.126.54.116
108.130.34.42
99.116.134.54
80.252.59.142

Malicious domain name reconnaissance:
dekolink.net – 50.7.251.59; 176.120.38.238 – Email: wondermitch@hotmail.com
Name Server: NS1.THEREGISTARS.COM – 31.170.106.17 – Email: lockwr@rocketmail.com
Name Server: NS2.THEREGISTARS.COM – 67.15.223.219 – Email: lockwr@rocketmail.com

We’ve already seen the same email (wondermitch@hotmail.com) in the following malicious campaign – “‘Your Kindle e-book Amazon receipt’ themed emails lead to Black Hole Exploit Kit“, as well as in a recent money mule recruitment campaign.

The same name servers were also used in yet another recently profiled campaign – “Fake ‘Verizon Wireless Statement” themed emails lead to Black Hole Exploit Kit“, and we’ve also seen the (lockwr@rocketmail.com) email used in the ”Fake ‘You’ve blocked/disabled your Facebook account’ themed emails serve client-side exploits and malware” campaign.

These name servers are also used by the following malicious domains:
participamoz.com – Email: dort.dort@live.com
pesarbadeh.net – Email: onetoo@gmx.com
theatreli.net
azsocseclawyer.net

Responding to 50.7.251.59 are also the following malicious domains:
betheroot.net
open-uav.org

Webroot SecureAnywhere users are proactively protected from this threat.

You can find more about Dancho Danchev at his LinkedIn Profile. You can also follow him on  Twitter.


Share this news now.
Malicious 'Data Processing Service' ACH File ID themed emails serve client-side exploits and malware by

Trackbacks

  1. [...] Not surprisingly, we’ve already seen the onetoo@gmx.com email in the following previously profiled malicious campaign – “Malicious ‘Data Processing Service’ ACH File ID themed emails serve client-side exploits and mal…“. [...]

  2. [...] NS1.BLACKRAGNAROK.NET – 209.140.18.37 – Email: onetoo@gmx.com – email has already been profiled Name Server: NS2.BLACKRAGNAROK.NET – 6.20.13.25 Name Server: NS1.LINGUAAPE.NET – [...]

  3. [...] of days ago our sensors picked up two separate malicious email campaigns, both impersonating Data Processing Services, that upon successful client-side exploitation (courtesy of the Black Hole Exploit Kit), drops an [...]