
Cybercriminals have recently launched yet another massive spam campaign attempting to trick e-banking users into thinking that their ability to process ACH transactions has been temporarily disabled. Upon clicking on the link found in the malicious email, users are exposed to the client-side exploits served by the Black Hole Exploit Kit.

More details

Sample screenshot of the spamvertised email:


Sample spamvertised compromised URLs:

Sample client-side exploits serving URLs:

Malicious domains reconnaissance: (AS8560); (AS24514); (AS40676)

Name servers: (AS24514)

Name servers:

Sample detection rate for the redirection script: MD5: 35e6ddb6ce4229d36c43d9d3ccd182f3 – detected by 21 out of 44 antivirus scanners as Trojan-Downloader.JS.Iframe.dby.

Although we couldn’t reproduce the malicious exploitation taking place through and, we found that, at the time of the attack, similar client-side exploit serving URLs were also responding to the same IPs, which led us to the actual malicious payload found on two of these domains.

Responding to same IPs at the time of the attack were also the following malicious domains:

Upon successful client-side exploitation, both domains serve MD5: 3a1d644172308dc358121bd2984a57a4 – detected by 30 out of 46 antivirus scanners as Trojan:Win32/Tobfy.I.

Upon execution, it creates the following process in the system:

It also creates the following Registry Keys:
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CFBDC89D4
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\S25BC2D7B

Next it also creates the following mutexes on the system:

It then phones back to (AS40676). The IP responds to – Email:

Another MD5 is known to have phoned back to the same IP: MD5: 3bf5c62fe6e18bc93073ecf79e079020 – detected by 15 out of 45 antivirus scanners as Trojan-Ransom.Win32.PornoAsset.biiy.
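As an added example (not code from the post or from Webroot), the following Python sweeps constructed Sysmon-style events for the indicators quoted above: the three MD5 hashes and the two registry keys the Tobfy sample creates. The event field names and the HKU\<SID> to HKCU normalization are assumptions about the log format, and the sample events are constructed.

```python
import re
from hashlib import md5

# MD5 hashes quoted in the post: the redirection script, the Tobfy payload
# and the second sample seen phoning home to the same IP.
KNOWN_MD5 = {
    "35e6ddb6ce4229d36c43d9d3ccd182f3": "Trojan-Downloader.JS.Iframe.dby",
    "3a1d644172308dc358121bd2984a57a4": "Trojan:Win32/Tobfy.I",
    "3bf5c62fe6e18bc93073ecf79e079020": "Trojan-Ransom.Win32.PornoAsset.biiy",
}
# Registry keys the post reports the Tobfy sample creating (lower-cased, HKCU form).
KNOWN_REG_KEYS = {
    r"hkcu\software\microsoft\windows nt\cfbdc89d4",
    r"hkcu\software\microsoft\windows nt\s25bc2d7b",
}

# Assumption: Sysmon records HKCU keys as HKU\<user SID>\...; fold that to HKCU
# so the keys above match regardless of which user profile was hit.
_HKU_SID = re.compile(r"^hku\\s-1-5-21-[\d-]+\\", re.I)


def normalize_key(path: str) -> str:
    """Lower-case a registry path and rewrite HKU\\<SID>\\ or HKEY_CURRENT_USER\\ to hkcu\\."""
    path = path.strip().lower().replace("/", "\\")
    path = _HKU_SID.sub(r"hkcu\\", path)
    return path.replace("hkey_current_user\\", "hkcu\\")


def match_events(events):
    """Return (event_index, indicator_name) for each event hitting a page indicator.

    Each event is a dict carrying an 'md5' (file hash) and/or a 'reg_key'
    (registry key created or written); field names are an assumption.
    """
    hits = []
    for i, ev in enumerate(events):
        h = ev.get("md5", "").lower()
        if h in KNOWN_MD5:
            hits.append((i, KNOWN_MD5[h]))
        key = ev.get("reg_key")
        if key and normalize_key(key) in KNOWN_REG_KEYS:
            hits.append((i, "Tobfy registry key"))
    return hits


# Constructed sample events, not data from the post.
SAMPLE_EVENTS = [
    {"md5": "3A1D644172308DC358121BD2984A57A4", "image": r"C:\Users\x\AppData\Local\Temp\a.exe"},
    {"reg_key": r"HKU\S-1-5-21-1111111111-222222222-333333333-1001\Software\Microsoft\Windows NT\CFBDC89D4"},
    {"reg_key": r"HKCU\Software\Microsoft\Windows NT\CurrentVersion"},  # legitimate key, must not match
    {"md5": md5(b"benign file contents").hexdigest()},
]

if __name__ == "__main__":
    for idx, name in match_events(SAMPLE_EVENTS):
        print(f"event {idx}: {name}")
```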

We’ve already seen the same static command and control server characteristics used in the following previously profiled campaigns:


Responding to the IPs of the client-side exploits serving domains – (AS8560); (AS24514); (AS40676) – are also the following malicious/fraudulent domains:


A huge percentage of these domains have been previously profiled in a series of malicious campaigns, indicating that these campaigns continue getting launched by the same cybercriminal/gang of cybercriminals.

Name servers part of the campaign’s infrastructure:

Webroot SecureAnywhere users are proactively protected from these threats.

You can find more about Dancho Danchev at his LinkedIn Profile. You can also follow him on Twitter.
