A cybercriminal/gang of cybercriminals that we’ve been closely monitoring for a while now has just launched yet another spam campaign, this time impersonating the “Data Processing Service” company, in an attempt to trick its customers into interacting with the malicious emails. Once they do so, they are automatically exposed to the client-side exploits served by the Black Hole Exploit Kit.

In this post, I’ll profile their latest campaign and the dropped malware. I will also establish a direct connection between this and three other previously profiled malicious campaigns, as well as an ongoing money mule campaign, all of which appear to have been launched by the same cybercriminal/gang of cybercriminals.

More details:

Sample screenshot of the spamvertised email:

Fake_Email_Spam_Exploits_Malware_Black_Hole_Exploit_Kit_Data_Processing_Service_ACH

Sample compromised URLs used in the campaign:
hxxp://www.gravitomagnetics.com/includes/prcsucsf.html
hxxp://www.granitex-chojnow.com/includes/prcsucsf.html
hxxp://www.gozdeemlakofis.com/includes/prcsucsf.html
hxxp://www.gracehospiceaz.com/includes/prcsucsf.html
hxxp://www.greekwebstar.com/includes/prcsucsf.html
hxxp://www.godaintnojoke.com/includes/prcsucsf.html
hxxp://www.gloson.com/includes/prcsucsf.html
hxxp://www.gonzamatis.com/includes/prcsucsf.html
hxxp://www.greateasternsteamship.com/includes/prcsucsf.html
hxxp://www.greencastleflorist.com/includes/prcsucsf.html

Sample client-side exploits serving URL:
hxxp://dekolink.net/detects/when-weird-contrast.php

Sample malicious payload dropping URL:
hxxp://dekolink.net/detects/when-weird-contrast.php?xlefrmal=1f:33:1h:1n:2v&sak=2w:32:1g:1n:33:1m:1o:30:1n:2v&dxebz=1i&wcmmaqap=fqbmcta&dwhhjmjf=xxinnuik

Upon successful client-side exploitation, the campaign drops MD5: faa3a6c7bbf5b0449f60409c8bf63859 – detected by 16 out of 46 antivirus scanners as Trojan-Spy.Win32.Zbot.jfpy.

Once executed, the sample creates the following process on the affected hosts:
%AppData%Vyeffefuod.exe

The following Mutexes:
Global{5B039399-8854-D5EB-89D3-085A9A492B48}
Global{CE6286DB-9D16-408A-89D3-085A9A492B48}
Global{A4C81E13-05DE-2A20-BB82-B06DA818937F}
Local{E41AB6D2-AD1F-6AF2-89D3-085A9A492B48}
Global{A4C81E13-05DE-2A20-238C-B06D3016937F}
Global{A4C81E13-05DE-2A20-F38E-B06DE014937F}
Global{A4C81E13-05DE-2A20-578F-B06D4415937F}
Global{A4C81E13-05DE-2A20-AF8F-B06DBC15937F}
Global{A4C81E13-05DE-2A20-9B8F-B06D8815937F}
Global{A4C81E13-05DE-2A20-EF8F-B06DFC15937F}
Global{A4C81E13-05DE-2A20-5388-B06D4012937F}
Global{A4C81E13-05DE-2A20-EF88-B06DFC12937F}
Global{A4C81E13-05DE-2A20-6789-B06D7413937F}
Global{A4C81E13-05DE-2A20-4B89-B06D5813937F}
Global{A4C81E13-05DE-2A20-9789-B06D8413937F}
Global{A4C81E13-05DE-2A20-6B8B-B06D7811937F}
Global{A4C81E13-05DE-2A20-438B-B06D5011937F}
Global{A4C81E13-05DE-2A20-AF8B-B06DBC11937F}
Global{A4C81E13-05DE-2A20-D78C-B06DC416937F}
Global{A4C81E13-05DE-2A20-578E-B06D4414937F}
Global{A4C81E13-05DE-2A20-9F8E-B06D8C14937F}
Global{A4C81E13-05DE-2A20-D78E-B06DC414937F}
Global{A4C81E13-05DE-2A20-3F8F-B06D2C15937F}
Global{A4C81E13-05DE-2A20-0B8F-B06D1815937F}

Creates the following Registry Keys:
HKEY_CURRENT_USERSoftwareMicrosoftVexiha

And sets the following Values:
[HKEY_CURRENT_USERIdentities] -> Identity Login = 0x00098053
[HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun] -> {3DFA1AE4-115C-AD7B-A6BA-A75086AF8442} = “”%AppData%Vyeffefuod.exe””
[HKEY_CURRENT_USERSoftwareMicrosoftVexiha] -> 3599i3fd = B2 B9 9F 4C 37 04; 31e81747 = 0x4CADB9B2; 14j3bcgj = “hOetTLFUg8u5P1IH”

It then attempts to connect to the following IPs:
24.120.165.58
66.117.77.134
64.219.121.189
66.117.77.134
75.47.231.138
108.211.64.46
91.99.146.167
108.211.64.46
71.43.217.3
81.136.230.235
101.162.73.132
99.76.3.38
85.29.177.249
24.126.54.116
108.130.34.42
99.116.134.54
80.252.59.142

Malicious domain name reconnaissance:
dekolink.net – 50.7.251.59; 176.120.38.238 – Email: wondermitch@hotmail.com
Name Server: NS1.THEREGISTARS.COM – 31.170.106.17 – Email: lockwr@rocketmail.com
Name Server: NS2.THEREGISTARS.COM – 67.15.223.219 – Email: lockwr@rocketmail.com

We’ve already seen the same email (wondermitch@hotmail.com) in the following malicious campaign – “‘Your Kindle e-book Amazon receipt’ themed emails lead to Black Hole Exploit Kit“, as well as in a recent money mule recruitment campaign.

The same name servers were also used in yet another recently profiled campaign – “Fake ‘Verizon Wireless Statement” themed emails lead to Black Hole Exploit Kit“, and we’ve also seen the (lockwr@rocketmail.com) email used in the “Fake ‘You’ve blocked/disabled your Facebook account’ themed emails serve client-side exploits and malware” campaign.

These name servers are also used by the following malicious domains:
participamoz.com – Email: dort.dort@live.com
pesarbadeh.net – Email: onetoo@gmx.com
theatreli.net
azsocseclawyer.net

Responding to 50.7.251.59 are also the following malicious domains:
betheroot.net
open-uav.org

Webroot SecureAnywhere users are proactively protected from this threat.

You can find more about Dancho Danchev at his LinkedIn Profile. You can also follow him on  Twitter.

Blog Staff

About the Author

Blog Staff

The Webroot blog offers expert insights and analysis into the latest cybersecurity trends. Whether you’re a home or business user, we’re dedicated to giving you the awareness and knowledge needed to stay ahead of today’s cyber threats.

Share This