Bogus ‘Your Paypal Transaction Confirmation’ themed emails lead to Black Hole Exploit Kit


By Dancho Danchev

Financial institutions and online payment processors are a common target for cybercriminals, who systematically brand-jack and abuse the reputation of their trusted brands, in an attempt to scam or serve malware to their customers.

Over the past 24 hours, cybercriminals have launched yet another spam campaign impersonating PayPal, in an attempt to trick its users into thinking that they’ve received a “Transaction Confirmation” for a purchase they never made. Once users click on any of the links found in the malicious emails, they’re exposed to the client-side exploits served by the Black Hole Exploit Kit.

More details:

Sample screenshot of the spamvertised email:

[Screenshot: fake PayPal “Transaction Confirmation” email]

Sample spamvertised URLs:
hxxp://echo05.ru/wp-content/themes/toolbox/pp-purchase-details.html
hxxp://bloggerzone.ru/wp-content/themes/toolbox/pp-purchase-details.html
hxxp://coviemcali.com/wp-content/themes/toolbox/pp-purchase-details.html

Sample client-side exploits serving URL:
hxxp://duriginal.net/detects/seen-taste.php

Sample malicious payload dropping URL:
hxxp://duriginal.net/detects/seen-taste.php?of=1n:30:1j:2w:1i&we=1h:30:1n:1f:1f:2v:1g:1m:2w:1h&r=1f&ke=q&do=s

Malicious domain name reconnaissance:
duriginal.net – 222.238.109.66 – Email: blackchromedesign2@ymail.com
Name server: NS1.HTTP-PAGE.NET – 31.170.106.17 – Email: ezvalue@yahoo.com
Name server: NS2.HTTP-PAGE.NET – 7.129.51.158 – Email: ezvalue@yahoo.com
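To turn the indicators above into something a defender can run against web proxy logs, here is an added example (not part of the original post): it refangs the defanged URLs, matches on the landing-page path shared by all three compromised WordPress sites and on the exploit-serving host, and labels each hit by campaign stage. The log format and the sample log lines are constructed for the example.

```python
import re
from urllib.parse import urlparse
# Network indicators taken from the post above, defanged exactly as written there.
SPAMVERTISED_URLS = [
    "hxxp://echo05.ru/wp-content/themes/toolbox/pp-purchase-details.html",
    "hxxp://bloggerzone.ru/wp-content/themes/toolbox/pp-purchase-details.html",
    "hxxp://coviemcali.com/wp-content/themes/toolbox/pp-purchase-details.html",
]
EXPLOIT_HOSTS = {"duriginal.net", "222.238.109.66"}

def refang(url):
    """Turn a defanged 'hxxp://' indicator back into a real scheme for comparison."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.IGNORECASE)

# All three compromised sites serve the same path, so match on the path, not the hostnames.
LANDING_PATHS = {urlparse(refang(u)).path for u in SPAMVERTISED_URLS}

# Constructed sample proxy log (hypothetical format): timestamp client method url status
SAMPLE_LOG = """\
2012-09-20T10:01:02Z 10.0.0.15 GET http://www.example.com/index.html 200
2012-09-20T10:01:09Z 10.0.0.15 GET http://echo05.ru/wp-content/themes/toolbox/pp-purchase-details.html 200
2012-09-20T10:01:11Z 10.0.0.15 GET http://duriginal.net/detects/seen-taste.php 200
2012-09-20T10:01:14Z 10.0.0.15 GET http://duriginal.net/detects/seen-taste.php?of=1n:30&r=1f&ke=q&do=s 200
2012-09-20T10:02:30Z 10.0.0.22 GET http://example.org/wp-content/themes/toolbox/pp-purchase-details.html 404
"""

def classify(url):
    """Return the campaign stage a URL matches, or None if it matches nothing."""
    parsed = urlparse(url)
    if (parsed.hostname or "") in EXPLOIT_HOSTS:
        # The same script serves the exploits; the extra query string marks the payload drop.
        return "payload_drop" if parsed.query else "exploit_kit_landing"
    if parsed.path in LANDING_PATHS:
        # Same redirect page path on a host the post did not list: likely newly compromised.
        return "spamvertised_redirect"
    return None

def scan_log(text):
    """Return (client_ip, stage, url) for every log line that hits an indicator."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # malformed line: skip rather than crash the sweep
        _ts, client, _method, url, _status = fields
        stage = classify(url)
        if stage:
            hits.append((client, stage, url))
    return hits
```

Matching on the shared path rather than the listed hostnames is what catches the fourth hit, a compromised site the post never saw.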

The campaign shares the same infrastructure as the following previously profiled malicious campaigns:

indicating that all three campaigns were launched by the same malicious party.

Upon successful client-side exploitation, the campaign drops MD5: 423daf9994d552ca43f8958634ede6ee – detected by 23 out of 46 antivirus scanners as Trojan-Spy.Win32.Zbot.ilmw.

Once executed, the sample creates the following processes on the affected hosts:
C:\Documents and Settings\<USER>\Application Data\Cesa\zuyv.exe
"C:\WINDOWS\system32\cmd.exe" /c "C:\DOCUME~1\<USER>~1\LOCALS~1\Temp\tmp14241653.bat"

It also creates the following mutex:
Global\{CB561546-E774-D5EA-8F92-61FCBA8C42EE}

Webroot SecureAnywhere users are proactively protected from this threat.

You can find more about Dancho Danchev at his LinkedIn Profile. You can also follow him on Twitter.
