Malicious ‘Data Processing Service’ ACH File ID themed emails serve client-side exploits and malware


By Dancho Danchev

A cybercriminal, or gang of cybercriminals, that we’ve been closely monitoring for a while has just launched yet another spam campaign, this time impersonating the “Data Processing Service” company in an attempt to trick the company’s customers into interacting with the malicious emails. Anyone who clicks through lands on a page serving client-side exploits from the Black Hole Exploit Kit.

In this post, I’ll profile their latest campaign and the dropped malware. I will also establish a direct connection between this and three other previously profiled malicious campaigns, as well as an ongoing money mule campaign, all of which appear to have been launched by the same cybercriminal/gang of cybercriminals.

More details:

Sample screenshot of the spamvertised email:

[Image: screenshot of the spamvertised ‘Data Processing Service’ ACH File ID email]

Sample compromised URLs used in the campaign:
hxxp://www.gravitomagnetics.com/includes/prcsucsf.html
hxxp://www.granitex-chojnow.com/includes/prcsucsf.html
hxxp://www.gozdeemlakofis.com/includes/prcsucsf.html
hxxp://www.gracehospiceaz.com/includes/prcsucsf.html
hxxp://www.greekwebstar.com/includes/prcsucsf.html
hxxp://www.godaintnojoke.com/includes/prcsucsf.html
hxxp://www.gloson.com/includes/prcsucsf.html
hxxp://www.gonzamatis.com/includes/prcsucsf.html
hxxp://www.greateasternsteamship.com/includes/prcsucsf.html
hxxp://www.greencastleflorist.com/includes/prcsucsf.html

Sample client-side exploits serving URL:
hxxp://dekolink.net/detects/when-weird-contrast.php

Sample malicious payload dropping URL:
hxxp://dekolink.net/detects/when-weird-contrast.php?xlefrmal=1f:33:1h:1n:2v&sak=2w:32:1g:1n:33:1m:1o:30:1n:2v&dxebz=1i&wcmmaqap=fqbmcta&dwhhjmjf=xxinnuik
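Two things in the indicators above are stable enough to detect on: every compromised site serves the same landing path, /includes/prcsucsf.html, and the Black Hole payload request carries query values made of colon-separated two-character tokens (1f:33:1h:1n:2v and the like). The following is an added example, not code from the original post: it applies those two observations to proxy log lines, labels each request as the compromised landing page, the exploit-kit hop (recognised by its referer, since the kit URL itself has no fixed pattern) or the payload fetch, and lists the clients that completed the whole chain. The log lines are constructed for the example, the client addresses are invented, and the "client url referer" log format is an assumption.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed proxy log lines for this example (not from the original post), one request
# per line: "client url referer", with "-" for an empty referer. Hosts and paths reuse the
# indicators published in the post; the client addresses are invented.
SAMPLE_PROXY_LOG = """\
10.0.0.12 http://www.gloson.com/includes/prcsucsf.html -
10.0.0.12 http://dekolink.net/detects/when-weird-contrast.php http://www.gloson.com/includes/prcsucsf.html
10.0.0.12 http://dekolink.net/detects/when-weird-contrast.php?xlefrmal=1f:33:1h:1n:2v&sak=2w:32:1g:1n:33:1m:1o:30:1n:2v&dxebz=1i&wcmmaqap=fqbmcta&dwhhjmjf=xxinnuik http://dekolink.net/detects/when-weird-contrast.php
10.0.0.33 http://www.example.org/includes/style.css http://www.example.org/
10.0.0.44 http://www.example.org/search.php?q=a:b -
"""

# The path that every compromised site in the campaign serves.
LANDING_PATH = "/includes/prcsucsf.html"

# Black Hole payload requests carry query values built from colon-separated two-character
# tokens (e.g. 1f:33:1h:1n:2v). Three or more tokens in one value is the signal used here;
# single-character "a:b" style values are deliberately not matched.
COLON_TOKENS = re.compile(r"^(?:[0-9a-z]{2}:){2,}[0-9a-z]{2}$")


def classify_url(url):
    """Label one URL: 'landing' (compromised site), 'ek_payload' (exploit-kit payload
    fetch) or None when neither pattern matches."""
    parts = urlsplit(url)
    if parts.path == LANDING_PATH:
        return "landing"
    for _name, value in parse_qsl(parts.query, keep_blank_values=True):
        if COLON_TOKENS.match(value):
            return "ek_payload"
    return None


def scan_proxy_log(text):
    """Return [(client, label, url)] for requests matching the campaign.

    The exploit-kit landing URL itself has no stable pattern, so the hop from a
    compromised site to the kit is recognised by its referer instead."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        client, url, referer = line.split(maxsplit=2)
        label = classify_url(url)
        if label is None and referer != "-" and classify_url(referer) == "landing":
            label = "ek_landing_by_referer"
        if label is not None:
            findings.append((client, label, url))
    return findings


def clients_with_full_chain(findings):
    """Clients seen hitting a compromised site and then fetching an exploit-kit payload:
    the hosts to treat as probably infected rather than merely exposed."""
    labels_by_client = {}
    for client, label, _url in findings:
        labels_by_client.setdefault(client, set()).add(label)
    return sorted(client for client, labels in labels_by_client.items()
                  if {"landing", "ek_payload"} <= labels)


if __name__ == "__main__":
    hits = scan_proxy_log(SAMPLE_PROXY_LOG)
    for client, label, url in hits:
        print(f"{client}\t{label}\t{url}")
    print("full chain:", clients_with_full_chain(hits))
```

A client that only reached the landing page saw the redirect but may have been served nothing (wrong browser, plugin not present); the payload fetch is the request worth an incident ticket.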

Upon successful client-side exploitation, the campaign drops MD5: faa3a6c7bbf5b0449f60409c8bf63859 – detected by 16 out of 46 antivirus scanners as Trojan-Spy.Win32.Zbot.jfpy.

Once executed, the sample creates the following process on the affected hosts:
%AppData%\Vyef\fefuod.exe

The following Mutexes:
Global\{5B039399-8854-D5EB-89D3-085A9A492B48}
Global\{CE6286DB-9D16-408A-89D3-085A9A492B48}
Global\{A4C81E13-05DE-2A20-BB82-B06DA818937F}
Local\{E41AB6D2-AD1F-6AF2-89D3-085A9A492B48}
Global\{A4C81E13-05DE-2A20-238C-B06D3016937F}
Global\{A4C81E13-05DE-2A20-F38E-B06DE014937F}
Global\{A4C81E13-05DE-2A20-578F-B06D4415937F}
Global\{A4C81E13-05DE-2A20-AF8F-B06DBC15937F}
Global\{A4C81E13-05DE-2A20-9B8F-B06D8815937F}
Global\{A4C81E13-05DE-2A20-EF8F-B06DFC15937F}
Global\{A4C81E13-05DE-2A20-5388-B06D4012937F}
Global\{A4C81E13-05DE-2A20-EF88-B06DFC12937F}
Global\{A4C81E13-05DE-2A20-6789-B06D7413937F}
Global\{A4C81E13-05DE-2A20-4B89-B06D5813937F}
Global\{A4C81E13-05DE-2A20-9789-B06D8413937F}
Global\{A4C81E13-05DE-2A20-6B8B-B06D7811937F}
Global\{A4C81E13-05DE-2A20-438B-B06D5011937F}
Global\{A4C81E13-05DE-2A20-AF8B-B06DBC11937F}
Global\{A4C81E13-05DE-2A20-D78C-B06DC416937F}
Global\{A4C81E13-05DE-2A20-578E-B06D4414937F}
Global\{A4C81E13-05DE-2A20-9F8E-B06D8C14937F}
Global\{A4C81E13-05DE-2A20-D78E-B06DC414937F}
Global\{A4C81E13-05DE-2A20-3F8F-B06D2C15937F}
Global\{A4C81E13-05DE-2A20-0B8F-B06D1815937F}

Creates the following Registry Keys:
HKEY_CURRENT_USER\Software\Microsoft\Vexiha

And sets the following Values:
[HKEY_CURRENT_USER\Identities] -> Identity Login = 0x00098053
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] -> {3DFA1AE4-115C-AD7B-A6BA-A75086AF8442} = "%AppData%\Vyef\fefuod.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Vexiha] -> 3599i3fd = B2 B9 9F 4C 37 04; 31e81747 = 0x4CADB9B2; 14j3bcgj = “hOetTLFUg8u5P1IH”
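The persistence entry above follows the usual Zbot pattern: a GUID-shaped value name under the user's Run key whose data points at a randomly named executable in a randomly named folder under %AppData%. As an added example (not code from the post), the script below parses a .reg-style export and flags Run/RunOnce entries showing that pattern. The export text is constructed for the example: the Run value and the Vexiha key reproduce the entries reported above, and the OneDrive and SecurityHealth values are benign controls the check must leave alone.

```python
import re

# Constructed .reg-style export for this example, not taken from a real host. The Run
# value and the Vexiha key reproduce the entries reported in the post; the OneDrive and
# SecurityHealth values are benign controls.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"{3DFA1AE4-115C-AD7B-A6BA-A75086AF8442}"="\"C:\\Users\\victim\\AppData\\Roaming\\Vyef\\fefuod.exe\""
"OneDrive"="\"C:\\Users\\victim\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Vexiha]
"3599i3fd"=hex:b2,b9,9f,4c,37,04
"31e81747"=dword:4cadb9b2
"14j3bcgj"="hOetTLFUg8u5P1IH"
'''

# Zbot names its Run value after a GUID and drops its copy into %AppData%\<random>\<random>.exe
# (%AppData% resolves to ...\AppData\Roaming on Vista and later).
GUID_NAME = re.compile(r"^\{[0-9A-F]{8}-(?:[0-9A-F]{4}-){3}[0-9A-F]{12}\}$", re.I)
APPDATA_EXE = re.compile(r"\\AppData\\Roaming\\[^\\]+\\[^\\]+\.exe", re.I)
STRING_VALUE = re.compile(r'^"([^"]+)"="(.*)"$')
AUTORUN_SUFFIXES = ("\\currentversion\\run", "\\currentversion\\runonce")


def parse_reg_export(text):
    """Yield (key, value_name, data) for every string value in a .reg export.
    hex: and dword: values are skipped; backslash escapes inside strings are undone."""
    key = None
    for line in text.splitlines():
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        match = STRING_VALUE.match(line)
        if key is not None and match:
            yield key, match.group(1), re.sub(r"\\(.)", r"\1", match.group(2))


def suspicious_autoruns(text):
    """Return [(key, value_name, data, reasons)] for Run/RunOnce entries that show the
    Zbot persistence pattern. Either indicator alone is reported, so a variant with a
    non-GUID value name still surfaces; both together is the strong case."""
    findings = []
    for key, name, data in parse_reg_export(text):
        if not key.lower().endswith(AUTORUN_SUFFIXES):
            continue
        reasons = []
        if GUID_NAME.match(name):
            reasons.append("GUID-shaped value name")
        if APPDATA_EXE.search(data):
            reasons.append("executable in a subfolder of %AppData%")
        if reasons:
            findings.append((key, name, data, reasons))
    return findings


if __name__ == "__main__":
    for key, name, data, reasons in suspicious_autoruns(SAMPLE_REG_EXPORT):
        print(f"{key}\n  {name} = {data}\n  {'; '.join(reasons)}")
```

On a live host the same check runs against `reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Run run.reg`; the one flagged entry then names the dropped file to hash and the folder to collect.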

It then attempts to connect to the following IPs:
24.120.165.58
66.117.77.134
64.219.121.189
75.47.231.138
108.211.64.46
91.99.146.167
71.43.217.3
81.136.230.235
101.162.73.132
99.76.3.38
85.29.177.249
24.126.54.116
108.130.34.42
99.116.134.54
80.252.59.142

Malicious domain name reconnaissance:
dekolink.net – 50.7.251.59; 176.120.38.238 – Email: wondermitch@hotmail.com
Name Server: NS1.THEREGISTARS.COM – 31.170.106.17 – Email: lockwr@rocketmail.com
Name Server: NS2.THEREGISTARS.COM – 67.15.223.219 – Email: lockwr@rocketmail.com

We’ve already seen the same email (wondermitch@hotmail.com) in the following malicious campaign – “‘Your Kindle e-book Amazon receipt’ themed emails lead to Black Hole Exploit Kit”, as well as in a recent money mule recruitment campaign.

The same name servers were also used in yet another recently profiled campaign – “Fake ‘Verizon Wireless Statement’ themed emails lead to Black Hole Exploit Kit”, and we’ve also seen the lockwr@rocketmail.com email used in the “Fake ‘You’ve blocked/disabled your Facebook account’ themed emails serve client-side exploits and malware” campaign.

These name servers are also used by the following malicious domains:
participamoz.com – Email: dort.dort@live.com
pesarbadeh.net – Email: onetoo@gmx.com
theatreli.net
azsocseclawyer.net

Responding to 50.7.251.59 are also the following malicious domains:
betheroot.net
open-uav.org
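The pivoting done above, from a registrant email to earlier campaigns and from shared name servers and a shared IP to further malicious domains, is a walk over a graph whose edges are shared infrastructure attributes. The added example below (not from the post) implements that walk generically: it takes the records listed above plus one constructed control domain, builds an inverted index from attribute to domains, and walks outward from dekolink.net recording which attribute reached each domain. Attributes shared by more than a threshold number of domains are skipped, because a registrar's default name servers or a large shared-hosting IP say nothing about a common operator; the threshold value is an illustrative assumption, as is the control domain.

```python
from collections import deque

# Infrastructure records as listed in the post (dekolink.net plus the domains sharing its
# name servers or its IP), with one constructed unrelated domain as a control. No other
# data is assumed; where the post gives no email or IP for a domain, none is recorded.
THEREGISTARS_NS = {"ns1.theregistars.com", "ns2.theregistars.com"}
RECORDS = {
    "dekolink.net": {"ip": {"50.7.251.59", "176.120.38.238"},
                     "email": {"wondermitch@hotmail.com"},
                     "ns": THEREGISTARS_NS},
    "participamoz.com": {"email": {"dort.dort@live.com"}, "ns": THEREGISTARS_NS},
    "pesarbadeh.net": {"email": {"onetoo@gmx.com"}, "ns": THEREGISTARS_NS},
    "theatreli.net": {"ns": THEREGISTARS_NS},
    "azsocseclawyer.net": {"ns": THEREGISTARS_NS},
    "betheroot.net": {"ip": {"50.7.251.59"}},
    "open-uav.org": {"ip": {"50.7.251.59"}},
    # constructed control: shares nothing with the campaign infrastructure
    "unrelated.example": {"ip": {"203.0.113.10"},
                          "email": {"admin@unrelated.example"},
                          "ns": {"ns1.unrelated.example"}},
}


def build_index(records):
    """Map each (attribute kind, value) pair to the set of domains carrying it."""
    index = {}
    for domain, attrs in records.items():
        for kind, values in attrs.items():
            for value in values:
                index.setdefault((kind, value), set()).add(domain)
    return index


def pivot(records, seed, max_fanout=20):
    """Breadth-first walk from `seed` over shared attributes.

    Returns {domain: (kind, value, via_domain)} giving the first link that reached each
    domain (None for the seed). Attribute values shared by more than `max_fanout`
    domains are skipped: a registrar's default name servers or a busy shared-hosting
    IP link thousands of unrelated sites and are not evidence of a common operator."""
    index = build_index(records)
    reached = {seed: None}
    queue = deque([seed])
    while queue:
        current = queue.popleft()
        for kind, values in records[current].items():
            for value in values:
                neighbours = index[(kind, value)]
                if len(neighbours) > max_fanout:
                    continue
                for other in neighbours:
                    if other not in reached:
                        reached[other] = (kind, value, current)
                        queue.append(other)
    return reached


if __name__ == "__main__":
    for domain, link in sorted(pivot(RECORDS, "dekolink.net").items()):
        if link is None:
            print(f"{domain}  (seed)")
        else:
            kind, value, via = link
            print(f"{domain}  <- shared {kind} {value} with {via}")
```

Registrant email is the strongest of the three attributes, since it survives a move to new hosting; an IP or name-server match alone is a lead to confirm, not a conclusion, which is why each result carries the attribute that produced it.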

Webroot SecureAnywhere users are proactively protected from this threat.

You can find more about Dancho Danchev at his LinkedIn Profile. You can also follow him on Twitter.
