“Terminated Wire Transfer Notification/ACH File ID” themed malicious campaigns lead to Black Hole Exploit Kit


By Dancho Danchev

A couple of days ago our sensors picked up two separate malicious email campaigns, both impersonating Data Processing Services, that upon successful client-side exploitation (courtesy of the Black Hole Exploit Kit), drops an identical piece of malicious software.

Let’s dissect the campaigns, expose the malicious domains portfolio, connect them to previously profiled malicious campaigns, and analyze the behavior of the dropped malware.

More details:

Sample screenshot of the “ACH File ID” themed spamvertised campaign:

[Screenshot: “ACH File ID” themed spam email impersonating Data Processing Services]

Sample compromised URLs used in the campaign:
hxxp://may.kz/dataach_proc.html
hxxp://kimsee.co.kr/dataach_proc.html
hxxp://katja-korotynsky.de/dataach_proc.html
hxxp://raketa.molo.by/dataach_proc.html
hxxp://union-allegro.ru/dataach_proc.html
hxxp://medsintes.ru/dataach_proc.html
hxxp://bora-bora.travel/dataach_proc.html
hxxp://lexa.razor.w2c.ru/dataach_proc.html
hxxp://niko-bor.ru/dataach_proc.html
hxxp://4ord-rj.com.br/dataach_proc.html
hxxp://zar.aero/dataach_proc.html
hxxp://www.sib-intech.ru/dataach_proc.html

Sample client-side exploits serving domain: hxxp://neo-webnet.com/kill/reading_screen.php – 24.111.157.113; 58.26.233.175; 155.239.247.247 – Email: bannerpick45@yahoo.com
Name Server: NS1.STREETCRY.NET
Name Server: NS2.STREETCRY.NET

Sample malicious payload dropping URL: hxxp://neo-webnet.com/kill/reading_screen.php?zwp=1n:33:2v:1l:1h&ppqf=38&zrdlkj=2v:1i:2w:2w:1o:1l:1g:1n:1i:2w&pyo=1n:1d:1f:1d:1f:1d:1j:1k:1l

We’ve already seen the same Name Servers in the following previously profiled malicious campaigns:

Sample screenshot of the “Terminated Wire Transfer Notification” themed spamvertised campaign:

[Screenshot: “Terminated Wire Transfer Notification” themed spam email impersonating Data Processing Services]

Sample compromised URLs participating in the second “Terminated Wire Transfer Notification” campaign:
hxxp://forum.prb-fight.dp.ua/achinfo_2013_03_21.html
hxxp://rnckidsclothing.com/achinfo_2013_03_21.html
hxxp://mamnonduhangkenh1.edu.vn/achinfo_2013_03_21.html
hxxp://forum.dungeon-defenders.ru/achinfo_2013_03_21.html
hxxp://chongjisyj.com/achinfo_2013_03_21.html
hxxp://forums.iboxgames.org/achinfo_2013_03_21.html
hxxp://20h27.com/achinfo_2013_03_21.html

Sample client-side exploits serving URL: hxxp://dataprocessingservice-reports.com/kill/chosen_wishs_refuses-limits.php – 24.111.157.113; 58.26.233.175; 155.239.247.247 – Email: calnroam@yahoo.com
Name Server: NS1.STREETCRY.NET
Name Server: NS2.STREETCRY.NET

Sample malicious payload dropping URL: hxxp://dataprocessingservice-reports.com/kill/chosen_wishs_refuses-limits.php?zwp=1n:33:2v:1l:1h&ppqf=38&zrdlkj=2v:1i:2w:2w:1o:1l:1g:1n:1i:2w&pyo=1n:1d:1f:1d:1f:1d:1j:1k:1l
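Both campaigns reuse one landing-page filename across many compromised hosts and hand off to an exploit-kit endpoint whose query string is a run of colon-separated tokens. The script below is an added example (not Webroot's or the author's tooling) that refangs the hxxp:// indicators listed above, separates the shared landing-page path from the exploit-kit hosts, and applies a token-pattern heuristic derived only from the two payload URLs shown on this page. The sample list mixes URLs from the post with one constructed benign URL as a control; the heuristic and the function names are assumptions for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# Constructed sample: defanged URLs taken from the post, plus one benign
# control URL (example.com) that the heuristics must not flag.
SAMPLE_URLS = [
    "hxxp://may.kz/dataach_proc.html",
    "hxxp://kimsee.co.kr/dataach_proc.html",
    "hxxp://forum.prb-fight.dp.ua/achinfo_2013_03_21.html",
    "hxxp://neo-webnet.com/kill/reading_screen.php"
    "?zwp=1n:33:2v:1l:1h&ppqf=38&zrdlkj=2v:1i:2w:2w:1o:1l:1g:1n:1i:2w"
    "&pyo=1n:1d:1f:1d:1f:1d:1j:1k:1l",
    "hxxp://dataprocessingservice-reports.com/kill/chosen_wishs_refuses-limits.php"
    "?zwp=1n:33:2v:1l:1h&ppqf=38&zrdlkj=2v:1i:2w:2w:1o:1l:1g:1n:1i:2w"
    "&pyo=1n:1d:1f:1d:1f:1d:1j:1k:1l",
    "https://example.com/index.html?page=2&sort=name",  # constructed benign control
]


def refang(url):
    """Turn a defanged hxxp:// or hxxps:// URL back into a parsable one."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.IGNORECASE)


def looks_like_encoded_query(query):
    """Heuristic (assumption) modelled on the two payload URLs on the page:
    every value is a colon-separated run of short base-36 tokens such as
    1n:33:2v:1l:1h, and at least one value actually contains a colon."""
    pairs = parse_qsl(query, keep_blank_values=True)
    if not pairs:
        return False
    token_run = re.compile(r"^[0-9a-z]{1,3}(:[0-9a-z]{1,3})*$")
    return all(token_run.match(v) for _, v in pairs) and any(":" in v for _, v in pairs)


def classify(urls):
    """Split indicators into (hosts grouped by landing-page path, exploit-kit hosts).

    Hosts sharing a path are the compromised sites; hosts serving an encoded
    query are the attacker-controlled exploit-kit endpoints."""
    by_path = defaultdict(list)
    ek_hosts = []
    for raw in urls:
        parts = urlsplit(refang(raw))
        if looks_like_encoded_query(parts.query):
            ek_hosts.append(parts.hostname)
        else:
            by_path[parts.path].append(parts.hostname)
    return dict(by_path), ek_hosts


def landing_page_paths(urls, min_hosts=2):
    """Paths seen on at least min_hosts distinct hosts. The shared filename is
    the durable indicator for proxy/IDS matching; any single compromised
    domain is likely to be cleaned up and is noisy to block outright."""
    by_path, _ = classify(urls)
    return sorted(p for p, hosts in by_path.items() if len(set(hosts)) >= min_hosts)


if __name__ == "__main__":
    groups, ek = classify(SAMPLE_URLS)
    print("exploit-kit hosts:", ek)
    print("shared landing pages:", landing_page_paths(SAMPLE_URLS))
```

The two-tier split matters for response: the exploit-kit hosts and their name servers go on a blocklist, while the compromised sites are better handled as a path-based detection plus owner notification.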

Responding to 58.26.233.175 are also the following malicious domains:
crackedserverz.com
webpageparking.net – seen here
picturesofdeath.net – seen here, and here

Upon successful client-side exploitation, both of the campaigns drop MD5: 00c7693681d111c0b74121ea513abe91 – detected by 5 out of 43 antivirus scanners as Trojan.Necurs.97.

Once executed, the sample stores the following modified files on the affected hosts:
C:\Documents and Settings\Administrator\Application Data\KB00635017.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\expF.tmp.bat
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\89OC5JKA\2MB9vCAAAA[1].txt
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\exp10.tmp.exe
C:\Documents and Settings\Administrator\Application Data\9CC20790\9CC20790
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\exp11.tmp.exe
C:\Documents and Settings\Administrator\Application Data\9CC20790\9CC20790
C:\Documents and Settings\Administrator\Application Data\9CC20790\9CC20790.srv
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\89OC5JKA\2MB9vCAAAA[1].txt
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\89OC5JKA\2MB9vCAAAA[2].txt
C:\Documents and Settings\Administrator\Application Data\KB00635017.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\exp12.tmp.bat

Creates the following Registry Keys:
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CFBDC89D4
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\S25BC2D7B
\REGISTRY\USER\S-1-5-21-299502267-926492609-1801674531-500\Software\Microsoft\Windows NT\S9CC20790
\REGISTRY\USER\S-1-5-21-299502267-926492609-1801674531-500\Software\Microsoft\Windows NT\CBA6D3F36
\REGISTRY\USER\S-1-5-21-299502267-926492609-1801674531-500\Software\WinRAR

Sets the following Registry Values:
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] -> KB00121600.exe = “%AppData%\KB00121600.exe”

Creates the following Mutexes:
Local\XMM00000418
Local\XMI00000418
Local\XMRFB119394
Local\XMM0000009C
Local\XMI0000009C
Local\XMM000000D8
Local\XMI000000D8
Local\XMM000001C4
Local\XMI000001C4

It then phones back to the following C&C (command and control servers):
50.57.99.48:8080/AJtw/UCyqrDAA/Ud+asDAA/
156.56.94.212/J9/vp//EGa+AAAAAA/2MB9vCAAAA/
85.214.143.90/J9/vp//EGa+AAAAAA/2MB9vCAAAA/
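The host artifacts above (a Run-key entry pointing at a KB########.exe in %AppData%, an 8-hex-character directory holding a same-named file and .srv, `Local\XM…` mutexes, `Windows NT\<C|S>hhhhhhhh` keys, and beacons to three fixed IPs) are exactly what an analyst turns into triage rules. The script below is an added example, not Webroot's tooling, that runs such rules over constructed sandbox-style event lines. The values inside the lines come from the post; the `REGSET`/`FILE`/`MUTEX`/`REGKEY`/`NET` line format, the regexes and the two-class verdict threshold are assumptions for illustration.

```python
import re

# Constructed sandbox-style events. Artifact values are taken from the post;
# the line format itself is an assumption for this example. Two benign lines
# (OneDrive Run entry, ordinary mutex) are included as controls.
SAMPLE_EVENTS = [
    r"REGSET HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run KB00121600.exe=%AppData%\KB00121600.exe",
    r"FILE C:\Documents and Settings\Administrator\Application Data\KB00635017.exe",
    r"FILE C:\Documents and Settings\Administrator\Application Data\9CC20790\9CC20790.srv",
    r"REGKEY HKEY_CURRENT_USER\Software\Microsoft\Windows NT\S25BC2D7B",
    r"MUTEX Local\XMM00000418",
    r"MUTEX Local\XMI00000418",
    r"MUTEX Local\XMRFB119394",
    r"NET 50.57.99.48:8080/AJtw/UCyqrDAA/Ud+asDAA/",
    r"NET 156.56.94.212/J9/vp//EGa+AAAAAA/2MB9vCAAAA/",
    r"REGSET HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run OneDrive=C:\Program Files\OneDrive.exe",
    r"MUTEX Local\SomeBenignApp",
]

# C&C addresses listed in the post.
KNOWN_C2 = {"50.57.99.48", "156.56.94.212", "85.214.143.90"}

RUNKEY_RE = re.compile(r"^REGSET (HK[^ ]+\\Run) (\S+?)=(.+)$", re.IGNORECASE)
KB_EXE_RE = re.compile(r"KB\d{8}\.exe$", re.IGNORECASE)
# <8 hex>\<same 8 hex>[.srv] at the end of a path, as in 9CC20790\9CC20790.srv
HEXDIR_RE = re.compile(r"\\([0-9A-F]{8})\\\1(?:\.srv)?$")
REGKEY_RE = re.compile(r"^REGKEY .*\\Windows NT\\[CS][0-9A-F]{8}$")
MUTEX_RE = re.compile(r"^MUTEX (Local\\XM[MIR][0-9A-F]{8})$")
NET_RE = re.compile(r"^NET (\d{1,3}(?:\.\d{1,3}){3})(?::(\d+))?(/\S*)$")


def triage(events):
    """Return a list of (rule_name, event_line) hits for the artifacts above."""
    findings = []
    for line in events:
        m = RUNKEY_RE.match(line)
        if m and KB_EXE_RE.search(m.group(3)):
            # Persistence: Run value whose target is a KB########.exe
            findings.append(("runkey_kb_exe", line))
            continue
        if line.startswith("FILE ") and (KB_EXE_RE.search(line) or HEXDIR_RE.search(line)):
            findings.append(("dropped_file", line))
            continue
        if REGKEY_RE.match(line):
            findings.append(("regkey_windows_nt_hex", line))
            continue
        if MUTEX_RE.match(line):
            findings.append(("mutex_xm", line))
            continue
        m = NET_RE.match(line)
        if m and m.group(1) in KNOWN_C2:
            findings.append(("c2_beacon", line))
    return findings


def verdict(findings, min_rules=2):
    """Call the host infected only when at least min_rules independent
    artifact classes fire; a lone mutex or file name is weak evidence."""
    rules = {rule for rule, _ in findings}
    return "infected" if len(rules) >= min_rules else "inconclusive"


if __name__ == "__main__":
    hits = triage(SAMPLE_EVENTS)
    for rule, line in hits:
        print(f"{rule:22s} {line}")
    print("verdict:", verdict(hits))
```

Requiring hits from more than one artifact class keeps a single coincidental match (an unrelated `KB…exe`, for instance) from producing a false positive, while a beacon to a listed C&C address combined with the Run-key entry is enough to escalate.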

Webroot SecureAnywhere users are proactively protected from this threat.

You can find more about Dancho Danchev at his LinkedIn Profile. You can also follow him on Twitter.
