A couple of days ago our sensors picked up two separate malicious email campaigns, both impersonating Data Processing Services, that upon successful client-side exploitation (courtesy of the Black Hole Exploit Kit), drops an identical piece of malicious software.

Let’s dissect the campaigns, expose the malicious domains portfolio, connect them to previously profiled malicious campaigns, and analyze the behavior of the dropped malware.

More details:

Sample screenshot of the “ACH File ID” themed spamvertised campaign:

ACH_File_ID_Email_Spam_Malware_Exploits_Social_Engineering_Black_Hole_Exploit_Kit

Sample compromised URLs used in the campaign:
hxxp://may.kz/dataach_proc.html
hxxp://kimsee.co.kr/dataach_proc.html
hxxp://katja-korotynsky.de/dataach_proc.html
hxxp://raketa.molo.by/dataach_proc.html
hxxp://union-allegro.ru/dataach_proc.html
hxxp://medsintes.ru/dataach_proc.html
hxxp://bora-bora.travel/dataach_proc.html
hxxp://lexa.razor.w2c.ru/dataach_proc.html
hxxp://niko-bor.ru/dataach_proc.html
hxxp://4ord-rj.com.br/dataach_proc.html
hxxp://may.kz/dataach_proc.html
hxxp://medsintes.ru/dataach_proc.html
hxxp://zar.aero/dataach_proc.html
hxxp://www.sib-intech.ru/dataach_proc.html

Sample client-side exploits serving domain: hxxp://neo-webnet.com/kill/reading_screen.php – 24.111.157.113; 58.26.233.175; 155.239.247.247 – Email:
bannerpick45@yahoo.com
Name Server: NS1.STREETCRY.NET
Name Server: NS2.STREETCRY.NET

Sample malicious payload dropping URL: hxxp://neo-webnet.com/kill/reading_screen.php?
zwp=1n:33:2v:1l:1h&ppqf=38&zrdlkj=2v:1i:2w:2w:1o:1l:1g:1n:1i:2w&pyo=1n:1d:1f:1d:1f:1d:1j:1k:1l

We’ve already seen the same Name Servers in the following previously profiled malicious campaigns:

Sample screenshot of the “Terminated Wire Transfer Notification” themed spamvertised campaign:

Terminated_Wire_Transfer_Notification_Data_Processing_Service_Email_Spam_Malware_Exploits_Black_Hole_Exploit_Kit

Sample compromised URLs participating in the second “Terminated Wire Transfer Notification” campaign:
hxxp://forum.prb-fight.dp.ua/achinfo_2013_03_21.html
hxxp://rnckidsclothing.com/achinfo_2013_03_21.html
hxxp://mamnonduhangkenh1.edu.vn/achinfo_2013_03_21.html
hxxp://forum.dungeon-defenders.ru/achinfo_2013_03_21.html
hxxp://chongjisyj.com/achinfo_2013_03_21.html
hxxp://forums.iboxgames.org/achinfo_2013_03_21.html
hxxp://20h27.com/achinfo_2013_03_21.html

Sample client-side exploits serving URL: hxxp://dataprocessingservice-reports.com/kill/chosen_wishs_refuses-limits.php – 24.111.157.113; 58.26.233.175; 155.239.247.247 – Email: calnroam@yahoo.com
Name Server: NS1.STREETCRY.NET
Name Server: NS2.STREETCRY.NET

Sample malicious payload dropping URL: hxxp://dataprocessingservice-reports.com/kill/chosen_wishs_refuses-limits.php?
zwp=1n:33:2v:1l:1h&ppqf=38&zrdlkj=2v:1i:2w:2w:1o:1l:1g:1n:1i:2w&pyo=1n:1d:1f:1d:1f:1d:1j:1k:1l

Responding to 58.26.233.175 are also the following malicious domains:
crackedserverz.com
webpageparking.netseen here
picturesofdeath.netseen here, and here

Upon successful client-side exploitation, both of the campaigns drop MD5: 00c7693681d111c0b74121ea513abe91 – detected by 5 out of 43 antivirus scanners as
Trojan.Necurs.97.

Once executed, the sample stores the following modified files on the affected hosts:
C:Documents and SettingsAdministratorApplication DataKB00635017.exe
C:DOCUME~1ADMINI~1LOCALS~1TempexpF.tmp.bat
C:Documents and SettingsAdministratorLocal SettingsTemporary Internet FilesContent.IE589OC5JKA2MB9vCAAAA[1].txt
C:DOCUME~1ADMINI~1LOCALS~1Tempexp10.tmp.exe
C:Documents and SettingsAdministratorApplication Data9CC207909CC20790
C:DOCUME~1ADMINI~1LOCALS~1Tempexp11.tmp.exe
C:Documents and SettingsAdministratorApplication Data9CC207909CC20790
C:Documents and SettingsAdministratorApplication Data9CC207909CC20790.srv
C:Documents and SettingsAdministratorLocal SettingsTemporary Internet FilesContent.IE589OC5JKA2MB9vCAAAA[1].txt
C:Documents and SettingsAdministratorLocal SettingsTemporary Internet FilesContent.IE589OC5JKA2MB9vCAAAA[2].txt
C:Documents and SettingsAdministratorApplication DataKB00635017.exe
C:DOCUME~1ADMINI~1LOCALS~1Tempexp12.tmp.bat

Creates the following Registry Keys:
HKEY_CURRENT_USERSoftwareMicrosoftWindows NTCFBDC89D4
HKEY_CURRENT_USERSoftwareMicrosoftWindows NTS25BC2D7B
REGISTRYUSERS-1-5-21-299502267-926492609-1801674531-500SoftwareMicrosoftWindows NTS9CC20790
REGISTRYUSERS-1-5-21-299502267-926492609-1801674531-500SoftwareMicrosoftWindows NTCBA6D3F36
REGISTRYUSERS-1-5-21-299502267-926492609-1801674531-500SoftwareWinRAR

Sets the following Registry Values:
[HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun] -> KB00121600.exe = “”%AppData%KB00121600.exe””

Creates the following Mutexes:
LocalXMM00000418
LocalXMI00000418
LocalXMRFB119394
LocalXMM0000009C
LocalXMI0000009C
LocalXMM000000D8
LocalXMI000000D8
LocalXMM000001C4
LocalXMI000001C4

It then phones back to the following C&C (command and control servers):
50.57.99.48:8080/AJtw/UCyqrDAA/Ud+asDAA/
156.56.94.212/J9/vp//EGa+AAAAAA/2MB9vCAAAA/
85.214.143.90/J9/vp//EGa+AAAAAA/2MB9vCAAAA/

Webroot SecureAnywhere users are proactively protected from this threat.

You can find more about Dancho Danchev at his LinkedIn Profile. You can also follow him on  Twitter.

Blog Staff

About the Author

Blog Staff

The Webroot blog offers expert insights and analysis into the latest cybersecurity trends. Whether you’re a home or business user, we’re dedicated to giving you the awareness and knowledge needed to stay ahead of today’s cyber threats.

Share This