Psychcentral.com infected with Angler EK: Installs bedep, vawtrak and POS malware

November 2, 2015 by Paul Kimayong

On October 26, 2015, Cyphort Labs discovered that psychcentral[.]com had been compromised and was infecting visitors with drive-by-download malware. We contacted psychcentral about the infection as soon as we discovered it. As of October 29, their technical team had identified the problem and addressed the issue. Psychcentral[.]com is a leading independent mental health social network. It receives about 163,846 unique visitors per day.

The site was infected with an iframe injector that redirects to Angler EK, which uses a Flash exploit targeting a recent vulnerability in Adobe Flash. We found it installing Bedep and Vawtrak. Bedep is a notorious ad fraud malware, and Vawtrak is a banking trojan that followed in the footsteps of Zeus. We have seen Angler use Bedep as its payload before, but adding Vawtrak to its arsenal is something we had not seen until recently. Moreover, the Vawtrak sample we obtained downloads a new memory-scraping malware that scans for credit card data in memory, which is typical of Point of Sale malware like the ones that affected Target stores.

Infection Chain

Figure: injected iframe

The iframe injection originates from an ad server script that uses Open AdStream (OAS).
The script makes a request to oascentral[.]spineuniverse[.]com, which leads to a function, OAS_RICH(), responsible for injecting iframes into the web page.

Figure: Ad server script injecting iframe

The web page finally leads to the Angler EK landing page on margueriteyellow[.]bitcoininvesting[.]net. It uses a Flash exploit that targets the following vulnerability:

  • CVE-2015-5560, Adobe Flash Player versions prior to 18.0.0.232 on Windows and OS X.

The vulnerability was already patched in the 18.0.0.232 Flash update.

Figure: network activity during infection

Payloads

We were able to obtain 3 executable payloads from this infection:

  • a2ee0c22d0cbdaa1c8de45c4a487b96a – Bedep
  • 28639b2c93a24ed6d178f3098ca23f2e – Vawtrak
  • a1d1ba04f3cb2cc6372b5986fadb1b9f – POS malware

Bedep

As we have seen in the past, Bedep's function is to execute ad fraud campaigns. It usually arrives encrypted over the network to evade traditional IDS/IPS solutions. It resides on the system as a DLL file, usually in the %PROGRAMDATA% folder; it creates a folder named after the machine GUID and drops itself there.

Vawtrak

Vawtrak (aka Neverquest) is a rising star in the field of financial trojans. It was first discovered in the wild in 2013. It arrives through several methods: usually via exploit kits, as an attachment to spam email, or downloaded by macro malware embedded in Microsoft Office documents and spreadsheets.

It employs functions similar to those of Zeus, such as using webinjects to collect confidential banking information and hooking APIs to intercept browser traffic. It also downloads an encrypted configuration that contains the URLs it targets for injection.

The configuration also contains a list of download URLs that point to its additional modules. The sample we obtained has the following download links in its config:

Figure: Vawtrak config file snapshot

Samples downloaded from 176[.]99[.]11[.]154 are its additional modules. One interesting URL is http://46[.]30[.]41[.]16/files/970.exe, which is a downloader for a new RAM-scraping malware akin to the ones used in typical POS malware, as described in a Cyphort Special Report.

Vawtrak resides on the system as a DLL file in the %PROGRAMDATA% folder, using random names such as:

  • C:\ProgramData\Nuxbu\Zuzhot.dll

It creates a Run key that uses regsvr32.exe to execute the DLL, e.g.:

  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    • Value: {FFCF9B6F-7C01-4D05-9D5E-7F8BDD6E0481}
    • Data: regsvr32.exe "C:\ProgramData\Nuxbu\Zuzhot.dll"
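To turn the persistence entry above into a host check, here is an added example in Python (written for this post; it is neither Cyphort's tooling nor the malware's code). It parses the text output of `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run` and flags values that launch a DLL through regsvr32.exe from a user-writable folder, or whose value name is a bare GUID. The sample output is constructed; the GUID and DLL path mirror the indicators listed above.

```python
import re
import sys

# Constructed sample of `reg query HKCU\...\Run` output. The second entry
# mirrors the persistence described in this post (a DLL under %PROGRAMDATA%
# registered via regsvr32.exe under a GUID-named value).
SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    {FFCF9B6F-7C01-4D05-9D5E-7F8BDD6E0481}    REG_SZ    regsvr32.exe "C:\ProgramData\Nuxbu\Zuzhot.dll"
    Vendor Tray    REG_SZ    "C:\Program Files\Vendor\tray.exe"
"""

# One value per line: <name>  <REG_TYPE>  <data>, separated by runs of whitespace.
ENTRY_RE = re.compile(r"^\s+(?P<name>.+?)\s{2,}(?P<type>REG_[A-Z_]+)\s+(?P<data>.*)$")
GUID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")
DLL_RE = re.compile(r'"?([A-Za-z]:\\[^"]+?\.dll)"?', re.IGNORECASE)
# Roots a user can write to; a signed installer rarely registers a COM DLL from here.
USER_WRITABLE = ("\\programdata\\", "\\users\\", "\\appdata\\", "\\temp\\")


def parse_reg_query(text):
    """Return (name, type, data) tuples for every value line in reg query output."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group("name"), m.group("type"), m.group("data")))
    return entries


def assess_entry(name, data):
    """Return the list of reasons an autorun value looks suspicious (empty if none)."""
    reasons = []
    if "regsvr32" in data.lower():
        reasons.append("regsvr32.exe used as autorun launcher")
        dll = DLL_RE.search(data)
        if dll and any(root in dll.group(1).lower() for root in USER_WRITABLE):
            reasons.append("DLL lives under a user-writable path: " + dll.group(1))
    if GUID_RE.match(name):
        reasons.append("value name is a bare GUID")
    return reasons


def find_suspicious_autoruns(text):
    """Parse reg query output and return only the entries that have at least one reason."""
    findings = []
    for name, _type, data in parse_reg_query(text):
        reasons = assess_entry(name, data)
        if reasons:
            findings.append({"name": name, "data": data, "reasons": reasons})
    return findings


if __name__ == "__main__":
    # Pipe real output in (reg query ... | python check_run_keys.py) or run with
    # no stdin to see the constructed sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_REG_QUERY
    for f in find_suspicious_autoruns(text):
        print(f"[!] {f['name']}: {f['data']}")
        for r in f["reasons"]:
            print("     -", r)
```

regsvr32.exe autoruns do occur in legitimate software, so treat a hit as a triage lead rather than a verdict, and run the same parser over the HKLM Run and RunOnce keys, which the script does not query on its own.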

It downloads its configuration file from:

  • http://ninthclub.com/Work/new/index.php

RAM scraping malware

Vawtrak downloads and executes "970.exe", which then downloads a DLL component from 91.234.34.44 via TCP port 30970. It saves this as follows:

  • %ALLUSERS%\Application Data\{random}.dll

It then downloads an additional file via HTTP GET from:

  • 50.7.143.61/a_p/a_970.exe

And saves it as:

  • %ALLUSERS%\Application Data\taskhost.exe

taskhost.exe enumerates every running process and checks its memory for credit card information. When it finds a candidate process, it creates a new thread that checks for track 1 and track 2 data:

Figure: process enumeration to scrape credit card data

It specifically checks for credit card numbers that start with 3, 4, 5, or 6, which covers cards such as AMEX, Visa, MasterCard, Diners Club, Discover, etc.

Figure: track 1 and track 2 checking

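To make concrete what the scraper's track 1 / track 2 check keys on, and how the same logic serves a defender triaging a memory dump or a DLP feed for exposed card data, here is an added Python example (not the malware's code and not from the original post). It matches ISO 7813 track 1 (`%B<PAN>^<NAME>^<YYMM>`) and track 2 (`;<PAN>=<YYMM>`) records whose PAN starts with 3, 4, 5 or 6, discards matches that fail the Luhn check, and reports only a masked PAN. The memory excerpt and PANs are constructed from industry test numbers, and the brand-by-first-digit mapping is an assumption used for labelling only.

```python
import re

# Constructed process-memory excerpt: two ISO 7813 track records built from
# industry test PANs, a decoy that fails the Luhn check, and a long digit run
# that is not card data at all.
SAMPLE_MEMORY = (
    b"\x00\x00session=ab12\x00"
    b"%B4111111111111111^DOE/JANE^25121010000000000?"  # track 1 (Visa test PAN)
    b"\x00padding\x00"
    b";378282246310005=2512101?"                       # track 2 (AMEX test PAN)
    b"\x00;4111111111111112=2512101?"                  # track 2 shape, fails Luhn
    b"\x00order_id=99999999999999\x00"
)

# Track 1: %B<PAN>^<NAME>^<YYMM>...   Track 2: ;<PAN>=<YYMM>...
# Both restrict the first PAN digit to 3-6, the same brands the post lists.
TRACK1_RE = re.compile(rb"%B(?P<pan>[3-6]\d{12,18})\^(?P<name>[^^]{2,26})\^(?P<exp>\d{4})")
TRACK2_RE = re.compile(rb";(?P<pan>[3-6]\d{12,18})=(?P<exp>\d{4})")

# Assumed labelling only; issuer ranges are more granular than a single digit.
BRAND_BY_FIRST_DIGIT = {"3": "AMEX/Diners", "4": "Visa", "5": "MasterCard", "6": "Discover"}


def luhn_ok(pan: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) check."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the BIN (first 6) and last 4; a scan report must never carry a full PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_for_track_data(buf: bytes) -> list:
    """Return Luhn-valid track 1/2 hits found in buf, ordered by offset."""
    hits = []
    for track, pattern in ((1, TRACK1_RE), (2, TRACK2_RE)):
        for m in pattern.finditer(buf):
            pan = m.group("pan").decode("ascii")
            if not luhn_ok(pan):
                continue  # random digit runs rarely pass Luhn; drop them
            hits.append({
                "track": track,
                "offset": m.start(),
                "pan_masked": mask_pan(pan),
                "brand": BRAND_BY_FIRST_DIGIT[pan[0]],
                "expiry_yymm": m.group("exp").decode("ascii"),
            })
    return sorted(hits, key=lambda h: h["offset"])


if __name__ == "__main__":
    for h in scan_for_track_data(SAMPLE_MEMORY):
        print(f"track {h['track']} at offset {h['offset']}: "
              f"{h['brand']} {h['pan_masked']} exp {h['expiry_yymm']}")
```

Run against a memory dump or a captured buffer by passing its bytes to scan_for_track_data; the first-digit restriction plus the Luhn filter is what keeps false positives low on buffers full of unrelated digit runs, which is also why the scraper described above applies the same prefix check.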
We see in this infection how cybercriminals use multiple infection methods. Exploit kits are usually packaged to target multiple vulnerable software products to increase their coverage. There are reports of how Angler generates $34 million annually from ransomware alone. We see in this infection that the group is after the money; we are not sure how much they are raking in. Bedep and Vawtrak target consumers, while the RAM-scraping malware targets POS systems. One thing is for sure: the group behind this is looking to cash in.

Special thanks to Alex Burt and the rest of Cyphort Labs for their help in discovering and analyzing this infection.