On October 26, 2015, Cyphort Labs discovered that psychcentral[.]com had been compromised and was infecting visitors via drive-by-download malware. We contacted Psychcentral about the infection as soon as we discovered it, and as of October 29 their technical team had identified and addressed the problem. Psychcentral[.]com is a leading independent mental health social network, receiving about 163,846 unique visitors per day.
The site was infected with an iframe injector that redirects visitors to the Angler exploit kit (EK). Angler used a Flash exploit targeting a recently patched vulnerability in Adobe Flash, and we observed it installing Bedep and Vawtrak. Bedep is a notorious ad-fraud malware, and Vawtrak is a banking trojan that followed in the footsteps of Zeus. We have seen Angler deliver Bedep as a payload before, but Vawtrak in its arsenal is something we had not seen until recently. Moreover, the Vawtrak sample we obtained downloads a new memory-scraping malware that scans process memory for credit card data, behavior typical of point-of-sale (POS) malware like the kind that hit Target stores.
Infection Chain

The iframe injection originates from an ad server script that uses Open AdStream (OAS).
The script makes a request to oascentral[.]spineuniverse[.]com, which leads to a function, OAS_RICH(), that is responsible for injecting iframes into the web page.
[Figure: ad server script injecting the iframe]
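One practical check that follows from this part of the chain, as an added example that is not part of the original post or of Cyphort's tooling: parse a page's rendered HTML and report every iframe whose source host is off-domain and not an allow-listed ad host, noting whether it is sized or styled to be invisible. The allow-list, the URL paths and the sample page are constructed for illustration; the only real host in the sample is the Angler landing-page host this post names.

```python
"""Flag iframes that an injected ad script may have added to a page.

Added example, not Cyphort's code. Given the rendered HTML of a page, list
every <iframe> whose source host is neither the site's own domain nor an
allow-listed ad host, and note whether it is styled to be invisible. The
landing-page host is the one named in the post; the allow-list, the paths
and the sample HTML are constructed for illustration.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts the site legitimately embeds content from (assumed allow-list).
ALLOWED_HOSTS = {"psychcentral.com", "oascentral.spineuniverse.com"}


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag in the document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append(dict(attrs))


def host_of(src):
    """Lowercase host of an iframe src; None for relative or empty sources."""
    return (urlparse(src).hostname or "").lower() or None


def is_allowed(host, allowed_hosts):
    """True if host is an allow-listed domain or a subdomain of one."""
    return any(host == a or host.endswith("." + a) for a in allowed_hosts)


def _dim(value):
    """Parse a width/height attribute like '1' or '1px'; None if absent/odd."""
    try:
        return int(str(value).strip().lower().rstrip("px"))
    except ValueError:
        return None


def looks_hidden(attrs):
    """Classic drive-by tells: 1x1 (or smaller) frame, or hidden via CSS."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    w, h = _dim(attrs.get("width")), _dim(attrs.get("height"))
    return w is not None and h is not None and w <= 1 and h <= 1


def find_injected_iframes(html, allowed_hosts=ALLOWED_HOSTS):
    """Return off-domain iframes as dicts of src, host and a hidden flag."""
    collector = IframeCollector()
    collector.feed(html)
    flagged = []
    for attrs in collector.iframes:
        src = attrs.get("src") or ""
        host = host_of(src)
        if host is None or is_allowed(host, allowed_hosts):
            continue
        flagged.append({"src": src, "host": host, "hidden": looks_hidden(attrs)})
    return flagged


# Constructed page: one legitimate OAS ad frame, one same-site player, and
# one 1x1 hidden frame pointing at the Angler landing host from the post.
SAMPLE_HTML = """
<html><body>
<iframe src="http://oascentral.spineuniverse.com/RealMedia/ads/adstream.html"
        width="300" height="250"></iframe>
<iframe src="/embed/player.html" width="640" height="360"></iframe>
<iframe src="http://margueriteyellow.bitcoininvesting.net/forums/viewtopic.php"
        width="1" height="1" style="visibility: hidden"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for frame in find_injected_iframes(SAMPLE_HTML):
        print(frame)
```

Run against the HTML a browser actually rendered (after the ad script executed), not the server's static response, since OAS_RICH() adds the frame at runtime; the same-site frame is skipped and the OAS frame is allow-listed, so only the hidden off-domain frame is reported.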
The web page finally leads to the Angler EK landing page on margueriteyellow[.]bitcoininvesting[.]net. The landing page uses a Flash exploit targeting the following vulnerability:
- CVE-2015-5560, affecting Adobe Flash Player versions prior to 18.0.0.232 on Windows and OS X.
Adobe had already patched this vulnerability in the 18.0.0.232 Flash update, so only visitors running an older Flash build were exposed to this particular exploit.
[Figure: network activity during infection]
Payloads
We were able to obtain three executable payloads from this infection (MD5 hashes):
- a2ee0c22d0cbdaa1c8de45c4a487b96a – Bedep
- 28639b2c93a24ed6d178f3098ca23f2e – Vawtrak
- a1d1ba04f3cb2cc6372b5986fadb1b9f – POS malware
Bedep
As we have seen in the past, Bedep's function is to run ad-fraud campaigns. It usually arrives encrypted over the network to evade inspection by traditional IDS/IPS solutions. It resides on the system as a DLL, usually under the %PROGRAMDATA% folder, where it creates a subfolder named after the machine GUID and drops itself there.
Vawtrak
Vawtrak (aka Neverquest) is a rising star among financial trojans. It was first discovered in the wild in 2013. It arrives by several methods: usually via exploit kits, but also as an attachment to spam email or downloaded by macro malware embedded in Microsoft Office documents and spreadsheets.
It employs techniques similar to Zeus, such as webinjects to collect confidential banking information and API hooking to intercept browser traffic. It also downloads an encrypted configuration containing the URLs it targets for injection.
The configuration also contains a list of download URLs pointing to its additional modules. The sample we obtained has the following download links in its config:
[Figure: Vawtrak config file snapshot]
The samples downloaded from 176[.]99[.]11[.]154 are its additional modules. One interesting URL is http://46[.]30[.]41[.]16/files/970.exe, a downloader for a new RAM-scraping malware akin to those used in typical POS malware, as described in a Cyphort Special Report.
Vawtrak resides on the system as a DLL under %PROGRAMDATA%, using random names such as:
- C:\ProgramData\Nuxbu\Zuzhot.dll
It creates a Run key that uses regsvr32.exe to load the DLL, e.g.:
- HKCU\Software\Microsoft\Windows\CurrentVersion\Run
- Value:{FFCF9B6F-7C01-4D05-9D5E-7F8BDD6E0481}
- Data:regsvr32.exe “C:\ProgramData\Nuxbu\Zuzhot.dll”
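The Run-key pattern above (a GUID-named value that launches regsvr32.exe against a DLL in ProgramData) is easy to audit. The following script is an added example, not Cyphort's code: it applies three tells to a list of Run entries (a DLL launcher such as regsvr32 or rundll32, a module path in a user-writable directory, and a bare-GUID value name) and reports entries that show the launcher plus at least one further tell. The first sample entry is the one from this post; the other three are constructed. On Windows it reads the live HKCU Run key through the standard winreg module; elsewhere it audits the sample list.

```python
"""Audit HKCU Run entries for a regsvr32/rundll32 launcher loading a DLL
from a user-writable location, the persistence pattern Vawtrak uses.

Added example, not Cyphort's code. The first sample entry is the Run value
from the post; the remaining entries are constructed. On Windows the script
reads the live key; elsewhere it audits the sample list.
"""
import re
import sys

RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"

# regsvr32.exe / rundll32.exe used as the launcher, at the start of the
# command line or after a path separator, whitespace or a quote.
LOADER = re.compile(r'(?i)(?:^|[\\\s"])(regsvr32|rundll32)(?:\.exe)?\b')
# First .dll token, quoted or bare (rundll32 appends ,EntryPoint after it).
MODULE = re.compile(r'"([^"]+?\.dll)"|(\S+?\.dll)\b', re.I)
# Locations a standard user can write to without elevation.
USER_WRITABLE = re.compile(r"\\(programdata|users\\[^\\]+\\appdata)\\", re.I)
# Value names that are bare GUIDs, as in the post's sample.
GUID_NAME = re.compile(r"^\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)

SAMPLE_ENTRIES = [
    # From the post: Vawtrak's Run value.
    ("{FFCF9B6F-7C01-4D05-9D5E-7F8BDD6E0481}",
     r'regsvr32.exe "C:\ProgramData\Nuxbu\Zuzhot.dll"'),
    # Constructed: benign vendor updater launched by its own EXE.
    ("VendorUpdater", r'"C:\Program Files\Vendor\Updater.exe" /background'),
    # Constructed: rundll32 loading a DLL out of the user's roaming profile.
    ("OneTimeSetup", r"rundll32.exe C:\Users\bob\AppData\Roaming\Qwert\ab.dll,Start"),
    # Constructed: regsvr32 of a DLL under System32 (loader, but not user-writable).
    ("LegacyCom", r"regsvr32.exe /s C:\Windows\System32\legacy.dll"),
]


def audit_run_entries(entries):
    """Return findings for entries that use a DLL launcher plus at least one
    further tell (user-writable module path, or a GUID-only value name)."""
    findings = []
    for name, data in entries:
        loader = LOADER.search(data)
        if not loader:
            continue
        mod = MODULE.search(data)
        module = (mod.group(1) or mod.group(2)) if mod else None
        reasons = [f"{loader.group(1).lower()} used as launcher"]
        if module and USER_WRITABLE.search(module):
            reasons.append("module in user-writable directory")
        if GUID_NAME.match(name):
            reasons.append("value name is a bare GUID")
        if len(reasons) > 1:
            findings.append({"name": name, "loader": loader.group(1).lower(),
                             "module": module, "reasons": reasons})
    return findings


def read_hkcu_run():
    """Live collection (Windows only): (name, data) for every Run value."""
    import winreg  # standard library, present only on Windows builds
    entries = []
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, RUN_KEY) as key:
        index = 0
        while True:
            try:
                name, data, _type = winreg.EnumValue(key, index)
            except OSError:  # raised once index runs past the last value
                break
            entries.append((name, str(data)))
            index += 1
    return entries


if __name__ == "__main__":
    entries = read_hkcu_run() if sys.platform == "win32" else SAMPLE_ENTRIES
    for finding in audit_run_entries(entries):
        print(finding["name"], "->", finding["module"], "|", "; ".join(finding["reasons"]))
```

The System32 entry is deliberately not reported: regsvr32 in a Run key is unusual on its own, but the combination with a module under ProgramData or AppData, or a GUID-only value name, is what separates this persistence from legitimate software. Extend RUN_KEY to the HKLM and RunOnce variants for a fuller sweep.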
It downloads its configuration file from:
- http://ninthclub.com/Work/new/index.php
RAM scraping malware
Vawtrak downloads and executes 970.exe, which then downloads a DLL component from 91.234.34.44 over TCP port 30970. It saves this as follows:
- %ALLUSERS%\Application Data\{random}.dll
It then downloads an additional file via HTTP GET from:
- 50.7.143.61/a_p/a_970.exe
and saves it as:
- %ALLUSERS%\Application Data\taskhost.exe
The file name mimics the legitimate Windows taskhost.exe, which lives in %SystemRoot%\System32, so a copy running from the all-users Application Data folder is itself a useful indicator. This taskhost.exe enumerates every running process and scans its memory for credit card information. For each process it opens, it creates a new thread that searches that process's memory for track 1 and track 2 data:
[Figure: process enumeration to scrape credit card data]
It specifically looks for card numbers starting with 3, 4, 5, or 6, which covers American Express and Diners Club (3), Visa (4), MasterCard (5), and Discover (6), among others.
[Figure: track 1 and track 2 checking]
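To make the scraper's selection logic concrete, here is an added example (not Cyphort's code and not the malware's) that reproduces it defensively, as an analyst would when triaging a memory dump: scan a byte buffer for track 1 and track 2 layouts, keep only PANs whose leading digit is 3 to 6 as the post describes, and additionally require a valid Luhn checksum so that random digit runs are not reported. The buffer is constructed from public test card numbers; the Luhn filter and the brand labels are additions the post does not attribute to the malware.

```python
"""Triage memory for magnetic-stripe track data the way an analyst would
reproduce the scraper's logic: regex for track 1 / track 2 layouts, accept
only PANs whose leading digit is 3-6 (as the post describes) and that pass
the Luhn check, so a random run of digits is not reported as a card.

Added example, not Cyphort's code and not the malware's. The buffer below
is constructed and uses well-known industry test card numbers.
"""
import re

# Track 2: ;PAN=YYMM SSS discretionary?   (PAN 13-19 digits, SSS = service code)
TRACK2 = re.compile(rb";(\d{13,19})=(\d{4})(\d{3})(\d*)\?")
# Track 1: %B PAN ^ NAME ^ YYMM SSS discretionary?
TRACK1 = re.compile(rb"%B(\d{13,19})\^([^^]{2,26})\^(\d{4})(\d{3})([^?]*)\?")

# The coarse mapping the post describes. Real issuer (IIN) ranges are finer
# than the first digit; this is enough to triage scraper hits.
BRAND_BY_FIRST_DIGIT = {
    "3": "AMEX/Diners Club", "4": "Visa", "5": "MasterCard", "6": "Discover",
}


def luhn_ok(pan):
    """Standard Luhn checksum: double every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = ord(ch) - ord("0")
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def check_pan(pan):
    """None if the PAN is plausible, otherwise the reason it was rejected."""
    if pan[0] not in BRAND_BY_FIRST_DIGIT:
        return "leading digit outside 3-6"
    if not luhn_ok(pan):
        return "Luhn check failed"
    return None


def mask(pan):
    """Keep the first six and last four digits (IIN and tail), star the rest."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_buffer(buf):
    """Find track 1/2 candidates in a byte buffer, ordered by offset."""
    hits = []
    for track, pattern in (("track1", TRACK1), ("track2", TRACK2)):
        for m in pattern.finditer(buf):
            pan = m.group(1).decode("ascii")
            hits.append({
                "track": track,
                "offset": m.start(),
                "pan_masked": mask(pan),
                "brand": BRAND_BY_FIRST_DIGIT.get(pan[0], "unknown"),
                "rejected": check_pan(pan),
            })
    return sorted(hits, key=lambda h: h["offset"])


# Constructed process-memory snippet: filler, an HTTP fragment, and five
# track-like strings built from public test PANs (4111..., 3782..., 6011...).
SAMPLE_MEMORY = (
    b"\x00" * 16 + b"GET /index.php HTTP/1.1\r\n"
    + b";4111111111111111=25121011234567890?"          # Visa, track 2
    + b"\x90" * 8
    + b"%B378282246310005^DOE/JOHN^2512101000000000?"  # AMEX, track 1
    + b"junk;4111111111111112=2512101?junk"             # fails Luhn
    + b";7111111111111114=2512101?"                     # Luhn-valid, prefix 7
    + b";6011111111111117=2612201?"                     # Discover, track 2
    + b"\x00" * 16
)

if __name__ == "__main__":
    for hit in scan_buffer(SAMPLE_MEMORY):
        print(hit)
```

The leading-digit filter is the behavior the post describes; the Luhn check is what an analyst adds to cut false positives when running the same regexes over a process dump, and the masking keeps full PANs out of triage notes.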
This infection shows how cybercriminals combine multiple infection methods. Exploit kits are usually packaged with exploits for several vulnerable products to increase their coverage. Reports estimate that Angler generates $34 million annually from ransomware alone. This infection shows that the group is after money; we do not know how much they are raking in. Bedep and Vawtrak target consumers, while the RAM-scraping malware targets POS systems. One thing is certain: the group behind this is looking to cash in.
Special thanks to Alex Burt and the rest of Cyphort Labs for their help in discovering and analyzing this infection.
The post Psychcentral.com infected with Angler EK: Installs bedep, vawtrak and POS malware appeared first on Cyphort.