HackDig : Dig high-quality web security articles for hacker

Psychcentral.com infected with Angler EK: Installs bedep, vawtrak and POS malware

2015-11-02 15:30

On October 26, 2015, Cyphort Labs discovered that psychcentral[.]com had been compromised and was infecting visitors with drive-by-download malware. We contacted psychcentral as soon as we discovered the infection. As of October 29, their technical team had identified the problem and addressed the issue. Psychcentral[.]com is a leading independent mental health social network, receiving about 163,846 unique visitors per day.

The site was infected with an iframe injector that redirects visitors to Angler EK. The kit uses a Flash exploit targeting a recent vulnerability in Adobe Flash Player, and we found it installing Bedep and Vawtrak. Bedep is a notorious ad-fraud malware family, and Vawtrak is a banking trojan that followed in the footsteps of Zeus. We have seen Angler deliver Bedep as its payload before, but Vawtrak is a recent addition to its arsenal. Moreover, the Vawtrak sample we obtained downloads a new memory-scraping malware that searches process memory for credit card data, behaviour typical of Point of Sale (POS) malware such as the family that hit Target stores.


Infection Chain




The iframe injection originates from an ad server script that uses Open AdStream (OAS). The script makes a request to oascentral[.]spineuniverse[.]com, which leads to a function OAS_RICH() that is responsible for injecting iframes into the web page.

Ad server script injecting iframe



The webpage finally leads to the Angler EK landing page on margueriteyellow[.]bitcoininvesting[.]net. The landing page uses a Flash exploit that targets the following vulnerability:

  • CVE-2015-5560, affecting Adobe Flash Player versions prior to the patched release on Windows and OS X.

Adobe had already patched this vulnerability in a Flash Player update at the time of this infection.

psychcentral Angler chain: network activity during infection



We were able to obtain 3 executable payloads from this infection:

  • a2ee0c22d0cbdaa1c8de45c4a487b96a – Bedep
  • 28639b2c93a24ed6d178f3098ca23f2e – Vawtrak
  • a1d1ba04f3cb2cc6372b5986fadb1b9f – POS malware



As we have seen in the past, Bedep's function is to run ad-fraud campaigns. It usually arrives encrypted over the network to evade traditional IDS/IPS solutions. It resides on the system as a DLL file, usually under the %PROGRAMDATA% folder, where it creates a folder named after the machine GUID and drops itself there.



Vawtrak (aka Neverquest) is a rising star in the field of financial trojans. It was first discovered in-the-wild in 2013. It arrives using several methods, usually via exploit kits, or as an attachment to spam email, or downloaded by macro malware embedded in Microsoft Office documents and spreadsheets.

It employs functions similar to those used by Zeus, such as web injects to collect confidential banking information and API hooking to intercept browser traffic. It also downloads an encrypted configuration containing the URLs it targets for injection.

The configuration also contains a list of download URLs that point to its additional modules. The sample we obtained has the following download links in its config:

Vawtrak Config file snapshot


The samples downloaded from 176[.]99[.]11[.]154 are its additional modules. One interesting URL is http://46[.]30[.]41[.]16/files/970.exe, a downloader for a new RAM-scraping malware akin to those used in typical POS malware, as described in a Cyphort Special Report.


Vawtrak resides on the system as a DLL file under %PROGRAMDATA%, using random names such as:

  • C:\ProgramData\NuxbuZuzhot.dll

It creates a Run key that executes the DLL through regsvr32.exe, e.g.:

  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    • Value: {FFCF9B6F-7C01-4D05-9D5E-7F8BDD6E0481}
    • Data: regsvr32.exe "C:\ProgramData\NuxbuZuzhot.dll"

It downloads its configuration file from:

  • http://ninthclub.com/Work/new/index.php
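The persistence artefacts above (a GUID-named value under the HKCU Run key whose data runs regsvr32.exe against a DLL in %PROGRAMDATA%) are cheap to hunt for on a fleet. The following Python is an added example, not part of the Cyphort write-up: it parses the text output of `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run` and flags entries that combine several of those traits, so a single benign regsvr32 entry does not fire on its own. The sample output is constructed here so the script runs offline; the Vawtrak line mirrors the value/data shape described in the post (backslashes restored by assumption), and the other entries are invented benign look-alikes for contrast.

```python
import re

# Constructed sample of `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run`
# output. Only the second entry mirrors the Vawtrak artefact from the post; the
# rest are invented benign entries that share one trait each.
SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    {FFCF9B6F-7C01-4D05-9D5E-7F8BDD6E0481}    REG_SZ    regsvr32.exe "C:\ProgramData\NuxbuZuzhot.dll"
    VendorTool    REG_SZ    regsvr32.exe /s "C:\Program Files\Vendor\tool.dll"
    Updater    REG_SZ    C:\ProgramData\Vendor\update.exe
"""

# reg query prints each value as: <indent><name><4 spaces><REG_TYPE><4 spaces><data>
ENTRY_RE = re.compile(r"^\s+(?P<name>.+?)\s{2,}(?P<type>REG_\w+)\s{2,}(?P<data>.*)$")
GUID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")
REGSVR32_RE = re.compile(r"(?i)\bregsvr32(\.exe)?\b")
# Heuristic list of user-writable locations a Run-key binary rarely belongs in.
WRITABLE_DIRS = ("\\programdata\\", "\\appdata\\", "\\users\\public\\", "\\temp\\")

def parse_run_entries(text):
    """Return (value name, data) pairs from reg query output; header/blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group("name"), m.group("data").strip()))
    return entries

def score_entry(name, data):
    """List the suspicious traits one Run entry exhibits (empty list = nothing notable)."""
    reasons = []
    if REGSVR32_RE.search(data):
        reasons.append("regsvr32 in Run key")
    if any(d in data.lower() for d in WRITABLE_DIRS):
        reasons.append("binary in user-writable directory")
    if GUID_RE.match(name):
        reasons.append("GUID-style value name")
    return reasons

def hunt(text, min_reasons=2):
    """Flag entries that stack at least `min_reasons` traits, to keep single-trait noise out."""
    findings = []
    for name, data in parse_run_entries(text):
        reasons = score_entry(name, data)
        if len(reasons) >= min_reasons:
            findings.append({"name": name, "data": data, "reasons": reasons})
    return findings

if __name__ == "__main__":
    for f in hunt(SAMPLE_REG_QUERY):
        print(f"SUSPICIOUS {f['name']} -> {f['data']}  [{', '.join(f['reasons'])}]")
```

On a live host, redirect `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run` to a file and pass its contents to `hunt()`; the same parser works for the HKLM Run and RunOnce keys. Confirm any hit by checking whether the referenced DLL exists, is unsigned and was created around the suspected infection time.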



RAM scraping malware

Vawtrak downloads and executes "970.exe", which in turn downloads a DLL component over TCP port 30970 and saves it as:

  • %ALLUSERS%\Application Data\{random}.dll


It then downloads an additional file via HTTP GET from:


And saves it as:

  • %ALLUSERS%\Application Data\taskhost.exe


taskhost.exe enumerates every running process and checks its memory for credit card information. For each process, it creates a new thread that searches the process memory for Track 1 and Track 2 data:


process enumeration to scrape credit card data



It specifically looks for card numbers that start with 3, 4, 5 or 6, which covers cards such as AMEX and Diners Club (3), Visa (4), MasterCard (5) and Discover (6).

track 1 and track 2 checking
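To make the checks above concrete, here is an added example in Python (not code from the Cyphort analysis, and not the scraper's own logic) that does defensively what taskhost.exe does offensively: it scans a byte buffer for ISO 7813 Track 1 (%B...^...^...?) and Track 2 (;...=...?) records, keeps only PANs whose first digit is 3, 4, 5 or 6, and additionally validates the Luhn check digit, as many POS scrapers do to discard false positives. The memory buffer, card numbers (public test numbers) and field layout are constructed for the example; the exact patterns taskhost.exe uses are not given in the post.

```python
import re

# Constructed sample of process memory as a RAM scraper would see it: two
# magnetic-stripe records (public test card numbers only) surrounded by
# unrelated bytes, plus two decoys that a careful scraper should discard.
SAMPLE_MEMORY = (
    b"\x00\x00GET /checkout HTTP/1.1\r\n\x00"
    b"%B4111111111111111^DOE/JOHN^25121010000000000000?"  # Track 1, Visa
    b"\x90\x90\xff\xfe"
    b";5500000000000004=25121010000000000000?"            # Track 2, MasterCard
    b"\x00;4111111111111112=2512101000000?"                # Track 2, bad Luhn digit
    b";7111111111111111=2512101000000?"                    # Track 2, prefix 7 (not targeted)
    b"\x00\x00"
)

# ISO 7813 layouts: Track 1 = %B<PAN>^<NAME>^<YYMM><service code><discretionary>?
#                   Track 2 = ;<PAN>=<YYMM><service code><discretionary>?
TRACK1 = re.compile(rb"%B(\d{13,19})\^([A-Z /.'-]{2,26})\^(\d{4})(\d{3})([^?]*)\?")
TRACK2 = re.compile(rb";(\d{13,19})=(\d{4})(\d{3})([^?]*)\?")

def luhn_ok(pan: str) -> bool:
    """Return True if the PAN's final digit is a valid Luhn check digit."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def issuer_prefix_ok(pan: str) -> bool:
    """The post says the scraper only keeps PANs starting 3, 4, 5 or 6."""
    return pan[0] in "3456"

def scan_buffer(buf: bytes) -> list:
    """Find Track 1/2 records in a memory buffer; return those passing both filters, by offset."""
    hits = []
    for m in TRACK1.finditer(buf):
        pan = m.group(1).decode()
        if issuer_prefix_ok(pan) and luhn_ok(pan):
            hits.append({"track": 1, "pan": pan, "name": m.group(2).decode(),
                         "exp": m.group(3).decode(), "offset": m.start()})
    for m in TRACK2.finditer(buf):
        pan = m.group(1).decode()
        if issuer_prefix_ok(pan) and luhn_ok(pan):
            hits.append({"track": 2, "pan": pan, "exp": m.group(2).decode(),
                         "offset": m.start()})
    return sorted(hits, key=lambda h: h["offset"])

def mask_pan(pan: str) -> str:
    """Keep BIN and last four only, so a defender's report never stores a full PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

if __name__ == "__main__":
    for h in scan_buffer(SAMPLE_MEMORY):
        print(f"offset {h['offset']:#06x}: track {h['track']} PAN {mask_pan(h['pan'])} exp {h['exp']}")
```

The two decoys show why the prefix and Luhn filters matter: the ;4111111111111112 record is well-formed but has a wrong check digit, and the ;7111... record has a leading digit outside the targeted range, so neither is reported. Run against a process dump, the same scanner tells a responder whether cleartext card data was ever resident in memory on a suspected POS host; never log the unmasked PAN.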



This infection shows how cybercriminals deploy multiple payloads through a single infection. Exploit kits are usually packaged to target several vulnerable software products to increase their coverage. Reports estimate that Angler generates $34 million annually from ransomware alone. In this infection the group is clearly after money, although we cannot tell how much it is raking in: Bedep and Vawtrak target consumers, while the RAM-scraping malware targets POS systems. One thing is certain, the group behind this is looking to cash in.

Special thanks to Alex Burt and the rest of Cyphort Labs for their help in discovering and analyzing this infection.


The post Psychcentral.com infected with Angler EK: Installs bedep, vawtrak and POS malware appeared first on Cyphort.

Source: www.cyphort.com/psychcentral-com-infected-with-angler-ek-installs-bedep-vawtrak-and-pos-malwar
