Friday, April 09, 2010

Keeping Money Mule Recruiters on a Short Leash - Part Four


UPDATED: Saturday, April 10, 2010: Some of the mule recruitment sites appear to be interested in something else, rather than recruiting mules -- must be the oversupply of people unknowingly participating in the cybercrime ecosystem.

Several of the domains (for instance ortex-gourpinc.tw and augmentgroupinc.tw) are no longer accepting registrations; instead, they attempt to trick the visitor into downloading and executing a bogus psychological test.

"Below is a test prepared by professional psychologists and is required in order to be considered a competent candidate for the offered position. After successful completion of your test, you will be asked to register on our web site. If you are not ready to register right away, please wait to take the test at a later point. To REGISTER, simply run the test and you will be prompted to click on the "Register Now" button at any time and you will be redirected to the login page, without having to take the test again.

*This test is under development and we are grateful for all comments and suggestions. *If you are having trouble running the test and your computer is requesting administrative rights, download the test and simply right-click on the Test icon and select "Run As Administrator" from the menu."

- testAugmentInc.exe - Result: 3/38 (7.9%) - Trojan/Win32.Chifrax.gen; Reser.Reputation.1
- testOrtexGroup.exe - Result: 3/39 (7.7%) - Trojan/Win32.Chifrax.gen; Reser.Reputation.1

UPDATED: AS34305, EUROACCESS has taken down the IPs within their network. The money mule recruiters naturally have a contingency plan in place and have migrated to AS38356 - TimeNet (222.35.143.112; 222.35.143.234; 222.35.143.235; 222.35.143.237) and AS21793 - GOGAX (76.76.100.2; 76.76.100.4; 76.76.100.5).


Based on the already established patterns of this group, it was only a matter of time until they re-introduced yet another portfolio of money mule recruitment domains, combining them with spamvertised recruitment messages and forum postings.

Just like their campaign from last month (Keeping Money Mule Recruiters on a Short Leash - Part Three), the current one is once again interacting exclusively with AS34305, EUROACCESS Global Autonomous System, including the newly introduced name servers.

What has changed? It's the migration towards the use of fast-flux infrastructure for ZeuS crimeware serving campaigns, and, in an isolated incident profiled in this post, a money mule recruitment campaign that's also sharing the same fast-flux infrastructure. Combined with the BIZCN.COM, INC. domain registrar's practice of accepting domain registrations using example.com emails, next to ignoring domain suspension requests, you end up with the perfect safe haven for a cybercrime operation.

In March, 2010, it took EUROACCESS less than 10 minutes to undermine their campaigns, including ones residing within the AS of a cybercrime-friendly customer known as 193.104.22.0/24 KratosRoute. However, it's interesting to observe their return to the same ISP, given that they were within a much more cybercrime-friendly neighborhood once EUROACCESS kicked them out last month.

Although last month's takedown activities may seem to have had only a short-lived effect, now that they are not only back but once again abusing EUROACCESS, the loss of OPSEC (operational security) did happen, just as it did in the wake of the TROYAK-AS takedown.

Let's dissect the currently ongoing campaign, with emphasis on a second money mule recruitment campaign that is not just using a fast-flux infrastructure, but is also connected to hilarykneber@yahoo.com (The Kneber botnet - FAQ).


Spamvertised and parked domains on 85.12.46.3; 85.12.46.2; 193.104.106.30 - AS34305, EUROACCESS Global Autonomous System are as follows:

Newly introduced name servers:
ns3.sandhouse.cc - 74.118.194.82 - Email: taunt@freenetbox.ru
ns1.volcanotime.com - 64.85.174.144 - Email: hs@bigmailbox.ru (parked on the same IP is also ns1.jockscreamer.net - Email: free@freenetbox.ru)
ns2.weathernot.net - 204.12.217.252 - Email: bowls@5mx.ru (parked on the same IP is also ns2.worldslava.cc - Email: fussy@bigmailbox.ru)
ns1.uleaveit.com - 64.85.174.146 - Email: plea@qx8.ru
ns2.pesenlife.net - 204.12.217.254 - Email: erupt@qx8.ru
ns3.greezly.net - 204.124.182.151 - Email: erupt@qx8.ru

Name servers known from previous campaigns remain active, using AS34305:
ns1.chinegrowth.cc - 92.63.111.196 - Email: duly@fastermail.ru
ns1.partytimee.cn - 92.63.111.196 - Email: chunk@qx8.ru
ns1.benjenkinss.cn - 92.63.110.85 - Email: chunk@qx8.ru
ns1.translatasheep.net - 92.63.111.127 - Email: stair@freenetbox.ru
ns1.bizrestroom.cc - 92.63.110.85 - Email: hook@5mx.ru
ns2.alwaysexit.com - 85.12.46.2 - Email: sob@bigmailbox.ru
ns2.trythisok.cn - 85.12.46.2 - Email: chunk@qx8.ru

It's been a while since I came across a money mule recruitment campaign using fast-flux infrastructure (Money Mule Recruiters use ASProx's Fast Fluxing Services) that's also currently being used by domains registered using the same emails as the original Hilary Kneber campaigns (Celebrity-Themed Scareware Campaign Abusing DocStoc) from December, 2009, as well as related mule recruitment campaigns (Dissecting an Ongoing Money Mule Recruitment Campaign) from February, 2010.

Moreover, one of the domains sharing the fast-flux infrastructure with the money mule recruitment site (asapfinancialgroup.com - Email: admin@asapfinancialgroup.com) was also profiled in last month's "Zeus Crimeware/Client-Side Exploits Serving Campaign in the Wild".
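
The two pivots this post relies on, shared registrant emails and name servers parked in the same /24, plus the resolution churn that marks a fast-flux domain, can be automated over WHOIS and passive-DNS data. The following is an added illustration, not code from the original post: the domain names, emails and name-server IPs are taken from the post, but which name server each domain uses, the unrelated control domain, and the resolution log are constructed for the demo, with documentation-range IPs standing in for the campaign's real fast-flux addresses.

```python
from collections import defaultdict

# Constructed WHOIS-style records: domain -> (registrant email, name server).
# Names, emails and NS hosts are from the post; the domain-to-NS pairing is
# assumed for the demo, and the last entry is an unrelated control domain.
WHOIS = {
    "altitudegroupinc.tw": ("weds@fastermail.ru", "ns1.volcanotime.com"),
    "augmentgroupinc.tw": ("weds@fastermail.ru", "ns1.uleaveit.com"),
    "arvina-groupco.tw": ("hv@qx8.ru", "ns1.uleaveit.com"),
    "foreaim-groupmain.tw": ("weds@fastermail.ru", "ns2.weathernot.net"),
    "unrelated-shop.example": ("owner@example.org", "ns1.hoster.example"),
}
# Name server -> hosting IP (from the post; the hoster one is a placeholder).
NS_IP = {
    "ns1.volcanotime.com": "64.85.174.144",
    "ns1.uleaveit.com": "64.85.174.146",
    "ns2.weathernot.net": "204.12.217.252",
    "ns1.hoster.example": "203.0.113.53",
}
# Constructed resolution log (domain, answer IP, TTL); made-up doc-range IPs.
RESOLUTIONS = [("asapfinancialgroup.com", f"198.51.100.{n}", 180) for n in range(1, 9)]
RESOLUTIONS += [("unrelated-shop.example", "203.0.113.80", 3600)] * 8

def cluster(whois, ns_ip):
    """Union-find over domains sharing a registrant email or an NS /24."""
    parent = {d: d for d in whois}
    def find(x):
        while parent[x] != x:
            x = parent[x]
        return x
    by_pivot = defaultdict(list)
    for dom, (email, ns) in whois.items():
        by_pivot["email:" + email].append(dom)
        by_pivot["ns24:" + ns_ip[ns].rsplit(".", 1)[0]].append(dom)
    for members in by_pivot.values():
        for dom in members[1:]:
            parent[find(dom)] = find(members[0])
    groups = defaultdict(set)
    for dom in whois:
        groups[find(dom)].add(dom)
    return sorted(sorted(g) for g in groups.values())

def fast_flux_candidates(resolutions, min_ips=5, max_ttl=300):
    """Flag domains answering with many distinct IPs at short TTLs."""
    ips, ttls = defaultdict(set), defaultdict(list)
    for dom, ip, ttl in resolutions:
        ips[dom].add(ip)
        ttls[dom].append(ttl)
    return sorted(d for d in ips if len(ips[d]) >= min_ips and max(ttls[d]) <= max_ttl)
```

Running `cluster(WHOIS, NS_IP)` groups the four recruitment domains together even though foreaim-groupmain.tw is linked only by email and arvina-groupco.tw only by name-server /24, while the control domain stays apart; `fast_flux_candidates(RESOLUTIONS)` flags only the domain with eight short-TTL answers.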



The following ZeuS crimeware, client-side exploit serving, and malware phone-back C&C domains all share the same fast-flux infrastructure:

Name servers of the fast-fluxed domains include:
ns1.hollwear.com - 87.239.22.240 - Email: kymboll@rocketmail.com
ns1.kentinsert.net - 64.120.135.214 - Email: rackmodule@writemail.com
ns1.dimplemolar.net - 207.126.161.29 - Email: carruawau@gmail.com
ns1.megapricelist.net - 66.249.23.63 - Email: jobwes@clerk.com
ns1.bighelpdesk.net - 76.10.203.46 - Email: galaxegalaxe@gmail.com
ns1.linejeans.com - 95.211.86.140 - Email: palmatorz@aol.com
ns1.ceberlin.com - 204.12.210.235

EUROACCESS has been notified; an update will be posted as soon as they take care of the campaign.

Related coverage of money laundering in the context of cybercrime:
Money Mule Recruitment Campaign Serving Client-Side Exploits
Keeping Money Mule Recruiters on a Short Leash - Part Three
Money Mule Recruiters on Yahoo!'s Web Hosting
Dissecting an Ongoing Money Mule Recruitment Campaign
Keeping Money Mule Recruiters on a Short Leash - Part Two
Keeping Reshipping Mule Recruiters on a Short Leash
Keeping Money Mule Recruiters on a Short Leash
Standardizing the Money Mule Recruitment Process
Inside a Money Laundering Group's Spamming Operations
Money Mule Recruiters use ASProx's Fast Fluxing Services
Money Mules Syndicate Actively Recruiting Since 2002

This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter.
