Jerome Segura at the Malware Diaries is reporting that TorrentReactor.net, a high-traffic torrent tracker, is currently serving live exploits through a malicious ad delivered by "Fulldls.com - Your source for daily torrent downloads".
Why déjà vu? Because the TorrentReactor.net malware campaign takes me back to 2008 and some of the very first extensive profiling of Russian Business Network activity: their mass "input validation abuse" campaign, which successfully appeared on numerous high-traffic web sites, serving, guess what? Scareware.
Moreover, despite the surprisingly large number of people still impressed by the cybercriminals' use of HTTP referrers as an evasive practice, these particular campaigns (ZDNet Asia and TorrentReactor IFRAME-ed; Wired.com and History.com Getting RBN-ed; Massive IFRAME SEO Poisoning Attack Continuing) are a great example of the practice in use back then:
- So the malicious parties are implementing simple referrer checks to verify that the end users reaching their IP are the ones they expect to arrive from the campaign, and not client-side honeypots or even security researchers. And if you're not coming from where you're supposed to come from, you get a 404 error message, deceptive to the very end.
The campaign structure, including detection rates, phone-back locations and ZeuS crimeware fast-flux related data, is as follows:
- ads.fulldls.com /phpadsnew/www/delivery/afr.php?zoneid=1&cb=291476
- ad.leet.la /stats?ref=~.*ads\.fulldls\.com$ - 126.96.36.199 - Email: firstname.lastname@example.org (leet.la - 188.8.131.52 - AS12392, ASBRUTELE AS Object for Brutele SC)
- lo.dep.lt /info/us1.html - 184.108.40.206 - lo.dep.lt - 220.127.116.11 - AS49087, Telos-Solutions-AS Telos Solutions LTD
- 18.104.22.168 /de1/index.php; 22.214.171.124 /ca1/main.php - AS50896, PROXIEZ-AS PE Nikolaev Alexey Valerievich
- 126.96.36.199 responding to gaihooxaefap.com - Nikolay Vukolov, Email: email@example.com
Upon successful exploitation, the following malicious pdf is served:
- eac27d.pdf - Exploit.PDF-JS.Gen (v); JS:Pdfka-AET - Result: 6/40 (15%), which when executed phones back to 188.8.131.52 /ca1/banner.php/1fda161dab1edd2f385d43c705a541d3?spl=pdf_30apr and drops:
- myexebr.exe - TSPY_QAKBOT.SMG - Result: 17/41 (41.47%) which then phones back to the ZeuS crimeware C&C: saiwoofeutie.com /bin/ahwohn.bin - 184.108.40.206 - Email: firstname.lastname@example.org
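To make the referrer-gating trick and the chain above concrete from the defender's side, here is an added example (my own code, not from the original post or from any party it describes). It models the Referer condition listed for the ad.leet.la hop and then walks a handful of constructed proxy log lines, built from the hosts and paths in the listing above, to reconstruct the chain per client. The regex interpretation of the `ref=~...` value, the log format, the client addresses and the timestamps are all assumptions; everything else comes from the post.

```python
"""Added example, not code from the original post or from any of the parties it
describes: models the Referer gate described for the ad.leet.la hop and walks a
set of constructed proxy log lines to reconstruct the chain of hosts listed above.
"""
import re
from urllib.parse import urlparse

# The post lists the redirector as ad.leet.la/stats?ref=~.*ads\.fulldls\.com$ .
# Assumption: the text after "ref=~" is a regular expression that the redirector
# applies to the hostname of the visitor's Referer header.
REFERRER_PATTERN = re.compile(r".*ads\.fulldls\.com$")

# Hosts and paths copied from the post, with the role each plays in the chain.
INDICATORS = [
    ("ads.fulldls.com", "/phpadsnew/www/delivery/afr.php", "malvertising ad call"),
    ("ad.leet.la", "/stats", "referrer-gated redirector"),
    ("lo.dep.lt", "/info/us1.html", "landing page"),
    ("22.214.171.124", "/ca1/main.php", "exploit kit entry"),
    ("188.8.131.52", "/ca1/banner.php", "PDF exploit phone-home"),
    ("saiwoofeutie.com", "/bin/ahwohn.bin", "ZeuS C&C check-in"),
]

# Constructed proxy log (not real traffic), one request per line:
# timestamp client method url status referer ("-" when absent).
# Client 10.0.0.5 arrives through the ad; 10.0.0.9 fetches the redirector directly.
SAMPLE_PROXY_LOG = """\
2010-05-01T12:00:01 10.0.0.5 GET http://www.torrentreactor.net/ 200 -
2010-05-01T12:00:02 10.0.0.5 GET http://ads.fulldls.com/phpadsnew/www/delivery/afr.php?zoneid=1&cb=291476 200 http://www.torrentreactor.net/
2010-05-01T12:00:03 10.0.0.5 GET http://ad.leet.la/stats 302 http://ads.fulldls.com/phpadsnew/www/delivery/afr.php?zoneid=1&cb=291476
2010-05-01T12:00:04 10.0.0.5 GET http://lo.dep.lt/info/us1.html 200 http://ad.leet.la/stats
2010-05-01T12:00:05 10.0.0.5 GET http://22.214.171.124/ca1/main.php 200 http://lo.dep.lt/info/us1.html
2010-05-01T12:00:20 10.0.0.5 GET http://188.8.131.52/ca1/banner.php/1fda161dab1edd2f385d43c705a541d3?spl=pdf_30apr 200 -
2010-05-01T12:00:25 10.0.0.5 GET http://saiwoofeutie.com/bin/ahwohn.bin 200 -
2010-05-01T12:05:00 10.0.0.9 GET http://ad.leet.la/stats 404 -
"""


def referrer_gate_opens(referer_header):
    """True when the Referer hostname satisfies the pattern, i.e. the visitor
    came through the Fulldls ad. A missing Referer (direct fetch by an analyst
    or a crawler) fails the check and, per the post, gets a decoy 404 instead."""
    if not referer_header or referer_header == "-":
        return False
    host = urlparse(referer_header).hostname or ""
    return REFERRER_PATTERN.fullmatch(host) is not None


def classify(url):
    """Return the chain role of a requested URL, or None when it matches none of
    the listed indicators (host must match exactly, path by prefix)."""
    parsed = urlparse(url)
    host = parsed.hostname or ""
    for ind_host, ind_path, role in INDICATORS:
        if host == ind_host and parsed.path.startswith(ind_path):
            return role
    return None


def reconstruct_chains(log_text):
    """Group indicator hits per client, in log order. Each hit records the role
    and HTTP status; the gated hop also records whether the referrer check passed,
    so a 404 with gate_open=False is the decoy response rather than a dead host."""
    chains = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, client, _method, url, status, referer = line.split(" ", 5)
        role = classify(url)
        if role is None:
            continue
        hit = {"role": role, "status": int(status)}
        if role == "referrer-gated redirector":
            hit["gate_open"] = referrer_gate_opens(referer)
        chains.setdefault(client, []).append(hit)
    return chains


if __name__ == "__main__":
    for client, hits in reconstruct_chains(SAMPLE_PROXY_LOG).items():
        print(client)
        for hit in hits:
            print("   ", hit)
```

The point of recording `gate_open` next to the status is the one the post makes: when an analyst replays ad.leet.la/stats without the ad server as Referer and sees a 404, the redirector is not down, it has simply declined to serve them. Matching the pattern against the Referer hostname rather than the full URL is what keeps the `$` anchor meaningful; matching it against the whole URL would never succeed once a path follows the host.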
Fast-fluxed domains sharing the same infrastructure:
demiliawes.com - Email: email@example.com
jademason.com - 220.127.116.11; 18.104.22.168; 22.214.171.124; 126.96.36.199; 188.8.131.52; 184.108.40.206; 220.127.116.11; 18.104.22.168 - Email: firstname.lastname@example.org
laxahngeezoh.com - 22.214.171.124; 126.96.36.199; 188.8.131.52; 184.108.40.206; 220.127.116.11; 18.104.22.168; 22.214.171.124; 126.96.36.199 - Email: email@example.com
line-ace.com - Email: firstname.lastname@example.org
xareemudeixa.com - 188.8.131.52; 184.108.40.206; 220.127.116.11; 18.104.22.168; 22.214.171.124; 126.96.36.199; 188.8.131.52; 184.108.40.206 - Email: email@example.com
zeferesds.com - 220.127.116.11; 18.104.22.168; 22.214.171.124; 126.96.36.199; 188.8.131.52; 184.108.40.206; 220.127.116.11; 18.104.22.168 - Email: firstname.lastname@example.org
Name servers of notice:
ns1.rexonna.net - 22.214.171.124 - Email: email@example.com
ns2.rexonna.net - 126.96.36.199
ns1.line-ace.com - 188.8.131.52 - Email: firstname.lastname@example.org
ns2.line-ace.com - 184.108.40.206
ns1.growthproperties.net - 220.127.116.11 - Email: email@example.com
ns2.growthproperties.net - 18.104.22.168
ns1.tropic-nolk.com - 22.214.171.124 - Email: firstname.lastname@example.org
ns2.tropic-nolk.com - 126.96.36.199
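The fast-flux and name server listings above are only useful once you pivot on them, so here is an added example (my own code, not from the original post) that inverts those listings into an IP-to-hostname index, measures how many addresses each pair of fast-flux domains shares, and checks whether the name servers themselves sit inside the same rotating pool. Every domain, name server and address below is copied from the listings in this post; the only additions are the three chain hosts (lo.dep.lt, saiwoofeutie.com, gaihooxaefap.com) taken from the campaign structure earlier in the post, included so they show up in the pivot.

```python
"""Added example, not code from the original post: pivots on the fast-flux
domain and name server listings above to see which addresses and hostnames
tie the infrastructure together. All data is copied from the post's listings.
"""
from collections import defaultdict
from itertools import combinations

# Fast-flux domains -> addresses, exactly as listed in the post (including the
# repeated entries; domains listed without addresses keep an empty list).
FAST_FLUX = {
    "demiliawes.com": [],
    "jademason.com": ["220.127.116.11", "18.104.22.168", "22.214.171.124", "126.96.36.199",
                      "188.8.131.52", "184.108.40.206", "220.127.116.11", "18.104.22.168"],
    "laxahngeezoh.com": ["22.214.171.124", "126.96.36.199", "188.8.131.52", "184.108.40.206",
                         "220.127.116.11", "18.104.22.168", "22.214.171.124", "126.96.36.199"],
    "line-ace.com": [],
    "xareemudeixa.com": ["188.8.131.52", "184.108.40.206", "220.127.116.11", "18.104.22.168",
                         "22.214.171.124", "126.96.36.199", "188.8.131.52", "184.108.40.206"],
    "zeferesds.com": ["220.127.116.11", "18.104.22.168", "22.214.171.124", "126.96.36.199",
                      "188.8.131.52", "184.108.40.206", "220.127.116.11", "18.104.22.168"],
}

# Name servers of notice -> address, from the post.
NAME_SERVERS = {
    "ns1.rexonna.net": "22.214.171.124",
    "ns2.rexonna.net": "126.96.36.199",
    "ns1.line-ace.com": "188.8.131.52",
    "ns2.line-ace.com": "184.108.40.206",
    "ns1.growthproperties.net": "220.127.116.11",
    "ns2.growthproperties.net": "18.104.22.168",
    "ns1.tropic-nolk.com": "22.214.171.124",
    "ns2.tropic-nolk.com": "126.96.36.199",
}

# Hosts from the campaign chain earlier in the post, with the addresses given there.
CHAIN_HOSTS = {
    "lo.dep.lt": ["184.108.40.206", "220.127.116.11"],
    "saiwoofeutie.com": ["184.108.40.206"],     # ZeuS C&C
    "gaihooxaefap.com": ["126.96.36.199"],
}


def unique_ips(domain):
    """De-duplicated address set for a fast-flux domain (the post lists 8 entries
    per domain, but only 6 distinct addresses)."""
    return set(FAST_FLUX[domain])


def ip_index():
    """Invert every listing into address -> sorted hostnames observed on it."""
    idx = defaultdict(set)
    for host, ips in list(FAST_FLUX.items()) + list(CHAIN_HOSTS.items()):
        for ip in ips:
            idx[ip].add(host)
    for ns, ip in NAME_SERVERS.items():
        idx[ip].add(ns)
    return {ip: sorted(hosts) for ip, hosts in idx.items()}


def overlap_matrix():
    """Number of shared addresses for every pair of fast-flux domains that have
    resolutions; a full overlap means the domains ride one rotating pool."""
    with_ips = sorted(d for d, ips in FAST_FLUX.items() if ips)
    return {(a, b): len(unique_ips(a) & unique_ips(b)) for a, b in combinations(with_ips, 2)}


def name_servers_inside_flux_pool():
    """Name servers whose own address is one of the fast-flux addresses: the DNS
    infrastructure is hosted on the same pool it serves, so blocking or sinkholing
    the pool takes the authoritative name servers with it."""
    pool = set().union(*(set(ips) for ips in FAST_FLUX.values()))
    return sorted(ns for ns, ip in NAME_SERVERS.items() if ip in pool)


def co_hosted(host):
    """Every other hostname that shares at least one address with `host`."""
    idx = ip_index()
    ips = set(FAST_FLUX.get(host, [])) | set(CHAIN_HOSTS.get(host, []))
    if host in NAME_SERVERS:
        ips.add(NAME_SERVERS[host])
    related = set()
    for ip in ips:
        related.update(idx.get(ip, []))
    related.discard(host)
    return sorted(related)


if __name__ == "__main__":
    for ip, hosts in sorted(ip_index().items()):
        print(ip, "->", ", ".join(hosts))
    print("name servers inside the flux pool:", name_servers_inside_flux_pool())
    print("co-hosted with the ZeuS C&C:", co_hosted("saiwoofeutie.com"))
```

Two things fall out of running this over the post's own data: every pair of fast-flux domains with resolutions shares all six distinct addresses, and all eight name servers resolve into that same six-address pool, which is the "sharing the same infrastructure" claim above in countable form.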
These particular Russian Business Network iFrame injection campaigns from 2008 used to rely on the following URL for their malicious purposes - a-n-d-the.com/wtr/router.php (188.8.131.52 - INTERCAGE-NETWORK-GROUP2). Why am I highlighting it? Because of the following excerpts from previously profiled campaigns, including one that is directly linked to the Koobface gang's blackhat SEO operations.
U.S Federal Forms Blackhat SEO Themed Scareware Campaign Expanding:
- The compromised/misconfigured web sites participating in this latest blackhat SEO campaign are, surprisingly, redirecting to a-n-d-the.com /wtr/router.php - 184.108.40.206 - Email: email@example.com - AS28753 NETDIRECT AS NETDIRECT Frankfurt, DE if the HTTP referrer condition isn't met. This very same domain -- back then parked at INTERCAGE-NETWORK-GROUP2 -- was also used in the same fashion in the March 2008 massive blackhat SEO campaigns serving scareware.
What this proves is fairly simple - with or without the Russian Business Network the way we used to know it, its customers simply moved on to the competition, whereas the original Russian Business Network simply diversified the ownership of its netblocks.
ZDNet Asia and TorrentReactor IFRAME-ed
Wired.com and History.com Getting RBN-ed
Massive IFRAME SEO Poisoning Attack Continuing
This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter.