Monday, August 29, 2011

Keeping Money Mule Recruiters on a Short Leash - Part Eleven


The following intelligence brief is part of the Keeping Money Mule Recruiters on a Short Leash series. In it, I'll expose currently active money mule recruitment domains, their domain registration details, currently responding IPs, and related ASs.

Money mule recruitment domains:

ACWOODE-GROUP.COM - 78.46.105.205 - Email: admin@acwoode-group.com   
ACWOODE-GROUP.NET - 78.46.105.205 - Email: admin@acwoode-group.net
ART-GAPSON.COM - 78.46.105.205 - Email: admin@art-gapson.com
CONDOR-LLC-UK.NET - Email: admin@condor-llc-uk.net
CONDORLLC-UK.COM - Email: plods@fxmail.net
DE-DVFGROUP.BE
ELENTY-CO.NET - Email: abcs@mailti.com
ELENTY-LLC.COM - 78.46.105.205 - Email: admin@elenty-llc.com
fabia-art.com - 209.190.4.91 - Email: adios@cutemail.org
fine-artgroup.com - 209.190.4.91
GAPSONART.NET - 78.46.105.205 - Email: admin@gapsonart.net
gmd-contracting.com - 194.242.2.56 - Email: admin@gmd-contracting.com   
GURU-GROUP.CC - 78.46.105.205 - Email: admin@guru-group.cc
GURU-GROUP.NET - 78.46.105.205 - Email: jj@cutemail.org
INTECHTODEX-GROUP.COM - 78.46.105.205 - Email: uq@mail13.com
ltd-scg.net - 209.190.4.91 - Email: amykylir@yahoo.com
NARTEN-ART.COM - 78.46.105.205 - Email: glamor@fxmail.net
NARTENART.NET - 78.46.105.205 - Email: admin@nartenart.net
panart-llc.com - 78.46.105.205 - Email: admin@panart-llc.com
REFINEMENT-ANTIQUE.COM - 78.46.105.205 - Email: xe@fxmail.net
REFINEMENTUK-LTD.NET - 78.46.105.205 - Email: admin@refinementuk-ltd.net
SKYLINE-ANTIQUE.COM - 78.46.105.205 - Email: blurs@mailae.com
SKYLINE-LTD.NET - 78.46.105.205 - Email: admin@skyline-ltd.net
techce-group.com - 184.168.64.173 - Email: admin@techce-group.com
TODEX-GROUP.NET - 78.46.105.205 - Email: admin@todex-group.net
triad-webs.com - 85.17.24.226

The domains reside within the following ASs: AS24940, HETZNER-AS Hetzner Online AG RZ; AS16265, LeaseWeb B.V. Amsterdam; AS26496, GODADDY .com, Inc.; AS10297, RoadRunner RR-RC-Enet-Columbus.

Name servers of notice:
NS1.MKNS.SU - 85.25.250.244 - Email: mkns@cheapbox.ru
NS2.MKNS.SU - 46.4.148.119
NS3.MKNS.SU - 184.82.158.76
NS1.MNAMEDL.SU - 85.25.250.211 - Email: mnamed@yourisp.ru
NS2.MNAMEDL.SU - 46.4.148.118
NS3.MNAMEDL.SU - 184.82.158.75
NS1.MLDNS.SU - 85.25.145.63 - Email: mldns@free-id.ru
NS2.MLDNS.SU - 46.4.148.74
NS3.MLDNS.SU - 184.82.158.74
NS1.NAMESUKNS.CC - Email: pal@bz3.ru
NS2.NAMESUKNS.CC
NS3.NAMESUKNS.CC
NS1.NAMEUK.AT - Email: admin@nameuk.at
NS2.NAMEUK.AT
NS3.NAMEUK.AT
NS1.UKDNSTART.NET - Email: admin@ukdnstart.ne
NS2.UKDNSTART.NET
NS3.UKDNSTART.NET

Monitoring of ongoing money mule recruitment campaigns is ongoing.

Related posts:
Keeping Money Mule Recruiters on a Short Leash - Part Ten
Keeping Money Mule Recruiters on a Short Leash - Part Nine
Keeping Money Mule Recruiters on a Short Leash - Part Eight - Historical OSINT
Keeping Money Mule Recruiters on a Short Leash - Part Seven
Keeping Money Mule Recruiters on a Short Leash - Part Six
Keeping Money Mule Recruiters on a Short Leash - Part Five
The DNS Infrastructure of the Money Mule Recruitment Ecosystem
Keeping Money Mule Recruiters on a Short Leash - Part Four
Money Mule Recruitment Campaign Serving Client-Side Exploits
Keeping Money Mule Recruiters on a Short Leash - Part Three
Money Mule Recruiters on Yahoo!'s Web Hosting
Dissecting an Ongoing Money Mule Recruitment Campaign
Keeping Money Mule Recruiters on a Short Leash - Part Two
Keeping Reshipping Mule Recruiters on a Short Leash
Keeping Money Mule Recruiters on a Short Leash
Standardizing the Money Mule Recruitment Process
Inside a Money Laundering Group's Spamming Operations
Money Mule Recruiters use ASProx's Fast Fluxing Services
Money Mules Syndicate Actively Recruiting Since 2002

This post has been reproduced from Dancho Danchev's blog.

A Peek Inside Web Malware Exploitation Kits

With web malware exploitation kits, continuing to represent the attack method of choice for the majority of cybercriminals thanks to the overall susceptibility of end and enterprise users to client-side exploitation attacks, it's always worth taking a peek inside them from the perspective of the malicious attacker.

In this post, we'll take a peek inside three web malware exploitation kits, and discuss what makes them think in terms of infected OSs, browser plugins and client-side exploits.

_Dragon Pack Web Malware Exploitation Kit

What we've got here is a rather modest in terms of activity, web malware exploitation kit admin panel. We've got 45 successful loads based on 588 unique visits, with the JavaRox exploit executed 42 times, successfully infecting 20 Firefox users. The exploits have successfully loaded on Windows XP 14 times, on Windows XP SP2 3 times, on Windows Vista 12 times, and on Windows 7 15 times.

_Dragon Exploit Pack

The Dragon Exploit Pack has 45 successful loads based on 587 unique visitors, with the JavaJDK exploit executed successfully 42 times. The kit is counting 13 successful loads on MSIE 8, and another 20 on Firefox, with 14 successful loads recorded for Windows XP, 2 on Windows XP SP2, 12 on Windows Vista and 15 on Windows 7.

_Katrin Exploit Pack
The Katrin Exploit Pack has 3277 successful loads based on 19933 unique visits, which represents a 17.32% infection rate. The Java JSM exploit has been successfully loaded 535 times, Java SMB has been loaded 576 times, Java OBE has been loaded 914 times, Old 4 PDF has been loaded 87 times, Libtiff PDF has been loaded 726 times, MDAC has been loaded 96 times,  Snapshot has been loaded 104 times, and HCP has been loaded 239 times.

The kit is counting 452 successful exploitation attempts against MSIE 5, 786 against MSIE7, 1198 against MSIE 8, 274 against Chrome, 522 against Firefox, 24 against Opera and 14 against Safari. The majority of loads have affected Windows XP installations, with 2107 successful loads targeting the OS, following 625 on Windows Vista, and 503 on Windows 7.

_Liberty Exploit Pack
The Liberty Exploit pack screenshot, is showing the proportion successfully infected web browsers, with total of 555 successful loads based on 3029 unique visitors. 397 loads have affected Internet Explorer 6, 89 Internet Explorer 7, and 54 Firefox.

_Bleeding Life Exploit Pack
In this Bleeding Life web malware exploitation kit, we can clearly seen the dynamics behind the infections taking place. We see 554 successful loads based on 4106 unique visitors. JavaSignedApplet has been executed 161 times, Adobe-90-2010-0188 has been executed 67 times, Adobe-80-2010-0188 has been executed 46 times, Java-2010-0842 has been executed 203 times, Adobe-2008-2992 has been executed 74 times, and Adobe-2010-1297 has been executed 2 times.

The majority of the infected population is based in the U.S, United Kingdom, Qatar, and Malaysia. Windows XP has the highest market share of infected OSs, with 336 successful loads based on 2098 unique visitors. Followed by Windows 7 with 139 loads based on 1256 unique visitors, and 73 unique loads based on 719 unique visitors for Windows Vista.

This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter.