On January 09, 2012 I exposed Koobface botnet master KrotReal. On January 16, 2012, The New York Times went public with data from Facebook Inc. exposing the identities of the rest of the group. What happened? With the botnet masters still at large, and the Koobface botnet currently offline, a logical question emerges - what are these cybercriminals up to now that they're no longer involved in managing Koobface?
Cybercrime as usual!
Continuing to squeeze the cybercrime ecosystem, and keep known bad actors on a short leash, in this intelligence brief I'll expose Anton Nikolaevich Korotchenko a.k.a KrotReal's s latest activities, indicating that he's currently busy experimenting with two projects:
- A Black Hat (SEO) Search Engine Optimization related service/product
- Underground traffic exchange/pay-pay-install network currently distributing localized Ransomware
Let's start by profiling his Black Hat SEO service/product, currently hosted on one of the domains he registered in 2011.
trafficconverter.in - 188.8.131.52 - Email: firstname.lastname@example.org
Created On:28-Jul-2011 12:37:45 UTC
Last Updated On:28-Jun-2012 08:11:43 UTC
Expiration Date:28-Jul-2013 12:37:45 UTC
More domains presumably to be used for Black Hat SEO purposes registered with KrotReal's personal email account (email@example.com):
How is he actually monetizing the hijacked traffic? Keep reading. Now it's time to expose his malicious activities in the form of spreading localized Ransomware variants. For the record, the Koobface gang distributed primarly scareware -- there's evidence that the group was also involved in other malicious campaigns -- and even bragged about the fact that they're not damaging infected user PCs.
What's particularly interesting about profiling this campaign, is that it's a great example of double-layer monetization, as KrotReal is earning revenue through the Traffic Holder Adult Affiliate Program, in between serving client-side exploits and ultimately dropping Ransomware on the affected host using the same redirection chain.
Sample malicious domain name reconnaissance:
traffictracker.in - 184.108.40.206 (AS24940) - Email: firstname.lastname@example.org
Created On:22-Nov-2011 13:42:53 UTC
Last Updated On:22-Nov-2012 22:33:25 UTC
Expiration Date:22-Nov-2013 13:42:53 UTC
Responding to the same IP 220.127.116.11 (AS24940):
Sample malicious activity redirection chain: hxxp://traffictracker.in/in.cgi?11¶meter=nude+girls&CS=1 -> hxxp://celeb-search.com/in.php?source=th&q=nude+girls -> hxxp://celeb-search.com/in3.php?source=th&q=nude+girls -> hxxp://www.trafficholder.com/in/in2.php?ppillow-pics_erotic -> hxxp://hit.trafficholder.com/cgi-bin/traffic/process.fcgi?a=ppillow&c=1&n=pics_erotic&r= -> hxxp://gravityexp.com/go.php?sid=12 -> hxxp://nosnowfevere.com/ZqRqk (exploiting CVE-2008-5353) -> hxxp://nosnowfevere.com/oxsXAE?KpDzQ=61 -> hxxp://nosnowfevere.com/ZqRqk -> hxxp://nosnowfevere.com/EHSvFc -> hxxp://nosnowfevere.com/XMDrkH
KrotReal's Traffic Holder Adult Affiliate Network ID is ppillow-pics_erotic.
Malicious domain names reconnaissance:
gravityexp.com - returns "Digital River GmbH" on its home page - 18.104.22.168 - Email: email@example.com
Updated Date: 30-aug-2012
Creation Date: 30-aug-2012
Expiration Date: 30-aug-2013
nosnowfevere.com - 22.214.171.124 - Email: firstname.lastname@example.org
Updated Date: 25-nov-2012
Creation Date: 25-nov-2012
Expiration Date: 25-nov-2013
Upon successful client-side exploitation, the campaign drops MD5: d234a238eb8686d08cd4e0b8b705da14 - detected by 10 out of 43 antivirus scanners as Trojan.Winlock.7431
Sample screenshot displayed to users from geolocated countries:
MD5: fd47fe3659d7604d93c3ce0c0581fed7 - detected by 4 out of 44 antivirus scanners as Exploit:Java/CVE-2012-5076.BBW
MD5: e47991d7f172e893317f44ee8afe3811 - detected by 5 out of 44 antivirus scanners as JS:Pdfka-gen [Expl]
MD5: 7e58703026c7ffba05ac0d2ae4d3c62f - detected by 5 out of 44 antivirus scanners as Exploit:Java/CVE-2012-1723!generic
Ransomware C&C malicious domain name reconnaissance:
sarscowoy.com - currently responds to 126.96.36.199 (AS20773); 188.8.131.52 (AS20773) - Email: email@example.com
On 2012-06-21 the domain responded to 184.108.40.206 (AS33626), then on 2012-07-01 it changed IPs to 220.127.116.11 (AS20773), then again on 2012-11-14 it changed IP to 18.104.22.168 (AS20773), followed by one last change on 2012-11-24 to 22.214.171.124 (AS20773)
One more MD5 is known to have phoned back to the same Ransomware C&C URL - MD5: 1600577edece1efe11c75158f9dd24db - detected by 28 out of 38 antivirus scanners as Trojan:Win32/Tobfy.H
Interestingly, the cybercriminals behind the Ransomware left the administration panel open to anyone who wants to take a look at the way the whole process works.
Sample screenshot of the administration panel:
More domains are currently responding to the same IPs (126.96.36.199; 188.8.131.52):
bussinesmail.org - Email: firstname.lastname@example.org
elitesecuritynet.com - Email: email@example.com
ideasdeunion.com - Email: firstname.lastname@example.org
ineverworrynet.com - email@example.com
testcitycheckers.com - firstname.lastname@example.org
uneugroup.com - Email: email@example.com
winntegroups.eu - Email: firstname.lastname@example.org
sexchatvideo.org - Email: email@example.com
quasarnet.co - Email: firstname.lastname@example.org
What we've got here is a great example of the following - when you don't fear legal prosecution for your fraudulent activities over a period of several years, earning you potentially hundreds of thousands of dollars, you just launch new projects, continuing to cause more harm and fraudulently obtain funds from infected victims.
For those who are interested in more details on the technical side of this Ransomware, you should consider going through this research.
Hat tip to Steven Adair from Shadowserver for the additional input.
This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter.