Monday, November 04, 2013

Malicious Script Artifacts at China Green Dot Gov Dot Cn - A Reminiscence of Asprox's Multi-Tasking Activities


Malware artifacts, abandoned mass iframe embedding/injection campaigns, and low Quality Assurance (QA) campaigns continue popping up on everyone's radar, raising eyebrows as to whether they reflect incompetence, a possible evasive tactic, a plain lack of applied QA in maintaining the campaign, or simply the end of a campaign's life cycle.

What's the value of assessing such an inactive campaign? Can the analysis provide clues about related, currently active malicious campaigns, which, as is typical for campaigns of this type, continue relying on the same malicious infrastructure? But of course.

Let's assess the malicious artifacts at hxxp://chinagreen.gov.cn, connect them to the multi-tasking activities conducted on behalf of the Asprox botnet, as well as several spamvertised malware campaigns circa 2010, and most importantly provide actionable intelligence on currently active campaigns that continue using the very same infrastructure for command and control purposes.

Malicious scripts at China Green Dot Gov Dot CN:
update.webserviceftp.ru/js.js - seen in "Dissecting the Xerox WorkCentre Pro Scanned Document Themed Campaign"
gdi.webserviceftp.ru/js.js - seen in "Dissecting the Xerox WorkCentre Pro Scanned Document Themed Campaign"
ver.webserivcekota.ru/js.js - seen in "Dissecting the Xerox WorkCentre Pro Scanned Document Themed Campaign"
batch.webserviceaan.ru/js.js - seen in "Dissecting the Xerox WorkCentre Pro Scanned Document Themed Campaign"
nemohuildiin.ru/tds/go.php?sid=1 - seen in "Dissecting the Xerox WorkCentre Pro Scanned Document Themed Campaign"
parkperson.ru:8080/index.php?pid=13 - seen in "Spamvertised Best Buy, Macy's, Evite and Target Themed Scareware/Exploits Serving Campaign"
nutcountry.ru:8080/index.php?pid=13 - seen in "Spamvertised Best Buy, Macy's, Evite and Target Themed Scareware/Exploits Serving Campaign"
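The artifacts above are what an injected loader looks like from the site owner's side: a remote `<script src>` or a hidden `<iframe>` pointing at a third-party host, sometimes on a non-standard port such as 8080. The following is an added example, not code from the post or from any tool it mentions, of how a defender can sweep a page's HTML for such references. The watchlist is built from the hosts listed above; the sample page is constructed here and is not the real chinagreen.gov.cn content.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Watchlist built from the script hosts listed in the post above.
KNOWN_BAD_DOMAINS = {
    "update.webserviceftp.ru", "gdi.webserviceftp.ru", "ver.webserivcekota.ru",
    "batch.webserviceaan.ru", "nemohuildiin.ru", "parkperson.ru", "nutcountry.ru",
}

# Constructed sample page (not the real chinagreen.gov.cn content): one legitimate
# site-relative script, one injected remote script, and one hidden iframe on port 8080.
SAMPLE_PAGE = """<html><head>
<script src="/static/app.js"></script>
<script src="http://update.webserviceftp.ru/js.js"></script>
</head><body><p>Welcome</p>
<iframe src="http://parkperson.ru:8080/index.php?pid=13" width="0" height="0"></iframe>
</body></html>"""


class ExternalRefCollector(HTMLParser):
    """Collects every <script src=...> and <iframe src=...> with its attributes."""

    def __init__(self):
        super().__init__()
        self.refs = []  # (tag, src, attrs)

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "iframe"):
            a = dict(attrs)
            if a.get("src"):
                self.refs.append((tag, a["src"], a))


def _is_hidden(attrs):
    """True for the zero-sized or display:none iframes typical of injected loaders."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    return attrs.get("width") in ("0", "1") and attrs.get("height") in ("0", "1")


def audit_page(html, bad_domains=KNOWN_BAD_DOMAINS):
    """Return a list of suspicious external references found in the HTML.

    Each entry is {"tag", "src", "host", "reasons"}; a reference is reported only
    when at least one reason fires, so ordinary same-site scripts stay quiet.
    """
    parser = ExternalRefCollector()
    parser.feed(html)
    findings = []
    for tag, src, attrs in parser.refs:
        # Scheme-relative "//host/x" and absolute URLs both parse to a hostname;
        # site-relative paths produce no hostname and are skipped.
        url = urlparse(src if "//" in src else "//" + src, scheme="http")
        host = (url.hostname or "").lower()
        if not host:
            continue
        reasons = []
        if host in bad_domains or any(host.endswith("." + d) for d in bad_domains):
            reasons.append("known-bad-domain")
        if url.port not in (None, 80, 443):
            reasons.append("non-standard-port")
        if tag == "iframe" and _is_hidden(attrs):
            reasons.append("hidden-iframe")
        if reasons:
            findings.append({"tag": tag, "src": src, "host": host, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_page(SAMPLE_PAGE):
        print(f["tag"], f["host"], ", ".join(f["reasons"]))
```

Run against a crawl of your own site, the "known-bad-domain" reason is the high-confidence hit, while "hidden-iframe" and "non-standard-port" catch injections whose host is not yet on any watchlist and should be reviewed by hand.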

What's so special about the spamvertised Xerox WorkCentre Pro campaign is that, back in 2010, it used to drop an Asprox sample, which naturally phoned back to well-known Asprox C&Cs at the time.

nemohuildiin.ru is known to have responded to 31.31.204.61 and, most recently, to 5.63.152.19.

Known to have responded to the same IP (31.31.204.61) are also the following malicious domains:
000sstd.com
02143.ru
03111991.ru
0414.ru
0424.ru
050175.ru
054ru.ru
06140.ru
0664346910.ru
0801.ru
08108.ru
087474.ru
08755.ru
0925.ru
0go.ru
1-androds.ru
10000taxi.ru
1001domains.ru
100yss.ru
124k.ru

Moreover, we also have a decent number of malicious MD5s known to have used the same IP as a C&C over the last couple of months, indicating that the artifact is still part of the C&C infrastructure of active campaigns.

The following malicious MD5s are also known to have phoned back to the same IP over the last couple of months:
MD5: 3e3d249c43950ac8bedb937f1ea347f5
MD5: 398b5f0c4b8f9adb1db8420801b52562
MD5: 9a1602a2693ae510339ef5f0d25be0b3
MD5: 9bc423773de47d95de1718173ec8485f
MD5: 637db36286b3e300c37e99a0b4772548
MD5: 9829c64613909fbb13fc402f23baff1b
MD5: f23562bafd94f7b836633f1fb7f9e18f
MD5: 7d263c93829447b2399c2e981d66c9df
MD5: 6ee37ead84906711cb2eed6d7f2fcc88
MD5: 54eb099176e7d65817d1b9789845ee4e
MD5: 723618efbd0d3627da09a770e5fd28c2
MD5: 151030c819209af9b7b2ecf2f5c31aa0
MD5: 279d390b9116f0f8ac80321e5fa43453
MD5: f78ff547ce388a403f5ba979025cd556
MD5: afa7090479ac49a3547931fe249c52e3
MD5: a2565684ae4c0af5a99214da83664927
MD5: ce4f032a3e478f4d4cac959b2e999b5a

Known to have responded to 5.63.152.19 are also the following malicious domains:
6tn.ru
azosi.ru
bi-news.ru
buygroup.ru
dnpsirius.ru
enterplus.ru
nemohuildiin.ru
nfs-worlds.ru
rassylka-na-doski.ru
santehnikaoptom.ru
v-odnoklassniki.ru
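The post pivots from one domain to its historical IPs, from those IPs to every other domain and sample that touched them, and back again. As an added example, not the author's code or tooling, here is that pivot written as a graph walk over the relations transcribed from the lists above (the 31.31.204.61 domain list and the MD5 list are truncated to a few entries). The `max_fanout` cap is a heuristic introduced here: an IP that has answered for a very large number of unrelated-looking domains is more likely shared hosting than dedicated C&C, and expanding through it would pull every tenant into the cluster.

```python
from collections import defaultdict, deque

# Resolution and beaconing relations transcribed from the post above; the domain
# list for 31.31.204.61 and the MD5 list are truncated to a few entries each.
DOMAIN_TO_IPS = {
    "nemohuildiin.ru": {"31.31.204.61", "5.63.152.19"},
    "000sstd.com": {"31.31.204.61"},
    "02143.ru": {"31.31.204.61"},
    "0go.ru": {"31.31.204.61"},
    "6tn.ru": {"5.63.152.19"},
    "azosi.ru": {"5.63.152.19"},
    "bi-news.ru": {"5.63.152.19"},
}
HASH_TO_IPS = {
    "3e3d249c43950ac8bedb937f1ea347f5": {"31.31.204.61"},
    "398b5f0c4b8f9adb1db8420801b52562": {"31.31.204.61"},
}


def build_graph(domain_to_ips, hash_to_ips):
    """Undirected graph over ("domain"|"md5"|"ip", value) nodes."""
    graph = defaultdict(set)
    for kind, table in (("domain", domain_to_ips), ("md5", hash_to_ips)):
        for value, ips in table.items():
            for ip in ips:
                graph[(kind, value)].add(("ip", ip))
                graph[("ip", ip)].add((kind, value))
    return graph


def pivot(graph, seed, max_hops=2, max_fanout=50):
    """Breadth-first expansion from seed.

    An IP linked to more than max_fanout indicators is treated as shared hosting
    (heuristic assumed here): it is reported but not expanded, so the cluster
    does not absorb every unrelated tenant of that address.
    """
    depth = {seed: 0}
    queue = deque([seed])
    not_expanded = set()
    while queue:
        node = queue.popleft()
        if depth[node] >= max_hops:
            continue
        if node[0] == "ip" and len(graph[node]) > max_fanout:
            not_expanded.add(node)
            continue
        for neighbour in graph[node]:
            if neighbour not in depth:
                depth[neighbour] = depth[node] + 1
                queue.append(neighbour)
    return depth, not_expanded


def cluster(graph, seed, **kwargs):
    """Group reachable indicators by kind and list IPs that were not expanded."""
    depth, not_expanded = pivot(graph, seed, **kwargs)
    grouped = {"domain": set(), "ip": set(), "md5": set()}
    for kind, value in depth:
        grouped[kind].add(value)
    return grouped, {ip for _, ip in not_expanded}


if __name__ == "__main__":
    g = build_graph(DOMAIN_TO_IPS, HASH_TO_IPS)
    found, skipped = cluster(g, ("domain", "nemohuildiin.ru"))
    for kind in ("ip", "domain", "md5"):
        print(kind, sorted(found[kind]))
    print("not expanded (high fan-out):", sorted(skipped))
```

Seeding with nemohuildiin.ru and the default cap returns both IPs, every domain and both hashes; lowering the cap so that 31.31.204.61 exceeds it keeps that IP in the report but stops the walk there, which is the behaviour you want before a noisy address turns a tight cluster into a list of unrelated .ru sites. In practice the resolution dates should also be compared, since two domains that used an IP years apart are weak evidence of a shared operator.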

In a cybercrime ecosystem dominated by leaked DIY mass Web site hacking tools and sophisticated iframe-ing platforms, malicious artifacts are a great reminder that as long as a Web site remains susceptible to remote exploitation, it's only a matter of time before a cybercriminal embeds/injects a malicious script on it. That's cybercrime-friendly common sense.

This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter.