Thursday, January 16, 2014

Facebook Spreading, Amazon AWS/Cloudflare/Google Docs Hosted Campaign, Serves P2P-Worm.Win32.Palevo


A malicious campaign currently circulating across Facebook, targeting Turkish users and relying on multi-layered monetization tactics, is attempting to trick users into thinking that they need to install a fake Adobe Flash Player, displayed on a fake YouTube video page, ultimately serving P2P-Worm.Win32.Palevo on the hosts of the socially engineered (international) users.

Let's dissect the campaign, expose its infrastructure in terms of shortened URLs, redirectors, affiliate network IDs, landing pages, phone-back URLs used for pseudo-random Facebook content generation, and content hosted on legitimate infrastructure, and provide MD5s for the served malicious content.

Sample redirection chain: hxxp://m3mi.com/10469 -> hxxp://facebookikiziniz.com/yon.html?MYtDmZp4xjbUP9A0OHLj -> hxxp://facebookikiziniz.com/yon.html?MYtDmZp4xjbUP9A0OHLj -> hxxp://facebookikiziniz.com/yon.html?MYtDmZp4xjbUP9A0OHLj


Internal campaign redirection structure + associated affiliate network IDs + landing URLs:
hxxp://mobiltrafik.s3.amazonaws.com/mobil.html
hxxp://mobiltrafik.s3.amazonaws.com/yurtdisi-anroid.html -> hxxp://ad.adrttt.com/aff_c?offer_id=1743&aff_id=3236&source=yurtdisi -> hxxp://ads.glispa.com/sw/49399/CD353/1023a788c68361b710b87b8ed4851a -> hxxps://play.google.com/store/apps/details?id=com.mobogenie.markets
hxxp://mobiltrafik.s3.amazonaws.com/yurtdisi-ios.html -> hxxp://ad.rdrttt.com/aff_c?offer_id=302&aff_id=1014 -> hxxp://www.freehardcorepassport.com/?t=116216,1,96,0&x=pornfr_tracker=9208KOm00B0193IbJl3yk01BNW00005m
hxxp://mobiltrafik.s3.amazonaws.com/yurtdisiweb.html -> hxxp://ad.rdrttt.com/aff_c?offer_id=302&aff_id=1014 -> hxxp://ads.polluxnetwork.com/hosted/w2m.php?tid=1023e4f08cae470c2f74aa3d1e2d17&oid=6200&aid=758 -> hxxp://m.pornfr.3013.idhad.com/xtrem/index.wiml
hxxp://mobiltrafik.s3.amazonaws.com/androidwifi.html -> hxxp://ad.adrttt.com/aff_c?offer_id=1743&aff_id=3236&source=yurtici -> hxxp://ads.glispa.com/sw/49399/CD353/1023a788c68361b710b87b8ed4851a
hxxp://mobiltrafik.s3.amazonaws.com/iphonewifi.html -> hxxp://ad.adrttt.com/aff_c?offer_id=1705&aff_id=3236 -> hxxps://itunes.apple.com/tr/app/id451786983?mt=8
hxxp://mobiltrafik.s3.amazonaws.com/turkcell.html -> hxxp://goo.gl/GBKArV
hxxp://mobiltrafik.s3.amazonaws.com/vodofone.html -> hxxp://ad.adrttt.com/aff_c?offer_id=1785&aff_id=3236 -> hxxp://c.mobpartner.mobi/?s=1007465&a=3578&tid1=102afc4360ecadbed491b5c08f7395
hxxp://mobiltrafik.s3.amazonaws.com/avea.html -> hxxp://ad.juksr.com/aff_c?offer_id=709&aff_id=3236 -> hxxp://wap.chatwalk.com/landings/?name=yilbasi2&affid=reklamaction&utm_campaign=3236&clk=1025fa187aca81ce57edf8adca7a9c
hxxp://mobiltrafik.s3.amazonaws.com/trweb.html -> hxxp://ad.adrttt.com/aff_c?offer_id=1689&aff_id=3236&source=yurticidefault -> hxxps://www.matchandtalk.com/splashmobile/10?sid=12&bid=663
hxxp://s3.amazonaws.com/Yonver/tarayici.html -> hxxp://ad.adrttt.com/aff_c?offer_id=1091&aff_id=3236&source=tarayicidan -> hxxps://www.matchandtalk.com/splash/12?sid=12&bid=651&cid=29
hxxp://izleyelim.s3.amazonaws.com/unlu.html -> hxxp://goo.gl/XpNHIL (21,512 clicks) -> hxxps://izleyelim.s3.amazonaws.com/indir.html
hxxps://s3.amazonaws.com/facebookAds/ortaryon.html -> hxxps://www.matchandtalk.com/splash/12?sid=12&bid=651&cid=29


Malicious/fraudulent domain name reconnaissance:
facebookikiziniz.com - 108.162.195.103; 108.162.194.103
ttcomcdn.com - 162.159.241.195; 162.159.242.195 - Email: masallahkilic@hotmail.com
amentosx.com - 141.101.116.113; 141.101.117.113
ad.adrttt.com - 54.236.194.194


The campaign is also mobile-device/PC-aware, and therefore automatically redirects users to a variety of different locations/affiliate networks. Case in point: the redirection to the Mobogenie Market app on Google Play (whose Windows application is detected as Adware.NextLive.2, MD5: 9dd785436752a6126025b549be644e76), and to SK Planet's iOS-compatible TicToc app.

Now comes the malicious twist, in the form of a fake Adobe Flash Player that socially engineered users would have to install in order to view the non-existent YouTube video content.


Actual Fake Adobe Flash Player hosting locations within Google Docs:
hxxps://docs.google.com//uc?authuser=0&id=0B9oVyH_w8BCFcWZlRGY0V1IxNVU
hxxps://docs.google.com//uc?authuser=0&id=0B9oVyH_w8BCFQVBsdVVOekYyNGs
hxxps://docs.google.com//uc?authuser=0&id=0B9oVyH_w8BCFaEN2TnE4M0sxWHM
hxxps://docs.google.com//uc?authuser=0&id=0B9oVyH_w8BCFVXRnbkYtNG5wVDA
hxxps://docs.google.com//uc?authuser=0&id=0B9oVyH_w8BCFR2NnRXFRUmtNTTQ
hxxps://docs.google.com//uc?authuser=0&id=0B9oVyH_w8BCFOWFGZnlxMkZWcUE
hxxps://docs.google.com//uc?authuser=0&id=0B9oVyH_w8BCFcWZZbTljMkJWZ3c
hxxps://docs.google.com//uc?authuser=0&id=0B9oVyH_w8BCFYkpEdXI4ZGVaaUE
hxxps://docs.google.com//uc?authuser=0&id=0B9oVyH_w8BCFMUxzY0dQTTJMV00
hxxps://docs.google.com//uc?authuser=0&id=0B9oVyH_w8BCFNmROSXhMSGdCYUU
hxxps://docs.google.com//uc?authuser=0&id=0B9oVyH_w8BCFb0RoZVltMmsyRFU
hxxps://docs.google.com//uc?authuser=0&id=0B9oVyH_w8BCFb2k2MFN4QTY1ZUE
hxxps://docs.google.com//uc?authuser=0&id=0B9oVyH_w8BCFb1AzZXI4emlGR00
hxxps://docs.google.com//uc?authuser=0&id=0B9oVyH_w8BCFSDZBRDJ4QjVqdkU
hxxps://docs.google.com//uc?authuser=0&id=0B9oVyH_w8BCFUXgtZ1VQVU9OdVU
hxxps://docs.google.com//uc?authuser=0&id=0B9oVyH_w8BCFUll6c0Y0MWxLZW8
hxxps://docs.google.com//uc?authuser=0&id=0B9oVyH_w8BCFSW55S3R0SWcxdDQ
hxxps://docs.google.com//uc?authuser=0&id=0B9oVyH_w8BCFMWtxaGJTMnpMVDA
hxxps://docs.google.com//uc?authuser=0&id=0B9oVyH_w8BCFSk9yUW5ldDVKaUU
hxxps://docs.google.com//uc?authuser=0&id=0B9oVyH_w8BCFN3pTXzcxcDlObkU
hxxps://docs.google.com//uc?authuser=0&id=0B9oVyH_w8BCFQ0p3dV9qcC1uOFU
hxxps://docs.google.com//uc?authuser=0&id=0B9oVyH_w8BCFOFZRcDZwa0ZfcVk
hxxps://docs.google.com//uc?authuser=0&id=0B9oVyH_w8BCFNkoyNktzQ2dJVlE
hxxps://docs.google.com//uc?authuser=0&id=0B9oVyH_w8BCFS2xJdTE4Nk04QnM


Detection rate for the fake Adobe Flash Player:
MD5: 5bf26bd488503a4b2b74c7393d4136e3 - detected by 3 out of 47 antivirus scanners as P2P-Worm.Win32.Palevo.hexb; PE:Trojan.VBInject!1.6546

Once executed, the sample also drops:
MD5: a8234e13f9e3af4c768de6f2d6204b3c

Once executed, the sample phones back to: akillitelefonburada.com (108.162.196.162).


Sample pseudo-random bogus Facebook content generation takes place through: hxxp://www.amentosx.com/ext/r.php -> hxxps://s3.amazonaws.com/facebookAds/arkadaj.html -> hxxp://ttcomcdn.com/tw.php
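The redirection chains, the affiliate IDs embedded in them, the Google Docs payload locations and the phone-back host listed above are exactly the material a defender would turn into a proxy-log sweep. The following is an added example (Python), not code from the original post or from the blog's author: it parses a subset of the defanged chains copied verbatim from the post, collects the hosts and aff_id values worth alerting on while skipping the legitimate app-store landing pages, and sweeps a few constructed proxy-log lines against them. The log format, the function names and the choice of which hosts count as benign are assumptions; the indicators themselves (hosts, affiliate IDs, Google Docs file ids, phone-back domain) come from the post.

```python
"""Turn the post's redirection chains into an indicator set and sweep
constructed proxy-log lines against it. Added example; not the post's code."""
import re
from urllib.parse import urlsplit, parse_qs

# Subset of the defanged chains quoted in the post (copied verbatim).
CHAINS = [
    "hxxp://m3mi.com/10469 -> hxxp://facebookikiziniz.com/yon.html?MYtDmZp4xjbUP9A0OHLj",
    "hxxp://mobiltrafik.s3.amazonaws.com/yurtdisi-anroid.html -> "
    "hxxp://ad.adrttt.com/aff_c?offer_id=1743&aff_id=3236&source=yurtdisi -> "
    "hxxp://ads.glispa.com/sw/49399/CD353/1023a788c68361b710b87b8ed4851a -> "
    "hxxps://play.google.com/store/apps/details?id=com.mobogenie.markets",
    "hxxp://mobiltrafik.s3.amazonaws.com/vodofone.html -> "
    "hxxp://ad.adrttt.com/aff_c?offer_id=1785&aff_id=3236 -> "
    "hxxp://c.mobpartner.mobi/?s=1007465&a=3578&tid1=102afc4360ecadbed491b5c08f7395",
]
PHONE_BACK_HOST = "akillitelefonburada.com"  # phone-back domain from the post
# Two of the Google Docs file ids hosting the fake Flash Player (from the post).
DOCS_PAYLOAD_IDS = {"0B9oVyH_w8BCFcWZlRGY0V1IxNVU", "0B9oVyH_w8BCFQVBsdVVOekYyNGs"}

# Shared or legitimate hosts: the host alone is not an indicator (assumption).
# Bucket-less s3.amazonaws.com would need a full-path match, so it is skipped here.
BENIGN_HOSTS = {"play.google.com", "itunes.apple.com", "s3.amazonaws.com"}


def refang(url):
    """Convert the post's defanged scheme (hxxp/hxxps) back into http/https."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", url)


def parse_chain(line):
    """Split 'a -> b -> c' into hops, keeping host and affiliate parameters."""
    hops = []
    for raw in line.split(" -> "):
        url = refang(raw.strip())
        parts = urlsplit(url)
        qs = parse_qs(parts.query)
        hops.append({
            "url": url,
            "host": parts.hostname,
            "offer_id": qs.get("offer_id", [None])[0],
            "aff_id": qs.get("aff_id", [None])[0],
        })
    return hops


def extract_indicators(chains):
    """Collect alert-worthy hosts and affiliate IDs across all chains."""
    hosts, aff_ids = set(), set()
    for line in chains:
        for hop in parse_chain(line):
            if hop["host"] and hop["host"] not in BENIGN_HOSTS:
                hosts.add(hop["host"])
            if hop["aff_id"]:
                aff_ids.add(hop["aff_id"])
    hosts.add(PHONE_BACK_HOST)
    return {"hosts": hosts, "aff_ids": aff_ids}


# Constructed proxy-log lines: "<timestamp> <client> <method> <url> <status>".
SAMPLE_LOG = """\
1389880001.123 10.0.0.7 GET http://www.example.com/index.html 200
1389880002.456 10.0.0.7 GET http://ad.adrttt.com/aff_c?offer_id=1743&aff_id=3236&source=yurtdisi 302
1389880003.789 10.0.0.9 GET https://docs.google.com//uc?authuser=0&id=0B9oVyH_w8BCFcWZlRGY0V1IxNVU 200
1389880004.012 10.0.0.9 POST http://akillitelefonburada.com/ 200
1389880005.345 10.0.0.4 GET https://play.google.com/store/apps/details?id=com.mobogenie.markets 200
"""


def sweep_log(log_text, indicators):
    """Return (client, reason) for every log line that touches an indicator."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        client, url = fields[1], fields[3]
        parts = urlsplit(url)
        host = parts.hostname
        qs = parse_qs(parts.query)
        aff = qs.get("aff_id", [None])[0]
        doc_id = qs.get("id", [None])[0]
        if host in indicators["hosts"]:
            hits.append((client, "host:" + host))
        elif aff in indicators["aff_ids"]:
            hits.append((client, "aff_id:" + aff))
        elif host == "docs.google.com" and doc_id in DOCS_PAYLOAD_IDS:
            hits.append((client, "docs-payload-download"))
    return hits


if __name__ == "__main__":
    for client, reason in sweep_log(SAMPLE_LOG, extract_indicators(CHAINS)):
        print(client, reason)
```

Matching on the exact Google Docs file ids rather than on docs.google.com keeps the sweep from flagging every legitimate Drive download, and the same applies to the app-store hosts, which only appear as the final landing pages of the monetization chains.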

This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter.