Tuesday, October 21, 2014

Rogue Android Apps Hosting Web Site Exposes Malicious Infrastructure


With cybercriminals continuing to populate the cybercrime ecosystem with automatically generated and monetized mobile malware variants, we continue to observe a logical shift towards the convergence of cybercrime-friendly revenue-sharing affiliate networks and malicious infrastructure providers, on their way to achieving a positive ROI (return on investment) from their risk-forwarding fraudulent activities.

I've recently spotted a legitimate-looking rogue Android apps hosting Web site, directly connected to a market-leading DIY API-enabled mobile malware generating/monetizing platform, further exposing related fraudulent operations performed using the malicious infrastructure, which I'll expose in this post.

Let's assess the campaign, expose the malicious infrastructure behind it, and list the cybercrime-friendly premium-rate SMS numbers involved in it, as well as the related malicious MD5s known to have participated in the campaign or to have utilized the same malicious infrastructure.

Sample rogue Android apps hosting URL: hxxp://androidapps.mob.wf - 37.1.206.173

Responding to the same IP (37.1.206.173) are also the following fraudulent domains:
hxxp://22-minuty.ru
hxxp://nygolfpro.com
hxxp://bloomster.dp.ua
hxxp://stdstudio.com.ua
hxxp://autosolnce.ru

Detection rate for sample rogue Android apps:
MD5: 4bf349b601fd73c74eafc01ce8ea8be7
MD5: c4508c127029571e5b6f6b08e5c91415
MD5: bd296d35bf41b9ae73ed816cc7c4c38b

Sample redirection chain exposing the fraudulent infrastructure: hxxp://22-minuty.ru -> hxxp://playersharks2.com/player.php/?userid= - 94.242.214.133; 94.242.214.155

Known to have responded to the same IPs (94.242.214.133; 94.242.214.155) are also the following fraudulent domains, participating in a related revenue-sharing affiliate-network-based monetization scheme:

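As an added example (not part of the original post), the following Python sweeps constructed proxy log lines for the campaign indicators quoted above and applies the same shared-IP pivot the post uses to expand the domain list; the squid-style log format and the sample lines are assumptions.

```python
import re
from urllib.parse import urlsplit

# Indicators quoted in the post: the hosting site, its co-hosted domains and the
# affiliate-network IPs reached through the redirection chain.
INDICATOR_URLS = [
    "hxxp://androidapps.mob.wf", "hxxp://22-minuty.ru", "hxxp://nygolfpro.com",
    "hxxp://bloomster.dp.ua", "hxxp://stdstudio.com.ua", "hxxp://autosolnce.ru",
    "hxxp://playersharks2.com",
]
INDICATOR_IPS = {"37.1.206.173", "94.242.214.133", "94.242.214.155"}

# Constructed squid-style access log lines (not real traffic), assumed format:
# timestamp client status method url destination_ip
SAMPLE_LOG = [
    "1413900000.123 10.0.0.5 200 GET http://example.invalid/index.html 203.0.113.10",
    "1413900001.456 10.0.0.5 302 GET http://22-minuty.ru/ 37.1.206.173",
    "1413900002.789 10.0.0.5 200 GET http://playersharks2.com/player.php/ 94.242.214.133",
    "1413900003.012 10.0.0.7 200 GET http://mirror.invalid/app.apk 94.242.214.155",
]
LOG_RE = re.compile(r"^(\S+) (\S+) (\d{3}) (\S+) (\S+) (\S+)$")

def refang(url: str) -> str:
    """Turn a defanged hxxp(s):// indicator back into a parseable URL."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", url)

def indicator_hosts(urls) -> set:
    """Lower-cased hostnames of the defanged indicator URLs."""
    return {urlsplit(refang(u)).hostname.lower() for u in urls}

def scan(log_lines, hosts, ips):
    """Return (line_no, reason) for every line touching the campaign infrastructure."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip rather than abort the sweep
        _, _, _, _, url, dest_ip = m.groups()
        host = (urlsplit(url).hostname or "").lower()
        if host in hosts:
            hits.append((n, f"known domain {host}"))
        elif dest_ip in ips:  # IP pivot: unlisted host served from campaign infrastructure
            hits.append((n, f"host {host} served from known IP {dest_ip}"))
    return hits

if __name__ == "__main__":
    for line_no, reason in scan(SAMPLE_LOG, indicator_hosts(INDICATOR_URLS), INDICATOR_IPS):
        print(f"line {line_no}: {reason}")
```

The fourth sample line is flagged only because its destination IP is on the list, which is how previously unseen domains on the same hosting get surfaced for review.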
Malicious MD5s known to have phoned back to the same IP (94.242.214.133):
MD5: 9ec8aef6dc0e3db8596ac54318847328
MD5: 895c38ec4fb1fbee47bfb3b6ee3a170b
MD5: c4d88b32b605500b7f86de5569a11e22
MD5: 49861fd4748dd57c192139e8bd5b71e3
MD5: 8b350f8a32ef4b28267995cf8f0ceae1

Premium rate SMS numbers involved in the fraudulent scheme:
7151; 9151; 2855; 3855; 3858; 2858; 8151; 7155; 7255; 3190; 3200; 3170; 3006; 3150; 6150; 4124; 4481; 7781; 5014; 1151; 4125; 1141; 1131; 1350; 3354; 7122; 3353; 7132; 3352; 8355; 8155; 8055; 7515; 1037; 1953; 3968; 5370; 1952; 3652; 5373; 9191; 1005; 7019; 7250; 1951; 7015; 7099; 7030


Once executed, MD5: 9ec8aef6dc0e3db8596ac54318847328 phones back to the following C&C servers, further exposing the malicious infrastructure:

What's particularly interesting about this campaign is the fact that the Terms of Service (ToS) presented to gullible and socially engineered end users refer to a well-known Web site (jmobi.net), directly connected with the market-leading DIY API-enabled mobile malware generating/monetization platform extensively profiled in a previously published post.

As cybercriminals continue to achieve cybercrime-ecosystem-wide standardization, we'll continue to observe an increase in fraudulent activity, with the cybercriminals behind it continuing to innovate on their way to efficient monetization schemes and risk-forwarding-centered fraudulent models, further contributing to the adaptive innovation applied to their current TTPs (tactics, techniques and procedures).

This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter.