In this post, I'll profile a money mule recruitment campaign, featuring a custom fake certificate, successfully blocking access to bobbear.co.uk as well as my personal blog, further exposing a malicious infrastructure, that I'll profile in this post.
Let's assess the campaign, and expose the malicious infrastructure behind it.
The fake Sprott Asset Management sites, entices end users into installing the, the fake, malicious certificate, as a prerequisite, to being working with them, with hosting courtesy of ALFAHOSTNET (AS50793), a well known cybercrime-friendly malicious hosting provider, known, to have been involved in a variety of malvertising campaigns, including related malicious campaigns, that I'll expose in this post.
Domain name reconnaissance for the malicious hosting provider:
alfa-host.net - (AS50793) - Email: firstname.lastname@example.org; Name: Mohmmad Ali Talaghat (webalfa.net - 220.127.116.11 also registered with the same email)
Name Server: NS1.ALFA-HOST.NET
Name Server: NS2.ALFA-HOST.NET
Alfa-host LLP - (AS50793)
person: Romanov Artem Alekseevich
address: Kazakhstan, Karagandinskaya obl, Karaganda, ul. Erubaeva 57, 14
Upstream provider reconnaissance:
LLC TC "Interzvyazok"
phone: +380 44 238 6333
fax: +380 44 238 6333
e-mail: dz (at) intersv (dot) com
The same upstream provider (Interzvyazok; intersv.com) is also known to have offered services to yet another bulletproof hosting provider in 2011.
Domain name reconnaissance:
sprottcareers.com - 18.104.22.168; 22.214.171.124
sprottcorporate.com - 126.96.36.199; 188.8.131.52
sprottcorporate.com - 184.108.40.206
sprottweb.com - 220.127.116.11; 18.104.22.168
Domain name reconnaissance:
allianceassetonline.com - 22.214.171.124
allianceassetweb.com - 126.96.36.199
uptusconsulting.net - Email: email@example.com - 188.8.131.52
Known to have responded to the same IP (184.108.40.206) are also the following malicious domains:auditthere.ru
Related MD5s known to have phoned back to the same IP (220.127.116.11):MD5: a9442b894c61d13acbac6c59adc67774
Related malicious domains known to have been active within (AS50793), ALFAHOSTNET:34real.ru
Known to have responded to the same IP (18.104.22.168) in the past, are also the following malicious domains:
liramdelivery.com - Email: firstname.lastname@example.org
ffgroupjobs.com - Email: FfGroupJobs@dnsname.info
ns2.uptusconsulting.net - 22.214.171.124
ns2.sprottcorporate.com - 126.96.36.199
ns2.sprottweb.com - 188.8.131.52
allianceassetweb.com - Email: email@example.com
Surprise, surprise. We've also got the following fraudulent domains, responding to the same name server's IP (184.108.40.206; ns1.oildns.net, ns2.oildns.net) back in 2009.
What's particularly interesting, is the fact, that in 2010, we've also got (220.127.116.11) hosting the following malicious MD5s:
We've also got ns1.oildns.net responding to (18.104.22.168), with the actual name server, known to have hosted, the following malicious MD5s:
Sample detection rate for the malicious certificate:
MD5: ec39239accb0edb5fb923c25ffc81818 - detected by 23 out of 42 antivirus scanners as Gen:Trojan.Heur.SFC.juZ@aC7UB8eib
Sample detection rate for the HOSTS file modifying sample:
MD5: 969001fcc1d8358415911db90135fa84 - detected by 14 out of 42 antivirus scanners as Trojan.Generic.4284920
Once executed, the sample successfully modifies, the HOSTS file on the affected hosts, to block access to:
Sample confirmation email courtesy of Sprott Asset Management:
During all working process you will process incoming and outgoing transfers from our clients. Main duties are: send payments, receive payments, making records of billing, making simple management duties, checking e-mail daily. You have to provide us your cell phone for urgent calls from your manager. If you don’t have a cell phone you will need to buy it. You must have basic computer skills to operate main process of job duties.
During the trial period (1 month), you will be paid 4,600$ per month while working on average 3hours per day, Monday-Friday, plus 8% commission from every payment received and processed. The salary will be sent in the form of wire transfer directly to your account or you may take it from received funds directly. After the trial period your base pay salary will go up to 6,950$ per month, plus 10% commission.
FEES & TRANSFERING PROCEDURE
All fees are covered by the company. The fees for transferring are simply deducted from the payments received. Customer will not contact you during initial stage of the trial period. After three weeks of the trial period you will begin to have contact with the customers via email in regards to collection of the payments. For the first three weeks you will simply receive all of the transferring details, and payments, along with step by step guidance from your supervisor. You will be forwarding the received payments through transferring agents such as Western Union, Money Gram, any P2P agents or by wire transferring.
WESTERN UNION & MONEYGRAM
1. As soon as You receive money transfers from our clients you are supposed to cash it in your bank.
2. You will need to pick up the cash physically at the bank, as well as a transfer to MoneyGram.
3. Please use MoneyGram, located not in your bank, because this providing of anonymosty of our clients.
4. The cashed amounts of money should be transferred to our clients via MoneyGram/Western Union.
according to our transfer instructions except all the fees. The fees are taken from the amount cashed.
5. Not use online service, only physical presence in an office of bank and Western Union.
6. Just after you have transferred money to our clients, please contact your personal manager via e-mail (confirmation of the transfer)
and let him (her) know all the details of your Western Union transfer: SENDER'S NAME, CONTACT DETAILS, ADRESS, AND A REFERENCE NUMBER,
PLEASE BE VERY CAREFUL WHEN YOU RESEND FUNDS, THERE MUST BE NO MISTAKES, because our client will not be able to withdraw the funds.
7. All procedures have to take 1-2 hours, because we have to provide and verify the safety of our clients` money (we have to inform them about all our actions).
Your manager will support you in any step of application process, if you have any questions you may ask it anytime.
Go through related research regarding money mule recruitment:
- Profiling a Novel, High Profit Margins Oriented, Legitimate Companies Brand-Jacking Money Mule Recruitment Scheme
- Spotted: cybercriminals working on new Western Union based ‘money mule management’ script
- Keeping Money Mule Recruiters on a Short Leash - Part Eleven
- Keeping Money Mule Recruiters on a Short Leash - Part Ten
- Keeping Money Mule Recruiters on a Short Leash - Part Nine
- Keeping Money Mule Recruiters on a Short Leash - Part Eight - Historical OSINT
- Keeping Money Mule Recruiters on a Short Leash - Part Seven
- Keeping Money Mule Recruiters on a Short Leash - Part Six
- Keeping Money Mule Recruiters on a Short Leash - Part Five
- The DNS Infrastructure of the Money Mule Recruitment Ecosystem
- Keeping Money Mule Recruiters on a Short Leash - Part Four
- Money Mule Recruitment Campaign Serving Client-Side Exploits
- Keeping Money Mule Recruiters on a Short Leash - Part Three
- Money Mule Recruiters on Yahoo!'s Web Hosting
- Dissecting an Ongoing Money Mule Recruitment Campaign
- Keeping Money Mule Recruiters on a Short Leash - Part Two
- Keeping Reshipping Mule Recruiters on a Short Leash
- Keeping Money Mule Recruiters on a Short Leash
- Standardizing the Money Mule Recruitment Process
- Inside a Money Laundering Group's Spamming Operations
- Money Mule Recruiters use ASProx's Fast Fluxing Services
- Money Mules Syndicate Actively Recruiting Since 2002