Thursday, August 27, 2015

Historical OSINT: OPSEC-Aware Sprott Asset Management Money Mule Recruiters Recruit, Serve Crimeware, And Malvertisements

Cybercriminals continue multitasking, on their way to take advantage of well proven fraudulent revenue sources, further, positioning themselves as opportunistic market participants, generating fraudulent revenues, standardizing and innovating within the context of OPSEC (Operational Security) while enjoying a decent market share within the cybercrime ecosystem.


In this post, I'll profile a money mule recruitment campaign, featuring a custom fake certificate, successfully blocking access to bobbear.co.uk as well as my personal blog, further exposing a malicious infrastructure, that I'll profile in this post.

Let's assess the campaign, and expose the malicious infrastructure behind it.

The fake Sprott Asset Management sites, entices end users into installing the, the fake, malicious certificate, as a prerequisite, to being working with them, with hosting courtesy of ALFAHOSTNET (AS50793), a well known cybercrime-friendly malicious hosting provider, known, to have been involved in a variety of malvertising campaigns, including related malicious campaigns, that I'll expose in this post.


Domain name reconnaissance for the malicious hosting provider:
alfa-host.net - (AS50793) - Email: alitalaghat@gmail.com; Name: Mohmmad Ali Talaghat (webalfa.net - 78.47.156.245 also registered with the same email)
Name Server: NS1.ALFA-HOST.NET
Name Server: NS2.ALFA-HOST.NET

Alfa-host LLP - (AS50793)
person: Romanov Artem Alekseevich
phone: +75.332211183
address: Kazakhstan, Karagandinskaya obl, Karaganda, ul. Erubaeva 57, 14

Upstream provider reconnaissance:
LLC TC "Interzvyazok"
Hvoiki 15/15
04080 Kiev
UKRAINE
phone: +380 44 238 6333
fax: +380 44 238 6333
e-mail: dz (at) intersv (dot) com

The same upstream provider (Interzvyazok; intersv.com) is also known to have offered services to yet another bulletproof hosting provider in 2011.


Domain name reconnaissance:
sprottcareers.com - 193.105.207.105; 88.212.221.46
sprottcorporate.com - 193.105.207.105; 88.212.221.46
sprottcorporate.com - 92.241.162.58
sprottweb.com - 193.105.207.105; 88.212.221.46



Domain name reconnaissance:
allianceassetonline.com - 92.241.162.58
allianceassetweb.com - 88.212.221.41
uptusconsulting.net - Email: terrizziboris@googlemail.com - 92.241.162.58

Known to have responded to the same IP (193.105.207.105) are also the following malicious domains:auditthere.ru
maccrack.ru
nissanmoto.ru
megatuz.ru
basicasco.ru
megatuz.ru
foreks999.ru
monitod.ru
peeeeee.ru
fra8888.ru
inkognittto.ru
lavandas.ru

Related MD5s known to have phoned back to the same IP (193.105.207.105):MD5: a9442b894c61d13acbac6c59adc67774
MD5:7fd31163fe7d29c61767437b2b1234cd
MD5:d90de03caa80506307fc05a0667246ef
MD5:09241426aac7a4aae12743788ce4cff4
MD5:cb74fb88f36b667e26f41671de8e1841
MD5:8efd31e0f3c251a3c7ef63b377edbf9c
MD5:a750359c72de3fc38d2af2670fd1a343
MD5:f0cbef01f5bd1c075274533f164bb06f
MD5:398b06590179be83306b59cea9da79e5

Related malicious domains known to have been active within (AS50793), ALFAHOSTNET:34real.ru
3pulenepro.net
3weselchak.net
analizes.ru
appppa1.ru
arbuz777.ru
arsenalik.ru
assolo.ru
astramani.ru
basicasco.ru
bits4ever.ru
bonokur.ru
boska7.ru
chudachok9.ru
cosavnos.ru
dermidom44.ru
drtyyyt.ru
dvestekkk.ru
ferdinandi.ru
ferzipersoviy.ru
foreks999.ru
fra8888.ru
globus-trio.ru
google-stats.ru
horonili.ru
inkognittto.ru
karlito777.ru
lavandas.ru
ma456.ru
medriop56.ru
megatuz.ru
mnobabla.ru
monitod.ru
offshoreglobal.ru
okrison.com
opitee.ru
otrijek.ru
peeeeee.ru
pohmaroz44.ru
postmetoday.ru
reklamen6.ru
reklamen7.ru
rrrekti.ru
sekretfive.ru
stolimonov.ru
sworo.ru
trio4.ru
update4ever.ru
victorry.ru
vivarino77.ru
vopret.ru
wifipoints.ru

Known to have responded to the same IP (88.212.221.46) in the past, are also the following malicious domains:
liramdelivery.com - Email: carlyle.jeffrey@gmail.com
ffgroupjobs.com - Email: FfGroupJobs@dnsname.info
secretconsumeril.com

Name servers:
ns2.uptusconsulting.net - 92.241.162.58
ns2.sprottcorporate.com92.241.162.58
ns2.sprottweb.com - 92.241.162.58

allianceassetweb.com - Email: martins.allianceam@gmail.com

Surprise, surprise. We've also got the following fraudulent domains, responding to the same name server's IP (92.241.162.58; ns1.oildns.net, ns2.oildns.net) back in 2009.

What's particularly interesting, is the fact, that in 2010, we've also got (92.241.162.58) hosting the following malicious MD5s:
MD5: 8ee5435004ad523f4cbe754b3ecdb86e
MD5: 38f5e6a59716d651915a895c0955e3e6

We've also got ns1.oildns.net responding to (93.174.92.220), with the actual name server, known to have hosted, the following malicious MD5s:
MD5: 5ae4b6235e7ad1bf1e3c173b907def17

Sample detection rate for the malicious certificate:
MD5: ec39239accb0edb5fb923c25ffc81818 - detected by 23 out of 42 antivirus scanners as Gen:Trojan.Heur.SFC.juZ@aC7UB8eib


Sample detection rate for the HOSTS file modifying sample:
MD5: 969001fcc1d8358415911db90135fa84 - detected by 14 out of 42 antivirus scanners as Trojan.Generic.4284920

Once executed, the sample successfully modifies, the HOSTS file on the affected hosts, to block access to:
127.0.0.1 google.com
127.0.0.1 google.co.uk
127.0.0.1 www.google.com
127.0.0.1 www.google.co.uk
127.0.0.1 suckerswanted.blogspot.com
127.0.0.1 ideceive.blogspot.com
127.0.0.1 www.bobbear.co.uk
127.0.0.1 bobbear.co.uk
127.0.0.1 reed.co.uk
127.0.0.1 seek.com.au
127.0.0.1 scam.com
127.0.0.1 scambusters.org
127.0.0.1 www.guardian.co.uk
127.0.0.1 ddanchev.blogspot.com
127.0.0.1 aic.gov.au
127.0.0.1 google.com.au
127.0.0.1 www.reed.co.uk
209.171.44.117 www.sprott.com
209.171.44.117 sprott.com






Sample confirmation email courtesy of Sprott Asset Management:
WORKING PROCESS
During all working process you will process incoming and outgoing transfers from our  clients. Main duties are: send payments, receive payments, making records of billing, making simple management duties, checking e-mail daily. You have to provide us your cell phone for urgent calls from your manager. If you don’t have a cell phone you will need to buy it. You must have basic computer skills to operate main process of job duties.

SALARY
During the trial period (1 month), you will be paid 4,600$ per month while working on average 3hours per day, Monday-Friday, plus 8% commission from every payment received and processed.  The salary will be sent in the form of wire transfer directly to your account or you may take it from received funds directly. After the trial period your base pay salary will go up to 6,950$ per month, plus 10% commission.

FEES & TRANSFERING PROCEDURE
All fees are covered by the company. The fees for transferring are simply deducted from the payments received. Customer will not contact you during initial stage of the trial period. After three weeks of the trial period you will begin to have contact with the customers via email in regards to collection of the payments. For the first three weeks you will simply receive all of the transferring details, and payments, along with step by step guidance from your supervisor. You will be forwarding the received payments through transferring agents such as Western Union, Money Gram, any P2P agents or by wire transferring.

WESTERN UNION & MONEYGRAM
1. As soon as  You receive  money transfers from our clients you are supposed to cash  it in your bank.
2. You will need to pick up the cash physically at the bank, as well as a  transfer to MoneyGram.
3. Please use MoneyGram, located not in your bank, because this providing of anonymosty of our clients.
4. The cashed amounts of money  should be transferred to our clients via MoneyGram/Western Union.
according to our transfer instructions except all the fees. The fees are taken from the amount cashed.
5. Not use online service, only physical presence in an office of bank and Western Union.
6. Just after you have transferred money to our clients, please contact your personal manager via e-mail (confirmation of the transfer)
and let him (her) know all the details of your Western Union transfer: SENDER'S NAME, CONTACT DETAILS, ADRESS, AND A REFERENCE NUMBER,
PLEASE BE VERY CAREFUL WHEN YOU RESEND FUNDS, THERE MUST BE NO MISTAKES, because our client will not be able to withdraw the funds.
7. All procedures have to take 1-2 hours, because we have to provide and verify the safety of our clients` money (we have to inform them about all our actions).

Your manager will support you in any step of application process, if you have any questions you may ask it anytime.


Go through related research regarding money mule recruitment: