Inside a Botnet's Phishing Activities

The following incident response assessment will demonstrate how a botnet's infected hosts can not only be used as stepping stones, but also for the purpose of sending out phishing emails, and hosting the domains used in the scams themselves, thereby forwarding the responsibility for the scams to the infected parties, in between remaining relatively untraceable. 

The malware variants are still in the wild, and the ecosystem itself is currently active as well. 

Upon receiving and sandboxing the malware detected as BKDR_AGENT.AKJZ, Backdoor.Agent.AJU, Proxy-Agent.af.gen and Proxy-Agent.af.gen, BKDR_AGENT.AKJZ, both binaries attempt to connect to several IPs, one's that's resolving to the entire ecosystem's name servers, namely 72.46.130.154. This KISS strategy allows us to quickly expand the entire domain portfolio and the associated phishing campaigns already in the wild. 

Here are the domains serving the phishing pages that are actually hosted on the botnet's infected hosts :

_hxxp://asp29.com

_hxxp://asp63.net

_hxxp://aspx77.in

_hxxp://aspx83.in

_hxxp://aspx94.in

_hxxp://bank45.us

_hxxp://boa23.com

_hxxp://cfm83.net

_hxxp://com94.net

_hxxp://info23.in

_hxxp://net18.in

_hxxp://net73.net

_hxxp://net94.us

_hxxp://pid83.net

_hxxp://ref34.us

_hxxp://sec26.net

_hxxp://sec94.in

_hxxp://sid45.com

_hxxp://site17.in

_hxxp://site37.in

_hxxp://ssd47.com

_hxxp://ssl18.net

_hxxp://ssl19.com

_hxxp://ssl62.net

_hxxp://web42.in

_hxxp://web59.net

_hxxp://web636.com

_hxxp://www84.in

It's quite obvious that their descriptive nature, just like the ones I've discussed before, is to be used in phishing attacks in order to visually social engineer the receipts. And as you can see in the attached graphs, the IPs resolving to the domains are the typical home based infected end users, who would from a theoretical perspective be sending phishing emails to themselves at a later stage. And so once infected the hosts phone back home to receive instructions on participating in the malicius ecosystem by temporarily serving the phishing domains. Upon infection the hosts try to connect to 72.46.129.154; 72.46.130.154; 72.46.136.50 and ns.uk2.net, where for the time being there're twenty different variants that are known to have been using ns.uk2.net for DNS resolving purposes. All of these domains are using the same nameservers indicating their connection. Here are some of the subdomains in the already running, and spammed phishing campaigns :

_hxxp://direct-certs9.bankofamerica.com.ssl36.net

_hxxp://www1.update.microsoft.com.ssl36.net

_hxxp://www7.nationalcity.com.asp29.com/consultnc/form.asp

_hxxp://microsoft.com.sec94.in

_hxxp://direct-certs1.bankofamerica.com.asp63.net

_hxxp://update.microsoft.com.web72.us

_hxxp://bankofamerica.com.web42.in

_hxxp://direct-certs0.bankofamerica.com.web42.in

_hxxp://update.microsoft.com.web72.us

_hxxp://www5.update.microsoft.com.sec94.in

_hxxp://www7.update.microsoft.com.web72.us

Now that the botnet's phishing activities are exposed, it's also important to mention the fact that besides the phishing activities, this is the botnet that's been sending out the recent fake Microsoft Critical Live Update emails.