Friday, March 12, 2010

Scareware, Sinowal, Client-Side Exploits Serving Spam Campaign in the Wild


AS50215 Troyak-as customers are back, with an ugly mix of scareware, sinowal, and client-side exploits serving campaign using the "You don't have the latest version of Macromedia Flash Player" theme. Quality assurance is also in place this time, with the client-side exploit serving domains using a well known "function nerot" obfuscation technique in an attempt to bypass link scanners.

Let's dissect the campaign, list all the typosquatted and spamvertised domains, the client-side exploit serving iFrames and the actual scareware.

Sampled URLs archives .wesh.kr/archive0715/?id=test@test.com; anonymousfiles .wesh.or.kr/archive0715/?id=test@test.com.
Spamvertised and typosquatted currently active domains include:
enyg.ne.kr - Email: EneesC9563@hotmail.com
enyk.ne.kr - Email: EneesC9563@hotmail.com
enyz.ne.kr - Email: EneesC9563@hotmail.com
enyg.kr - Email: EneesC9563@hotmail.com
enyk.kr - Email: EneesC9563@hotmail.com
enyg.co.kr - Email: EneesC9563@hotmail.com
enyk.co.kr - Email: EneesC9563@hotmail.com
enyt.co.kr - Email: EneesC9563@hotmail.com
enyz.co.kr - Email: EneesC9563@hotmail.com
enyg.or.kr - Email: EneesC9563@hotmail.com
enyk.or.kr - Email: EneesC9563@hotmail.com
enyt.or.kr - Email: EneesC9563@hotmail.com
enyz.or.kr - Email: EneesC9563@hotmail.com
enyt.kr - Email: EneesC9563@hotmail.com
enyz.kr - Email: EneesC9563@hotmail.com
erase.co.kr - Email: PalacidoL6860@hotmail.com
erase.ne.kr - Email: PalacidoL6860@hotmail.com
erase.or.kr - Email: PalacidoL6860@hotmail.com
erasm.co.kr - Email: PalacidoL6860@hotmail.com
erasm.kr - Email: PalacidoL6860@hotmail.com
erasm.ne.kr - Email: PalacidoL6860@hotmail.com
erasm.or.kr - Email: PalacidoL6860@hotmail.com
erasv.co.kr - Email: PalacidoL6860@hotmail.com
erasv.kr - Email: PalacidoL6860@hotmail.com
erasv.ne.kr - Email: PalacidoL6860@hotmail.com
erasv.or.kr - Email: PalacidoL6860@hotmail.com
erasw.co.kr - Email: PalacidoL6860@hotmail.com
erasw.kr - Email: PalacidoL6860@hotmail.com
erasw.ne.kr - Email: PalacidoL6860@hotmail.com
erasw.or.kr - Email: PalacidoL6860@hotmail.com
wesc.ne.kr - Email: PalacidoL6860@hotmail.com
wese.co.kr - Email: PalacidoL6860@hotmail.com
wese.kr - Email: PalacidoL6860@hotmail.com
wese.or.kr - Email: PalacidoL6860@hotmail.com
wesh.co.kr - Email: PalacidoL6860@hotmail.com
wesh.kr - Email: PalacidoL6860@hotmail.com
wesh.or.kr - Email: PalacidoL6860@hotmail.com
wesi.co.kr - Email: PalacidoL6860@hotmail.com
wesi.kr - Email: PalacidoL6860@hotmail.com
wesi.or.kr - Email: PalacidoL6860@hotmail.com
wesw.co.kr - Email: PalacidoL6860@hotmail.com
wesw.kr - Email: PalacidoL6860@hotmail.com
wesw.ne.kr - Email: PalacidoL6860@hotmail.com
wesw.or.kr - Email: PalacidoL6860@hotmail.com

Name servers of notice:
ns1.hr-skc.com - 74.117.63.218 - Email: hr@skrealty.net
ns1.welcomhell.com - 74.117.63.218 - Email: klincz@aol.com
ns1.skcstaff.com - 87.117.245.9 - Email: staffing@skhomes.com
ns1.limeteablack.net - 87.117.245.9 - Email: doofi@usa.com

Upon visiting the spamvertised links, the cybercriminals are then enticing the user into manually downloading update.exe - Trojan:Win32/Alureon.DA; Mal/FakeAV-CS - Result: 10/42 (23.81%).

The sample phones back to the following location, downloading the actual scareware (setup.exe - Mal/FakeAV-CS; FakeAlert-FQ - Result: 9/41 (21.96%) ), and ensuring the the cybercriminals phone back with the affiliate ID to confirm a successful installation:
- gotsaved.cn/css/_void/crcmds/main - 91.212.132.7 - Email: georgelem@xhotmail.net
gotsaved.cn/css/_void/srcr.dat
gotsaved.cn/css/_void/crcmds/install
gotsaved.cn/css/_void/crfiles/serf
gotsaved.cn/css/_void/crcmds/builds/bbr
gotsaved.cn/css/_void/crfiles/bbr
gotsaved.cn/css/_void/knock.php

gotsaved.cn/css/_void/crcmds/extra

- automaticallyfind.org/?gd=KCo7MD8uPS4iPA==&affid=XF5W&subid=AQoY&prov=&mode=cr&v=6&newref=1 - 69.39.238.101 - Email: larrypenn@xhotmail.net
automaticallyfind.org/?gd=KCo7MD8uPS4iPA==&affid=Wg==&subid=GwocGwEEHQ==&prov=&mode=cr&v=6nkr
 - beinahet.com/readdatagateway.php?type=stats&affid=319&subid=new&version=3.0&adwareok - 193.169.234.30 - Email: Vrapus.Kamat@gmail.com

- mega-fast.org/page2/setup - 91.212.132.8 - Email: Vrapus.Kamat@gmail.com
mega-fast.org/page2/setup0

Parked on 91.212.132.5, 91.212.132.7, 91.212.132.8 (gotsaved.cn) are also:
airportweb.cn - Email: JoannaWilhelm@xhotmail.net
gotsaved.cn - Email: georgelem@xhotmail.net
gotsick.cn - Email: georgelem@xhotmail.net
gottired.cn - Email: georgelem@xhotmail.net
gotunderway.cn - Email: georgelem@xhotmail.net
gotupset.com - Email: DianaFister@xhotmail.net
methodsweb.com - Email: bryantlew@xhotmail.net
pickingweb.cn - Email: JoannaWilhelm@xhotmail.net
prima-fast.org - Email: Vrapus.Kamat@gmail.com
publishingweb.cn - Email: JoannaWilhelm@xhotmail.net
quickfreescan.org - Email: GrantPursell@xhotmail.net
scanerborn.cn - Email: KristinDunton@xhotmail.net
scanerexcuse.cn - Email: KristinDunton@xhotmail.net
scanernurse.cn - Email: KristinDunton@xhotmail.net
scanerwhatever.cn - Email: KristinDunton@xhotmail.net
senateweb.com - Email: bryantlew@xhotmail.net
webdocuments.cn - Email: JoannaWilhelm@xhotmail.net

Parked on 69.39.238.101 (automaticallyfind.org) are also:
guysfind.org - Email: larrypenn@xhotmail.net
automaticallyfind.org - Email: larrypenn@xhotmail.net
findalternate.org - Email: larrypenn@xhotmail.net

As we've already seen in previous campaigns, each and every domain is embedded with an iFrame, which this time behaves differently, much more covertly than the one used before. ylwgheakrozn.com /ld/nov1/ - 66.135.37.211 - Email: getilak11@yahoo.com would attempt to load the following:
- ylwgheakrozn.com /nte/nov1.php
- ylwgheakrozn.com /nte/avorp1nov1.py
- ylwgheakrozn.com /nte/NOV1.py
  • The folks at FireEye have covered the "function nerot" in depth in January, 2010, and have analyzed a campaign using a similar structure as the current one
But would also attempt to load the nonexistent:
- ylwgheakrozn.com /nte/AVORP1NOV1.exe
- ylwgheakrozn.com /nte/NOV1.exe
- ylwgheakrozn.com /nte/NOV1.asp
- ylwgheakrozn.com /nte/NOV1.html
The campaign ultimately serves Backdoor.Sinowal.DJ; Result: 15/42 (35.71%) through an obfuscated Exploit.PDF-JS.Gen - Result: 18/42 (42.86%).

Parked on same IP where the iFrame domains is, is the remaining portfolio of domains presumably prepared for rotation, in fact some of them are already involved in malicious activity.

At 69.174.245.148; 75.125.212.58; 66.135.37.211; 190.120.228.44 and 76.74.238.94 is the rest of the client-side exploits serving domains portfolio:
aabtiktadve.com - Email: adminhhhPolego@hotmail.com
acdcwpbathr.com - Email: vikolr5ty@yahoo.com
acdlsvladve.com - Email: ade45Meehan4@yahoo.com
aghgiqfathr.com - Email: eeeDalmanbei@yahoo.com
balhimana.com - Email: Malachowski@yahoo.com
dbcavsaddve.com - Email: Wilfredo-admin@yahoo.com
ddehkyhddve.com - Email: admnBowgrenfd@yahoo.com
ddewphwddve.com - Email: W-Leet1210@yahoo.com
dhjgjwgddve.com - Email: adminSeaborn09@yahoo.com
dhjvnvvddve.com - Email: adminSeaborn09@yahoo.com
diaiscjdthr.com - Email: Nelsondwer4@yahoo.com
ejsinlbyidid.com - Email: nerForbes09@yahoo.com
fgdchevuno.net - Email: 22232344sad22b1yj@msanz.com
fgnmgojuno.com - Email: 2223234422awbyj@msanz.com
fgxwuyyuno.com - Email: 2223234422asdbyj@msanz.com
ghedifauno.com - Email: 2223234422asd1byj@msanz.com
ghtsuumuno.com - Email: 222323442qw1e2byj@msanz.com
hdewptwhdve.com - Email: zekoAdmin@yahoo.com
hhjvnzvhdve.com - Email: qwMeier34ed@hotmail.com
jcdcwxbjthr.com - Email: kovin78213@yahoo.com
jefshosjdve.com - Email: Computer66Heads@yahoo.com
kbclyokkthr.com - Email: admHalliday666@yahoo.com
kdvarmgibtp.com - Email: aatrganz10@yahoo.com
lbckqbkldve.com - Email: W-Leet1210@yahoo.com
mcdcwjbmthr.com - Email: Lobertzqeq437@yahoo.com
mghvegumthr.com - Email: eeeDalmanbei@yahoo.com
mjisuvrmthr.com - Email: domainHodge2@hotmail.com
pdecaxcpdve.com - Email: Computer66Heads@yahoo.com
pfgeeeepdve.com - Email: admndomsale12@yahoo.com
pfgfgdepthr.com - Email: finsky777admin@gmail.com
pfgoykopdve.com - Email: Wildeysgh67@yahoo.com
pfgtihtpdve.com - Email: admnBowgrenfd@yahoo.com
pianwinpdve.com - Email: Wilfredo-admin@yahoo.com
qabaqbyqthr.com - Email: admHalliday666@yahoo.com
qabtihtqdve.com - Email: Lawrencee45sd@yahoo.com
qcdvnhvqdve.com - Email: Lawrencee45sd@yahoo.com
qefshvsqdve.com - Email: Wildeysgh67@yahoo.com
qghgixfqthr.com - Email: Nguyen10@gmail.com
qghkqfkqdve.com - Email: adminsales@yahoo.com
qghpbapqdve.com - Email: qwMeier34ed@hotmail.com
qghvexuqthr.com - Email: Richmondsw3d@yahoo.com
qhjcwfbqthr.com - Email: asVeles45@hotmail.com
qlpkoxmdzxsb.com - Email: QLPKOXMDZXSB.COM@domainservice.com
sjidamcsthr.com - Email: Gallippihu67@yahoo.com
sjinfcmsthr.com - Email: domainadmin@navigationcatalyst.com
tbcpbxptdve.com - Email: hoters12admin@yahoo.com
tfgoyqotdve.com - Email: Brodeursdfrtr@yahoo.com
thjgjcgtdve.com - Email: Harrisasasd@yahoo.com
tiashostdve.com - Email: aaLehmann34s@yahoo.com
ubcvesuuthr.com - Email: kovin78213@yahoo.com
uefxrwxudve.com - Email: admndomsale12@yahoo.com
wghgiwfwthr.com - Email: Richmondsw3d@yahoo.com
yvbbpgrixovr.com - Email: dioSingh12@yahoo.com

Monitoring of the campaign is ongoing, updates will be posted as soon as new developments emerge.

Related Troyak-as activity and previous campaigns maintained by their customers:
AS50215 Troyak-as Taken Offline, Zeus C&Cs Drop from 249 to 181
Outlook Web Access Themed Spam Campaign Serves Zeus Crimeware
Pushdo Serving Crimeware, Client-Side Exploits and Russian Bride Scams
PhotoArchive Crimeware/Client-Side Exploits Serving Campaign in the Wild
Tax Report Themed Zeus/Client-Side Exploits Serving Campaign in the Wild
Keeping Money Mule Recruiters on a Short Leash - Part Two

This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter.

No comments:

Post a Comment

Note: Only a member of this blog may post a comment.