UPDATED: Friday, March 26, 2010: In a typical multi-tasking fashion like the one we've seen in previous campaigns, more typosquatted domains are being introduced, this time using the well known IRS Fraud Application theme. What's worth pointing out is that, just like the "Scareware, Sinowal, Client-Side Exploits Serving Spam Campaign in the Wild" campaign from last week, the current one is also launched on Friday.
The reason? A pointless attempt by the gang to increase the lifecycle of the campaign.
- Sample URL: irs.gov.faodqt.com.pl /fraud.applications/application/statement.php
- Client-side exploits serving iFrame URL: klgs.trfafsegh.com /index.php
- Sample detection rate: tax-statement.exe - Trojan-Spy.Win32.Zbot - Result: 29/42 (69.05%), phones back to shopinfmaster .com/cnf/shopinf.jpg
Spamvertised and currently active fast-fluxed domains include:
fercca.com.pl
fercci.com.pl
ferkci.com.pl
fercki.com.pl
foodat.com.pl
foocit.com.pl
forcit.com.pl
footit.com.pl
ferckt.com.pl
forckt.com.pl
foodot.com.pl
footot.com.pl
faodqt.com.pl
foodyt.com.pl
redee3e.com
redee3e.com.pl
redee3e.pl
redee3o.com.pl
eddpiii.com.pl
eddsiii.com.pl
eddsiip.com.pl
eddsiui.com.pl
eddsiuo.com.pl
eddsiuy.com.pl
edduiip.com.pl
edduiiz.com.pl
edduyiz.com.pl
edouyiz.com.pl
ekouyiz.com.pl
Name server of notice:
ns1.globalistory.net - 87.117.245.9 - Email: tompsongand@aol.com
One of TROYAK-AS's most aggressive customers (used to host their Zeus C&Cs there) for Q1, 2010, is once again (latest campaign is from March 12th 2010 - Scareware, Sinowal, Client-Side Exploits Serving Spam Campaign in the Wild) attempting to build a crimeware botnet, by spamvertising the well known PhotoArchive theme, in between serving client-side exploits using an embedded iFrame on the domains in question.
In terms of quality assurance, the campaign is continuing to use it's proven campaign structure. The actual pages are hosting a binary for manual download, in between the iFrame which would inevitably drop the Zeus crimeware.
Just like in previous campaigns, the gang continues to exclusively registering its domains using the ALANTRON BLTD. domain registrar. Let's dissect the ongoing campaign's structure, and expose the domains, and ASs participating in it.
Sample URL/subdomain structure:
archive.pasweq.co.kr /id1007zx/get.php?email=email@mail.com
photostock.pasweq.co.kr
archives.pasweq.co.kr
letitbit.pasweq.co.kr
photobank.pasweq.co.kr
photosbank.pasweq.co.kr
photostock.pasweq.co.kr
Sample message: "Photos Archives Hosting has a zero-tolerance policy against ILLEGAL content. All archives and links are provided by 3rd parties. We have no control over the content of these pages. We take no responsibility for the content on any website which we link to, please use your own discretion while surfing the links. © 2007-2009, Photos Archives Hosting Group, Inc.- ALL RIGHTS RESERVED."
Sample iFrames embedded on the pages include: cogs.trfafsegh.com /index.php - 59.53.91.192 - Email: maple@qx8.ru; klgs.trfafsegh.com /index.php
Sample iFrame campaign structure:
- cogs.trfafsegh.com /index.php
- cogs.trfafsegh.com /l.php
- cogs.trfafsegh.com /statistics.php
- klgs.trfafsegh.com /index.php
- klgs.trfafsegh.com /l.php
- klgs.trfafsegh.com /statistics.php
Parked on the same IP where the iFrame domain is are also the following Zeus C&Cs - dogfoog.net - Email: drier@qx8.ru; countrtds.ru - Email: thru@freenetbox.ru - AS4134 (CHINANET-BACKBONE No.31,Jin-rong Street)
Detection rates: zeus.js - Trojan.JS.Agent.bik - 1/41 (2.44%) serving update.exe - PWS:Win32/Zbot.gen!R - Result: 17/42 (40.48%), PhotoArchive.exe - Trojan.Zbot - Result: 18/41 (43.91%). The client-side exploitation is relying on the Phoenix Exploit's Kit.
Samples phone back to: shopinfmaster.com /cnf/shopinf.jpg - 78.2.153.153; 75.172.92.77; 78.84.78.179; 86.106.228.77; 184.56.245.136;68.49.19.6 - Email: Duran@example.com shopinfmaster.com /shopinf/gate.php
Relying on the ns1.starwarfan.net name server, which is also connected to other Zeus crimeware C&Cs which also respond the same IPs - smotri123.com - Email: smot-smot@yandex.ru domainsupp.net - Email: ErnestJBooth@example.com
Active and fast-fluxed subdomains+domains participating in the campaign:
pasweokz.com - Email: romavesela@yahoo.com
pasweq.co.kr - Email: romavesela@yahoo.com
archive.pasweokz.com
archive.pasweq.co.kr
archives.pasweokz.com
archives.pasweq.co.kr
letitbit.pasweokz.com
letitbit.pasweq.co.kr
photobank.pasweokz.com
photobank.pasweq.co.kr
photosbank.pasweokz.com
photosbank.pasweq.co.kr
photoshock.pasweokz.com
photoshock.pasweq.co.kr
photostock.pasweokz.com
photostock.pasweq.co.kr
Name servers currently in use were also seen in February, 2010 (IRS/PhotoArchive Themed Zeus/Client-Side Exploits Serving Campaign in the Wild)
ns1.addressway.net - 87.117.192.79 - Email: poolbill@hotmail.com
ns1.skc-realty.com - 87.117.192.79 - Email: skc@realty.net
Updates will be posted as soon as new developments emerge. Consider going through the related posts, to catch up with the gang's activities for Q1, 2010.
Related posts:
Scareware, Sinowal, Client-Side Exploits Serving Spam Campaign in the Wild
TROYAK-AS: the cybercrime-friendly ISP that just won’t go away
AS50215 Troyak-as Taken Offline, Zeus C&Cs Drop from 249 to 181
Outlook Web Access Themed Spam Campaign Serves Zeus Crimeware
Pushdo Serving Crimeware, Client-Side Exploits and Russian Bride Scams
PhotoArchive Crimeware/Client-Side Exploits Serving Campaign in the Wild
Tax Report Themed Zeus/Client-Side Exploits Serving Campaign in the Wild
Keeping Money Mule Recruiters on a Short Leash - Part Two
This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter.
Independent Contractor. Bitcoin: 15Zvie1j8CjSR52doVSZSjctCDSx3pDjKZ Email: dancho.danchev@hush.com OMEMO: ddanchev@conversations.im | OTR: danchodanchev@xmpp.jp | TOX ID: 2E6FCA35A18AA76B2CCE33B55404A796F077CADA56F38922A1988AA381AE617A15D3D3E3E6F1
Wednesday, March 24, 2010
Zeus Crimeware/Client-Side Exploits Serving Campaign in the Wild
Independent Security Consultancy, Threat Intelligence Analysis (OSINT/Cyber Counter Intelligence) and Competitive Intelligence research on demand. Insightful, unbiased, and client-tailored assessments, neatly communicated in the form of interactive reports - because anticipating the emerging threatscape is what shapes the big picture at the end of the day. Approach me at dancho.danchev@hush.com
Subscribe to:
Post Comments (Atom)
No comments:
Post a Comment