Thursday, January 16, 2014

Facebook Spreading, Amazon AWS/Cloudflare/Google Docs Hosted Campaign, Serves P2P-Worm.Win32.Palevo


A malicious campaign currently circulating across Facebook, targeting Turkish users and utilizing multi-layered monetization tactics, is attempting to trick users into thinking that they need to install a fake Adobe Flash Player, displayed on a fake YouTube video page, ultimately serving P2P-Worm.Win32.Palevo on the hosts of the socially engineered (international) users.

Let's dissect the campaign, expose its infrastructure in terms of shortened URLs, redirectors, affiliate network IDs, landing pages, phone-back URLs for pseudo-random Facebook content generation and content hosted on legitimate infrastructure, and provide MD5s for the served malicious content.

Sample redirection chain: hxxp://m3mi.com/10469 -> hxxp://facebookikiziniz.com/yon.html?MYtDmZp4xjbUP9A0OHLj -> hxxp://facebookikiziniz.com/yon.html?MYtDmZp4xjbUP9A0OHLj -> hxxp://facebookikiziniz.com/yon.html?MYtDmZp4xjbUP9A0OHLj


Internal campaign redirection structure, associated affiliate network IDs and landing URLs:
hxxp://mobiltrafik.s3.amazonaws.com/mobil.html
hxxp://mobiltrafik.s3.amazonaws.com/yurtdisi-anroid.html -> hxxp://ad.adrttt.com/aff_c?offer_id=1743&aff_id=3236&source=yurtdisi -> hxxp://ads.glispa.com/sw/49399/CD353/1023a788c68361b710b87b8ed4851a -> hxxps://play.google.com/store/apps/details?id=com.mobogenie.markets
hxxp://mobiltrafik.s3.amazonaws.com/yurtdisi-ios.html -> hxxp://ad.rdrttt.com/aff_c?offer_id=302&aff_id=1014 -> hxxp://www.freehardcorepassport.com/?t=116216,1,96,0&x=pornfr_tracker=9208KOm00B0193IbJl3yk01BNW00005m
hxxp://mobiltrafik.s3.amazonaws.com/yurtdisiweb.html -> hxxp://ad.rdrttt.com/aff_c?offer_id=302&aff_id=1014 -> hxxp://ads.polluxnetwork.com/hosted/w2m.php?tid=1023e4f08cae470c2f74aa3d1e2d17&oid=6200&aid=758 -> hxxp://m.pornfr.3013.idhad.com/xtrem/index.wiml
hxxp://mobiltrafik.s3.amazonaws.com/androidwifi.html -> hxxp://ad.adrttt.com/aff_c?offer_id=1743&aff_id=3236&source=yurtici -> hxxp://ads.glispa.com/sw/49399/CD353/1023a788c68361b710b87b8ed4851a
hxxp://mobiltrafik.s3.amazonaws.com/iphonewifi.html -> hxxp://ad.adrttt.com/aff_c?offer_id=1705&aff_id=3236 -> hxxps://itunes.apple.com/tr/app/id451786983?mt=8
hxxp://mobiltrafik.s3.amazonaws.com/turkcell.html -> hxxp://goo.gl/GBKArV
hxxp://mobiltrafik.s3.amazonaws.com/vodofone.html -> hxxp://ad.adrttt.com/aff_c?offer_id=1785&aff_id=3236 -> hxxp://c.mobpartner.mobi/?s=1007465&a=3578&tid1=102afc4360ecadbed491b5c08f7395
hxxp://mobiltrafik.s3.amazonaws.com/avea.html -> hxxp://ad.juksr.com/aff_c?offer_id=709&aff_id=3236 -> hxxp://wap.chatwalk.com/landings/?name=yilbasi2&affid=reklamaction&utm_campaign=3236&clk=1025fa187aca81ce57edf8adca7a9c
hxxp://mobiltrafik.s3.amazonaws.com/trweb.html -> hxxp://ad.adrttt.com/aff_c?offer_id=1689&aff_id=3236&source=yurticidefault -> hxxps://www.matchandtalk.com/splashmobile/10?sid=12&bid=663
hxxp://s3.amazonaws.com/Yonver/tarayici.html -> hxxp://ad.adrttt.com/aff_c?offer_id=1091&aff_id=3236&source=tarayicidan -> hxxps://www.matchandtalk.com/splash/12?sid=12&bid=651&cid=29
hxxp://izleyelim.s3.amazonaws.com/unlu.html -> hxxp://goo.gl/XpNHIL (21,512 clicks) -> hxxps://izleyelim.s3.amazonaws.com/indir.html
hxxps://s3.amazonaws.com/facebookAds/ortaryon.html -> hxxps://www.matchandtalk.com/splash/12?sid=12&bid=651&cid=29
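To make chains like the ones above pivotable, here is an added Python example (not code from the original post) that parses the defanged hxxp:// chain notation, strips parenthetical annotations such as click counts, and groups chains by the aff_id carried on their tracking hop. The sample input is a constructed subset of the chains listed above; the dictionary keys and field names are this example's own.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample: a subset of the redirection chains documented in the post,
# in the same defanged "hxxp://a -> hxxp://b (annotation)" notation.
CHAINS = """\
hxxp://mobiltrafik.s3.amazonaws.com/yurtdisi-anroid.html -> hxxp://ad.adrttt.com/aff_c?offer_id=1743&aff_id=3236&source=yurtdisi -> hxxp://ads.glispa.com/sw/49399/CD353/1023a788c68361b710b87b8ed4851a -> hxxps://play.google.com/store/apps/details?id=com.mobogenie.markets
hxxp://mobiltrafik.s3.amazonaws.com/iphonewifi.html -> hxxp://ad.adrttt.com/aff_c?offer_id=1705&aff_id=3236 -> hxxps://itunes.apple.com/tr/app/id451786983?mt=8
hxxp://mobiltrafik.s3.amazonaws.com/vodofone.html -> hxxp://ad.adrttt.com/aff_c?offer_id=1785&aff_id=3236 -> hxxp://c.mobpartner.mobi/?s=1007465&a=3578&tid1=102afc4360ecadbed491b5c08f7395
hxxp://mobiltrafik.s3.amazonaws.com/avea.html -> hxxp://ad.juksr.com/aff_c?offer_id=709&aff_id=3236 -> hxxp://wap.chatwalk.com/landings/?name=yilbasi2&affid=reklamaction&utm_campaign=3236&clk=1025fa187aca81ce57edf8adca7a9c
hxxp://mobiltrafik.s3.amazonaws.com/trweb.html -> hxxp://ad.adrttt.com/aff_c?offer_id=1689&aff_id=3236&source=yurticidefault -> hxxps://www.matchandtalk.com/splashmobile/10?sid=12&bid=663
hxxp://izleyelim.s3.amazonaws.com/unlu.html -> hxxp://goo.gl/XpNHIL (21,512 clicks) -> hxxps://izleyelim.s3.amazonaws.com/indir.html
"""

HOP_SEP = re.compile(r"\s*->\s*")
# Trailing "(...)" on a hop: an IP, a click count or similar analyst annotation.
ANNOTATION = re.compile(r"\s*\(([^)]*)\)\s*$")


def refang(url):
    """Turn the write-up's hxxp:// / hxxps:// defanging back into a real scheme."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", url)


def parse_chain(line):
    """Split one '->' chain into hops with host, affiliate parameters and annotation."""
    hops = []
    for raw in HOP_SEP.split(line.strip()):
        note = None
        m = ANNOTATION.search(raw)
        if m:
            note = m.group(1)
            raw = raw[:m.start()]
        url = refang(raw)
        parts = urlsplit(url)
        qs = parse_qs(parts.query)
        hops.append({
            "url": url,
            "host": parts.hostname,
            "offer_id": qs.get("offer_id", [None])[0],
            "aff_id": qs.get("aff_id", [None])[0],
            "note": note,
        })
    return hops


def cluster_by_affiliate(text):
    """Group chains by the aff_id on their tracking hop.

    A chain whose hops carry exactly one aff_id is keyed by it; chains with
    several land under "mixed" and chains with none (e.g. the goo.gl
    shortener chain) under "none".
    """
    clusters = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        hops = parse_chain(line)
        tracking = [h for h in hops if h["aff_id"]]
        aff_ids = {h["aff_id"] for h in tracking}
        if len(aff_ids) == 1:
            key = aff_ids.pop()
        elif aff_ids:
            key = "mixed"
        else:
            key = "none"
        clusters[key].append({
            "entry": hops[0]["host"],
            "network": tracking[0]["host"] if tracking else None,
            "landing": hops[-1]["host"],
        })
    return dict(clusters)


if __name__ == "__main__":
    for aff_id, entries in cluster_by_affiliate(CHAINS).items():
        print(aff_id, [(e["entry"], e["network"], e["landing"]) for e in entries])
```

Running it shows that five of the six sample chains share aff_id 3236 across two tracking networks, which is the pivot that ties the mobile and PC variants of the campaign to one affiliate account.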


Malicious/fraudulent domain name reconnaissance:
facebookikiziniz.com - 108.162.195.103; 108.162.194.103
ttcomcdn.com - 162.159.241.195; 162.159.242.195 - Email: masallahkilic@hotmail.com
amentosx.com - 141.101.116.113; 141.101.117.113
ad.adrttt.com - 54.236.194.194


The campaign is also mobile device/PC-aware and therefore automatically redirects users to a variety of different locations/affiliate networks. Case in point: the redirection to Google Play's Mobogenie Market app (the Windows application is detected as Adware.NextLive.2, MD5: 9dd785436752a6126025b549be644e76) and to SK Planet's iOS-compatible TicToc app.

Now comes the malicious twist, in the form of a fake Adobe Flash Player that socially engineered users would have to install in order to view the non-existent YouTube video content.


Actual Fake Adobe Flash Player hosting locations within Google Docs:


Detection rate for the fake Adobe Flash Player:
MD5: 5bf26bd488503a4b2b74c7393d4136e3 - detected by 3 out of 47 antivirus scanners as P2P-Worm.Win32.Palevo.hexb; PE:Trojan.VBInject!1.6546

Once executed, the sample also drops:
MD5: a8234e13f9e3af4c768de6f2d6204b3c

Once executed, the sample phones back to: akillitelefonburada.com (108.162.196.162).


Sample pseudo-random bogus Facebook content generation takes place through: hxxp://www.amentosx.com/ext/r.php -> hxxps://s3.amazonaws.com/facebookAds/arkadaj.html -> hxxp://ttcomcdn.com/tw.php

This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter.

Facebook Spreading, Amazon AWS/Cloudflare/Google Docs Hosted Campaign, Serves P2P-Worm.Win32.Palevo

I've recently spotted a malicious, cybercrime-friendly SWF iframe/redirector injecting service that also exposes a long-running Win32.Nixofro serving malicious infrastructure, currently utilized to operate a rogue social media service provider targeting Turkish Facebook users through the ubiquitous social engineering vector for this type of campaign, namely the fake Adobe Flash Player.

Let's profile the service, discuss its relevance in the broader context of the threat landscape, provide actionable/historical threat intelligence on the malicious infrastructure, the rogue domains involved in it and the malicious MD5s served by the cybercriminals behind it, and directly link it to a previously profiled Facebook spreading, P2P-Worm.Win32.Palevo serving campaign.

The managed SWF iframe/redirector service is a great example of a cybercrime-as-a-service type of underground market proposition, efficiently empowering both sophisticated and novice cybercriminals with the necessary (malvertising) 'know-how', and directly intersecting with the commercial availability of sophisticated mass Web site/Web server malicious script embedding platforms.

The managed SWF iframe/redirector injecting service is currently responding to 108.162.197.62 and 108.162.196.62. Known to have responded to the same IPs (108.162.197.62; 108.162.196.62) is also a key part of the malicious infrastructure that I'll expose in this post, namely hizliservis.pw - Email: furkan@cod.com.

Known to have phoned back to the same IP (108.162.197.62) are also the following malicious MD5s:

Known to have phoned back to the same IP (108.162.196.62) are also the following malicious MD5s:

Sample redirection chain leading to the fake Adobe Flash Player:
hxxp://hizliservis.pw/unlu.htm -> hxxp://hizliservis.pw/indir.php -> hxxp://unluvideolari.info -> hxxp://videotr.in/player.swf -> hxxp://izleyelim.s3.amazonaws.com/movie.mp4&skin=newtubedark/NewTubeDark.xml&streamer=lighttpd&image=hqdefault.jpg

Domain name reconnaissance:
hizliservis.pw - Email: furkan@cod.com
videotr.in - Email: tiiknet@yandex.com; snack@log-z.com
izleyelim.s3.amazonaws.com - 176.32.97.249

Within hizliservis.pw, we can easily spot yet another part of the same malicious/fraudulent infrastructure, namely, the rogue social media distribution platform's login interface.


Sample redirection chain leading to a currently active fake Adobe Flash Player (Win32.Nixofro):
hxxp://socialmediasystem.net/down.php ->  hxxps://profonixback31.googlecode.com/svn/FlashPlayer_Guncelle.exe




Detection rate for the fake Adobe Flash Player:
MD5: 28c3c503d398914bdd2c2b3fdc1f9ea4 - detected by 36 out of 50 antivirus scanners as Win32.Nixofro

Once executed, the sample phones back to profonixuser.net (141.101.117.218).

Known to have responded to the same IP (141.101.117.218) are also the following malicious MD5s:

Domain name reconnaissance for the rogue social media distribution platform:
socialmediasystem.Net (141.101.118.159; 141.101.118.158) - Email: furkan@cod.com

Sample redirection chain for the rogue social media distribution platform's core functions:
hxxp://profonixuser.net/new.php?nocache=1044379803 -> hxxp://sosyalmedyakusu.com/oauth.php (108.162.199.203; 108.162.198.203) Email: furkan@cod.com -> hxxp://hizliservis.pw/face.php -> hxxp://socialhaberler.com/manyak.php -> hxxp://profonixuser.net/new.php -> hxxp://profonixuser.net/amk.php (141.101.117.218) -> hxxp://me.cf/dhtcw (31.170.164.67) -> hxxps://video-players.herokuapp.com/?55517841177 (107.20.187.159) -> hxxp://kingprofonix.net/hxxp://kingprofonix.com (108.162.198.203) the same domain is also known to have responded to 108.162.197.62


Related MD5s known to have phoned back to the same IP (108.162.198.203) in the past:
MD5: 505f615f9e1c4fdc03964b36ec877d57

Sample internal redirectors structure:
hxxp://profonixuser.net/fb.php -> hxxp://profonixuser.net/manyak.php -> hxxp://molotofcu.com/google/hede.php (199.27.134.199) -> hxxp://profonixuser.net/pp.php -> hxxp://gdriv.es/awalbbmprtbpahpolcdt?jgxebgqjl -> hxxps://googledrive.com/host/0B08vFK4UtN5kdjV2NklHVTVjcTQ -> hxxp://sosyalmedyakusu.com/s3x.php?ref=google
hxxp://profonixuser.net/user.php -> hxxp://goo.gl/ber2EP -> hxxps://buexe-x.googlecode.com/svn/FlashPlayer%20Setup.exe -> MD5: 60137c1cb77bed9afcbbbc3ad910df3f -> phones back to wjetphp.com (46.105.56.61)

Secondary sample internal redirectors structure:
hxxp://profonixuser.net/yarak.txt -> hxxp://profonixuser.net/u.exe -> hxxp://profonixuser.net/yeni.txt -> hxxp://profonixuser.net/yeni.exe -> hxxp://profonixuser.net/recep.html -> hxxp://goo.gl/ber2EP -> hxxp://wjetphp.com/unlu/player.swf -> hxxp://profonixuser.net/kral.txt -> hxxp://likef.in/fate.exe - 108.162.194.123; 108.162.195.123; 108.162.199.107 - known to have phoned back to the same IP is also the following malicious MD5: effcfe91beaf7a3ed2f4ac79525c5fc5 - detected by 35 out of 50 antivirus scanners as Trojan-Ransom.Win32.Foreign.kcme


Once executed, the sample phones back to likef.biz (176.53.119.195). The same domain is also known to have responded to the following IPs 141.101.116.165; 141.101.117.165.

Here comes the interesting part. The fine folks at ExposedBotnets have already intercepted a malicious Facebook spreading campaign that's using videotr.in, already profiled in this post.

Having directly connected the cybercrime-friendly SWF iframe/redirector injecting service with hizliservis.pw, as well as the SocialMediaSystem, as part of the same malicious infrastructure, it's time to profile the fraudulent/malicious adversaries behind the campaigns. The cybercriminals behind these campaigns appear to be operating a rogue social media service targeting Facebook Inc.

Sample screenshots of the social media distribution platform's Web based interface:



Sample advertisement of the rogue social media distribution platform:




Skype ID of the rogue company: ProFonixcod
Secondary company name: ProfMedya - hxxp://profmedya.com - 178.33.42.254; 188.138.9.39; 89.19.20.242 - Email: kayahoca@gmail.com. The same domain, profmedya.com, used to respond to 188.138.9.39.

Domains known to have responded to the same IP (188.138.9.39) are also the following malicious domains:

Rogue social media distribution platform operator's name: Fatih Konar
Associated emails: fiberbayimdestek@hotmail.com.tr; nerdenezaman@hotmail.com.tr
Google+ Account: hxxps://plus.google.com/103847743683129439807/about
Twitter account: hxxps://twitter.com/ProfonixCodtr

Domain name reconnaissance:
profonixcod.com (profonix-cod.com) - 216.119.143.194 - Email: abazafamily_@hotmail.com (related domains known to have been registered with the same email - warningyoutube.com; likebayi.com)
profonixcod.net

Updates will be posted as soon as new developments take place.

Thursday, January 09, 2014

Dissecting the Ongoing Febipos/Carfekab Rogue Chrome/Firefox Extensions Dropping, Facebook Circulating Malicious Campaign


And, (not surprisingly) they're back! The cybercriminal(s) behind the 1 million+ clicks strong Febipos/Carfekab rogue Chrome/Firefox extensions dropping malicious campaign, continue utilizing the already infected 'population' for the purpose of disseminating the newly packed/modified extensions/samples across Facebook, with yet another campaign that I'll dissect in this post.

Catch up with previous research dissecting the previous campaigns:

Redirection chain: hxxp://GXOMZRC.tk/?74604844 (93.170.52.34) -> hxxp://wqeuijlks.igg.biz/?asdjas22222222222222 (88.198.132.3) -> hxxp://prostats.vf1.us/s.htm -> hxxp://vidsvines.com/d/ -> hxxp://vidsvines.com/d/firefox ->
hxxp://vidsvines.com/d/ch/ -> hxxp://vidsvines.com/d/ch/profile2.html (192.157.201.42)

First GA Account ID: UA-23441223-3
Second GA Account ID: UA-25941572-1


Actual malicious content hosting locations (legitimate infrastructure again):
hxxps://docs.google.com/uc?authuser=0&id=0BziH-mKCuQwqVFgyZzFzR1o3YTQ&export=download
hxxps://dl.dropboxusercontent.com/s/tj9n05qhjvnkg4s/whoviewsfam.xpi


Detection rates for the served rogue Chrome/Firefox extensions:
MD5: 0ee44443c73bd9b072c7f1dbb6b7b591
MD5: c4953f63ab46c796e23388f9c1cfa273
MD5: 5bcec283594e863f5dd238e2d22446c7


Once executed, MD5: 5bcec283594e863f5dd238e2d22446c7 drops MD5: deb483270b9ed5da7fcf1d01a6fde8a7 and MD5: 90b77a477d815c771559d08ea80cc0c8; it then phones back to 212.117.32.20.


Related malicious MD5s known to have phoned back to the same IP:
MD5: 33408f35623dc5bb4a3bde09fa45f86b
MD5: 56a54a700ae5700c3cd3da9c2ad226cf
MD5: f86812305039156b1da8fc29bdddebb7
MD5: ede8f20d78a81c7da76ad7def37ebbdd


Tuesday, January 07, 2014

Fake Adobe Flash Player Serving Campaign Utilizes Google Hosting/Redirection Infrastructure, Spreads Across Facebook

What "better" time to spread malicious "joy" than during the Holidays? Cybercriminals are still busy maintaining a fake Adobe Flash Player serving, Facebook spreading campaign, which I originally intercepted during the Holidays, utilizing Google redirectors/hosting services. Despite the modest -- naturally a conservative estimate -- click-through rate (45,000 clicks) compared to that of the most recently profiled similar Febipos spreading campaign, which resulted in over 1 million clicks, the campaign remains active and continues tricking users into installing the rogue Adobe Flash Player, resulting in the continued spread of the campaign on the Facebook Walls of socially engineered users.


Let's dissect the campaign, expose its infrastructure/command and control servers, and provide MD5s of the served malware.

Spamvertised Facebook URL+redirection chain: hxxp://goo.gl/QeshtO; hxxp://goo.gl/vVbrHp; hxxp://goo.gl/0oSJ7z; hxxp://goo.gl/38qIq8; hxxp://goo.gl/QNQhc5 -> hxxps://9dvme0lk2r0osqg3qb3rlk95z.storage.googleapis.com/q1fwum32gld35iab9d2u4o35bjsvhjhu309.html?ref=12 -> hxxp://goo.gl/wKXme1 -> hxxp://www.i-justice.org/g-o-27312-gooenn.html
(94.23.166.27) -> hxxp://f3c47a0d01f3ec343f57-2ba5bba9317af81ae21c42000295a455.r9.cf4.rackcdn.com/24471bmbqv07595?ref=27312&aff_sub=27312&sub_id=27312 -> hxxp://www.eklentidunyasi.com/dl.php (176.31.2.155) or hxxp://www.agentofex.com/dl.php (176.227.218.99; www.puee.in) ->
hxxp://docs.google.com/uc?export=download&id=0B6DFdqpSFDAlSmpsTkZkT2hvN28 or hxxps://doc-0g-4o-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/7fbm9gn67t8t18r8etd00juf0rvmrrmh/1387836000000/16300082901287672546/*/0BzU3dARQGry0TlMxN3F2STN0Z3M

GA Account ID: UA-36486228-1


Detection rate for the served malware: MD5: 30118bec581f80de46445aef79e6cf10 - detected by 33 out of 48 antivirus scanners as Trojan-Ransom.Win32.Blocker.dbud.

Once executed, the sample phones back to:


The files were offline at the time the sample was processed.

Related MD5s for the same served fake Adobe Flash Player:


Once executed, MD5: fce013bec7b3651c100b6887c0a12eee phones back to:

The files remained offline at the time the sample was processed.


Monday, January 06, 2014

Summarizing Webroot's Threat Blog Posts for December


The following is a brief summary of all of my posts at Webroot's Threat Blog for December, 2013. You can subscribe to Webroot's Threat Blog RSS Feed, or follow me on Twitter:

01. Cybercrime-friendly VPN service provider pitches itself as being ‘recommended by Edward Snowden’
02. Commercial Windows-based compromised Web shells management application spotted in the wild
03. Compromised legitimate Web sites expose users to malicious Java/Symbian/Android “Browser Updates”
04. Malicious multi-hop iframe campaign affects thousands of Web sites, leads to a cocktail of client-side exploits – part two
05. How cybercriminals efficiently violate YouTube, Facebook, Twitter, Instagram, SoundCloud and Google+’s ToS
06. Tumblr under fire from DIY CAPTCHA-solving, proxies-supporting automatic account registration tools
07. Newly launched ‘HTTP-based botnet setup as a service’ empowers novice cybercriminals with bulletproof hosting capabilities – part three
08. Cybercriminals offer fellow cybercriminals training in Operational Security (OPSEC)
09. Fake ‘WhatsApp Missed Voicemail’ themed emails lead to pharmaceutical scams
10. A peek inside the booming underground market for stealth Bitcoin/Litecoin mining tools
11. Cybercrime Trends 2013 – Year in Review
