Saturday, December 24, 2016

Historical OSINT - Massive Black Hat SEO Campaign Serving Scareware Spotted in the Wild

In a cybercrime ecosystem dominated by fraudulent propositions, cybercriminals continue to actively acquire and hijack traffic in order to convert it into malware-infected hosts, earning fraudulent revenue by monetizing the hijacked and acquired traffic, largely through an affiliate-based monetization scheme.

We've recently intercepted a currently circulating malicious black hat SEO (search engine optimization) campaign serving fake security software, also known as scareware, which monetizes the hijacked and acquired traffic through an affiliate-network based scheme.

In this post we'll profile the campaign, provide actionable intelligence on the infrastructure behind it, and discuss in depth the tactics, techniques and procedures of the cybercriminals behind it.

Sample portfolio of compromised Web sites:
hxxp://yushikai.co.uk
hxxp://www.heart-2-heart.nl
hxxp://www.stichtingkhw.nl
hxxp://burgessandsons.com
hxxp://marsmellow.info
hxxp://broolz.co.uk
hxxp://bodyscope.co.uk
hxxp://janschnoor.de
hxxp://goodluckflowers.com
hxxp://www.frank-carillo.com
hxxp://www.strijkvrij.com
hxxp://www.fotosiast.nl
hxxp://www.senbeauty.nl
hxxp://www.menno.info
hxxp://www.kul.fm

Sample URL redirection chain (doorway page on free hosting -> scareware landing page, with the IPs each host resolved to and the registrant e-mail of the landing domain):
hxxp://onotole.iblogger.org/2.html - 199.59.243.120; 205.164.14.79; 199.59.241.181 -> hxxp://mycommercialssecuritytool.com/index.php?affid=34100 - 89.248.171.48 - Email: Kathryn.D.Jennings@gmail.com
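The chain above is what a victim's proxy log looks like from the defender's side: a hit on a throwaway free-hosting doorway page, then within seconds a request to the scareware landing page carrying the affiliate id. The following is an added example (not code from the original post) that reconstructs that sequence from proxy logs. It assumes a simplified Squid-style access log format of "timestamp client method url" and the handful of log lines embedded below are constructed for the example; the scareware hostnames and free-hosting suffixes are taken from this post.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Landing-page domains named in this post. Free-hosting suffixes used by the
# doorway pages (iblogger.org, byethost, eb2a) also come from the post.
SCAREWARE_HOSTS = {
    "mycommercialssecuritytool.com", "commercialssecuritytools.com",
    "protectyoursystemnowonline.com", "createyoursecurityonline.com",
    "freecreateyoursecurity.com",
}
FREE_HOSTING_SUFFIXES = (".iblogger.org", ".byethost5.com", ".eb2a.com")
WINDOW_SECONDS = 15.0   # assumed: doorway -> landing redirect happens within seconds

# Constructed sample log lines (assumed format: "epoch client method url").
# 10.0.0.5 walks the full chain; 10.0.0.9 only touches a doorway;
# 10.0.0.12 hits the landing page with no doorway seen (e.g. a direct link).
LOG_LINES = """\
1293200000.101 10.0.0.5 GET http://yushikai.co.uk/
1293200001.204 10.0.0.5 GET http://onotole.iblogger.org/2.html
1293200002.330 10.0.0.5 GET http://mycommercialssecuritytool.com/index.php?affid=34100
1293200003.002 10.0.0.5 GET http://mycommercialssecuritytool.com/in.php?affid=34100
1293200100.500 10.0.0.9 GET http://tennis.iblogger.org/
1293200500.777 10.0.0.9 GET http://example.org/
1293200600.100 10.0.0.12 GET http://mycommercialssecuritytool.com/index.php?affid=34100
"""

LINE = re.compile(r"^(\d+\.\d+) (\S+) (\S+) (\S+)$")


def detect_chains(log_text, window=WINDOW_SECONDS):
    """Return one alert per (client, doorway, affid) where a scareware landing
    page was requested, rating it 'high' if the same client fetched a
    free-hosting doorway page inside the window, else 'medium'."""
    last_doorway = {}   # client -> (timestamp, doorway url)
    seen = set()
    alerts = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ts, client, url = float(m.group(1)), m.group(2), m.group(4)
        parts = urlsplit(url)
        host = parts.hostname or ""
        if host.endswith(FREE_HOSTING_SUFFIXES):
            # Remember the most recent doorway hit for this client.
            last_doorway[client] = (ts, url)
            continue
        if host not in SCAREWARE_HOSTS:
            continue
        affid = parse_qs(parts.query).get("affid", [None])[0]
        prev = last_doorway.get(client)
        doorway = prev[1] if prev and ts - prev[0] <= window else None
        key = (client, doorway, affid)
        if key in seen:          # collapse index.php / in.php pairs into one alert
            continue
        seen.add(key)
        alerts.append({
            "client": client,
            "doorway": doorway,
            "landing": url,
            "affid": affid,
            "confidence": "high" if doorway else "medium",
        })
    return alerts


def summarize(alerts):
    """Count alerts per affiliate id; the affid is the pivot that ties
    separate doorways and landing domains to one campaign."""
    counts = {}
    for a in alerts:
        counts[a["affid"]] = counts.get(a["affid"], 0) + 1
    return counts


if __name__ == "__main__":
    for a in detect_chains(LOG_LINES):
        print(a)
    print(summarize(detect_chains(LOG_LINES)))
```

The doorway-to-landing time window is an assumption; widen it if your proxy logs only record completed responses, and consider keying on the compromised site (the referer of the doorway hit) as a third hop when your logs carry referers.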

Related malicious domains known to have participated in the campaign:
hxxp://myatmoe.iblogger.org
hxxp://creditreport.iblogger.org
hxxp://movieddlheaven.iblogger.org
hxxp://cv-bruno-brocas.iblogger.org
hxxp://islife.iblogger.org
hxxp://iblogger.iblogger.org
hxxp://dressshirt.iblogger.org
hxxp://allians.iblogger.org
hxxp://rapid-weight-loss.iblogger.org
hxxp://breastaugm.iblogger.org
hxxp://uila.iblogger.org
hxxp://oh-tv.iblogger.org
hxxp://brudnopis.iblogger.org
hxxp://learnenglish.iblogger.org
hxxp://motivatedcats.iblogger.org
hxxp://robert.iblogger.org
hxxp://testforask.iblogger.org
hxxp://poormanguides.iblogger.org
hxxp://gelbegabeln.iblogger.org
hxxp://nuagerouge.iblogger.org
hxxp://chicos-on-line.iblogger.org
hxxp://hypnosisworld.iblogger.org
hxxp://tennis.iblogger.org
hxxp://ibu.iblogger.org
hxxp://turkifsa.iblogger.org
hxxp://amandacooper.iblogger.org
hxxp://tw.iblogger.org
hxxp://whedon.iblogger.org
hxxp://han.iblogger.org
hxxp://scclab.iblogger.org
hxxp://besftfoodblogger.iblogger.org
hxxp://premiummenderacunt.iblogger.org
hxxp://seobook.iblogger.org
hxxp://bestjackets.iblogger.org
hxxp://kidszone.iblogger.org
hxxp://liker2fb.iblogger.org
hxxp://vipin.iblogger.org
hxxp://infobaru.iblogger.org
hxxp://palermo.iblogger.org
hxxp://forum.bay.de.iblogger.org
hxxp://online-guard.iblogger.org
hxxp://juhjsd.iblogger.org
hxxp://asulli.iblogger.org
hxxp://youtubetranscription.iblogger.org
hxxp://praza.iblogger.org
hxxp://free-worlds.iblogger.org
hxxp://mlm.iblogger.org
hxxp://myleskadusale.iblogger.org
hxxp://ninjapearls.iblogger.org
hxxp://bassian.iblogger.org
hxxp://d3-f21-w-14.iblogger.org
hxxp://mlk.iblogger.org
hxxp://pe.iblogger.org
hxxp://connor54321.iblogger.org
hxxp://smx.iblogger.org
hxxp://17fire.iblogger.org
hxxp://greatestbattles.iblogger.org
hxxp://generalsurgery.iblogger.org
hxxp://megafon.iblogger.org
hxxp://dasefx.iblogger.org
hxxp://ysofii.iblogger.org
hxxp://priv8.iblogger.org
hxxp://kahramanmaras.iblogger.org
hxxp://kaoojcjl.iblogger.org
hxxp://dla-kobiet.iblogger.org
hxxp://karinahart.iblogger.org
hxxp://mariucciaelasuaombra.iblogger.org
hxxp://signinbay.de.iblogger.org
hxxp://pitstop.iblogger.org
hxxp://colorless.iblogger.org
hxxp://directorio.iblogger.org
hxxp://odenaviva.iblogger.org
hxxp://e-money.iblogger.org
hxxp://digicron.iblogger.org
hxxp://slotomania-hackers.iblogger.org
hxxp://blazetech.iblogger.org
hxxp://bestoksriy.iblogger.org
hxxp://teamsite.iblogger.org
hxxp://mateaplicada.iblogger.org
hxxp://tmgames.iblogger.org
hxxp://nativephp.iblogger.org
hxxp://sharepointdotnetwiki.iblogger.org
hxxp://jawwal.iblogger.org
hxxp://tomsplace.iblogger.org
hxxp://shreyo.iblogger.org
hxxp://beitypedia.iblogger.org
hxxp://dutcheastindies.iblogger.org
hxxp://cramat-satu.iblogger.org
hxxp://misc.iblogger.org
hxxp://espirito-de-aventura.iblogger.org
hxxp://tomksoft.iblogger.org
hxxp://mymovies.iblogger.org

Known to have responded to the same malicious IP (199.59.243.120) are also the following malicious domains:
hxxp://brendsrnzwrn.cuccfree.com
hxxp://caraccidentlawyer19.us
hxxp://colombiavirtualtours.com
hxxp://dailydigest.cn
hxxp://drugaddiction569.us
hxxp://earnonline.cn
hxxp://epicor.in
hxxp://glhgk.com
hxxp://iroopay.com
hxxp://kajianislam.us

Related malicious MD5s known to have phoned back to the same malicious C&C server IP (199.59.243.120):
MD5: c7bd669a416a8347aeba6117d0040217
MD5: ae89e09f52db7f9d69b9b9c40dbf35f9
MD5: b4399fc8f1de723d452b05ec474ca651
MD5: c779d9f4e9992ad5ffcd2353bb003a51
MD5: cc6efabb0a26c729f126b12be717de47

Once executed, a sample malware phones back to the following C&C server (domain and IP):
hxxp://theworldnews.byethost5.com - 199.59.243.120

Known to have responded to the same malicious IP (205.164.14.79) are also the following malicious domains:
hxxp://fsdq.cn
hxxp://parked-domain.org
hxxp://fiverr.hk.tn
hxxp://hamzanori90.name-iq.com
hxxp://postgumtree.uk.tn
hxxp://caoliushequ.info
hxxp://housewives.byethost4.com
hxxp://nuichate.22web.org
hxxp://3rtz.byethost12.com

Related malicious MD5s known to have phoned back to the same malicious C&C server IP (205.164.14.79):
MD5: dbca66955cac79008f9f1cd415d7e308
MD5: b452ca519f077307d68ff034567087c1
MD5: 70e8c79135b341eac51da0b5789744d3
MD5: a9f64c1404faf4a6fc81564c8dec22d9
MD5: b3737a1c34cb705f7d244c99afdc3a01

Once executed, a sample malware (MD5: dbca66955cac79008f9f1cd415d7e308) phones back to the following C&C server (domain and IP):
hxxp://ibayme.eb2a.com - 205.164.14.79

Known to have responded to the same malicious IP (199.59.241.181) are also the following malicious domains:
hxxp://yn919.com
hxxp://wimp.it
hxxp://puqiji.com
hxxp://52style.com
hxxp://007guard.com
hxxp://10iski.10001mb.com
hxxp://11649.bodisparking.com
hxxp://13.get.themediafinder.com
hxxp://134205.aceboard.fr

Sample detection rate for a malicious executable:
MD5: f74a744d75c74ed997911d0e0b7e6f67

Once executed, the sample phones back to the following C&C URL (note the same affiliate id as in the redirection chain above):
hxxp://mycommercialssecuritytool.com/in.php?affid=34100

Related malicious domains known to have participated in the campaign:
hxxp://protectyoursystemnowonline.com
hxxp://createyoursecurityonline.com
hxxp://commercialssecuritytools.com
hxxp://freecreateyoursecurity.com

Sample URL redirection chain (each indented line is the next hop):
hxxp://ulions.com/yxg.php?p= - 104.28.22.34
    - hxxp://ppbmv4.xorg.pl/in.php?t=cc&d=04-02-2010_span&h=
        - hxxp://www1.nat67go4it.net/?uid=195&pid=3&ttl=5184c614d4b - 89.248.160.161
            - hxxp://www1.systemsecure.in/?p=
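Both redirection chains in this post are written in the same defanged notation: "hxxp://" URLs, the IPs a host resolved to after " - ", a registrant e-mail where known, and either " -> " or an indented "- " line for the next hop. The following is an added example (not code from the original post) that turns that notation into structured hops and a flat indicator set for a blocklist or retro-hunt. The excerpt it parses is copied from the chains above; the parsing rules (what separates hops, where IPs and e-mails sit) are assumptions inferred from those two chains and from the MD5 lists.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Excerpt of this post's own notation (the two chains and one MD5 line),
# embedded here so the example runs offline.
IOC_TEXT = """\
hxxp://onotole.iblogger.org/2.html - 199.59.243.120; 205.164.14.79; 199.59.241.181 -> hxxp://mycommercialssecuritytool.com/index.php?affid=34100 - 89.248.171.48 - Email: Kathryn.D.Jennings@gmail.com
hxxp://ulions.com/yxg.php?p= - 104.28.22.34
    - hxxp://ppbmv4.xorg.pl/in.php?t=cc&d=04-02-2010_span&h=
        - hxxp://www1.nat67go4it.net/?uid=195&pid=3&ttl=5184c614d4b - 89.248.160.161
            - hxxp://www1.systemsecure.in/?p=
MD5: c7bd669a416a8347aeba6117d0040217
"""

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
MD5 = re.compile(r"\b[0-9a-f]{32}\b", re.I)
EMAIL = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
URL = re.compile(r"hxxps?://\S+", re.I)


def refang(url):
    """Turn the post's defanged 'hxxp(s)://' back into a real scheme."""
    return re.sub(r"^hxxp", "http", url, flags=re.I)


def parse_hop(segment):
    """One 'URL - ip; ip - Email: x' segment -> dict, or None if no URL."""
    m = URL.search(segment)
    if not m:
        return None
    url = refang(m.group(0))
    rest = segment[m.end():]          # everything after the URL: IPs, e-mail
    parts = urlsplit(url)
    em = EMAIL.search(rest)
    return {
        "url": url,
        "domain": parts.hostname,
        "ips": IPV4.findall(rest),
        # keep_blank_values so trailing 'p=' / 'h=' parameters are preserved
        "params": {k: v[0] for k, v in
                   parse_qs(parts.query, keep_blank_values=True).items()},
        "email": em.group(0) if em else None,
    }


def parse(text):
    """Return (chains, md5s): chains is a list of hop lists in redirect order."""
    chains, md5s = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.upper().startswith("MD5:"):
            md5s.extend(MD5.findall(line))
            continue
        hops = [h for h in (parse_hop(seg) for seg in line.split(" -> ")) if h]
        if not hops:
            continue
        if raw[0].isspace() and chains:
            chains[-1].extend(hops)   # indented "- hxxp://..." continues the chain
        else:
            chains.append(hops)       # unindented URL starts a new chain
    return chains, md5s


def flatten(chains, md5s):
    """Flat indicator sets; affids are kept because they tie hops together."""
    hops = [h for c in chains for h in c]
    return {
        "domains": {h["domain"] for h in hops},
        "ips": {ip for h in hops for ip in h["ips"]},
        "md5s": set(md5s),
        "affids": {h["params"]["affid"] for h in hops if "affid" in h["params"]},
    }


if __name__ == "__main__":
    chains, md5s = parse(IOC_TEXT)
    for i, chain in enumerate(chains, 1):
        print(f"chain {i}:", " -> ".join(h["domain"] for h in chain))
    print(flatten(chains, md5s))
```

Domains such as ulions.com and www1.nat67go4it.net appear in the second chain only with the parameters the post recorded; the parser keeps the empty "p=" and "h=" values rather than dropping them, since the presence of a blank tracking parameter is itself a useful pivot when hunting for sibling doorways.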

Known to have responded to the same malicious C&C server IP (104.28.22.34) are also the following malicious domains:
hxxp://portlandultimate.com
hxxp://portablemineapplicationsub.tech
hxxp://indirimkuponlarimiz.com
hxxp://walkinclosetguys.com
hxxp://bryantanaka.com
hxxp://swisschecklist.com
hxxp://census.mnfurs.org
hxxp://duluthbeth.xyz

Related malicious MD5s known to have phoned back to the same malicious C&C server IP (104.28.22.34):
MD5: 11dda0bbd2aef7944f990fcefbc91034
MD5: d0be24df3078866a277874dad09c98d9
MD5: 9ba06da9370037fd2ffe525d6164b367
MD5: 537bd45df702f90585eebab2a8bb3584
MD5: a9f61e9696ff7ff4bfc34f70549ffdd0

Once executed, a sample malware (MD5: 11dda0bbd2aef7944f990fcefbc91034) phones back to the following C&C domains:
hxxp://audio-direkt.net
hxxp://servico-ind.com
hxxp://saios.net
hxxp://coopsupermarkt.nl
hxxp://fruitspot.co.za
hxxp://vitalur.by
hxxp://trinity-works.com

Once executed, a sample malware (MD5: d0be24df3078866a277874dad09c98d9) phones back to the following C&C server (domain and IP):
hxxp://3asfh.net - 104.28.22.34

Once executed, a sample malware (MD5: a9f61e9696ff7ff4bfc34f70549ffdd0) phones back to the following malicious C&C domains:
hxxp://link-list-uk.com
hxxp://racknstackwarehouse.com.au
hxxp://zeronet.co.jp
hxxp://sun-ele.co.jp
hxxp://slcago.org
hxxp://frederickallergy.com

We'll continue monitoring the campaign and post updates as soon as new developments take place.