Historical OSINT - Massive Black Hat SEO Campaign, Spotted in the Wild, Serves Scareware
In a cybercrime ecosystem dominated by hundreds of malicious software releases, cybercriminals continue to actively populate their botnets' infected population with hundreds of newly added, socially engineered users, potentially exposing the confidentiality, integrity and availability of the affected hosts to a multitude of malicious software, and earning fraudulent revenue in the process, largely by relying on an affiliate-network based monetization scheme.
We've recently intercepted a currently circulating blackhat SEO (search engine optimization) spam campaign that relies on hijacked search traffic for traffic acquisition, potentially exposing hundreds of thousands of socially engineered users to a multitude of malicious software, including fake security software, also known as scareware. The cybercriminals behind the campaign earn fraudulent revenue by monetizing the hijacked traffic, largely through an affiliate-network based monetization scheme.
In this post we'll profile the campaign, provide actionable intelligence on the infrastructure behind it, and discuss the tactics, techniques and procedures of the cybercriminals behind it. Treat the indicators below as leads to validate rather than a ready-made blocklist: the IPs were current at the time of analysis, a sandboxed sample's network contacts include every host it touches, and at least one of them (blenderartists.org, a legitimate Blender community site) is unlikely to be attacker-controlled.
Sample redirection chain observed in the campaign (doorway page -> scareware landing page, followed by the IPs the landing page resolved to):
hxxp://blank_fax_forms.jevjahys.zik.dj -> hxxp://radioheadicon.cn - 216.172.154.34; 205.164.24.44; 205.164.24.45 ->
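The chain above is the part of the campaign a defender can actually reproduce: a doorway page that ranks for a search term, a redirector, and a scareware landing page. The following Python script is an added example, not code from the original post. It models such a cloaked doorway offline so the check runs without touching any of the listed hosts: the doorway, redirector (bostofsten1.net, listed further down) and landing hostnames are the post's, while the paths, the decision rules (crawlers get keyword spam, visitors arriving from a search engine get bounced, everyone else gets a bland page) and the request profiles are assumptions about typical doorway behaviour. The same `cloaking_report()` check works against a live doorway if `FAKE_WEB` is replaced by real HTTP fetches.

```python
"""Offline model of a cloaked blackhat-SEO doorway plus a cloaking check.

Added example, not code from the original post. The three hostnames come
from the post's redirect chain; the paths, decision rules and request
profiles are assumed, typical doorway behaviour.
"""
from urllib.parse import urlsplit

DOORWAY = "blank_fax_forms.jevjahys.zik.dj"   # doorway page named in the post
REDIRECTOR = "bostofsten1.net"                # redirector named in the post
LANDING = "radioheadicon.cn"                  # scareware landing page named in the post

CRAWLER_UA = ("googlebot", "bingbot", "slurp")
SEARCH_HOSTS = ("google.", "bing.", "yahoo.")


def doorway(headers):
    """Assumed doorway logic: crawlers get keyword spam, search visitors get bounced."""
    ua = headers.get("User-Agent", "").lower()
    ref_host = urlsplit(headers.get("Referer", "")).netloc.lower()
    if any(bot in ua for bot in CRAWLER_UA):
        # Feed the indexer a keyword-stuffed page so the doorway ranks for the term.
        return 200, {}, "<title>blank fax forms</title>" + " blank fax forms" * 100
    if any(se in ref_host for se in SEARCH_HOSTS):
        # A human who clicked a search result: hijack the click. Path is assumed.
        return 302, {"Location": "http://%s/in.cgi?3" % REDIRECTOR}, ""
    return 200, {}, "<html><body>Nothing here.</body></html>"


def redirector(headers):
    """Assumed TDS-style hop: unconditional bounce to the current landing page."""
    return 302, {"Location": "http://%s/scan.php" % LANDING}, ""   # path assumed


def landing(headers):
    return 200, {}, "<title>Security Scanner</title>Your PC is infected! Download now."


# Simulated web: hostname -> handler. Swap for real fetches to test a live doorway.
FAKE_WEB = {DOORWAY: doorway, REDIRECTOR: redirector, LANDING: landing}


def follow(url, headers, max_hops=5):
    """Follow redirects host by host and return the hosts visited, in order."""
    hops = []
    for _ in range(max_hops):
        host = urlsplit(url).netloc.lower()
        hops.append(host)
        handler = FAKE_WEB.get(host)
        if handler is None:
            break
        status, resp_headers, _body = handler(headers)
        if status not in (301, 302, 303, 307, 308) or "Location" not in resp_headers:
            break
        url = resp_headers["Location"]
    return hops


# Three request profiles; the User-Agent and Referer strings are constructed.
PROFILES = {
    "crawler": {"User-Agent": "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"},
    "search_visitor": {"User-Agent": "Mozilla/5.0 (Windows NT 6.1) Firefox/3.6",
                       "Referer": "http://www.google.com/search?q=blank+fax+forms"},
    "direct": {"User-Agent": "Mozilla/5.0 (Windows NT 6.1) Firefox/3.6"},
}


def cloaking_report(start_url):
    """Fetch the same URL under each profile; it is cloaked if the chains end on different hosts."""
    chains = {name: follow(start_url, hdrs) for name, hdrs in PROFILES.items()}
    finals = {chain[-1] for chain in chains.values()}
    return {"cloaked": len(finals) > 1, "chains": chains}


if __name__ == "__main__":
    report = cloaking_report("http://%s/" % DOORWAY)
    for name, chain in report["chains"].items():
        print("%-15s -> %s" % (name, " -> ".join(chain)))
    print("cloaked:", report["cloaked"])
```

Against a live doorway the comparison should also vary the source IP (many doorways key on search-engine crawler IP ranges rather than the User-Agent) and should be run from an isolated network, since the search-visitor profile deliberately lands on the scareware page.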
Related malicious domains known to have participated in the campaign, all registered with the same email:
hxxp://aizvfnnd.cc - Email: janice@whiteplainsrealty.com
hxxp://blnrriwbd.cc - Email: janice@whiteplainsrealty.com
hxxp://crrhxzp.cc - Email: janice@whiteplainsrealty.com
hxxp://ihmedkgi.cc - Email: janice@whiteplainsrealty.com
hxxp://izdzhpdn.cc - Email: janice@whiteplainsrealty.com
hxxp://krnflff.cc - Email: janice@whiteplainsrealty.com
hxxp://lgixuql.cc - Email: janice@whiteplainsrealty.com
hxxp://lsxkfoxfn.cc - Email: janice@whiteplainsrealty.com
hxxp://mkzjuoz.cc - Email: janice@whiteplainsrealty.com
hxxp://mobqmizg.cc - Email: janice@whiteplainsrealty.com
hxxp://mqapagelq.cc - Email: janice@whiteplainsrealty.com
hxxp://mrvgusfdu.cc - Email: janice@whiteplainsrealty.com
hxxp://nurzcycxm.cc - Email: janice@whiteplainsrealty.com
hxxp://orhhcunye.cc - Email: janice@whiteplainsrealty.com
hxxp://pdbpczh.cc - Email: janice@whiteplainsrealty.com
hxxp://pkuidxdy.cc - Email: janice@whiteplainsrealty.com
hxxp://qicpfwrx.cc - Email: janice@whiteplainsrealty.com
hxxp://ruhilmec.cc - Email: janice@whiteplainsrealty.com
hxxp://sxkfoxfn.cc - Email: janice@whiteplainsrealty.com
hxxp://tcygfdmc.cc - Email: janice@whiteplainsrealty.com
hxxp://tlhaxfr.cc - Email: janice@whiteplainsrealty.com
hxxp://vcjggcbgj.cc - Email: janice@whiteplainsrealty.com
hxxp://xlnojaz.cc - Email: janice@whiteplainsrealty.com
hxxp://zdqvzdj.cc - Email: janice@whiteplainsrealty.com
Sample malicious redirector used in the campaign:
hxxp://bostofsten1.net
Related malicious MD5s known to have phoned back to the same malicious C&C server IP (216.172.154.34):
MD5: ad04fd31e9868b073222b3fd2aac93f7
MD5: 103ecb766e0deb06ccbcea0a8046b4cb
MD5: eb0fab963cd37660956a7ab0c66715c2
MD5: 00da0096bd91e89e4059c428259a6cbb
MD5: 9b7f0e0ebf1656227de9f8f97dfd9141
Once executed, a sample malicious executable (MD5: ad04fd31e9868b073222b3fd2aac93f7) phones back to the following malicious C&C server:
hxxp://down.down988.cn - 65.19.157.228
Once executed, a sample malicious executable (MD5: 00da0096bd91e89e4059c428259a6cbb) phones back to the following malicious C&C server:
hxxp://cutalot.cn - 205.164.24.43
Related malicious domains known to have responded to the same malicious C&C server IP (205.164.24.44):
hxxp://cycling20110829.usa.1204.net
hxxp://pepsizone.cn
hxxp://ysbr.cn
hxxp://interactsession-697593.regions.com.usersetup.cn
hxxp://ad.suoie.cn
hxxp://ycgezkpu.cn
Related malicious MD5s known to have phoned back to the same malicious C&C server IPs:
MD5: cf7a53e66e397c29ea203e025c5d6465
MD5: 089886483353f93a36dd69f0776beace
MD5: 528ac8f94123aaa32058f0114b8e1fd2
MD5: 4e8405bb398509f17242c0b9f614d6e4
MD5: a364d4fe887e2e40bc1ec67ad6f9aa31
Once executed, a sample malware (MD5: cf7a53e66e397c29ea203e025c5d6465) phones back to the following malicious C&C servers:
hxxp://blenderartists.org - 141.101.125.180
hxxp://xibudific.cn - 50.117.122.92
hxxp://freemonitoringservers.com
hxxp://freemonitoringservers.com.ovh.net
hxxp://hardwareindexx.com
hxxp://hardwareindexx.com.ovh.net
Once executed, a sample malware (MD5: 089886483353f93a36dd69f0776beace) phones back to the following malicious C&C servers:
hxxp://freeonlinedatingtips.net - 204.197.252.70
hxxp://xibudific.cn - 216.172.154.38
hxxp://freemonitoringservers.com
hxxp://freemonitoringservers.com.ovh.net
hxxp://searchfeedbook.com
hxxp://searchfeedbook.com.ovh.net
Once executed, a sample malware (MD5: 528ac8f94123aaa32058f0114b8e1fd2) phones back to the following malicious C&C servers:
hxxp://historykillerpro.com - 192.254.233.158
hxxp://motherboardstest.com - 195.22.26.252
hxxp://dolbyaudiodevice.com
hxxp://dolbyaudiodevice.com.ovh.net
hxxp://xibudific.cn - 50.117.116.204
Once executed, a sample malware (MD5: 4e8405bb398509f17242c0b9f614d6e4) phones back to the following malicious C&C servers:
hxxp://pcskynet.cn
hxxp://gamepknet.cn
hxxp://pcskynet.cn.ovh.net
hxxp://gamepknet.cn.ovh.net
hxxp://yes16800.cn
hxxp://yes16800.cn.ovh.net
Once executed, a sample malware (MD5: a364d4fe887e2e40bc1ec67ad6f9aa31) phones back to the following malicious C&C servers:
hxxp://136136.com - 61.129.70.87
hxxp://xibudific.cn - 50.117.122.92
hxxp://hothintspotonline.com
hxxp://hothintspotonline.com.ovh.net
hxxp://hardwareindexx.com
Related malicious domains known to have responded to the same malicious C&C server IP (205.164.24.45):
hxxp://17mv.com
hxxp://criding.com
hxxp://baudu.com
hxxp://pwgo.cn
hxxp://suqiwyk.cn
hxxp://verringo.cn
Related malicious MD5s known to have phoned back to the same malicious C&C server IPs:
MD5: 9905ba7c00761a792ad8a361b4de71ea
MD5: b83c68f7d09530181908d513eb30a002
MD5: 78941c2c4b05f8af9a31a9f3d4c94b57
MD5: 7a1b6153a3f00c430b09f1c7b9cf7a77
MD5: 2776c972fa934fd080f5189be7c98a77
Once executed, a sample malware phones back to the following malicious C&C server:
hxxp://down.down988.cn - 50.117.122.91
Once executed, a sample malware phones back to the following malicious C&C server:
hxxp://imagehut4.cn - 50.117.122.91
Once executed, a sample malware phones back to the following malicious C&C server:
hxxp://yingzi.org.cn - 50.117.116.205
Once executed, a sample malware phones back to the following malicious C&C server:
hxxp://qmmmm.com.cn - 50.117.122.94
Once executed, a sample malware phones back to the following malicious C&C server:
hxxp://down.down988.cn - 50.117.122.94
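The indicator lists above are defanged (hxxp://) and mix four kinds of data on a line: domains, the IPs they resolved to, registrant emails and sample MD5s. The following Python script is an added example, not part of the original post. It parses that format into pivot tables (which domains share a registrant email, which IPs a domain moved between, which domains sat on one IP) and then matches the result against proxy log lines. The indicator lines embedded in `IOC_TEXT` are copied from the post; the log lines in `SAMPLE_LOG` are constructed for the demonstration, and their layout (timestamp, client, hostname, destination IP) is an assumption about the reader's proxy format.

```python
"""Parse the post's defanged indicators into pivot tables and scan a proxy log.

Added example, not part of the original post. IOC_TEXT is copied from the
post; SAMPLE_LOG and its column layout are constructed for this demo.
"""
import re
from collections import defaultdict

# Subset of the post's indicator lines, embedded so the script runs offline.
IOC_TEXT = """\
hxxp://blank_fax_forms.jevjahys.zik.dj -> hxxp://radioheadicon.cn - 216.172.154.34; 205.164.24.44; 205.164.24.45 ->
hxxp://aizvfnnd.cc - Email: janice@whiteplainsrealty.com
hxxp://blnrriwbd.cc - Email: janice@whiteplainsrealty.com
hxxp://bostofsten1.net
MD5: ad04fd31e9868b073222b3fd2aac93f7
hxxp://down.down988.cn - 65.19.157.228
hxxp://cutalot.cn - 205.164.24.43
hxxp://xibudific.cn - 50.117.122.92
hxxp://xibudific.cn - 216.172.154.38
hxxp://xibudific.cn - 50.117.116.204
hxxp://freemonitoringservers.com.ovh.net
"""

URL_RE = re.compile(r"hxxp://([A-Za-z0-9_.-]+)")
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
MD5_RE = re.compile(r"\bMD5:\s*([0-9a-fA-F]{32})\b")
EMAIL_RE = re.compile(r"Email:\s*(\S+@\S+)")


def parse_iocs(text):
    """Return flat sets plus pivot maps: domain->ips, ip->domains, email->domains."""
    iocs = {"domains": set(), "ips": set(), "md5s": set(),
            "domain_ips": defaultdict(set), "ip_domains": defaultdict(set),
            "email_domains": defaultdict(set)}
    for line in text.splitlines():
        domains = [d.lower() for d in URL_RE.findall(line)]
        ips = IP_RE.findall(line)
        iocs["domains"].update(domains)
        iocs["ips"].update(ips)
        iocs["md5s"].update(h.lower() for h in MD5_RE.findall(line))
        # The post attaches the IPs on a line to the last domain before the dash.
        if domains and ips:
            for ip in ips:
                iocs["domain_ips"][domains[-1]].add(ip)
                iocs["ip_domains"][ip].add(domains[-1])
        match = EMAIL_RE.search(line)
        if match and domains:
            iocs["email_domains"][match.group(1).lower()].update(domains)
    return iocs


def matches_domain(host, domains):
    """True if host equals a listed domain or is a subdomain of one (suffix match, not substring)."""
    parts = host.lower().split(".")
    return any(".".join(parts[i:]) in domains for i in range(len(parts)))


# Constructed proxy log lines (not from the post): timestamp client host dest_ip
SAMPLE_LOG = """\
2011-08-30T10:02:11Z 10.1.2.3 www.example.com 93.184.216.34
2011-08-30T10:02:19Z 10.1.2.3 radioheadicon.cn 205.164.24.44
2011-08-30T10:03:40Z 10.1.2.7 cdn.xibudific.cn 50.117.122.92
2011-08-30T10:04:05Z 10.1.2.9 something.net 216.172.154.38
"""


def scan_log(log_text, iocs):
    """Return (timestamp, client, host, reasons) for each log line touching known infrastructure."""
    hits = []
    for line in log_text.splitlines():
        ts, client, host, dest_ip = line.split()
        reasons = []
        if matches_domain(host, iocs["domains"]):
            reasons.append("domain:" + host)
        if dest_ip in iocs["ips"]:
            # IP-only hits catch domains that rotated onto known C&C IPs after the post.
            reasons.append("ip:" + dest_ip)
        if reasons:
            hits.append((ts, client, host, reasons))
    return hits


if __name__ == "__main__":
    iocs = parse_iocs(IOC_TEXT)
    for email, doms in iocs["email_domains"].items():
        print("registrant", email, "->", sorted(doms))
    for dom, ips in iocs["domain_ips"].items():
        if len(ips) > 1:
            print("domain on multiple IPs:", dom, "->", sorted(ips))
    for hit in scan_log(SAMPLE_LOG, iocs):
        print("HIT", hit)
```

Two caveats when using the output: the IP pivots are only as good as the resolution date, since xibudific.cn alone appears on three different IPs in the post, so match on the domain first and use the IP as corroboration; and the `*.ovh.net` entries are kept verbatim by the parser but look like a DNS search suffix appended by the analysis sandbox to the bare name that precedes each of them, so verify them before adding them to a blocklist.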
We'll continue monitoring the campaign and post updates as soon as new developments take place.
