Thursday, January 05, 2017

Historical OSINT - Malicious Malvertising Campaign, Spotted at FoxNews, Serves Scareware

In a cybercrime ecosystem dominated by fraudulent propositions, cybercriminals continue to actively populate their botnets' infected population with hundreds of malicious releases, successfully generating hundreds of thousands in fraudulent revenue, largely relying on an affiliate-network based type of monetizing scheme.

We've recently intercepted a currently active malvertising campaign affecting FoxNews, successfully enticing users into executing malicious software on the affected PCs, with the cybercriminals behind it earning fraudulent revenue largely through an affiliate-network based type of monetizing scheme.

In this post we'll profile the campaign, provide actionable intelligence on the infrastructure behind it, and discuss in depth the tactics, techniques, and procedures of the cybercriminals behind it.

Sample URL redirection chain:
hxxp://toppromooffer.com/vsm/index.html - 85.17.254.158; 69.43.161.174
    - hxxp://78.47.132.222/a12/index.php?url=http://truconv.com/?a=125&s=4a12 - (78.47.132.222)    
        - hxxp://redirectclicks.com/?accs=845&tid=338 - 69.172.201.153; 176.74.176.178; 64.95.64.194
            - hxxp://http://redirectclicks.com/?accs=845&tid=339

Related malicious domains known to have participated in the campaign:
hxxp://truconv.com - 78.46.88.202

Related malicious MD5s known to have phoned back to the same malicious C&C server IP (78.46.88.202):
MD5: 473e3615795609a091a2f2d3d1be2d00
MD5: 9e51c29682a6059b9b636db8bf7dcc25
MD5: 08a50ebcaa471cd45b3561c33740136d
MD5: e7d5f7a90ddfa1fbe8dfce32d6e4a1f1
MD5: fcdd2790dd5b1898ef8ee29092dca757

Once executed, a sample malware (MD5: 473e3615795609a091a2f2d3d1be2d00) phones back to the following malicious C&C server IPs:
hxxp://yaskiya.cyberfight.de - 78.46.88.202

Once executed, a sample malware (MD5: 9e51c29682a6059b9b636db8bf7dcc25) phones back to the following malicious C&C server IPs:
hxxp://cfg111111.go.3322.org - 118.184.176.13
hxxp://newsoft.kilu.org - 78.46.88.202
hxxp://myweb111111.go.3322.org
hxxp://35free.net - 5.61.39.56
hxxp://newsoft1.go.3322.org
hxxp://newsoft11.go.3322.org

Once executed, a sample malware (MD5: 08a50ebcaa471cd45b3561c33740136d) phones back to the following malicious C&C server IPs:
hxxp://darthvader.dyndns.tv
hxxp://www12.subdomain.com - 78.46.88.202

Once executed, a sample malware (MD5: e7d5f7a90ddfa1fbe8dfce32d6e4a1f1) phones back to the following malicious C&C server IPs:
hxxp://tundeghanawork.co.gp - 78.46.88.202

Once executed, a sample malware (MD5: fcdd2790dd5b1898ef8ee29092dca757) phones back to the following malicious C&C server IPs:
hxxp://newsoft.go.3322.org - 221.130.179.36
hxxp://cfg111111.go.3322.org - 118.184.176.13
hxxp://newsoft.kilu.org - 78.46.88.202
hxxp://users6.nofeehost.com - 67.208.91.110

Related malicious MD5s known to have phoned back to the same malicious C&C server IP (69.172.201.153):
MD5: c9ca43032633584ff2ae4e4d7442f123
MD5: a099766f448acd6b032345dfd8c5491d
MD5: da39ccb40b1c80775e0aa3ab7cefb4b0
MD5: 85750b93319bd2cf57e445e1b4850b08
MD5: e521b31eb97d6d25e3d165f2fe9ca3ba

Once executed, a sample malware (MD5: c9ca43032633584ff2ae4e4d7442f123) phones back to the following malicious C&C server IPs:
hxxp://os.tokoholapisa.com - 54.229.133.176
hxxp://down2load.net - 69.172.201.153
hxxp://cdn.download2013.net - 185.152.65.38

Once executed, a sample malware (MD5: a099766f448acd6b032345dfd8c5491d) phones back to the following malicious C&C server IPs:
hxxp://chicostara.com - 91.142.252.26
hxxp://suewyllie.com
hxxp://dewpoint-eg.com - 195.157.15.100

Related malicious MD5s known to have phoned back to the same malicious C&C server IP (176.74.176.178):
MD5: 116d07294fb4b78190f44524145eb200
MD5: f9e71f66e3aae789b245638a00b951a8
MD5: 1d6d4a64a9901985b8a005ea166df584
MD5: acfa1a5f290c7dd4859b56b49be41038
MD5: b63fd04a8cdf69fb7215a70ccd0aef27

Once executed, a sample malware (MD5: 116d07294fb4b78190f44524145eb200) phones back to the following malicious C&C server IPs:
hxxp://www.on86.com - 69.172.201.153
hxxp://return.uk.uniregistry.com - 176.74.176.178

Once executed, a sample malware (MD5: f9e71f66e3aae789b245638a00b951a8) phones back to the following malicious C&C server IPs:
hxxp://www.linkbyte.com - 69.172.201.153
hxxp://return.uk.uniregistry.com - 176.74.176.178

Once executed, a sample malware (MD5: 1d6d4a64a9901985b8a005ea166df584) phones back to the following malicious C&C server IPs:
hxxp://www.pnmchgameserver.com - 69.172.201.153
hxxp://return.uk.uniregistry.com - 176.74.176.178

Once executed, a sample malware (MD5: acfa1a5f290c7dd4859b56b49be41038) phones back to the following malicious C&C server IPs:
hxxp://www.97dn.com - 45.125.35.85
hxxp://www.97wg.com - 69.172.201.153
hxxp://return.uk.uniregistry.com - 176.74.176.178

Once executed, a sample malware (MD5: b63fd04a8cdf69fb7215a70ccd0aef27) phones back to the following malicious C&C server IPs:
hxxp://pajak.yogya.com - 69.172.201.153
hxxp://www.yogya.com
hxxp://return.uk.uniregistry.com - 176.74.176.178

Related malicious MD5s known to have phoned back to the same malicious C&C server IP (64.95.64.194):
MD5: 7ca6214e3b75bc1f7a41aef3267afc29

Once executed, a sample malware phones back to the following malicious C&C server IPs:
hxxp://freshtravel.net - 184.168.221.36
hxxp://experiencetravel.net - 217.174.248.145
hxxp://freshyellow.net
hxxp://experienceyellow.net
hxxp://freshclose.net
hxxp://experienceclose.net

Related malicious MD5s known to have phoned back to the same malicious C&C server IP (69.43.161.174):
MD5: 674fca39caf18320e5a0e5fc45527ba4
MD5: 7017a26b53bc0402475d6b900a6c98ae
MD5: 0b61f6dfaddd141a91c65c7f290b9358
MD5: 4d5bc6b69db093824aa905137850e883
MD5: 201dee0da7b7807808d681510317ab59

Once executed, a sample malware (MD5: 674fca39caf18320e5a0e5fc45527ba4) phones back to the following malicious C&C server IPs:
hxxp://aahydrogen.com - 208.73.210.214
hxxp://greatinstant.net
hxxp://ginsdirect.net
hxxp://autouploaders.net - 185.53.177.9

Once executed, a sample malware (MD5: 7017a26b53bc0402475d6b900a6c98ae) phones back to the following malicious C&C server IPs:
hxxp://w.wfetch.com - 69.43.161.174
hxxp://ww1.w.wfetch.com - 72.52.4.90

Once executed, a sample malware (MD5: 4d5bc6b69db093824aa905137850e883) phones back to the following malicious C&C server IPs:
hxxp://greattaby.com - 69.43.161.174
hxxp://ww41.greattaby.com - 141.8.224.79

Once executed, a sample malware (MD5: 201dee0da7b7807808d681510317ab59) phones back to the following malicious C&C server IPs:
hxxp://layer-ads.de - 69.43.161.174

Sample URL redirection chain:
hxxp://bonuspromooffer.com - 208.91.197.46; 141.8.226.14; 204.11.56.45; 204.11.56.26; 208.73.210.215; 208.73.211.246; 82.98.86.178
    - hxxp://promotion-offer.com/vsm/adv/5?a=cspvm-sst-ozbc-sst&l=370&f=cs_3506417142&ex=1&ed=2&h=&sub=csp&prodabbr=3P_UVSM - 208.91.197.46; 204.11.56.48; 204.11.56.45; 204.11.56.26; 63.156.206.202; 63.149.176.12
        - hxxp://easywebchecklive.com/1/fileslist.js - 94.247.2.215
            - hxxp://78.47.132.222/a12/index2.php
                - hxxp://78.47.132.221/a12/pdf.php?u=i_7_0
                    - hxxp://78.47.132.221/a12/aff_12.exe?u=i_7_0&spl=4

Related malicious MD5s known to have phoned back to the same malicious C&C server IP (208.91.197.46):
MD5: b13f1af8fc426e350df11565dcf281e8
MD5: a189b3334fbd9cd357aedff22c672e9c
MD5: da53b068538ff03e2fc136c7d0816e39
MD5: ec08a877817c749597396e6b34b88e78
MD5: b9e7bf23de901280e62fd68090b5b8fa

Once executed, a sample malware (MD5: b13f1af8fc426e350df11565dcf281e8) phones back to the following malicious C&C server IPs:
hxxp://dtrack.sslsecure1.com - 193.166.255.171
hxxp://staticrr.paleokits.net - 205.251.219.192
hxxp://dtrack.secdls.com
hxxp://staticrr.sslsecure1.com

Once executed, a sample malware (MD5: a189b3334fbd9cd357aedff22c672e9c) phones back to the following malicious C&C server IPs:
hxxp://staticrr.paleokits.net - 54.230.11.231
hxxp://staticrr.sslsecure1.com - 193.166.255.171
hxxp://staticrr.sslsecure2.com
hxxp://staticrr.sslsecure3.com - 208.91.197.46

Once executed, a sample malware (MD5: ec08a877817c749597396e6b34b88e78) phones back to the following malicious C&C server IPs:
hxxp://skyworldent.com
hxxp://solitaireinfo.com
hxxp://speedholidays.com - 206.221.179.26

Once executed, a sample malware (MD5: b9e7bf23de901280e62fd68090b5b8fa) phones back to the following malicious C&C server IPs:
hxxp://api.v2.secdls.com
hxxp://api.v2.sslsecure1.com - 193.166.255.171
hxxp://api.v2.sslsecure2.com
hxxp://api.v2.sslsecure3.com - 208.91.197.46

Related malicious MD5s known to have phoned back to the same malicious C&C server IPs:
MD5: 969601cbf069a849197289e042792419
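The indicator listings above (redirection chains, domain-to-IP resolutions, and per-sample C&C hosts) are written in a regular notation that a defender can parse rather than copy by hand. The following Python script is an added example and is not part of the original post: it parses an excerpt of the post's own indicators, inverts the domain-to-IP map to surface shared hosting such as 78.46.88.202 (which several of the C&C hosts above resolve to), and matches a few constructed proxy-log lines against the resulting host and IP sets. The proxy-log format, the `SAMPLE_LOG` lines and the `example.org`/`example.net` hosts in them are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed excerpt in the post's own notation (a subset of the indicators
# listed in the post), embedded so the script runs offline.
SAMPLE = """\
Sample URL redirection chain:
hxxp://toppromooffer.com/vsm/index.html - 85.17.254.158; 69.43.161.174
    - hxxp://78.47.132.222/a12/index.php?url=http://truconv.com/?a=125&s=4a12 - (78.47.132.222)
        - hxxp://redirectclicks.com/?accs=845&tid=338 - 69.172.201.153; 176.74.176.178; 64.95.64.194

Related malicious domains known to have participated in the campaign:
hxxp://truconv.com - 78.46.88.202

Once executed, a sample malware (MD5: 473e3615795609a091a2f2d3d1be2d00) phones back to the following malicious C&C server IPs:
hxxp://yaskiya.cyberfight.de - 78.46.88.202

Once executed, a sample malware (MD5: 9e51c29682a6059b9b636db8bf7dcc25) phones back to the following malicious C&C server IPs:
hxxp://cfg111111.go.3322.org - 118.184.176.13
hxxp://newsoft.kilu.org - 78.46.88.202
hxxp://myweb111111.go.3322.org
"""

# Constructed proxy-log lines (assumed format: <timestamp> <client> <method> <url> <dest_ip>).
SAMPLE_LOG = [
    "2017-01-05T10:00:01Z 10.0.0.12 GET http://www.example.org/index.html 93.184.216.34",
    "2017-01-05T10:00:07Z 10.0.0.12 GET http://redirectclicks.com/?accs=845&tid=338 69.172.201.153",
    "2017-01-05T10:00:09Z 10.0.0.33 GET http://cdn.example.net/lib.js 78.46.88.202",
]

MD5_RE = re.compile(r"MD5:\s*([0-9a-f]{32})", re.I)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HXXP_RE = re.compile(r"hxxps?://([^\s/?#]+)", re.I)


def parse_indicators(text):
    """Return (domain_to_ips, md5_to_domains) from text in the post's notation.

    Lines beginning with hxxp:// (after any '- ' chain indentation) are indicator
    lines: the host after the defanged scheme is the domain (or a bare IP) and the
    IPs after ' - ' are its resolutions. A header carrying '(MD5: <hash>)' opens a
    per-sample section whose hxxp lines are that sample's C&C hosts; any other
    header closes the section.
    """
    domain_to_ips = defaultdict(set)
    md5_to_domains = defaultdict(set)
    current_md5 = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = MD5_RE.search(line)
        if m and not line.lower().startswith("md5:"):
            current_md5 = m.group(1).lower()  # "Once executed, a sample malware (MD5: ...)"
            continue
        line = line.lstrip("- ").strip()  # drop redirection-chain indentation
        if not line.lower().startswith("hxxp"):
            current_md5 = None  # a plain "MD5: ..." list line or another heading
            continue
        host = HXXP_RE.match(line).group(1).lower()
        _url_part, _, ip_part = line.partition(" - ")
        ips = set(IPV4_RE.findall(ip_part))
        if IPV4_RE.fullmatch(host):
            ips.add(host)  # a bare-IP hop is its own address
        domain_to_ips[host] |= ips
        if current_md5:
            md5_to_domains[current_md5].add(host)
    return dict(domain_to_ips), dict(md5_to_domains)


def shared_infrastructure(domain_to_ips, min_domains=2):
    """Invert the map and keep IPs that host at least min_domains campaign hosts."""
    ip_to_domains = defaultdict(set)
    for domain, ips in domain_to_ips.items():
        for ip in ips:
            ip_to_domains[ip].add(domain)
    return {ip: sorted(d) for ip, d in ip_to_domains.items() if len(d) >= min_domains}


def match_proxy_log(log_lines, domain_to_ips):
    """Flag log lines whose destination host or destination IP is a known indicator."""
    hosts = set(domain_to_ips)
    ips = set().union(*domain_to_ips.values())
    hits = []
    for line in log_lines:
        fields = line.split()
        url, dest_ip = fields[3], fields[4]
        host = re.match(r"https?://([^/:?#]+)", url).group(1).lower()
        if host in hosts or dest_ip in ips:
            hits.append((fields[0], host, dest_ip))
    return hits


if __name__ == "__main__":
    domains, samples = parse_indicators(SAMPLE)
    for ip, hosted in shared_infrastructure(domains).items():
        print(f"shared C&C IP {ip}: {', '.join(hosted)}")
    for md5, hosts in samples.items():
        print(f"{md5} -> {', '.join(sorted(hosts))}")
    for ts, host, ip in match_proxy_log(SAMPLE_LOG, domains):
        print(f"HIT {ts} {host} {ip}")
```

Matching on the resolved IP as well as the host name is what catches the third constructed log line: the host there is benign-looking, but the connection lands on 78.46.88.202, which the post ties to several of the campaign's C&C domains. Feeding the full post through `parse_indicators` instead of the excerpt gives the complete host, IP and hash sets for a blocklist or a retrospective log search.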

We'll continue monitoring the campaign and post updates as soon as new developments take place.