Cybercriminals continue actively launching fraudulent and malicious blackhat SEO campaigns further acquiring legitimate traffic for the purpose of converting it into malware-infected hosts further spreading malicious software potentially compromising the confidentiality availability and integrity of the targeted host to a multi-tude of malicious software.
We've recently intercepted a currently active malicious blackhat SEO campaign serving scareware to socially engineered users with the cybercriminals behind it earning fraudulent revenue largely relying on the utilization of an affiliate-network based revenue-sharing scheme.
In this post we'll profile the campaign, provide actionable intelligence on the infrastructure behind it, and discuss in-depth the tactics techniques and procedures of the cybercriminals behind it.
Known malicious domains known to have participated in the campaign:
hxxp://doremisan7.net?uid=213&pid=3&ttl=319455a3f86 - 67.215.238.189
Known malicious redirector known to have participated in the campaign:
hxxp://marketcoms.cn/?pid=123&sid=8ec7ca&uid=213&isRedirected=1 - 91.205.40.5 - Email: JeremyLRademacher@live.com
Related malicious domains known to have been parked within the same malicious IP (91.205.40.5):
hxxp://browsersafeon.com
hxxp://online-income2.cn
hxxp://applestore2.cn
hxxp://media-news2.cn
hxxp://clint-eastwood.cn
hxxp://stone-sour.cn
hxxp://marketcoms.cn
hxxp://fashion-news.cn
Known malicious domains known to have participated in the campaign:
hxxp://guard-syszone.net/?p=WKmimHVmaWyHjsbIo22EeXZe0KCfZlbVoKDb2YmHWJjOxaCbkX1%2Bal6orKWeYJWfZW
VilWWenGOIo6THodjXoGJdpqmikpVuaGVvZG1kbV%2FEkKE%3D - 206.53.61.73
hxxp://yourspywarescan15.com/scan1/?pid=123&engine=pXT3wjTuNjYzLjE3Ny4xNTMmdGltZT0xMjUxMYkNPAFO - 85.12.24.12
Sample detection rate for sample malware:
MD5: 3d448b584d52c6a6a45ff369d839eb06
MD5: 54f671bb9283bf4dfdf3c891fd9cd700
We'll continue monitoring the campaign and post updates as soon as new developments take place.