Monday, October 22, 2018

Historical OSINT - Massive Blackhat SEO Campaign Spotted in the Wild Serves Scareware

It's 2010 and I've recently stumbled upon a currently active and circulating malicious and fraudulent blackhat SEO campaign successfully enticing hundreds of thousands globally into interacting with a multi-tude of rogue and malicious software also known as scareware.

In this post I'll profile the campaign discuss in-depth the tactics techniques and procedures of the cybercriminals behind it and provide actionable intelligence on the infrastructure behind it.

Related malicious domains known to have participated in the campaign:
hxxp://ozeqiod.cn?uid=213 - redirector - 64.86.25.201 - hxxp://bexwuq.cn

Sample URL redirection chain:
hxxp://ymarketcoms.cn/?pid=123

Related malicious domains known to have responded to the same malicious C&C server IPs (64.86.25.201):
hxxp://bombas101.com
hxxp://trhtrtrbtrtbtb.com
hxxp://opensearch-zone.com
hxxp://imaera.cn
hxxp://ariexa.cn
hxxp://ozeqiod.cn
hxxp://ariysle.cn
hxxp://ajegif.cn
hxxp://adiyki.cn
hxxp://acaisek.cn
hxxp://yvamuer.cn
hxxp://protectinstructor.cn
hxxp://blanshinblansh.net
hxxp://kostinporest.net

Related malicious domains known to have participated in the campaign:
hxxp://azikyxa.cn
hxxp://befaqki.cn
hxxp://ataini.cn
hxxp://atoycri.cn
hxxp://bimpuj.cn
hxxp://bekajop.cn
hxxp://bexwuq.cn
hxxp://azywoax.cn
hxxp://azaijy.cn

We'll continue monitoring the campaign and post updates as soon as new developments take place.