Historical OSINT - Rogue Scareware Dropping Campaign Spotted in the Wild Courtesy of the Koobface Gang

October 21, 2018
It's 2010 and I've recently come across a diverse portfolio of fake security software, also known as scareware, courtesy of the Koobface gang, in what appears to be a direct connection between the gang's activities and the Russian Business Network.

In this post I'll provide actionable intelligence on the infrastructure behind it and discuss in depth the tactics, techniques and procedures of the cybercriminals behind it, including the establishment of a direct connection between the gang's activities and a well-known Russian Business Network customer.

Related malicious domains known to have participated in the campaign:
hxxp://piremover.eu/hitin.php?affid=02979 - 212.117.161.142; 95.211.27.154; 95.211.27.166

Once executed a sample malware (MD5: eedac4719229a499b3118f87f32fae35) phones back to the following malicious C&C server IPs:
hxxp://xmiueftbmemblatlwsrj.cn/get.php?id=02979 - 91.207.116.44 - Email: robertsimonkroon@gmail.com

Domains known to have responded to the same malicious C&C server IP:
hxxp://aahsdvsynrrmwnbmpklb.cn
hxxp://dlukhonqzidfpphkbjpb.cn
hxxp://barykcpveiwsgexkitsg.cn
hxxp://bfichgfqjqrtkwrsegoj.cn
hxxp://dhbomnljzgiardzlzvkp.cn

Once executed, a sample malware phones back to the following malicious C&C servers:
hxxp://xmiueftbmemblatlwsrj.cn
hxxp://urodinam.net - a well-known Koobface 1.0 C&C server domain, also seen in the "Mass DreamHost Sites Compromise" exclusively profiled in this post.

Once executed, sample malware (MD5: 66dc85ad06e4595588395b2300762660; MD5: 91944c3ae4a64c478bfba94e9e05b4c5) phones back to the following malicious C&C server:
hxxp://proxim.ntkrnlpa.info - 83.68.16.30 - also observed in related analysis of the mass embassy Web site compromises throughout 2007 and 2009.

The campaign successfully drops the following malicious Koobface binary: hxxp://harmonyhudospa.se/.sys/?getexe=fb.70.exe

Related malicious MD5s known to have participated in the campaign:
MD5: 66dc85ad06e4595588395b2300762660
MD5: 8282ea8e92f40ee13ab716daf2430145

Once executed, a sample malware phones back to the following malicious C&C servers:
hxxp://tehnocentr.chita.ru/.sys
hxxp://gvpschekschov.iv-edu.ru/.sys/?action=fbgen
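As an added example (not part of the original post), here is a small Python routine that turns the indicators listed above into detection logic: it matches proxy-log URLs against the published domains, IPs and hashes, flags the Koobface 1.0 "/.sys/" fetch pattern even on hosts not yet on the list, and pulls out the scareware affiliate ID so the landing-page hit (affid=02979) can be tied to the C&C check-in (id=02979). The log lines are constructed for illustration; the indicators are the ones published in this post.

```python
"""Scan proxy-log URLs for the Koobface/scareware indicators listed in this post.

Added example, not from the original post. SAMPLE_LOG is constructed for
illustration; the domains, IPs and hashes are the ones published above.
"""
import re
from urllib.parse import urlparse, parse_qs

# Domains and IPs published in the post (hxxp:// defanging removed).
IOC_DOMAINS = {
    "piremover.eu", "xmiueftbmemblatlwsrj.cn", "aahsdvsynrrmwnbmpklb.cn",
    "dlukhonqzidfpphkbjpb.cn", "barykcpveiwsgexkitsg.cn",
    "bfichgfqjqrtkwrsegoj.cn", "dhbomnljzgiardzlzvkp.cn", "urodinam.net",
    "proxim.ntkrnlpa.info", "harmonyhudospa.se", "tehnocentr.chita.ru",
    "gvpschekschov.iv-edu.ru",
}
IOC_IPS = {
    "212.117.161.142", "95.211.27.154", "95.211.27.166",
    "91.207.116.44", "83.68.16.30",
}
IOC_MD5S = {
    "eedac4719229a499b3118f87f32fae35", "66dc85ad06e4595588395b2300762660",
    "91944c3ae4a64c478bfba94e9e05b4c5", "8282ea8e92f40ee13ab716daf2430145",
}
# Scareware affiliate/campaign ID parameters seen in the post's URLs.
AFFILIATE_KEYS = ("affid", "id")

# Constructed sample: "timestamp client method url" lines (squid-like).
SAMPLE_LOG = """\
1287600001 10.0.0.5 GET http://piremover.eu/hitin.php?affid=02979
1287600002 10.0.0.5 GET http://xmiueftbmemblatlwsrj.cn/get.php?id=02979
1287600003 10.0.0.7 GET http://www.example.com/index.html
1287600004 10.0.0.9 GET http://harmonyhudospa.se/.sys/?getexe=fb.70.exe
1287600005 10.0.0.9 GET http://gvpschekschov.iv-edu.ru/.sys/?action=fbgen
1287600006 10.0.0.11 GET http://83.68.16.30/stat.php
1287600007 10.0.0.12 GET http://unknown-host.example/.sys/?getexe=fb.71.exe
"""


def defang(url):
    """Turn the post's hxxp:// notation back into a parseable URL."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.I)


def classify_url(url):
    """Return the list of reasons a URL matches; empty if it looks clean."""
    parsed = urlparse(defang(url))
    host = (parsed.hostname or "").lower()
    reasons = []
    if host in IOC_DOMAINS:
        reasons.append(f"ioc-domain:{host}")
    if host in IOC_IPS:
        reasons.append(f"ioc-ip:{host}")
    # The Koobface binary and "fbgen" generator fetches share a "/.sys/"
    # directory, so flag the path shape independently of the host list.
    if parsed.path.rstrip("/").endswith("/.sys"):
        reasons.append("koobface-sys-path")
    qs = parse_qs(parsed.query)
    for key in AFFILIATE_KEYS:
        # Only treat affid=/id= as an affiliate marker on known hosts;
        # "id" is far too generic to flag on its own.
        if key in qs and host in IOC_DOMAINS:
            reasons.append(f"affiliate-{key}:{qs[key][0]}")
    if "getexe" in qs:
        reasons.append(f"getexe:{qs['getexe'][0]}")
    return reasons


def scan_log(text):
    """Return (client, url, reasons) for every log line that matches."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        _ts, client, _method, url = parts[:4]
        reasons = classify_url(url)
        if reasons:
            hits.append((client, url, reasons))
    return hits


def check_hash(md5):
    """True if an MD5 (any case) is one of the samples from the post."""
    return md5.lower() in IOC_MD5S


if __name__ == "__main__":
    for client, url, reasons in scan_log(SAMPLE_LOG):
        print(client, url, ", ".join(reasons))
```

The affiliate ID is the useful pivot here: the same value (02979) appears in the scareware landing page URL and in the C&C check-in, which is what lets a single compromised host's traffic be attributed to one affiliate rather than just to "a scareware campaign". The /.sys/ path check is deliberately host-independent so that new drop sites using the same Koobface tooling show up before they are added to the domain list.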

We'll continue monitoring the campaign and post updates as soon as new developments take place.
