Sunday, October 21, 2018

Historical OSINT - Rogue Scareware Dropping Campaign Spotted in the Wild Courtesy of the Koobface Gang

It's 2010 and I've recently come across a diverse portfolio of fake security software, also known as scareware, courtesy of the Koobface gang, in what appears to be a direct connection between the gang's activities and the Russian Business Network.

In this post I'll provide actionable intelligence on the infrastructure behind it and discuss in depth the tactics, techniques and procedures of the cybercriminals behind it, including the establishment of a direct connection between the gang's activities and a well-known Russian Business Network customer.

Related malicious domains known to have participated in the campaign:
hxxp://piremover.eu/hitin.php?affid=02979 - 212.117.161.142; 95.211.27.154; 95.211.27.166

Once executed, a sample (MD5: eedac4719229a499b3118f87f32fae35) phones back to the following malicious C&C server:
hxxp://xmiueftbmemblatlwsrj.cn/get.php?id=02979 - 91.207.116.44 - Email: robertsimonkroon@gmail.com

Domains known to have responded to the same malicious C&C server IP:
hxxp://aahsdvsynrrmwnbmpklb.cn
hxxp://dlukhonqzidfpphkbjpb.cn
hxxp://barykcpveiwsgexkitsg.cn
hxxp://bfichgfqjqrtkwrsegoj.cn
hxxp://dhbomnljzgiardzlzvkp.cn

Once executed, a sample phones back to the following malicious C&C servers:
hxxp://xmiueftbmemblatlwsrj.cn
hxxp://urodinam.net - a well-known Koobface 1.0 C&C server domain, also seen in the "Mass DreamHost Sites Compromise" exclusively profiled in this post.

Once executed, samples MD5: 66dc85ad06e4595588395b2300762660 and MD5: 91944c3ae4a64c478bfba94e9e05b4c5 phone back to the following malicious C&C server:
hxxp://proxim.ntkrnlpa.info - 83.68.16.30 - also observed in related analysis of the mass embassy Web site compromises throughout 2007 and 2009.

Successfully dropping the following malicious Koobface binary: hxxp://harmonyhudospa.se/.sys/?getexe=fb.70.exe

Related malicious MD5s known to have participated in the campaign:
MD5: 66dc85ad06e4595588395b2300762660
MD5: 8282ea8e92f40ee13ab716daf2430145

Once executed, a sample phones back to the following malicious C&C servers:
hxxp://tehnocentr.chita.ru/.sys
hxxp://gvpschekschov.iv-edu.ru/.sys/?action=fbgen
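As an added example that is not part of the original post, the following Python script takes the defanged indicator lines published above, refangs and parses them into structured records (host, path, affiliate number, resolving IPs, contact e-mail, MD5s), and then pivots on shared IPs and on the affiliate number so the piremover.eu landing page and the .cn C&C domain line up on the same affid. Two assumptions are labelled in the code: that the `id` parameter on the C&C URL carries the same pay-per-install affiliate number as `affid`, and that the vowel-ratio heuristic used to flag the 20-letter .cn names is only a heuristic. The indicator text is constructed input copied from this post.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse, parse_qs

# Constructed input for this example: indicator lines copied from the post
# above, in their original defanged (hxxp://) form.
RAW_IOCS = """\
hxxp://piremover.eu/hitin.php?affid=02979 - 212.117.161.142; 95.211.27.154; 95.211.27.166
hxxp://xmiueftbmemblatlwsrj.cn/get.php?id=02979 - 91.207.116.44 - Email: robertsimonkroon@gmail.com
hxxp://aahsdvsynrrmwnbmpklb.cn
hxxp://dlukhonqzidfpphkbjpb.cn
hxxp://barykcpveiwsgexkitsg.cn
hxxp://bfichgfqjqrtkwrsegoj.cn
hxxp://dhbomnljzgiardzlzvkp.cn
hxxp://urodinam.net
hxxp://proxim.ntkrnlpa.info - 83.68.16.30
hxxp://harmonyhudospa.se/.sys/?getexe=fb.70.exe
hxxp://tehnocentr.chita.ru/.sys
hxxp://gvpschekschov.iv-edu.ru/.sys/?action=fbgen
MD5: eedac4719229a499b3118f87f32fae35
MD5: 66dc85ad06e4595588395b2300762660
MD5: 91944c3ae4a64c478bfba94e9e05b4c5
MD5: 8282ea8e92f40ee13ab716daf2430145
"""

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
EMAIL = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
MD5 = re.compile(r"\b[0-9a-fA-F]{32}\b")
# Assumption: both "affid" and "id" carry the same pay-per-install affiliate number.
AFFILIATE_KEYS = ("affid", "id")


def refang(url):
    """Turn hxxp:// or hxxps:// back into a scheme urlparse understands."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.IGNORECASE)


def parse_line(line):
    """Parse one indicator line; return None if it carries neither a URL nor a hash."""
    line = line.strip()
    if not line:
        return None
    rec = {"url": None, "host": None, "path": "", "affiliate": None,
           "ips": IPV4.findall(line), "emails": EMAIL.findall(line),
           "md5s": [h.lower() for h in MD5.findall(line)]}
    m = re.match(r"hxxps?://\S+", line, re.IGNORECASE)
    if m:
        u = urlparse(refang(m.group(0)))
        rec["url"] = m.group(0)
        rec["host"] = u.hostname
        rec["path"] = u.path
        qs = parse_qs(u.query)
        for key in AFFILIATE_KEYS:
            if key in qs:
                rec["affiliate"] = qs[key][0]
                break
    if rec["url"] is None and not rec["md5s"]:
        return None
    return rec


def looks_generated(host):
    """Heuristic for the 20-letter .cn names: a long, purely alphabetic
    second-level label with a low vowel ratio. Heuristic only (assumption)."""
    label = host.split(".")[0]
    if len(label) < 16 or not label.isalpha():
        return False
    vowels = sum(c in "aeiou" for c in label)
    return vowels / len(label) < 0.3


def build_pivots(raw):
    """Group hosts by resolving IP and by affiliate number; collect hashes."""
    records = [r for r in (parse_line(l) for l in raw.splitlines()) if r]
    by_ip, by_affiliate = defaultdict(set), defaultdict(set)
    hashes, generated = set(), set()
    for r in records:
        for ip in r["ips"]:
            by_ip[ip].add(r["host"])
        if r["affiliate"]:
            by_affiliate[r["affiliate"]].add(r["host"])
        hashes.update(r["md5s"])
        if r["host"] and looks_generated(r["host"]):
            generated.add(r["host"])
    return {"records": records, "by_ip": dict(by_ip),
            "by_affiliate": dict(by_affiliate), "hashes": sorted(hashes),
            "generated_hosts": sorted(generated)}


if __name__ == "__main__":
    p = build_pivots(RAW_IOCS)
    for aff, hosts in p["by_affiliate"].items():
        print("affiliate", aff, "->", sorted(hosts))
    for ip, hosts in p["by_ip"].items():
        print(ip, "->", sorted(hosts))
    print("probable generated names:", p["generated_hosts"])
    print("hashes:", p["hashes"])
```

Running it prints the affiliate pivot (02979 joining piremover.eu and xmiueftbmemblatlwsrj.cn), the IP-to-host map for the four resolving IPs, the six pseudo-random .cn names the heuristic flags, and the four hashes; swap RAW_IOCS for passive DNS or sandbox output in the same line format to extend the pivot beyond what this post lists.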

We'll continue monitoring the campaign and post updates as soon as new developments take place.