Saturday, May 04, 2019

Historical OSINT - Massive Scareware Serving Campaign Spotted in the Wild

With scareware continuing to proliferate I've recently intercepted a currently active malicious and fraudulent blackhat SEO campaign successfully enticing thousands of users into interacting with the rogue and malicious software with the scareware behind the campaign successfully modifying the HOSTS on the affected host potentially exposing the user to a variety of fake search engines type of rogue and fraudulent and malicious activity.

In this post I'll provide actionable intelligence on the infrastructure behind the campaign.

Sample malicious URL known to have participated in the campaign:
hxxp://guardsys-zone.com/?p=WKmimHVmaWyHjsbIo22EeXZe0KCfZlbVoKDb2YmHWJjOxaCbkX1%2Bal6orKWekJXIZWhimmVummWIo6THodjXoGJdpqmikpVuZ21uaHFtb1%2FEkKE%3D

Sample malicious MD5 known to have participated in the campaign:
MD5: 665480a64d4f72a33120251c968e9c28

Once executed the sample modifies the HOSTS and redirects them to the following domains:
hxxp://google-reseach.com/gfeed/click.php?q=&p=1 - 66.36.243.201
hxxp://google-reseach.com/search.php?&aff=32210&saff=0&q=

Related malicious rogue and fraudulent URL known to have participated in the campaign:
hxxp://88.85.73.139/landing/

Sample rogue and fraudulent payment processed used in the campaign:
hxxp://safetyself.com/safereports/ - 88.85.73.139