With scareware continuing to proliferate I've recently intercepted a currently active malicious and fraudulent blackhat SEO campaign successfully enticing thousands of users into interacting with the rogue and malicious software with the scareware behind the campaign successfully modifying the HOSTS on the affected host potentially exposing the user to a variety of fake search engines type of rogue and fraudulent and malicious activity.
In this post I'll provide actionable intelligence on the infrastructure behind the campaign.
Sample malicious URL known to have participated in the campaign:
hxxp://guardsys-zone.com/?p=WKmimHVmaWyHjsbIo22EeXZe0KCfZlbVoKDb2YmHWJjOxaCbkX1%2Bal6orKWekJXIZWhimmVummWIo6THodjXoGJdpqmikpVuZ21uaHFtb1%2FEkKE%3D
Sample malicious MD5 known to have participated in the campaign:
MD5: 665480a64d4f72a33120251c968e9c28
Once executed the sample modifies the HOSTS and redirects them to the following domains:
hxxp://google-reseach.com/gfeed/click.php?q=&p=1 - 66.36.243.201
hxxp://google-reseach.com/search.php?&aff=32210&saff=0&q=
Related malicious rogue and fraudulent URL known to have participated in the campaign:
hxxp://88.85.73.139/landing/
Sample rogue and fraudulent payment processed used in the campaign:
hxxp://safetyself.com/safereports/ - 88.85.73.139