Friday, October 28, 2022

Exposing a Portfolio of YaBucks Pay Per Install Affiliate Network Scareware Serving Domains - An Analysis

NOTE:

I took these screenshots in 2009.

There was a time when scareware and pay-per-install (PPI) affiliate-based revenue-sharing networks dominated the threat landscape as the primary monetization vector for cybercriminals, who made tens of thousands in fraudulent revenue by enticing users into installing and interacting with rogue and fake security software.

In this post I'll take a closer look at the YaBucks rogue, affiliate-network-based scareware serving network, which affected thousands of users globally, largely because of the number of affiliates participating in it, and provide technical details on its Internet-connected infrastructure to assist with cyber attack and campaign attribution efforts.
 
Sample screenshots include:

Sample domains known to have been involved in the campaign include:

hxxp://pontesmedia.com - 74.54.241.100
hxxp://matelab.com
hxxp://legochild.com
hxxp://imzee.com
hxxp://mustmake.com
hxxp://ovobundle.com
hxxp://emulehome.com
hxxp://skyaffiliate.com
hxxp://vivosearch.com
hxxp://ovocash.com
hxxp://p2passion.com
hxxp://datingnoon.com
hxxp://profilissimo.com
hxxp://flipero.com
hxxp://adware-help.com
hxxp://spacextender.com
hxxp://mybuckler.com
hxxp://iframr.com
hxxp://glintgames.com
hxxp://justares.com
hxxp://ppitalks.com
hxxp://theinstalls.com
hxxp://adwaredollars.com
hxxp://funtarget.com
hxxp://theimageoutlet.com
hxxp://petduet.com
hxxp://tivisoft.com
hxxp://softpont.com
hxxp://blogency.com
hxxp://wiiactivity.com
hxxp://bnetworks.us
hxxp://gorasoft.us
hxxp://camerabid.net
hxxp://freemediashare.net
hxxp://germek.net
hxxp://imupdates.net
hxxp://allworldstars.net
hxxp://gorasoft.net

Sample responding IPs known to have been involved in the campaign include. Note that these are the IPs the listed domains responded from when this list was compiled, not necessarily their 2009 hosting; where an IP belongs to shared hosting, CDN or domain-parking infrastructure, treat it as pivoting context rather than as a standalone block-list entry:
hxxp://54.208.174.161
hxxp://154.72.193.28
hxxp://54.165.156.210
hxxp://54.200.75.96
hxxp://52.72.89.116
hxxp://199.184.144.27
hxxp://74.208.236.241
hxxp://74.208.21.90
hxxp://207.148.248.143
hxxp://50.63.202.104
hxxp://184.168.221.39
hxxp://52.202.22.6
hxxp://54.209.32.212
hxxp://54.208.74.215
hxxp://45.40.140.6
hxxp://68.178.213.203
hxxp://213.186.33.18
hxxp://3.223.115.185
hxxp://52.71.210.200
hxxp://23.20.239.12
hxxp://54.80.72.81
hxxp://34.102.136.180
hxxp://146.112.61.107
hxxp://204.11.56.48
hxxp://23.202.231.167
hxxp://23.217.138.108
hxxp://107.23.198.240
hxxp://35.171.109.224
hxxp://52.7.6.73
hxxp://52.71.185.125
hxxp://54.174.212.152
hxxp://52.6.224.208
hxxp://54.209.58.131
hxxp://3.224.108.191
hxxp://34.206.145.143
hxxp://18.119.154.66
hxxp://217.160.0.202
hxxp://72.32.183.55
hxxp://13.70.194.134
hxxp://52.50.218.98
hxxp://52.19.184.19
hxxp://156.245.122.96
hxxp://154.38.221.164
hxxp://180.215.252.181
hxxp://52.16.207.139
hxxp://192.163.249.115
hxxp://54.183.99.63
hxxp://46.249.46.67
hxxp://146.112.61.106
hxxp://23.202.231.168
hxxp://23.195.69.108
hxxp://185.230.63.171
hxxp://185.230.63.186
hxxp://109.234.109.84
hxxp://192.232.231.38
hxxp://50.63.202.47
hxxp://50.63.202.49
hxxp://50.63.202.59
hxxp://198.105.244.11
hxxp://184.168.221.57
hxxp://185.230.61.173
hxxp://184.168.221.36
hxxp://104.239.213.7
hxxp://34.117.168.233
hxxp://85.13.164.142
hxxp://185.230.60.173
hxxp://199.34.228.59
hxxp://103.224.182.244
hxxp://36.86.63.182
hxxp://184.168.221.65
hxxp://185.205.210.23
hxxp://204.16.144.135
hxxp://172.93.51.245
hxxp://76.223.65.111
hxxp://184.168.221.53
hxxp://218.93.250.18
hxxp://184.168.221.40
hxxp://93.89.226.17
hxxp://54.72.11.253
hxxp://198.105.254.11
hxxp://18.211.9.206
hxxp://185.53.179.7
hxxp://91.237.88.232
hxxp://52.15.160.167
hxxp://3.140.179.210
hxxp://3.141.79.17
hxxp://198.61.166.153
hxxp://69.56.252.44
hxxp://143.95.87.47
hxxp://104.24.126.199
hxxp://50.63.202.43
hxxp://23.246.252.106
hxxp://141.8.226.19
hxxp://3.143.123.90
hxxp://3.138.54.87

Sample malicious MD5s known to have been involved in the campaign include:
MD5: d3081abe4e1c1808e5e8a83a3bc1eaa2
MD5: 1aadbc70670bc05875c04c9e86c0356e
MD5: f18c7a4fed30371a0eba7eef3051234f
MD5: b492493154482d9bb6e24340d8866dec
MD5: 72e5a2dadc0711f36e84f636b7267b1b
MD5: eab74844a9b34edc1b7b3d4e84aab5ec
MD5: 322367ea2f686916a44181bf72c49726
MD5: d9f6bf40003d44ecf7b2fa697a9e73dd

Sample malicious and fraudulent C&C server URLs known to have been involved in the campaign include (the second carries a UUID-style id and a ver= parameter, consistent with an affiliate check-in or reporting endpoint):
hxxp://skyaffiliate.com/count.php
hxxp://funtarget.com/?m&id=61fbd50a-ef75-11e8-bc2f-00c0a8850c2a&ver=9
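As an added example (not code from the original post or the YaBucks operators), the following Python parses indicator lists written in the defanged format used above (hxxp:// domains, optional trailing hosting IP after a dash, bare IPs, MD5: lines and full C&C URLs), refangs them into typed sets, and matches them against a few proxy, DNS and AV log lines. The IOC excerpt and the log lines are constructed for the example; the BEACON_RE pattern is an assumed generalization of the single funtarget.com check-in URL listed above and is reported as a heuristic, not as an exact indicator.

```python
"""Added example: parse defanged IOC lists in the post's format and match log lines.
IOC_TEXT is a constructed excerpt in that format; LOG_LINES are constructed."""
import ipaddress
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

IOC_TEXT = """\
Sample domains known to have been involved in the campaign include:
hxxp://pontesmedia.com - 74.54.241.100
hxxp://skyaffiliate.com
hxxp://funtarget.com

Sample responding IPs known to have been involved in the campaign include:
hxxp://54.208.174.161
hxxp://184.168.221.39

Sample malicious MD5s known to have been involved in the campaign include:
MD5: d3081abe4e1c1808e5e8a83a3bc1eaa2

Sample malicious and fraudulent C&C server domains known to have been involved in the campaign include:
hxxp://skyaffiliate.com/count.php
hxxp://funtarget.com/?m&id=61fbd50a-ef75-11e8-bc2f-00c0a8850c2a&ver=9
"""

# Constructed log lines: "<timestamp> <client> <kind> <value>", where value is a
# requested URL (proxy), a queried name (dns) or a file hash (av).
LOG_LINES = [
    "2022-10-28T09:00:01Z 10.0.0.5 proxy http://funtarget.com/?m&id=61fbd50a-ef75-11e8-bc2f-00c0a8850c2a&ver=9",
    "2022-10-28T09:00:02Z 10.0.0.5 dns cdn.skyaffiliate.com",
    "2022-10-28T09:00:03Z 10.0.0.7 proxy http://example.org/?id=0b9c7b0e-1111-2222-3333-444455556666&ver=12",
    "2022-10-28T09:00:04Z 10.0.0.9 dns notskyaffiliate.com",
    "2022-10-28T09:00:05Z 10.0.0.9 av D3081ABE4E1C1808E5E8A83A3BC1EAA2",
    "2022-10-28T09:00:06Z 10.0.0.9 proxy http://184.168.221.39/index.html",
]

MD5_RE = re.compile(r"\b[0-9a-f]{32}\b", re.I)
# Assumed check-in shape, generalized from the one funtarget.com URL in the post:
# a UUID in "id=" immediately followed by a numeric "ver=" parameter.
BEACON_RE = re.compile(r"[?&]id=[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}&ver=\d+\b", re.I)


@dataclass
class IOCSet:
    domains: set = field(default_factory=set)
    ips: set = field(default_factory=set)
    md5s: set = field(default_factory=set)
    urls: set = field(default_factory=set)


def refang(s: str) -> str:
    """Turn the post's defanged hxxp(s):// back into a parseable http(s):// URL."""
    return re.sub(r"^hxxp", "http", s.strip(), flags=re.I)


def is_ip(s: str) -> bool:
    try:
        ipaddress.ip_address(s)
        return True
    except ValueError:
        return False


def parse_iocs(text: str) -> IOCSet:
    iocs = IOCSet()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.endswith("include:"):   # skip blanks and section headers
            continue
        if line.upper().startswith("MD5:"):
            m = MD5_RE.search(line)
            if m:
                iocs.md5s.add(m.group(0).lower())
            continue
        # "hxxp://domain - 1.2.3.4" entries carry a hosting IP after the dash.
        target, _, extra = line.partition(" - ")
        url = refang(target)
        p = urlparse(url)
        host = (p.hostname or "").lower()
        if not host:
            continue
        if p.path not in ("", "/") or p.query:
            iocs.urls.add(url)          # full C&C URL; its host is an indicator as well
        if is_ip(host):
            iocs.ips.add(host)
        else:
            iocs.domains.add(host)
        if is_ip(extra.strip()):
            iocs.ips.add(extra.strip())
    return iocs


def host_matches(host: str, domains: set) -> bool:
    """Label-aware suffix match: cdn.skyaffiliate.com hits, notskyaffiliate.com does not."""
    labels = host.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in domains for i in range(len(labels)))


def match_line(line: str, iocs: IOCSet) -> list:
    """Return the reasons (possibly none) a log line matches the IOC set."""
    try:
        _ts, _client, kind, value = line.split(" ", 3)
    except ValueError:
        return []
    hits = []
    if kind == "proxy":
        host = (urlparse(value).hostname or "").lower()
        if value in iocs.urls:
            hits.append("url")
        if host in iocs.ips:
            hits.append("ip")
        elif host_matches(host, iocs.domains):
            hits.append("domain")
        if BEACON_RE.search(value):
            hits.append("beacon-shape")  # heuristic only; confirm before acting on it
    elif kind == "dns" and host_matches(value, iocs.domains):
        hits.append("domain")
    elif kind == "av" and value.lower() in iocs.md5s:
        hits.append("md5")
    return hits


def scan(lines, iocs: IOCSet) -> list:
    """Pair every matching log line with the list of reasons it matched."""
    results = []
    for line in lines:
        hits = match_line(line, iocs)
        if hits:
            results.append((line, hits))
    return results


if __name__ == "__main__":
    for line, hits in scan(LOG_LINES, parse_iocs(IOC_TEXT)):
        print(", ".join(hits).ljust(28), line)
```

The suffix match is done per label so that a lookalike such as notskyaffiliate.com does not fire, while subdomains of a listed domain do; the beacon-shape heuristic is reported separately from exact indicator hits so an analyst can weigh it differently.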

Stay tuned!
