Who's Pushing All The "Fake Updates" Malicious Software Using Redirectors and Traffic Distribution and Redirection Systems and Tools Domains?

Thursday, December 28, 2023

Who's Pushing All The "Fake Updates" Malicious Software Using Redirectors and Traffic Distribution and Redirection Systems and Tools Domains?

I've recently observed an increase in compromised or exploited to be precise in the context of abusing unfixed web application flaws such as for instance redirection notifications on high-traffic and high-profile Web sites where the ultimate goal would be to push traffic distribution and traffic management rogue domains part of a URL redirection chain where the ultimate goal would be to utilize both legitimate high-traffic and high-profile Web sites including purely malicious Web sites for the purpose of dropping malicious software on the targeted hosts.

The surprising part? The primary and entire portfolio of these traffic redirection and traffic management domain are parked on 193.106.175.18 - AS50465 - IQHost Ltd where one of the bigger domain farms is parked at hxxp://biggerfun.org.

Sample misconfigured high-traffic and high-profile Web sites that allow redirections potentially bypassing reputation filters include:

hxxp://afmonline.org/?URL=hxxp://khTrnB0WV8.biggerfun.org/khTrnB0WV8/

hxxp://whiskyparts.co/?URL=m88Z2iiER.biggerfun.org/m88Z2iiER/

hxxp://hardemancounty.org/?URL=http%3A%2F%2F1FXddDHkYN.biggerfun.org/1FXddDHkYN/

hxxp://bukkit.org/proxy.php?link=hxxp://uToqSuwC.biggerfun.org/uToqSuwC/

hxxp://www.centralsynagogue.org/?URL=hxxp://NjNr8Mkm.biggerfun.org/NjNr8Mkm/

hxxp://board-en.piratestorm.com/proxy.php?link=http%3A%2F%2Fnpn8KwBr.biggerfun.org/npn8KwBr/

hxxp://boards.theforce.net/proxy.php?link=hxxp://WihYqBBuvj.biggerfun.org/WihYqBBuvj/

hxxp://www.cutrite.com.au/?URL=hxxp://9mVRlHjF.biggerfun.org/9mVRlHjF/

Sample traffic redirection and traffic management domains involved in the campaign include:

hxxp://surelytheme.org

hxxp://bluegaslamp.org

hxxp://throatpills.org

hxxp://draggedline.org

hxxp://machinetext.org

hxxp://throatpills.org

hxxp://climedballon.org

Sample related domains known to have been involved in the campaign and are currently parked at 193.106.175.18 - AS50465 - IQHost Ltd include:

hxxp://jsqur.com

hxxp://libertader.org

hxxp://mrbotn.jsqur.com

hxxp://www.catsndogz.org

hxxp://user179.jsqur.com

hxxp://marcusdesigninc.jsqur.com

hxxp://nuvoleparlanti.jsqur.com

hxxp://fserver.jsqur.com

hxxp://download.www.windowlight.org

hxxp://mtf-misawa.jsqur.com

hxxp://cdn.jsqur.com

hxxp://dashtiha.jsqur.com

hxxp://vitkutin.jsqur.com

hxxp://permisdeconduire.jsqur.com

hxxp://olympics.jsqur.com

hxxp://emv1.vibedroom.org

hxxp://melpar-emh1.jsqur.com

hxxp://u.admin.backendjs.org

hxxp://billtieleman.jsqur.com

hxxp://descarte.jsqur.com

hxxp://4m.jsqur.com

hxxp://sn007.jsqur.com

hxxp://win24.jsqur.com

hxxp://web3449.jsqur.com

hxxp://cgxdave.jsqur.com

hxxp://cassandre.jsqur.com

hxxp://deeptrickday.org

hxxp://xxxl80.jsqur.com

hxxp://91.jsqur.com

hxxp://castlerea.jsqur.com

hxxp://dkline.jsqur.com

hxxp://daws-512.jsqur.com

hxxp://ufl.jsqur.com

hxxp://eggert.jsqur.com

hxxp://apps.jqueryj.com

hxxp://frightysever.org

hxxp://beal.jsqur.com

hxxp://survey.backendjs.org

hxxp://best-funny-quotes.jsqur.com

hxxp://jeanm.jsqur.com

hxxp://forms.admin.backendjs.org

hxxp://comtenc.jsqur.com

hxxp://dannyfilm.jsqur.com

hxxp://office.backendjs.org

hxxp://jqueryj.com

hxxp://longtail.jsqur.com

hxxp://web6201.jsqur.com

hxxp://hoytek-gw4.jsqur.com

hxxp://gazeta.jsqur.com

hxxp://www.treegreeny.org

hxxp://cpfm.jsqur.com

hxxp://asims-rdck1.jsqur.com

hxxp://indiajobscircle.jsqur.com

hxxp://babbar.jsqur.com

hxxp://gorki.jsqur.com

hxxp://gmailblog.jsqur.com

hxxp://dvan.jsqur.com

hxxp://carpinteros-aluminio.jsqur.com

hxxp://web18332.jsqur.com

hxxp://wallah.jsqur.com

hxxp://si.jsqur.com

hxxp://shems.jsqur.com

hxxp://vigen.jsqur.com

hxxp://sws.jsqur.com

hxxp://routetest.jsqur.com

hxxp://account.admin.backendjs.org

hxxp://secure-ite2-origin.jsqur.com

hxxp://mdm.backendjs.org

hxxp://_dmarc.jqueryns.com

hxxp://mdm.backendjs.org

hxxp://mntc.jsqur.com

hxxp://powerful.jsqur.com

hxxp://whitney.jsqur.com

hxxp://stream.jsqur.com

hxxp://uhost.jsqur.com

hxxp://unix3.jsqur.com

hxxp://www.florida.jsqur.com

hxxp://jkelley.jsqur.com

hxxp://derby.jsqur.com

hxxp://currier.jsqur.com

hxxp://wp.admin.backendjs.org

hxxp://frente-a-camaras.jsqur.com

hxxp://facman.jsqur.com

hxxp://b10.jsqur.com

hxxp://arehn.jsqur.com

hxxp://cprat.jsqur.com

hxxp://hpermsp.jsqur.com

hxxp://ksia.jsqur.com

hxxp://jhansen.jsqur.com

hxxp://biggerfun.org

hxxp://kodakr.jsqur.com

hxxp://samfox.jsqur.com

hxxp://apps.jsqur.com

hxxp://passe.jsqur.com

hxxp://walkman.jsqur.com

hxxp://stovallscx.jsqur.com

hxxp://antivir.jsqur.com

hxxp://link2-me.jsqur.com

hxxp://xx9.jsqur.com

hxxp://quine.jsqur.com

hxxp://v.circuspride.org

hxxp://cn.circuspride.org

hxxp://x.circuspride.org

hxxp://pay.circuspride.org

hxxp://ssl.circuspride.org

hxxp://physiology.jsqur.com

hxxp://mytabletpcuk.jsqur.com

hxxp://gdsz.jsqur.com

hxxp://daws-43-5.jsqur.com

hxxp://cfg.circuspride.org

hxxp://ip90.jsqur.com

hxxp://oily.jsqur.com

hxxp://jqueryh.org

hxxp://tamarack.jsqur.com

hxxp://macgo.jsqur.com

hxxp://interlock.jsqur.com

hxxp://cmu-cc-vma.jsqur.com

hxxp://daws91-3.jsqur.com

hxxp://norman.jsqur.com

hxxp://www.16.jsqur.com

hxxp://web3933.jsqur.com

hxxp://mta-sts.bluegaslamp.org

hxxp://212.jsqur.com

hxxp://dooly.jsqur.com

hxxp://www.bigbricks.org

hxxp://machinetext.org

hxxp://kb.windowlight.org

hxxp://catsndogz.org

hxxp://whitedrill.org

hxxp://www.neworderspath.org

hxxp://jqueryns.com

hxxp://sorteios-e-promocoes.jsqur.com

hxxp://web5422.jsqur.com

hxxp://ivtortypqfyi.greedyclowns.org

hxxp://ivtorlypqfyi.greedyclowns.org

hxxp://ivladimir.surelytheme.org

hxxp://ivbdimir.surelytheme.org

hxxp://liorida.surelytheme.org

hxxp://rota-sts.climedballon.org

hxxp://climedballon.org

hxxp://treegreeny.org

hxxp://daddygarages.org

hxxp://emperorplan.org

hxxp://bigbricks.org

hxxp://greedyclowns.org

hxxp://vibedroom.org

hxxp://backendjs.org

hxxp://dailytickyclock.org

hxxp://neworderspath.org

hxxp://devcodejs.org

hxxp://cancelledfirestarter.org

hxxp://greedyfines.org

hxxp://limeerror.org

hxxp://bluegaslamp.org

hxxp://throatpills.org

hxxp://drilledgas.org

hxxp://draggedline.org

hxxp://windowlight.org

hxxp://sevenpunches.org

hxxp://circuspride.org

hxxp://linedgreen.org

hxxp://surelytheme.org

hxxp://vivaldi-ed.group

hxxp://cashapp-renewal.com

hxxp://ing-update.info

hxxp://bankid-app.net

hxxp://commonwealth-renewal.com

hxxp://transfer-management.com

hxxp://banko-atnaujinimas.com

hxxp://s-identity-verwalten.com

hxxp://bigfat.shop

hxxp://fomzerapoze.shop

hxxp://aremonuza.shop

hxxp://hanmozapre.shop

hxxp://bamizorapa.shop

hxxp://yazevora.com

hxxp://ipko-aktualizacja.com

hxxp://halifax.signin-helpdesk.com

hxxp://signin-helpdesk.com

hxxp://hailfax.signin-helpdesk.com

hxxp://online-helpdesk-portal.com

hxxp://santander.online-helpdesk-portal.com

hxxp://jquerypure.com

hxxp://de-system-913580.xyz

hxxp://targo.de-system-913580.xyz

hxxp://be-systeem-8510598.xyz

hxxp://ns1.putinkremel.su

hxxp://notudhost.com.ru

hxxp://trsew.ru

hxxp://fashmodsite.uno

hxxp://nnnten.ru

hxxp://tenhost.com.ru

hxxp://au-08.top

hxxp://jutralalali.xyz

hxxp://gilirges.ru

hxxp://www.gilirges.ru

hxxp://ftp.gilirges.ru

hxxp://www.tanmhopisj.xyz

hxxp://tanmhopisj.xyz

hxxp://dev.urbangroup.ru

hxxp://equalizer.dev.urbangroup.ru

hxxp://vk.equalizer.dev.urbangroup.ru

hxxp://partners.urbangroup.ru

hxxp://realty-2.urbangroup.ru

hxxp://ivakino.urbangroup.ru

hxxp://gtry.ru

hxxp://serferio.ru

hxxp://forum-laikovo.urbangroup.ru

hxxp://urbangroup.ru

hxxp://myrussianland.ru

hxxp://gb2nevinsk.ru

hxxp://englishbiblioteka.ru

hxxp://aleana63.ru

hxxp://aptekaplus23.ru

hxxp://chulkovo.info

hxxp://mchedlidze.ru

hxxp://stroytransm.ru

hxxp://flystore.ru

hxxp://kino-pirat.net

hxxp://2sunss.com

hxxp://posadisvoederevo.ru

hxxp://testcosmetic.com

hxxp://vkino.me

hxxp://v1080hd.com

hxxp://r-style.com

hxxp://science-techno.ru

hxxp://kinotuz.ru

hxxp://901901.ru

hxxp://ludota.ru

hxxp://maindoor.ru

hxxp://kinoxaba.ru

hxxp://youcanexcel.ru

hxxp://gidonlinehd.ru

hxxp://kinoggo.ru

hxxp://100pdf.net

hxxp://kinoext.ru

hxxp://www.mreporter.ru

hxxp://magobr.ru

hxxp://lg-soft.ru

hxxp://anapa-new.ru

hxxp://fat-man.ru

hxxp://gracio.ru

hxxp://ikd.ru

hxxp://poseidonboat.ru

hxxp://vetla.ru

hxxp://74dom.ru

hxxp://kabrik-servis.ru

hxxp://tehnopanda.ru

hxxp://creativejournal.ru

hxxp://ufamenu.ru

hxxp://idf.ru

hxxp://sporthit.ru

hxxp://injgeo.ru

hxxp://asbank.ru

hxxp://wood-lux.ru

hxxp://lbf51b14.justinstalledpanel.com

I'll continue monitoring the campaign and will post updates as soon as new developments take place.

Dancho Danchev

Independent Security Consultancy, Threat Intelligence Analysis (OSINT/Cyber Counter Intelligence) and Competitive Intelligence research on demand. Insightful, unbiased, and client-tailored assessments, neatly communicated in the form of interactive reports - because anticipating the emerging threatscape is what shapes the big picture at the end of the day. Approach me at dancho.danchev@hush.com

Dancho Danchev's Blog - Mind Streams of Information Security Knowledge

Thursday, December 28, 2023

Who's Pushing All The "Fake Updates" Malicious Software Using Redirectors and Traffic Distribution and Redirection Systems and Tools Domains?

No comments:

Post a Comment