Thursday, December 28, 2023

Who's Pushing All The "Fake Updates" Malicious Software Using Redirectors and Traffic Distribution and Redirection Systems and Tools Domains?

I've recently observed an increase in compromised, or more precisely exploited, high-traffic and high-profile Web sites, where unfixed web application flaws such as open redirections are abused to push visitors through a URL redirection chain of rogue traffic distribution and traffic management domains. The ultimate goal is to use both legitimate high-traffic and high-profile Web sites and purely malicious Web sites to drop malicious software on the targeted hosts.

The surprising part? The entire portfolio of these traffic redirection and traffic management domains is parked on 193.106.175.18 (AS50465, IQHost Ltd), where one of the bigger domain farms is hxxp://biggerfun.org.

Sample misconfigured high-traffic and high-profile Web sites whose open redirections potentially bypass reputation filters include:

hxxp://afmonline.org/?URL=hxxp://khTrnB0WV8.biggerfun.org/khTrnB0WV8/
hxxp://whiskyparts.co/?URL=m88Z2iiER.biggerfun.org/m88Z2iiER/
hxxp://hardemancounty.org/?URL=http%3A%2F%2F1FXddDHkYN.biggerfun.org/1FXddDHkYN/
hxxp://bukkit.org/proxy.php?link=hxxp://uToqSuwC.biggerfun.org/uToqSuwC/
hxxp://www.centralsynagogue.org/?URL=hxxp://NjNr8Mkm.biggerfun.org/NjNr8Mkm/
hxxp://board-en.piratestorm.com/proxy.php?link=http%3A%2F%2Fnpn8KwBr.biggerfun.org/npn8KwBr/
hxxp://boards.theforce.net/proxy.php?link=hxxp://WihYqBBuvj.biggerfun.org/WihYqBBuvj/
hxxp://www.cutrite.com.au/?URL=hxxp://9mVRlHjF.biggerfun.org/9mVRlHjF/
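Every sample above follows the same shape: a redirect parameter (`URL=` or `proxy.php?link=`) on a legitimate host whose value points at a biggerfun.org subdomain, sometimes percent-encoded or with the scheme dropped. The following is an added example, not code from the original post: a small Python checker that flags such external redirect targets in a URL (including protocol-relative and userinfo-style forms, which the post's samples do not show) and the matching server-side allow rule; the `redirect` parameter name is an assumed extra beyond the two seen in the samples.

```python
"""Flag open-redirect hops of the kind the post's samples show.

Added example, not code from the original post: each query parameter is checked
for a redirect target (absolute, percent-encoded, scheme-less or protocol-relative)
whose host is not the page's own host; is_safe_redirect is the server-side rule.
"""
from typing import List, Optional, Tuple
from urllib.parse import parse_qsl, unquote, urlsplit

# Parameter names seen in the post's samples ('URL', 'link'); 'redirect' is an
# assumed extra. Matched case-insensitively.
REDIRECT_PARAMS = {"url", "link", "redirect"}


def target_host(value: str) -> Optional[str]:
    """Host a redirect value points at, or None if it is a same-site path."""
    v = unquote(value).strip()
    if v.startswith("//"):            # protocol-relative: //host.example/x
        return urlsplit("http:" + v).hostname
    if "://" in v:                    # absolute URL; hostname drops user@ prefixes
        return urlsplit(v).hostname
    head = v.split("/", 1)[0]         # scheme-less: host.example/path
    if head and "." in head.strip("."):
        return head.lower()
    return None                       # /relative/path, ../path or empty


def find_external_redirects(url: str) -> List[Tuple[str, str]]:
    """Return (param, target_host) pairs that leave the page's host."""
    parts = urlsplit(url.replace("hxxp", "http"))   # re-arm defanged samples
    page_host = (parts.hostname or "").lower()
    hits = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() not in REDIRECT_PARAMS:
            continue
        host = target_host(value)
        if host and host != page_host and not host.endswith("." + page_host):
            hits.append((name, host))
    return hits


def is_safe_redirect(page_host: str, value: str) -> bool:
    """Server-side allow rule: only relative paths or the site's own host."""
    host = target_host(value)
    page_host = page_host.lower()
    return host is None or host == page_host or host.endswith("." + page_host)
```

Run over the post's sample lines, `find_external_redirects` reports the biggerfun.org subdomain for each one, while `is_safe_redirect` shows the check a redirect handler needs so that only same-site targets get through.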

Sample traffic redirection and traffic management domains involved in the campaign include:


Sample related domains known to have been involved in the campaign and currently parked at 193.106.175.18 (AS50465, IQHost Ltd) include:


I'll continue monitoring the campaign and will post updates as soon as new developments take place.
