Showing posts with label Koobface. Show all posts

Dancho Danchev's Keynote on "Exposing Koobface - The World's Largest Botnet" at CyberCamp 2016 - Watch Online!

0
October 07, 2021

Dear blog readers,

I've decided to share with everyone my Keynote from CyberCamp 2016 - "Exposing Koobface - The World's Largest Botnet" with the idea to help everyone improve their situational awareness on current and emerging cyber threats. 

Here's the actual PPT.


Stay tuned!

Continue reading →

Watch Dancho Danchev's Keynote at CyberCamp 2016 - Exposing Koobface - The World's Largest Botnet!

0
March 30, 2021

Dear blog readers,

I've decided to share a copy of my YouTube Keynote presentation presented at CyberCamp 2016 discussing in-depth my research into the Koobface botnet including the actual details on how I eventually attempted to monitor and take it offline including the actual PPT. Enjoy!

Stay tuned!

Continue reading →

Dancho Danchev's Keynote at CyberCamp 2016 - "Exposing Koobface - The World's Largest Botnet" - Recommended Watching!

0
January 14, 2021

Dear blog readers,

I wanted to take the time and effort and let everyone know that you can now watch my keynote presentation from CyberCamp 2016 on the topic of "Exposing Koobface - The World's Largest Botnet" and actually get a bigger picture in terms of my research into the workings of the Koobface botnet where I was once the primary source of information on the way it used to work and eventually contributed to its demise by publishing personally identifiable information on one of its botnet masters potentially assisting U.S Law Enforcement on its way to track down and prosecute the cybercriminals behind the campaign.

Stay tuned!

Continue reading →

Historical OSINT - Yet Another Massive Scareware-Serving Campaign Courtesy of the Koobface Gang

May 05, 2019
It's 2010 and I've recently came across to yet another currently active scareware-serving campaign courtesy of the Koobface gang this time successfully introducing a CAPTCHA-breaking module potentially improving the propagation and distribution scale within major social networks.

In this post I'll discuss the campaign and provide actionable intelligence on the infrastructure behind it.

Related malicious domains known to have participated in the campaign:
hxxp://goscandir.com/?uid=13301 - 91.212.107.103 - hosting courtesy of AS29550 - EUROCONNEX-AS Blueconnex Networks Ltd Formally Euroconnex Networks
hxxp://ebeoxuw.cn/?uid=13301
hxxp://ebiezoj.cn/22/?uid=13301
hxxp://goscanhand.com/?uid=13301
hxxp://byxzeq.cn/22/?uid=13301

Sample malicious MD5 known to have participated in the campaign:
MD5: 16575a1d40f745c2e39348c1727b8552

Once executed a sample malware phones back to:
hxxp://in5it.com/download/Ipack.jpg - the actual executable

Related malicious MD5 known to have participated in the campaign:
MD5: 1d5e3d78dd7efd8878075e5dbaa5c4fd

Related malicious MD5 known to have participated in the campaign:
MD5: 6262c0cb1459adc8f278136f3cff2777

It's worth pointing out that prior to analyzing the campaign it appears that the Koobface gang has recently introduced a CAPTCHA-breaking module which basically relies on the active outsourcing of the CAPTCHA-breaking process potentially improving the Koobface spreading and propagation effectiveness.

Sample malicious URL known to have participated in the campaign:
http://peacockalleyantiques.com/.sys/?getexe=v2googlecheck.exe

Sample malicious MD5 known to have participated in the campaign:
MD5: cf9729bf3969df702767f3b9a131ec2c

Sample malicious URL known to have participated in the campaign:
http://peacockalleyantiques.com/.sys/?getexe=v2captcha.exe

Sample malicious MD5 known to have participated in the campaign:
MD5: f2d0dbf1b11c5c2ff7e5f4c655d5e43e

Once executed a sample phones back to the following C&C server IPs:
hxxp://capthcabreak.com/captcha/?a=get&i=0&v=14 - 67.212.69.230
hxxp://captchastop.com/captcha/?a=get&i=1&v=14 - 67.212.69.230 Continue reading →

Historical OSINT - Yet Another Massive Scareware Serving Campaign Courtesy of the Koobface Gang

May 05, 2019
It's 2010 and I've recently intercepted a currently circulating malicious and fraudulent scareware-serving campaign courtesy of the Koobface Gang this time successfully typosquatting my name within its command and control infrastructure.

In this post I'll provide actionable intelligence behind the campaign and will discuss in-depth the infrastructure behind it.

Sample malicious and fraudulent domains known to have participated in the campaign:
hxxp://qjcleaner.eu/hitin.php?affid=02979

Sample malicious MD5 known to have participated in the campaign:
MD5: 8df3e9c50bb4756f4434a9b7d6c23c8c

Once executed a sample malware phones back to:
hxxp://212.117.160.18/install.php?id=02979

which is basically our dear friends at AS44042 ROOT-AS root eSolutions

Parked at the same IP where Crusade Affiliates continue serving a diverse set of fake security software are also more scareware domains.

It's also worth pointing out that the Koobface gang has recently started typosquatting various domains using my name. Koobface gang is typosquatting my name for registering domains (for instance Rancho Ranchev; Pancho Panchev etc.) including hxxp://mayernews.com - which is registered to Danchev Danch (1andruh.a1@gmail.com). Continue reading →

Historical OSINT - Rogue Scareware Dropping Campaign Spotted in the Wild Courtesy of the Koobface Gang

October 21, 2018
It's 2010 and I've recently came across to a diverse portfolio of fake security software also known as scareware courtesy of the Koobface gang in what appears to be a direct connection between the gang's activities and the Russian Business Network.

In this post I'll provide actionable intelligence on the infrastructure behind it and discuss in-depth the tactics techniques and procedures of the cybercriminals behind including the direction establishment of a direct connection between the gang's activities and a well-known Russian Business Network customer.

Related malicious domains known to have participated in the campaign:
hxxp://piremover.eu/hitin.php?affid=02979 - 212.117.161.142; 95.211.27.154; 95.211.27.166

Once executed a sample malware (MD5: eedac4719229a499b3118f87f32fae35) phones back to the following malicious C&C server IPs:
hxxp://xmiueftbmemblatlwsrj.cn/get.php?id=02979 - 91.207.116.44 - Email: robertsimonkroon@gmail.com

Known domains known to have responded to the same malicious C&C server IPs:
hxxp://aahsdvsynrrmwnbmpklb.cn
hxxp://dlukhonqzidfpphkbjpb.cn
hxxp://barykcpveiwsgexkitsg.cn
hxxp://bfichgfqjqrtkwrsegoj.cn
hxxp://dhbomnljzgiardzlzvkp.cn

Once executed a sample malware phones back to the following malicious C&C service IPs:
hxxp://xmiueftbmemblatlwsrj.cn
hxxp://urodinam.net - which is a well known Koobface 1.0 C&C server domain IP also seen in the "Mass DreamHost Sites Compromise" exclusively profiled in this post.
hxxp://xmiueftbmemblatlwsrj.cn

Once executed a sample malware MD5: 66dc85ad06e4595588395b2300762660; MD5: 91944c3ae4a64c478bfba94e9e05b4c5 phones back to the following malicious C&C server IPs:
hxxp://proxim.ntkrnlpa.info - 83.68.16.30 - seen and observed in related analysis regarding the mass Embassy Web site compromise throughout 2007 and 2009.

Successfully dropping the following malicious Koobface MD5 hxxp://harmonyhudospa.se/.sys/?getexe=fb.70.exe

Related malicious MD5s (MD known to have participated in the campaign:
MD5: 66dc85ad06e4595588395b2300762660
MD5: 8282ea8e92f40ee13ab716daf2430145

Once executed a sample malware phones back to the following malicious C&C server IPs:
hxxp://tehnocentr.chita.ru/.sys
hxxp://gvpschekschov.iv-edu.ru/.sys/?action=fbgen

We'll continue monitoring the campaign and post updates as soon as new developments take place. Continue reading →

HIstorical OSINT - Latvian ISPs, Scareware, and the Koobface Gang Connection

October 20, 2018
It's 2010 and we've recently stumbled upon yet another malicious and fraudulent campaign courtesy of the Koobface gang actively serving fake security software also known as scareware to a variety of users with the majority of malicious software conveniently parked within 79.135.152.101 - AS2588, LatnetServiss-AS LATNET ISP successfully hosting a diverse portfolio of fake security software.

In this post, I'll provide actionable intelligence on the infrastructure behind the campaign and discuss in-depth the tactics techniques and procedures of the cybercriminals behind it.

Sample malware known to have participated in the campaign:
installer.1.exe - MD5: 4ab2cb0dd839df64ec8d682f904827ef - Trojan.Crypt.ZPACK.Gen; Mal/FakeAV-CQ - Result: 9/40 (22.50%)

Related malicious phone back C&C server IPs:
hxxp://av-plusonline.org/install/avplus.dll
hxxp://av-plusonline.org/cb/real.php?id=

Related malicious MD5s known to have participated in the campaign:
avplus.dll - MD5: 57c79fb723fcbf4d65f4cd44e00ff3ed - FakeAlert-LF; Mal/FakeAV-CL - Result: 6/39 (15.39%)

It's gets even more interesting as hxxp://fast-payments.com - 91.188.59.27 is parked within Koobface botnet's 1.0 phone back locations (hxxp://urodinam.net) and is also hosted within the same netblock at 91.188.59.10.

Sample related malicious URLs known to have participated in the campaign:
hxxp://urodinam.net/33t.php?stime=125558
- hxxp://91.188.59.10/opa.exe -MD5: d4aacc8d01487285be564cbd3a4abc76 - Downloader.VB.7.S; Mal/Koobface-B - Result: 10/40 (25%)

Once executed a sample malware phones back to the following malicious C&C server IPs:
hxxp://aburvalg.com/new1.php - 64.27.0.237
- hxxp://fucking-tube.net

The following domains use it as a name server:
hxxp://ns1.addedantivirus.com

Related malicius domains known to have responded to the same malicious name server:
hxxp://antiviralpluss.org
hxxp://antivirspluss.org
hxxp://avonlinescanerr.org
hxxp://online-scannerr.org
hxxp://onlinescanerr.org
hxxp://onlinescannerr.org
hxxp://pretection-page.org
hxxp://sys-mesage.org
hxxp://av-plus-online.org
hxxp://av-plusonline.org
hxxp://avplus-online.org
hxxp://avplusonline.org
hxxp://avplussonline.org
hxxp://protecmesages.org
hxxp://protect-mesagess.org
hxxp://protectmesages.org
hxxp://protectmesagess.org
hxxp://protectmessages.org
hxxp://avplus24support.com
hxxp://searchwebway4.com
hxxp://searchwebway5.com
hxxp://searchwebway10.com
hxxp://searchwebway9.com
hxxp://searchwebway6.com

Related malicious URLs known to have participated in the campaign:
hxxp://avplus-online.org/buy.php?id=
- hxxp://fast-payments.com/index.php?prodid=antivirplus_02_01&afid=

Related malicious domains known to have participated in the campaign:
hxxp://antiviruspluss.org
hxxp://avplusscanner.org
hxxp://protection-messag.org
hxxp://antivirs-pluss.org
hxxp://antiviru-pluss.org
hxxp://antivirus-p1uss.org
hxxp://protection-mesage.org
hxxp://sysstem-mesage.org
hxxp://system-message.org
hxxp://antiviral-pluss.org
hxxp://av-onlinescanner.org
hxxp://avonlinescanner.org
hxxp://avonlinescannerr.org
hxxp://avp-scanner.org
hxxp://avp-scannerr.org
hxxp://avp-sscaner.org
hxxp://avp-sscannerr.org
hxxp://avplscaner-online.org
hxxp://avplscanerr-online.org
hxxp://avplsscannerr.org
hxxp://avplus-scanerr.org
hxxp://online-protection.org
hxxp://antivirupluss.org
hxxp://syssmessage.org
hxxp://avonlinescanerr.org
hxxp://online-scannerr.org
hxxp://onlinescanerr.org
hxxp://onlinescannerr.org
hxxp://av-scanally.org
hxxp://av-scaner-online.org
hxxp://av-scaner-online3k.org
hxxp://av-scaner-onlineband.org
hxxp://av-scaner-onlinebody.org
hxxp://av-scaner-onlinebuzz.org
hxxp://av-scaner-onlinecabin.org
hxxp://av-scaner-onlinecrest.org
hxxp://av-scaner-onlinefolk.org
hxxp://av-scaner-onlineplan.org
hxxp://av-scaner-onlinesite.org
hxxp://iav-scaner-online.org
hxxp://netav-scaner-online.org
hxxp://techav-scaner-online.org
hxxp://antivirspluss.org
hxxp://sys-mesage.org
hxxp://antiviralpluss.org
hxxp://pretection-page.org
hxxp://av-scaner-onlinefairy.org
hxxp://av-scaner-onlinegrinder.org
hxxp://av-scaner-onlinehistory.org
hxxp://av-scaner-onlineicity.org
hxxp://av-scaner-onlinemachine.org
hxxp://av-scaner-onlinepeople.org
hxxp://av-scaner-onlineretort.org
hxxp://av-scaner-onlinereview.org
hxxp://av-scaner-onlinetopia.org
hxxp://directav-scaner-online.org
hxxp://expertav-scaner-online.org
hxxp://orderav-scaner-online.org
hxxp://speedyav-scaner-online.org
hxxp://thriftyav-scaner-online.org
hxxp://timesav-scaner-online.org
hxxp://411online-scanner-free.org
hxxp://dynaonline-scanner-free.org
hxxp://fastonline-scanner-free.org
hxxp://homeonline-scanner-free.org
hxxp://online-scanner-freebin.org
hxxp://online-scanner-freebuy.org
hxxp://online-scanner-freelook.org
hxxp://online-scanner-freemap.org
hxxp://online-scanner-freemeet.org
hxxp://online-scanner-freesite.org
hxxp://online-scanner-freetent.org
hxxp://online-scanner-freeu.org
hxxp://online-scanner-freevolt.org
hxxp://onlinescannerfree.org
hxxp://av-plus-online.org
hxxp://protecmesages.org
hxxp://av-onlicity.org
hxxp://av-online-scanner.org
hxxp://av-online-scannerbid.org
hxxp://av-online-scannercrest.org
hxxp://av-online-scannerfolk.org
hxxp://av-online-scannergate.org
hxxp://av-online-scannerland.org
hxxp://av-online-scannerpc.org
hxxp://av-online-scannersite.org
hxxp://av-online-scannerweek.org
hxxp://av-online-scannerwing.org
hxxp://infoav-online-scanner.org
hxxp://shopav-online-scanner.org
hxxp://theav-online-scanners.org
hxxp://avplus-online.org
hxxp://protectmesages.org
hxxp://av-scaner.org
hxxp://av-scaners.org
hxxp://av-scanner.org
hxxp://av-scanners.org
hxxp://avplussonline.org
hxxp://avscaner.org
hxxp://avscaners.org
hxxp://avscanner.org
hxxp://avscanners.org
hxxp://eav-scaner.org
hxxp://eav-scaners.org
hxxp://eav-scanner.org
hxxp://eav-scanners.org
hxxp://myav-scaner.org
hxxp://myav-scaners.org
hxxp://myav-scanner.org
hxxp://myav-scanners.org
hxxp://protectmessages.org
hxxp://avplusonline.org
hxxp://av-plusonline.org
hxxp://protect-mesagess.org

We'll continue monitoring the campaign and post updates as soon as new developments take place. Continue reading →

Historical OSINT - Massive Blackhat SEO Campaign Courtesy of the Koobface Gang Spotted in the Wild

October 20, 2018
It's 2010 and I've recently stumbled upon yet another massive blackhat SEO campaign courtesy of the Koobface gang successfully exposing hundreds of thousands of users to a multi-tude of malicious software.

In this post I'll provide actionable intelligence on the infrastructure behind it and discuss in the depth the tactics techniques and procedures of the cybercriminals behind it.

Sample domains known to have participated in the campaign:
hxxp://jhpegdueeunz.55fast.com
hxxp://vzhusyeeaubk.55fast.com
hxxp://cvzizliiustw.55fast.com
hxxp://zetaswuiouax.55fast.com
hxxp://shzopfioarpd.55fast.com
hxxp://nqpubruioeat.55fast.com
hxxp://krrepteievdr.55fast.com
hxxp://gtoancoiuyqv.55fast.com
hxxp://felopfooaydk.55fast.com
hxxp://dknejxaeozjb.55fast.com
hxxp://ljperwaaoxjs.55fast.com
hxxp://hxmagxaeulbn.55fast.com
hxxp://mueombooikgp.55fast.com
hxxp://gluezneoolhs.55fast.com
hxxp://ptpodseeanvk.55fast.com
hxxp://jgdeyraoojdr.55fast.com
hxxp://kjsetqaoojdr.55fast.com
hxxp://kvuelveuicmn.55fast.com
hxxp://ywoamnooikfp.55fast.com
hxxp://dnkopgioawss.55fast.com
hxxp://qjtepyaoigts.55fast.com
hxxp://fdsudpeeewam.55fast.com
hxxp://qumobxoiigst.55fast.com
hxxp://fkvahzaeibbz.55fast.com
hxxp://lxxikhiuutwm.55fast.com
hxxp://meboczoiikgy.55fast.com
hxxp://mevoxliiidyq.55fast.com
hxxp://hxvoysaoozhp.55fast.com
hxxp://wiaabcoookfs.55fast.com
hxxp://wlbatgeeiohc.55fast.com

Sample malicious domains known to have participated in the campaign:
hxxp://narezxaauggf.55fast.com
hxxp://gdsetqaoocks.55fast.com
hxxp://ptxihhiiihpq.55fast.com
hxxp://ramilhueamxg.55fast.com
hxxp://vvnoxliiigsp.55fast.com
hxxp://ywweypeaeemz.55fast.com
hxxp://rqqetweeupwn.55fast.com
hxxp://fprewmaoojpn.55fast.com
hxxp://kbmahjiiigpw.55fast.com
hxxp://romozjuuurov.55fast.com
hxxp://tmxufseaacks.55fast.com
hxxp://viaegjiooeun.55fast.com
hxxp://znmasdiiicbc.55fast.com
hxxp://gdbiczooaoaw.55fast.com
hxxp://boqegkooouom.55fast.com
hxxp://xncoxloiiwrm.55fast.com
hxxp://flxowreuuhkb.55fast.com
hxxp://zzkihgiuupwb.55fast.com
hxxp://gxcobmeeuvls.55fast.com
hxxp://wygimweuizxz.55fast.com
hxxp://winowmeaoxhy.55fast.com
hxxp://hhpewmaoidtm.55fast.com
hxxp://nemoxloiixlh.55fast.com
hxxp://bvbowvooigtq.55fast.com
hxxp://pgmassuiixvx.55fast.com
hxxp://vbxoxkiiijst.55fast.com
hxxp://clnobhaoobzf.55fast.com
hxxp://proawnaoozxf.55fast.com

Sample malicious domains known to have participated in the campaign:
hxxp://romwrpueerr.007gb.com
hxxp://rtperweaauux.5nxs.com
hxxp://prougpeeabzd.hostevo.com
hxxp://stwermoiigwc.10fast.net
hxxp://znmasdiiicbc.55fast.com
hxxp://gjxotyuuobmv.007sites.com

Sample malicious domains known to have participated in the campaign:
hxxp://dpfujhiuijhd.hostevo.com
hxxp://gfhizliiikjd.hostevo.com
hxxp://driozkuueqic.hostevo.com
hxxp://rrkihfuuuspr.hostevo.com
hxxp://xzkikhueeivf.hostevo.com
hxxp://trqawmaookgp.hostevo.com
hxxp://hggudseuerqn.hostevo.com
hxxp://phveflaeulmn.hostevo.com
hxxp://cvxiljiuuyrm.hostevo.com
hxxp://fdseffuueqiv.hostevo.com
hxxp://dsteyraaaxgr.hostevo.com
hxxp://pfjocbeuiznb.hostevo.com
hxxp://ccziljiuurab.hostevo.com

Sample malicious domains known to have participated in the campaign:
hxxp://jgfuspeeeauc.hostevo.com
hxxp://grioxhueoxlf.hostevo.com
hxxp://dpdilkiiihfy.hostevo.com
hxxp://miuonbaoifwv.hostevo.com
hxxp://fpteymoiuqmj.hostevo.com
hxxp://dyoovziuebvj.hostevo.com
hxxp://rpdojzaaesgg.hostevo.com
hxxp://zzkuhguuewib.hostevo.com
hxxp://bqyunruiaecw.hostevo.com
hxxp://sruoljiuurqb.hostevo.com
hxxp://stratreaaebk.hostevo.com
hxxp://kjsetwaookdt.hostevo.com
hxxp://prougpeeabzd.hostevo.com
hxxp://nrfitdioaoyd.hostevo.com
hxxp://cxligdueewoc.hostevo.com
hxxp://tqaawmaoamvj.hostevo.com
hxxp://qunoxliiifyw.hostevo.com
hxxp://zkfusteaanch.hostevo.com
hxxp://qumobcooozjf.hostevo.com
hxxp://sqqawmaaamvj.hostevo.com
hxxp://klguyraoojdr.hostevo.com
hxxp://fspespueeiez.hostevo.com
hxxp://sjcadjoaepfh.55fast.com

Sample malicious domains known to have participated in the campaign:
hxxp://sjcadjoaepfh.55fast.com
hxxp://pkbadlaeujcv.55fast.com
hxxp://vnvocziiifst.55fast.com
hxxp://wauanbooikfy.55fast.com
hxxp://yovikdeaanch.55fast.com
hxxp://jvuelvaeukcc.55fast.com
hxxp://lkgufpeeaunz.55fast.com
hxxp://kjfufseeeiml.55fast.com
hxxp://bmmoxliiifdt.55fast.com
hxxp://nqtuxneuixbb.55fast.com
hxxp://wioabnaoikfp.55fast.com
hxxp://ssdikzaaaiiq.55fast.com
hxxp://rwaammaaeowm.55fast.com
hxxp://ljifsueaumz.55fast.com

Sample malicious domains known to have participated in the campaign:
hxxp://lljifsueaumz.55fast.com
hxxp://nbzigpeaoksq.55fast.com
hxxp://mvjufraoidqb.55fast.com
hxxp://hgdupraoisqc.55fast.com
hxxp://khdudseeeauc.55fast.com
hxxp://fspetwaaabxh.55fast.com
hxxp://tqoavxoiidyq.55fast.com
hxxp://xeaubwuiardg.55fast.com
hxxp://nbvoncooolhp.55fast.com
hxxp://wexigpaoambl.55fast.com
hxxp://klhuggiuufdt.55fast.com
hxxp://dxwetteoigst.55fast.com
hxxp://glvashoaeygj.55fast.com
hxxp://xmoejcaeujxc.55fast.com

Sample malicious domains known to have participated in the campaign:
hxxp://jfsfkfuueqw.007gb.com
hxxp://bbxcimoiify.007gb.com
hxxp://ljgjxkueewi.007gb.com
hxxp:///xzkgkguueaa.007gb.com
hxxp://wmhjvkuaabj.007gb.com
hxxp://yqbzmciuupt.007gb.com
hxxp://lvxvieaoizj.007gb.com
hxxp://srnvuioookf.007gb.com
hxxp://melhlhueeqe.007gb.com
hxxp://lkhjclueuwa.007gb.com

Sample malicious domains known to have participated in the campaign:
hxxp://lkhjclueuwa.007gb.com
hxxp://bvgsfyaooxh.007gb.com
hxxp://xbkhceeuifd.007gb.com
hxxp://ywncmvoiojf.007gb.com
hxxp://kjptpwaaacl.007gb.com
hxxp://gpmcumooavx.007gb.com
hxxp://dpwnaioookf.007gb.com
hxxp://stqnaiaoihd.007gb.com
hxxp://fspygfuuerq.007gb.com
hxxp://wbgtsyeaamb.007gb.com
hxxp://fprmwoaaavl.007gb.com
hxxp://mmxlnvoiijd.007gb.com
hxxp://vvllnmooocl.007gb.com

Sample malicious domains known to have participated in the campaign:
hxxp://vvllnmooocl.007gb.com
hxxp://zlgsgpeaabz.007gb.com
hxxp://ccjfxleeewq.007gb.com
hxxp://cvhfjguueqi.007gb.com
hxxp://lhprsraaack.007gb.com
hxxp://razzbciiupt.007gb.com
hxxp://rancoeooozh.007gb.com
hxxp://muczimoooxh.007gb.com
hxxp://tphotdioetdf.hostevo.com
hxxp://vvxifpeaocks.hostevo.com
hxxp://jjhillooolhf.hostevo.com
hxxp://bzxixliiudpr.hostevo.com
hxxp://xmvovxooozhp.hostevo.com
hxxp://proocziuuprm.hostevo.com
hxxp://qebovziuuswb.hostevo.com
hxxp://xzhusteaabzs.hostevo.com
hxxp://bbbovxiuifyq.hostevo.com

Sample malicious domains known to have participated in the campaign:
hxxp://dpretqaoocjy.hostevo.com
hxxp://ywaaqbaoozjs.5nxs.com
hxxp://fsyepteaaenl.5nxs.com
hxxp://jhgufpeeeaic.5nxs.com
hxxp://dsterqaaoczg.5nxs.com
hxxp://rivilhueeiuc.5nxs.com
hxxp://znouxneuaayd.5nxs.com
hxxp://kkgijguueonh.5nxs.com
hxxp://khsamvooihdt.5nxs.com
hxxp://nncikgueaflg.5nxs.com
hxxp://fdpixnaaaoiv.5nxs.com
hxxp://zzzikhiiihfy.5nxs.com
hxxp://sqaayteaaimz.5nxs.com

Sample malicious domains known to have participated in the campaign:
hxxp://tquambooilhs.5nxs.com
hxxp://gdtaqboiojdt.5nxs.com
hxxp://queoxliuudtq.5nxs.com
hxxp://vbcokloiikhs.5nxs.com
hxxp://raoadpiuigst.5nxs.com
hxxp://qevijfueeibj.5nxs.com
hxxp://kjlicvoooncj.5nxs.com
hxxp://sroavlueeixd.5nxs.com
hxxp://xxlijkiuuyqm.5nxs.com
hxxp://vvcijreaaenl.5nxs.com
hxxp://zzkigdueurab.5nxs.com
hxxp://zxkigdueeoel.5nxs.com
hxxp://tqoanvooijfy.5nxs.com

Sample malicious domains known to have participated in the campaign:
hxxp://wnxufpeaaevj.5nxs.com
hxxp:///ptaamboiihsw.5nxs.com
hxxp://vbxijhueurix.5nxs.com
hxxp://fpkijxiiidox.5nxs.com
hxxp://streqwaooxcg.5nxs.com
hxxp://ptyewmaoolgy.5nxs.com
hxxp://hgyeqboiihpw.5nxs.com
hxxp://cxjijgueeaez.5nxs.com
hxxp://woeobvoiihdt.5nxs.com
hxxp://bcxixjueuqmj.5nxs.com
hxxp://mmvobxoiihdr.5nxs.com
hxxp://prqawnaoozgy.5nxs.com
hxxp://xzkugsueeunk.5nxs.com
hxxp://vvbovxiiidym.5nxs.com
hxxp://qinozkiuidyw.5nxs.com
hxxp://tpdumweuughh.5nxs.com

Sample malicious domains known to have participated in the campaign:
hxxp://tpdumweuughh.5nxs.com
hxxp://zkfudpeaaech.5nxs.com
hxxp://vvcijfueeamk.5nxs.com
hxxp://jkhihdiuuypw.5nxs.com
hxxp://womancoiuyav.5nxs.com
hxxp://sfkoyfooepgh.5nxs.com
hxxp://zzhetqaooxkd.5nxs.com
hxxp://czjudyeaacjp.5nxs.com
hxxp://gssudpeaaecg.5nxs.com
hxxp://wiuobvooozjp.5nxs.com
hxxp://twaamnaookhd.5nxs.com
hxxp://bbvocloiigsr.5nxs.com

Sample malicious domains known to have participated in the campaign:
hxxp://dspugduuuytm.5nxs.com
hxxp://kljigdueeqic.5nxs.com
hxxp://gpioxhuuutav.5nxs.com
hxxp://wouavcooiyil.5nxs.com
hxxp://mevoxliuuyrm.5nxs.com
hxxp://xvcocxoiojfy.5nxs.com
hxxp://zljudyeaaunl.5nxs.com
hxxp://woaabcoiusst.5nxs.com
hxxp://dppudpeeewmh.5nxs.com
hxxp://zzhustueequk.5nxs.com
hxxp://quboczoiolgd.5nxs.com

Sample malicious domains known to have participated in the campaign:
hxxp://kdwetmoiuics.5nxs.com
hxxp://jgfudseeerqb.5nxs.com
hxxp://qunolhueeonx.5nxs.com
hxxp://khdusyeaaeez.5nxs.com
hxxp://bvcikgueequx.5nxs.com
hxxp://xzjupteaovzg.5nxs.com
hxxp://rmludpueoebj.5nxs.com
hxxp://pfyupteeeauz.5nxs.com
hxxp://qqreqnoeewhs.5nxs.com
hxxp://ysfuyraaaczs.5nxs.com
hxxp://ljdudyeaamcj.5nxs.com
hxxp://vbvovziiustm.5nxs.com
hxxp://gffugdueeibz.5nxs.com

Sample malicious domains known to have participated in the campaign:
hxxp://bnjdzkiuuyw.007gb.com
hxxp://dpppdpeeeii.007gb.com
hxxp://zzfdhdeeeoe.007gb.com
hxxp://hhhhzciuusa.007gb.com
hxxp://dpmlbkiuuta.007gb.com
hxxp://ccgsgpeaaev.007gb.com
hxxp://vbzxecoiuso.007gb.com
hxxp://nbkfhdeaack.007gb.com
hxxp://bmvcaoeeaoe.007gb.com
hxxp://xchfggiuewq.007gb.com
hxxp://jgypgpeaoxh.007gb.com

Sample malicious domains known to have participated in the campaign:
hxxp://jgypgpeaoxh.007gb.com
hxxp://hdstpraoojd.007gb.com
hxxp://nnkkvziiigh.007gb.com
hxxp://qwyduquuoeo.007gb.com
hxxp://jhgdkzooobn.007gb.com
hxxp://ljyqweoiihf.007gb.com
hxxp://xzfdfsueaux.007gb.com
hxxp://kjfhzjueeae.007gb.com
hxxp://tanbuoeaanb.007gb.com
hxxp://rammooaaocx.007gb.com
hxxp://gsmxmlueoht.007gb.com
hxxp://xxjgkguueuu.007gb.com
hxxp://jgppfpeeaev.007gb.com
hxxp://xzfpfpeaozh.007gb.com

Sample malicious domains known to have participated in the campaign:
hxxp://khsphdueaev.007gb.com
hxxp://wabnieoiikg.007gb.com
hxxp://rojshgeoisw.007gb.com
hxxp://zlhffgueaec.007gb.com
hxxp://quxxmnoiokd.007gb.com
hxxp://rpsdkzoeeqq.007gb.com
hxxp://rozfksaoiht.007gb.com
hxxp://vvzkcviiuru.007gb.com
hxxp://ptgdghueedq.007gb.com
hxxp://xvjhcliuufi.007gb.com
hxxp://ywqntweaeqo.007gb.com
hxxp://mubwqaaaoxl.007gb.com

Sample malicious domains known to have participated in the campaign:
hxxp://quzjlgueeib.007gb.com
hxxp://fdyttteeaou.007gb.com
hxxp://xxjggseeeom.007gb.com
hxxp://robvimoiikg.007gb.com
hxxp://hgspsyeeanx.007gb.com
hxxp://nbzkckueein.007gb.com
hxxp://syfdgmoiipy.007gb.com
hxxp://nmkjzjueequ.007gb.com

Sample malicious domains known to have participated in the campaign:
hxxp://nmkjzjueequ.007gb.com
hxxp://ytwqyteaaen.007gb.com
hxxp://kgdfkhuuuyq.007gb.com
hxxp://zbcvieaoocc.007gb.com
hxxp://sywrdpeeeie.007gb.com
hxxp://prnmwaaaamm.007gb.com
hxxp://djddhfuuilc.007gb.com
hxxp://wibnuboiusw.007gb.com
hxxp://muclmboiigd.007gb.com
hxxp://vvlkevoiidy.007gb.com
hxxp://xhprrteaaun.007gb.com
hxxp://bncvoeaaauu.007gb.com

Sample malicious domains known to have participated in the campaign:
hxxp://ravhzluuewo.007gb.com
hxxp://gsywptaaabz.007gb.com
hxxp://xxkzbcoiijd.007gb.com
hxxp://mevirwaaovlf.hostevo.com
hxxp://roboxloiihdt.007sites.com
hxxp://rauonbooozkf.007sites.com
hxxp://ywiatreeewam.007sites.com
hxxp://nxfetmaoolfr.007sites.com
hxxp://gkmelbeuoear.007sites.com
hxxp://mmcigsueeexg.007sites.com
hxxp://vxxiljoioxxg.10fast.net
hxxp://jgsuspeeeaic.10fast.net
hxxp://qenocxiiihsr.10fast.net
hxxp://lklilliiigdt.10fast.net
hxxp://hgdepreaamzs.10fast.net

Sample malicious domains known to have participated in the campaign:
hxxp://gffupteaaebj.10fast.net
hxxp:///kljigfuuugfp.10fast.net
hxxp://raianvoiokgy.10fast.net
hxxp://rtqerqeaamcg.10fast.net
hxxp://gfdugdeaavls.10fast.net
hxxp://ddterboiugsr.10fast.net
hxxp://jgpewnoiihpq.10fast.net
hxxp://kjfpfseeeqo.007gb.com
hxxp://wubcmciuuya.007gb.com
hxxp://quzkxvooift.007gb.coml
hxxp://nblhlheaaum.007gb.com
hxxp://cclxnciuupq.007gb.com
hxxp://nbhkckueeib.007gb.com
hxxp://hgddxliuudp.007gb.com
hxxp://winilhueuwiz.10fast.net
hxxp://queocliuupqv.10fast.net
hxxp://gdtaqboiihhs.10fast.net
hxxp://bbvovbaaancg.10fast.net
hxxp://fpramvoiiftm.10fast.net
hxxp://fjliljiiizhp.10fast.net
hxxp://gspedpeeeiel.10fast.net

Sample malicious domains known to have participated in the campaign:
hxxp://fssukjaoanbx.5nxs.com
hxxp://ptaawviuuppw.5nxs.com
hxxp://llxozkoiikdq.5nxs.com
hxxp://kkkijguuuquz.5nxs.com
hxxp://womobciiiftn.5nxs.com
hxxp://vvcikgueequl.5nxs.com
hxxp://zzzoxcooozzl.5nxs.com
hxxp://wuuocziuupwn.5nxs.com
hxxp://hfyeqnoiiftm.5nxs.com
hxxp://sttewboookgy.5nxs.com
hxxp://ghhusteaozgt.5nxs.com
hxxp://fjzoqtuuukiw.5nxs.com
hxxp://muuaqciueomz.5nxs.com
hxxp://fsfugduuutav.5nxs.com
hxxp://jgdeywaoocks.5nxs.com
hxxp://raniljuuurix.5nxs.com
hxxp://pabikhueamcg.5nxs.com
hxxp://gsteqbooikdr.5nxs.com
hxxp://llhugfuuerab.5nxs.com
hxxp://dspeyyeeeauv.5nxs.com
hxxp://xzkixhuaoczg.5nxs.com
hxxp://rouawmaaammz.5nxs.com
hxxp://kxlijjiuuspt.5nxs.com
hxxp://xzliljiuifyw.5nxs.com
hxxp://vvvilhiueqac.5nxs.com
hxxp://tovikhiiufdt.5nxs.com
hxxp://ttretreeuhgs.5nxs.com

Sample malicious domains known to have participated in the campaign:
hxxp://ypserreeuytq.5nxs.com
hxxp://xxzijkiiikkf.5nxs.com
hxxp://bvzoknaoigpm.5nxs.com
hxxp://nnxihduuutqv.5nxs.com
hxxp://muzidyeeeevh.5nxs.com
hxxp://tpdufhiiidrn.5nxs.com
hxxp://ffpupteeeaqd.5nxs.com
hxxp://bbxigseeolpm.5nxs.com
hxxp://gsdugpeaeibj.5nxs.com
hxxp://pwteyyeaamcg.5nxs.com
hxxp://zxcoljiiigpw.5nxs.com
hxxp://bmacxoiixjs.5nxs.com
hxxp://twqawmaooczf.5nxs.com
hxxp://bbrartuauhjh.5nxs.com
hxxp://dtiolhueeexd.5nxs.com

Sample malicious domains known to have participated in the campaign:
hxxp://gdduhgiiikhd.5nxs.com
hxxp://ryquhfuuuypr.5nxs.com
hxxp://sfhijkiuusrn.5nxs.com
hxxp://staennaoolgy.5nxs.com
hxxp://vvvoczooolzg.5nxs.com
hxxp://bmnokgueequz.5nxs.com
hxxp://proocxoiigds.5nxs.com
hxxp://ptwepwaoozht.5nxs.com
hxxp://fsdufpeeeovg.5nxs.com
hxxp://dtlidwoiuyoz.5nxs.com
hxxp://kvyamboiuhsr.5nxs.com
hxxp://kvmardioetyp.5nxs.com
hxxp://taniljueuwul.5nxs.com
hxxp://jvnartuuixvx.5nxs.com
hxxp://qubijgiuutac.5nxs.com

Sample malicious domains known to have participated in the campaigns:
hxxp://qebocziuidfy.10fast.net
hxxp://gffudpeeeauc.10fast.net
hxxp://vbjustaiurox.10fast.net
hxxp://jgyuptaoutic.10fast.net
hxxp://lkhighueeevk.10fast.net
hxxp://ptpudreeeobz.10fast.net
hxxp://meeambaooxls.10fast.net
hxxp://yrreyraaovld.10fast.net
hxxp://kkdutwaoobzd.10fast.net
hxxp://czxitbouuquz.10fast.net
hxxp://lvbovnaoozjp.10fast.net
hxxp://wiiambaookdt.10fast.net
hxxp://zxkijgueaecg.10fast.net
hxxp://ywqawqaoovzh.10fast.net
hxxp://gzoukwuuizbv.10fast.net
hxxp://roiabcoiigpq.10fast.net
hxxp://vvlufseaavld.10fast.net
hxxp://hgpusyeaamxg.10fast.net
hxxp://kkkikziiifyq.10fast.net
hxxp://dtqaczoiuswb.10fast.net
hxxp://llzozxoiigpw.10fast.net
hxxp://nmcijkiuuobg.10fast.net
hxxp://mnxijliuusrm.10fast.net
hxxp://quuanbooikfy.10fast.net
hxxp://xxzijhuueuex.10fast.net
hxxp://gsyepyeaaubk.10fast.net
hxxp://tqoaqmaoigsr.10fast.net
hxxp://cvbocziiikgp.10fast.net
hxxp://gdyepteaancj.10fast.net

Sample malicious domains known to have participated in the campaign:
hxxp://qibocziuewuz.10fast.net
hxxp://qrkargoaatsf.10fast.net
hxxp://zzdeymaoifyq.10fast.net
hxxp://noeancoiutac.10fast.net
hxxp://qunovnaaammb.10fast.net
hxxp://gffugdeeeibk.10fast.net
hxxp://cmvijsueenls.10fast.net
hxxp://tqaeryeaanxj.10fast.net
hxxp://xmuambiiifyt.10fast.net
hxxp://cvnanneeesff.10fast.net
hxxp://muuaqbooolfy.10fast.net
hxxp://qimacvaaetyr.10fast.net
hxxp://vxfutqaoihsw.10fast.net
hxxp://ywreyruuuhhg.10fast.net
hxxp://fdteyteeeoel.10fast.net
hxxp://ywianvoiupwc.10fast.net
hxxp://zlgeyraoobls.10fast.net
hxxp://zkhujdeaojpm.10fast.net
hxxp://kjfufduuutqm.10fast.net
hxxp://xxjudpueewiz.10fast.net
hxxp://rooewmeaamcg.10fast.net
hxxp://hffugdueeink.10fast.net
hxxp://xmcoxzoiikkd.10fast.net
hxxp://lllizkuiifyq.10fast.net
hxxp://xmuapsuiovnb.10fast.net
hxxp://tquanvoiuyqv.10fast.net
hxxp://kvnartuuujlk.10fast.net
hxxp://lllikhioozjf.10fast.net
hxxp://yrreypeeamck.10fast.net
hxxp://glhihfueaeck.10fast.net

Sample malicious domains known to have participate in the campaign:
hxxp://goadult.info/go.php?sid=13 -> -> hxxp://goadult.info/go.php?sid=9 -&gt -> hxxp://r2606.com/go/?pid=30937 -> which is a well known Koobface 1.0 command and control server domain.

Related malicious redirectors known to have participated in the campaign:
hxxp://goadult.info - 78.109.28.16 - tech@goadult.info
hxxp://go1go.net - 174.36.214.32 - tech@go1go.net
hxxp://wpills.info - 174.36.214.3 - Email: tech@wpills.info Continue reading →

Historical OSINT - Koobface Gang Utilizes, Google Groups, Serves, Scareware and Malicious Software

December 25, 2016
In, a, cybercrime, ecosystem, dominated, by, malicious, software, releases, cybercriminals, continue, actively, populating, their, botnet's, infected, populating, successfully, affecting, hundreds, of, thousands, of, users, globally, potentially, exposing, the, confidentiality, integrity, and, availability, of, the, affected, hosts, to, a, multi-tude, of, malicious, software, further, spreading, malicious, software, further, earning, fraudulent, revenue, in, the, process, of, monetizing, access, to, malware-infected, hosts, largely, relying, on, the, utilization, of, an, affiliate-network, based, type, of, monetization, scheme.

We've, recently, intercepted, a, currently, circulating, malicious, spam, campaign, affecting, Google Groups, potentially, exposing, users, to, a, multi-tude, of, malicious, software, including, fake, security, software, also, known, as, scareware, further, enticing, users, into, interacting, with, the, bogus, links, potentially, exposing, their, devices, to, a, multi-tude, of, malicious, software.

In, this, post, we'll, profile, the, campaign, provide, actionable, intelligence, on, the, infrastructure, behind, it, and, discuss, in-depth, the, tactics, techniques, and, procedures, of, the, cybercriminals, behind, it, and, establish, a, direct, connection, between, the, campaign, and, the, Koobface, gang.

Related, malicious, rogue, content, URLs, known, to, have, participated, in, the, campaign:
- anisimivachev17 - 1125 messages
- ilariongrishelev24 - 1099 messages
- yuvenaliyarzhannikov15 - 1108 messages
- burniemetheny52 - 1035 messages
- mengrug - 1090 messages
- silabobrov27 - 1116 messages

Related, malicious, URls, known, to, have, participated, in, the, campaign:
hxxp://wut.im/343535
hxxp://tpal.us/wedding2
hxxp://shrtb.us/New_year_video
hxxp://snipurl.com/tx2r6
hxxp://www.tcp3.com/helga-4315
hxxp://budurl.com/egph
hxxp://flipto.com/jokes/
hxxp://rejoicetv.info/newyear
hxxp://fauz.me/?livetv
hxxp://go2.vg/funnykids
hxxp://usav.us/anecdotes
hxxp://vaime.org/joke
hxxp://theflooracle.com/mistakes
hxxp://dashurl.com/video-jokes
hxxp://www.shortme.info/smileykids/
hxxp://starturl.com/clip32112
hxxp://starturl.com/rebeca
hxxp://starturl.com/video2231
hxxp://starturl.com/funclip
hxxp://starturl.com/sexchat
hxxp://snipurl.com/tx2r6
hxxp://www.41z.com/animals
hxxp://www.rehttp.com/?smileykids
hxxp://starturl.com/adamaura
hxxp://mytinyurls.com/wfj
hxxp://budurl.com/egph

Sample, detection, rate, for, a, malicious, executable:
MD5: 1e0d06095a32645c3f57f1b4dcbcfe5c

Sample, malicious, URL, involved, in, the, campaign:
hxxp://newsekuritylist.com/index.php?affid=92600 - 213.163.89.56 - Bobby.J.Hyatt@gmail.com

Parked there are also:
hxxp://networkstabilityinc .com - Email: juliacanderson@pookmail.com; marcusmhuffaker@mailinator.com; justinpnelson@dodgit.com
hxxp://indiansoftwareworld .com - Email: thelmamhandley@trashymail.com; leanngscofield@gmail.com; ernestygresham@trashymail.com
hxxp://antyvirusdevice .com - Email: latonyawmiller@pookmail.com; royawiley@pookmail.com; gracegoshea@pookmail.com; latonyawmiller@pookmail.com
hxxp://digitalprotectionservice .com - Email: clarencepfetter@trashymail.com; jamesdrobinson@pookmail.com; jamesdrobinson@pookmail.com; clarencepfetter@trashymail .com
hxxp://bestantyvirusservice .com - Email: kathrynrsmith@gmail.com; richardbhughey@gmail.com; joshuamwest@trashymail.com; kathrynrsmith@gmail.com
hxxp://antivirussoftrock .com - Email: michaelaturner@trashymail.com; gracemparker@trashymail.com; cliffordsfernandez@pookmail.com; michaelaturner@trashymail.com
hxxp://antywiramericasell .com - Email: Shannon.J.Ferguson@gmail.com
hxxp://antydetectivewaemergencyroom .com - Email: brettdpetro@gmail.com; valeriejweaver@dodgit.com; williekharris@mailinator.com; brettdpetro@gmail.com
hxxp://freeinternetvacation .com - Email: edwardmyoung@trashymail.com; aileenasaylor@gmail.com; williamjoverby@trashymail.com; edwardmyoung@trashymail.com
hxxp://aolbillinghq .com - Email: haroldamccarthy@trashymail.com; teodoromkeller@trashymail.com; joanswhite@dodgit.com; haroldamccarthy@trashymail.com
hxxp://scanserviceprovider .com - Email: rogerdmurphy@gmail.com; charlescvalentino@mailinator.com; eliarmcdonald@trashymail.com; rogerdmurphy@gmail.com
hxxp://securitytoolsquotes .com - Email: thurmanepidgeon@dodgit.com; jessicapgrady@dodgit.com; jamesmcummings@trashymail.com; thurmanepidgeon@dodgit.com
hxxp://electionprogress .com - Email: clarenceafloyd@pookmail.com; junerwurth@pookmail.com; edjbaxter@gmail.com; clarenceafloyd@pookmail.com
hxxp://myantywiruslist .com - Email: Nathan.S.Dennis@gmail.com
hxxp://antyspywarelistnow .com - Email: James.M.Miller@gmail.com
hxxp://securitylabtoday .com - Email: Marc.N.Torres@gmail.com
hxxp://yournecessary .com - Email: debrahbettis@gmail.com; myracbryant@dodgit.com; marycwilliams@dodgit.com; debrahbettis@gmail.com
hxxp://securityutilitysite .net - Email: michellemwelch@mailinator.com; charlesdfrazier@trashymail.com; rosaliejhumphrey@pookmail.com; michellemwelch@mailinator.com
hxxp://securitytoolsshop .net - Email: sarajgunter@gmail.com; kerstinrbray@gmail.com; keithrdejesus@mailinator.com; sarajgunter@gmail.com
hxxp://securitytooledit .net - Email: byronlross@pookmail.com; jamesslewis@mailinator.com; leighschancey@trashymail.com; byronlross@pookmail.com
hxxp://portsecurityutility .net - Email: marquettacpettit@trashymail.com; melindakbolin@pookmail.com; rhondaehipp@mailinator.com; marquettacpettit@trashymail.com

Sample, detection, rate, for, a, malicious, executable:
MD5: 4a3e8b6b7f42df0f26e22faafaa0327f
MD5: 64a111acdc77762f261b9f4202e98d29

Once, executed, a, sample, malware, phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://newsekuritylist.com/in.php?affid=92600
hxxp://newsekuritylist.com/in.php?affid=92600

Sample, URL, redirection, chain:
hxxp://rejoicetv.info/newyear
    - hxxp://91.207.4.19/tds/go.php?sid=3
        - hxxp://liveeditionpc.net?uid=297&pid=3&ttl=11845621a62 - 95.169.187.216 - korn989.net; liveeditionpc.net; createpc-pcscan-korn.net
            - hxxp://www1.hotcleanofyour-pc.net/p=== - 98.142.243.174 - live-guard-forpc.net is also parked there:

Sample, detection, rate, for, a, malicious, executable:
MD5: 4912961c36306d156e4e2b335c51151b

Once, executed, a, sample, malware, phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://update2.pcliveguard.com/index.php?controller=hash - 124.217.251.99
hxxp://update2.pcliveguard.com/index.php?controller=microinstaller&abbr=PCLG&setupType=xp&ttl=210475833d3&pid=
hxxp://update2.pcliveguard.com/index.php?controller=microinstaller&abbr=PCLG&setupType=xp&ttl=210475833d3&pid=
hxxp://securityearth.cn/Reports/MicroinstallServiceReport.php - 210.56.53.125

Sample, URL, redirection, chain:
hxxp://garlandvenit.150m.com
    - hxxp://online-style2.com
        - hxxp://scanner-malware15.com/scn3/?engine=
            - hxxp://scanner-malware15.com/download.php?id=328s3

Related, malicious, domains, known, to, have, participated, in, the, campaign:
hxxp://eclipserisa.150m.com
hxxp://adamaura.150m.com
hxxp://hugodinah.150m.com
hxxp://roycesylvia.150m.com
hxxp://lindaagora.150m.com
hxxp://sharolynpam.150m.com
hxxp://letarebeca.150m.com
hxxp://letarebeca.150m.com

Sample, URL, redirection, chain:
hxxp://egoldenglove.com/Images/bin/movie/
    - hxxp://egoldenglove.com/Images/bin/movie/Flash_Update_1260873156.exe

Once, executed, a, sample, malware, phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://2-weather.com/?pid=328s03&sid=3593b2&d=3&name=Loading%20video - 66.197.160.104 -mail@tatrum-verde.com
hxxp://scanner-spya8.com/scn3/?engine= - info@gainweight.com -

Sample, detection, rate, for, a, malicious, executable:
MD5: bfaba92c3c0eaec61679f03ff0eb0911

Once, executed, a, sample, malware, phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://91.212.226.185/download/winlogo.bmp (windowsaltserver.com)

Related, malicious, domains, known, to, have, participated, in, the, campaign:
hxxp://2-coat.com - 193.104.22.202 - Email: mail@tatrum-verde.com
hxxp://2-weather.com - 193.104.22.202 - - Email: mail@tatrum-verde.com - currently embedded on Koobface-infected hosts pushing scareware

Related, malicious, domains, known, to, have, participated, in, the, campaign:
hxxp://online-style2.com - 66.197.160.104 - Email: mail@tatrum-verde.com
hxxp://scanner-malware15.com - Email: info@natural-health.org

Related, malicious, IPs, known, to, have, participated, in, the, campaign:
hxxp://68.168.212.142
hxxp://91.212.226.97
hxxp://66.197.160.105

Parked on 68.168.212.142:
hxxp://antispywareguide20 .com - Email: contacts@vertigo.us
hxxp://antispywareguide22 .com - Email: contacts@vertigo.us
hxxp://antispywareguide23 .com - Email: contacts@vertigo.us
hxxp://antispywareguide25 .com - Email: contacts@vertigo.us
hxxp://antispywareguide27 .com - Email: contacts@vertigo.us
hxxp://antispywaretools10 .com - Email: contacts@vertigo.us
hxxp://antispywaretools11 .com - Email: contacts@vertigo.us
hxxp://antispywaretools12 .com - Email: contacts@vertigo.us
hxxp://antispywaretools17 .com - Email: contacts@vertigo.us
hxxp://antispywaretools18 .com - Email: contacts@vertigo.us
hxxp://best-scan-911 .com - Email: TheodoreWTurner@live.com
hxxp://best-scan-921 .com - Email: TheodoreWTurner@live.com
hxxp://best-scan-931 .com - Email: TheodoreWTurner@live.com
hxxp://best-scan-951 .com - Email: TheodoreWTurner@live.com
hxxp://best-scan-961 .com - Email: TheodoreWTurner@live.com
hxxp://birthday-gifts2 .com - Email: TheodoreWTurner@live.com
hxxp://christmasdecoration2 .com - Email: contact@trythreewish.us
hxxp://computerscanm0 .com - Email: JamesNTurner@yahoo.com
hxxp://computerscanm2 .com - Email: JamesNTurner@yahoo.com
hxxp://computerscanm4 .com - Email: JamesNTurner@yahoo.com
hxxp://computerscanm6 .com - Email: JamesNTurner@yahoo.com
hxxp://computerscanm8 .com - Email: JamesNTurner@yahoo.com
hxxp://go-scan021 .com - Email: TheodoreWTurner@live.com
hxxp://go-scan061 .com - Email: TheodoreWTurner@live.com
hxxp://go-scan081 .com - Email: TheodoreWTurner@live.com
hxxp://go-scan091 .com - Email: TheodoreWTurner@live.com
hxxp://go-scan121 .com - Email: TheodoreWTurner@live.com

hxxp://microscanner1 .com - Email: info@enigmazero.com
hxxp://micro-scanner1 .com - Email: info@enigmazero.com
hxxp://microscanner2 .com - Email: info@enigmazero.com
hxxp://micro-scanner2 .com - Email: info@enigmazero.com
hxxp://microscanner3 .com - Email: info@enigmazero.com
hxxp://micro-scanner3 .com - Email: info@enigmazero.com
hxxp://microscanner4 .com - Email: info@enigmazero.com
hxxp://micro-scanner4 .com - Email: info@enigmazero.com
hxxp://microscanner5 .com - Email: info@enigmazero.com
hxxp://micro-scanner5 .com - Email: info@enigmazero.com
hxxp://micro-scannera1 .com - Email: info@enigmazero.com
hxxp://micro-scannerb1 .com - Email: info@enigmazero.com
hxxp://micro-scannerc1 .com - Email: info@enigmazero.com
hxxp://micro-scannerd1 .com - Email: info@enigmazero.com
hxxp://pc-antispyo3 .com
hxxp://pc-antispyo5 .com
hxxp://pc-antispyo6 .com
hxxp://pc-antispyo9 .com
hxxp://pc-securityv8 .com - Email: info@billBlog.com
hxxp://protect-pca1 .com
hxxp://protect-pcr1 .com
hxxp://protect-pct1 .com
hxxp://protect-pcu1 .com

hxxp://quick-antispy91 .com - Email: williams.trio@yahoo.com
hxxp://quick-antispy92 .com - Email: williams.trio@yahoo.com
hxxp://quick-antispy93 .com - Email: williams.trio@yahoo.com
hxxp://quick-antispy95 .com - Email: williams.trio@yahoo.com
hxxp://quick-antispy99 .com - Email: williams.trio@yahoo.com
hxxp://quick-scanner2 .com - Email: williams.trio@yahoo.com
hxxp://quick-scanner4 .com - Email: williams.trio@yahoo.com
hxxp://quick-scanner6 .com - Email: williams.trio@yahoo.com
hxxp://quick-scanner77 .com - Email: williams.trio@yahoo.com
hxxp://quick-scanner78 .com - Email: williams.trio@yahoo.com
hxxp://run-scanner023 .com - Email: TheodoreWTurner@live.com
hxxp://run-scanner056 .com - Email: TheodoreWTurner@live.com
hxxp://run-scanner067 .com - Email: TheodoreWTurner@live.com
hxxp://safe-pc01 .com - Email: JamesNTurner@yahoo.com
hxxp://safe-pc02 .com - Email: JamesNTurner@yahoo.com
hxxp://safe-pc03 .com - Email: JamesNTurner@yahoo.com
hxxp://safe-pc07 .com - Email: JamesNTurner@yahoo.com
hxxp://safe-pc09 .com - Email: JamesNTurner@yahoo.com
hxxp://safe-your-pc002 .com - Email: JamesNTurner@yahoo.com
hxxp://safe-your-pc004.com - Email: JamesNTurner@yahoo.com
hxxp://safe-your-pc009 .com - Email: JamesNTurner@yahoo.com
hxxp://scan-and-secure01 .com
hxxp://scan-and-secure04 .com
hxxp://scan-and-secure06 .com
hxxp://scan-and-secure07 .com
hxxp://scan-and-secure09 .com
hxxp://scan-computerab .com
hxxp://scan-computere0 .com

hxxp://scanner-malware01 .com - Email: info@natural-health.org
hxxp://scanner-malware02 .com - Email: info@natural-health.org
hxxp://scanner-malware04 .com - Email: info@natural-health.org
hxxp://scanner-malware05 .com - Email: info@natural-health.org
hxxp://scanner-malware06 .com - Email: info@natural-health.org
hxxp://scanner-malware11 .com - Email: info@natural-health.org
hxxp://scanner-malware12 .com - Email: info@natural-health.org
hxxp://scanner-malware13 .com - Email: info@natural-health.org
hxxp://scanner-malware14 .com - Email: info@natural-health.org
hxxp://scanner-malware15 .com - Email: info@natural-health.org
hxxp://securitysoftware1 .com
hxxp://securitysoftware3 .com
hxxp://securitysoftware5 .com
hxxp://securitysoftwaree .com
hxxp://securitysoftwaree7 .com
hxxp://security-softwareo1 .com
hxxp://security-softwareo5 .com
hxxp://security-softwareo7 .com
hxxp://unique-gifts2 .com - Email: contact@trythreewish.us
hxxp://unusual-gifts2 .com - Email: contact@trythreewish.us
hxxp://xmas-song .com - Email: contact@trythreewish.us

Parked on 91.212.226.97; 66.197.160.105:
hxxp://best-scan-911 .com - Email: TheodoreWTurner@live.com
hxxp://best-scan-921 .com - Email: TheodoreWTurner@live.com
hxxp://best-scan-931 .com - Email: TheodoreWTurner@live.com
hxxp://best-scan-951 .com - Email: TheodoreWTurner@live.com
hxxp://best-scan-961 .com - Email: TheodoreWTurner@live.com
hxxp://go-scan021 .com - Email: TheodoreWTurner@live.com
hxxp://go-scan061 .com - Email: TheodoreWTurner@live.com
hxxp://go-scan081 .com - Email: TheodoreWTurner@live.com
hxxp://go-scan091 .com - Email: TheodoreWTurner@live.com
hxxp://go-scan121 .com - Email: TheodoreWTurner@live.com
hxxp://microscanner1 .com - Email: info@enigmazero.com
hxxp://micro-scanner1 .com - Email: info@enigmazero.com
hxxp://microscanner2 .com - Email: info@enigmazero.com
hxxp://micro-scanner2 .com - Email: info@enigmazero.com
hxxp://microscanner3 .com - Email: info@enigmazero.com
hxxp://micro-scanner3 .com - Email: info@enigmazero.com
hxxp://microscanner4 .com - Email: info@enigmazero.com
hxxp://micro-scanner4 .com - Email: info@enigmazero.com
hxxp://microscanner5 .com - Email: info@enigmazero.com

hxxp://micro-scanner5 .com - Email: info@enigmazero.com
hxxp://micro-scannera1 .com - Email: info@enigmazero.com
hxxp://micro-scannerb1 .com - Email: info@enigmazero.com
hxxp://micro-scannerc1 .com - Email: info@enigmazero.com
hxxp://micro-scannerd1 .com - Email: info@enigmazero.com
hxxp://run-scanner023 .com - Email: TheodoreWTurner@live.com
hxxp://run-scanner056 .com - Email: TheodoreWTurner@live.com
hxxp://run-scanner067 .com - Email: TheodoreWTurner@live.com
hxxp://scanner-malware01 .com - Email: info@natural-health.org
hxxp://scanner-malware02 .com - Email: info@natural-health.org
hxxp://scanner-malware04 .com - Email: info@natural-health.org
hxxp://scanner-malware05 .com - Email: info@natural-health.org
hxxp://scanner-malware06 .com - Email: info@natural-health.org
hxxp://scanner-malware11 .com - Email: info@natural-health.org
hxxp://scanner-malware12 .com - Email: info@natural-health.org
hxxp://scanner-malware13 .com - Email: info@natural-health.org
hxxp://scanner-malware14 .com - Email: info@natural-health.org
hxxp://scanner-malware15 .com - Email: info@natural-health.org

Parked on 66.197.160.104:
hxxp://2activities.com - Email: mail@tatrum-verde.com
hxxp://2-scenes.com - Email: mail@tatrum-verde.com
hxxp://2-weather.com - Email: mail@tatrum-verde.com
hxxp://online-fun2 .com - Email: mail@tatrum-verde.com
hxxp://online-news2.com - Email: mail@tatrum-verde.com
hxxp://online-style2 .com - Email: mail@tatrum-verde.com
hxxp://online-tv2.com - Email: mail@tatrum-verde.com
hxxp://snow-and-fun2 .com - Email: mail@tatrum-verde.com
hxxp://winterart2 .com - Email: info@territoryplace.us
hxxp://winterchristmas2 .com - Email: info@territoryplace.us
hxxp://wintercrafts2 .com - Email: info@territoryplace.us
hxxp://winterkids2 .com - Email: info@territoryplace.us
hxxp://winterphotos2 .com - Email: info@territoryplace.us
hxxp://winterpicture2 .com - Email: info@territoryplace.us
hxxp://winterscene2 .com - Email: info@territoryplace.us
hxxp://winterwallpaper2 .com - Email: info@territoryplace.us

What's particularly, interesting, about, this, particular, campaign, is, the, direct, connection, with, the, Koobface, gang, taking, into, consideration, the, fact, that, hxxp://redirector online-style2.com/?pid=312s03&sid=4db12f has, also, been, used, by, Koobface-infected hosts, and, most, importantly, the, fact, that, a, sampled, scareware, campaign from December 2009, were serving scareware parked on 193.104.22.200, where the Koobface scareware portfolio is parked, as, previously, profiled, and, analyzed.

We'll, continue, monitoring, the, campaign, and, post, updates, as, soon, as, new, developments, take, place.

Related posts:
Historical OSINT - Celebrity-Themed Blackhat SEO Campaign Serving Scareware and the Koobface Botnet Connection
The Koobface Gang Wishes the Industry "Happy Holidays"
Koobface Gang Responds to the "10 Things You Didn't Know About the Koobface Gang Post"
How the Koobface Gang Monetizes Mac OS X Traffic
Koobface Botnet's Scareware Business Model - Part Two
Koobface Botnet's Scareware Business Model
From the Koobface Gang with Scareware Serving Compromised Site
Koobface Botnet Starts Serving Client-Side Exploits
Koobface-Friendly Riccom LTD - AS29550 - (Finally) Taken Offline
Dissecting Koobface Gang's Latest Facebook Spreading Campaign
Koobface - Come Out, Come Out, Wherever You Are
Dissecting Koobface Worm's Twitter Campaign
Koobface Botnet Redirects Facebook's IP Space to my Blog
Koobface Botnet Dissected in a TrendMicro Report
Massive Scareware Serving Blackhat SEO, the Koobface Gang Style
Movement on the Koobface Front - Part Two
Movement on the Koobface Front
Dissecting the Koobface Worm's December Campaign
The Koobface Gang Mixing Social Engineering Vectors
Dissecting the Latest Koobface Facebook Campaign Continue reading →

Historical OSINT - Celebrity-Themed Blackhat SEO Campaign Serving Scareware and the Koobface Botnet Connection

December 23, 2016
In, a, cybercrime, dominated, by, fraudulent, propositions, historical, OSINT, remains, a, crucial, part, in, the, process, of, obtaining, actionable. intelligence, further, expanding, a, fraudulent, infrastructure, for, the, purpose, of, establishing, a, direct, connection, with, the, individuals, behind, it. Largely, relying, on, a, set, of, tactics, techniques, and, procedures, cybercriminals, continue, further, expanding, their, fraudulent, infrastructure, successfully, affecting, hunreds, of, thousands, of, users, globally, further, earning, fraudulent, revenue, in, the, process, of, committing, fraudulent, activity, for, the, purpose, of, earning, fraudulent, revenue, in, the, process.

In, this, post, we'll, discuss, a, black, hat, SEO (search engine optimization), campaign, intercepted, in, 2009, provide, actionable, intelligence, on, the, infrastructure, behind, it, and, discuss, in-depth, the, tactics, techniques, and, procedures, of, the, cybercriminals, behind, it, successfully, establishing, a, direct, connection, with, the, Koobface, gang.


The, Koobface, gang, having, successfully, suffered, a, major, take, down, efforts, thanks, to, active, community, and, ISP (Internet Service Provider), cooperation, has, managed, to, successfully, affect, a, major, proportion, of, major, social, media, Web, sites, including, Facebook, and, Twitter, for, the, purpose, of, further, spreading, the, malicious, software, served, by, the, Koobface, gang, while, earning, fraudulent, revenue, in, the, process, of, monetizing, the, hijacked, and, acquired, traffic, largely, relying, on, the, use, of, fake, security, software, and, the, reliance, on, a, fraudulent, affiliate-network, based, type, of, monetizing, scheme.


Largely, relying, on, a, diverse, set, of, traffic, acquisition, tactics, including, social, media, propagation, black, hat, SEO (search engine optimization), and, client-side, exploits, the, Koobface, gang, has, managed, to, successfully, affect, hundreds, of, thousands, of, users, globally, successfully, populating, social, media, networks, such, as, Facebook, and, Twitter, with, rogue, and, bogus, content, for, the, purpose, of, spreading, malicious, software, and, earning, fraudulent, revenue, in, the, process, largely, relying, on, a, diverse, set, of, traffic, acquisition, tactics, successfully, monetizing, the, hijacked, and, acquired, traffic, largely, relying, on, the, use, of, affiliate-network, based, traffic, monetizing, scheme.

Let's, profile, the, campaign, provide, actionable, intelligence, on, the, infrastructure, behind, it, discuss, in-depth, the, tactics, techniques, and, procedures, of, the, cybercriminals, behind, it, and, establish, a, direct, connection, with, the, Koobface, gang, and, the, Koobface, botnet's, infrastructure.

Sample URL, redirection, chain:
hxxp://flash.grywebowe.com/elin5885/?x=entry:entry091109-071901; -> http://alicia-witt.com/elin1619/?x=entry:entry091112-185912 -> hxxp://indiansoftwareworld.com/index.php?affid=31700 - 213.163.89.56


Sample, detection, rate, for, a, malicious, executable:MD5: bd7419a376f9526719d4251a5dab9465


Sample, URL, redirection, chain, leading, to, client-side, exploits:
hxxp://loomoom.in/counter.js - 64.20.53.84 - the front page says "We are under DDOS attack. Try later".
hxxp://firefoxfowner.cn/?pid=101s06&sid=977111 -> hxxp://royalsecurescana.com/scan1/?pid=101s6&engine=p3T41jTuOTYzLjE3Ny4xNTMmdGltZT0xMjUxNMkNPAhN

Sample, detection, rate, for, a, malicious, executable:
MD5: a91a1bb995e999f27ffc5d9aa0ac2ba2

 Once, executed, a, sample, malware, phones, back, to:
hxxp://systemcoreupdate.com/download/timesroman.tif - 213.136.83.234


Sample, URL, redirection, chain:
hxxp://oppp.in/counter.js - 64.20.53.83 - the same message is also left "We are under DDOS attack. Try later"
hxxp://johnsmith.in/counter.js - 64.20.53.86
hxxp://gamotoe.in/counter.js
hxxp://polofogoma.in/counter.js
hxxp://jajabin.in/counter.js
hxxp://dahaloho.in/counter.js
hxxp://gokreman.in/counter.js
hxxp://freeblogcounter2.com/counter.js
hxxp://lahhangar.in/counter.js
hxxp://galorobap.in/counter.js

 Sample, directory, structure, for, the, black, hat, SEO (search engine optimization), campaign:
hxxp://images/include/bmblog
hxxp://bmblog/category/art/
hxxp://images/style/bmblog
hxxp://photos/archive/bmblog/
hxxp://templates/img/bmblog
hxxp://phpsessions/bmblog
hxxp://Index_archivos/img/bmblog/
hxxp://bmblog/category/hahahahahah/
hxxp://gallery/include/bmblog

Sample, malicious, domains, participating, in, the, campaign:
pcmedicalbilling.com - Email: sophiawrobertson@pookmail.com
securitytoolnow.com - Email: ronaldmpappas@dodgit.com
securitytoolsclick.net - Email: ruthdtrafton@dodgit.com
security-utility.net - Email: richardrmccullough@trashymail.com

Historically on the same IP were parked the following, now responding to 91.212.107.37 domains:
online-spyware-remover.biz - Email: robertsimonkroon@gmail.com
online-spyware-remover.info - Email: robertsimonkroon@gmail.com
spyware-online-remover.biz  - Email: robertsimonkroon@gmail.com
spyware-online-remover.com - Email: robertsimonkroon@gmail.com
spyware-online-remover.info - Email: robertsimonkroon@gmail.com
spyware-online-remover.net - Email: robertsimonkroon@gmail.com
spyware-online-remover.org - Email: robertsimonkroon@gmail.com
tubepornonline.biz - Email: robertsimonkroon@gmail.com
tubepornonline.org - Email: robertsimonkroon@gmail.com


Sample, malicious, domains, known, to, have, participated, in, the, campaign:
hxxp://antyspywarestore.com/index.php?affid=90400
hxxp://newsecuritytools.net/index.php?affid=90400 - 78.129.166.11 - Email: joyomcdermott@gmail.com

Sample, detection, rate, for, a, malicious, executable:
MD5: 0feffd97ffe3ecc875cfe44b73f5653b
MD5: a0d9d3127509272369f05c94ab2acfc9

Naturally, it gets even more interesting, in particular the fact the very same robertsimonkroon@gmail.com used to register the domains historically parked at the IP that is currently hosting the scareware domains part of the massive blackhat SEO campaign -- the very same domains (hxxp://firefoxfowner.cn), were also in circulation on Koobface infected host, in a similar fashion when the domains used in the New York Times malvertising campaign were simultaneously used in blackhat SEO campaigns managed by the Koobface gang -- have not only been seen in July's scareware campaigns -- but also, has been used to register actual domains used as a download locations for the scareware campaigns part of the Koobface botnet's scareware business model.


Parked, at, the, same, malicious, IP (91.212.107.37), are, also, the, following, malicious, domains:
hxxp://free-web-download.com
hxxp://web-free-download.com
hxxp://iqmediamanager.com
hxxp://oesoft.eu
hxxp://unsoft.eu
hxxp://losoft.eu
hxxp://tosoft.eu
hxxp://kusoft.eu

Sample, detection, rate, for, a, malicious, executable:
MD5: 29ff816c7e11147bb74570c28c4e6103
MD5: e59b66eb1680c4f195018b85e6d8b32b
MD5: b34593d884a0bc7a5adb7ab9d3b19a2c

The overwhelming evidence of underground multi-tasking performed by the Koobface gang, it's connections to money mule recruitment scams, high profile malvertising attacks, and current market share leader in blackhat SEO campaigns, made, the, group, a, prominent, market, leader, within, the, cybercrime, ecosystem, having, successfully, affecting, hundreds, of, thousands, of, users, globally, potentially, earning, hundreds, of, thousands, in, fraudulent, revenue, in, the, process.

Related posts:
The Koobface Gang Wishes the Industry "Happy Holidays"
Koobface Gang Responds to the "10 Things You Didn't Know About the Koobface Gang Post"
How the Koobface Gang Monetizes Mac OS X Traffic
Koobface Botnet's Scareware Business Model - Part Two
Koobface Botnet's Scareware Business Model
From the Koobface Gang with Scareware Serving Compromised Site
Koobface Botnet Starts Serving Client-Side Exploits
Koobface-Friendly Riccom LTD - AS29550 - (Finally) Taken Offline
Dissecting Koobface Gang's Latest Facebook Spreading Campaign
Koobface - Come Out, Come Out, Wherever You Are
Dissecting Koobface Worm's Twitter Campaign
Koobface Botnet Redirects Facebook's IP Space to my Blog
Koobface Botnet Dissected in a TrendMicro Report
Massive Scareware Serving Blackhat SEO, the Koobface Gang Style
Movement on the Koobface Front - Part Two
Movement on the Koobface Front
Dissecting the Koobface Worm's December Campaign
The Koobface Gang Mixing Social Engineering Vectors
Dissecting the Latest Koobface Facebook Campaign Continue reading →

Koobface Botnet Master KrotReal Back in Business, Distributes Ransomware And Promotes BHSEO Service/Product

November 26, 2012
On January 09, 2012 I exposed Koobface botnet master KrotReal. On January 16, 2012, The New York Times went public with data from Facebook Inc. exposing the identities of the rest of the group. What happened? With the botnet masters still at large, and the Koobface botnet currently offline, a logical question emerges - what are these cybercriminals up to now that they're no longer involved in managing Koobface?

Cybercrime as usual!

Continuing to squeeze the cybercrime ecosystem, and keep known bad actors on a short leash, in this intelligence brief I'll expose Anton Nikolaevich Korotchenko a.k.a KrotReal's s latest activities, indicating that he's currently busy experimenting with two projects:
  • A Black Hat (SEO) Search Engine Optimization related service/product
  • Underground traffic exchange/pay-pay-install network currently distributing localized Ransomware
Just like the case when KrotReal's real life identity was revealed due to a single mistake he made over a period of several years, namely to register a Koobface command and control server using his personal GMail account, in this intelligence brief I'll once again expose his malicious and fraudulent activities by profiling two of the most recently domains he once again registered with his personal GMail account.

Let's start by profiling his Black Hat SEO service/product, currently hosted on one of the domains he registered in 2011.

trafficconverter.in - 176.9.146.78 - Email: krotreal@gmail.com
Created On:28-Jul-2011 12:37:45 UTC
Last Updated On:28-Jun-2012 08:11:43 UTC
Expiration Date:28-Jul-2013 12:37:45 UTC

The service/produce apparently allows the systematic abuse of legitimate blogging platforms such as Google's Blogger and Wordpress, next to Yoom CMS. KrotReal himself might be using the tool, or sell/offer access to it as a managed service. Does this mean he's not using it by himself to monetize the hijacked legitimate traffic that he's able to obtain through his Black Hat SEO campaigns? Not at all.

More domains presumably to be used for Black Hat SEO purposes registered with KrotReal's personal email account (krotreal@gmail.com):
superstarfind.com
celeb-search.com
myown-search.com
myfindstuff.com
network-find.com
coolfind200309.com
experimentsearch.com
fashion-overview.com
krotpong.com
adultpartypics.com
findhunt.com

How is he actually monetizing the hijacked traffic? Keep reading. Now it's time to expose his malicious activities in the form of spreading localized Ransomware variants. For the record, the Koobface gang distributed primarly scareware -- there's evidence that the group was also involved in other malicious campaigns -- and even bragged about the fact that they're not damaging infected user PCs.

What's particularly interesting about profiling this campaign, is that it's a great example of double-layer monetization, as KrotReal is earning revenue through the Traffic Holder Adult Affiliate Program, in between serving client-side exploits and ultimately dropping Ransomware on the affected host using the same redirection chain.


Sample malicious domain name reconnaissance:
traffictracker.in - 176.9.146.78 (AS24940) - Email: krotreal@gmail.com
Created On:22-Nov-2011 13:42:53 UTC
Last Updated On:22-Nov-2012 22:33:25 UTC
Expiration Date:22-Nov-2013 13:42:53 UTC

Responding to the same IP 176.9.146.78 (AS24940):
allcelebrity.ru
easypereezd.ru

Sample malicious activity redirection chain: hxxp://traffictracker.in/in.cgi?11&parameter=nude+girls&CS=1 -> hxxp://celeb-search.com/in.php?source=th&q=nude+girls -> hxxp://celeb-search.com/in3.php?source=th&q=nude+girls -> hxxp://www.trafficholder.com/in/in2.php?ppillow-pics_erotic -> hxxp://hit.trafficholder.com/cgi-bin/traffic/process.fcgi?a=ppillow&c=1&n=pics_erotic&r= ->  hxxp://gravityexp.com/go.php?sid=12 -> hxxp://nosnowfevere.com/ZqRqk (exploiting CVE-2008-5353) -> hxxp://nosnowfevere.com/oxsXAE?KpDzQ=61 -> hxxp://nosnowfevere.com/ZqRqk -> hxxp://nosnowfevere.com/EHSvFc -> hxxp://nosnowfevere.com/XMDrkH

KrotReal's Traffic Holder Adult Affiliate Network ID is ppillow-pics_erotic.


Malicious domain names reconnaissance:
gravityexp.com - returns "Digital River GmbH" on its home page - 46.163.117.144 - Email: francesca.muglia.130@istruzione.it
Updated Date: 30-aug-2012
Creation Date: 30-aug-2012
Expiration Date: 30-aug-2013

nosnowfevere.com - 91.211.119.32 - Email: djbroning@definefm.com
Updated Date: 25-nov-2012
Creation Date: 25-nov-2012
Expiration Date: 25-nov-2013

Upon successful client-side exploitation, the campaign drops MD5: d234a238eb8686d08cd4e0b8b705da14 - detected by 10 out of 43 antivirus scanners as Trojan.Winlock.7431

Sample screenshot displayed to users from geolocated countries:
Second screenshot of a sample page displayed to affected U.K users:
Additional malicious payload obtained from the campaign:
MD5: fd47fe3659d7604d93c3ce0c0581fed7 - detected by 4 out of 44 antivirus scanners as Exploit:Java/CVE-2012-5076.BBW
MD5: e47991d7f172e893317f44ee8afe3811 - detected by 5 out of 44 antivirus scanners as JS:Pdfka-gen [Expl]
MD5: 7e58703026c7ffba05ac0d2ae4d3c62f - detected by 5 out of 44 antivirus scanners as Exploit:Java/CVE-2012-1723!generic

Ransomware C&C malicious domain name reconnaissance:
sarscowoy.com - currently responds to 176.28.22.32 (AS20773); 176.28.14.42 (AS20773) - Email: rmasela@ymail.com

On 2012-06-21 the domain responded to 204.13.160.28 (AS33626), then on 2012-07-01 it changed IPs to 46.163.113.79 (AS20773), then again on 2012-11-14 it changed IP to 176.28.14.42 (AS20773), followed by one last change on 2012-11-24 to 176.28.22.32 (AS20773)

One more MD5 is known to have phoned back to the same Ransomware C&C URL - MD5: 1600577edece1efe11c75158f9dd24db - detected by 28 out of 38 antivirus scanners as Trojan:Win32/Tobfy.H

Interestingly, the cybercriminals behind the Ransomware left the administration panel open to anyone who wants to take a look at the way the whole process works. 

Sample screenshot of the administration panel:
Second screenshot of the administration panel, showing a directory listing, including unique and localized files for potential victims from multiple countries:

More domains are currently responding to the same IPs (176.28.22.32; 176.28.14.42):
bussinesmail.org - Email: belov28@gmail.com
elitesecuritynet.com - Email: pescifabio83@yahoo.fi
ideasdeunion.com - Email: esbornikk@aol.com
ineverworrynet.com - pescifabio83@yahoo.fi
testcitycheckers.com - pescifabio83@yahoo.fi
uneugroup.com - Email: anders_christensen@yahoo.com
winntegroups.eu - Email: robertobona69@yahoo.com
sexchatvideo.org - Email: daddario.maria@virgilio.it
quasarnet.co - Email: valter.bars@venezia.pecavvocati.it
bestconsultingoffice.com
apaineal.ru

What we've got here is a great example of the following - when you don't fear legal prosecution for your fraudulent activities over a period of several years, earning you potentially hundreds of thousands of dollars, you just launch new projects, continuing to cause more harm and fraudulently obtain funds from infected victims.
 
For those who are interested in more details on the technical side of this Ransomware, you should consider going through this research.

Hat tip to Steven Adair from Shadowserver for the additional input. Continue reading →

Who's Behind the Koobface Botnet? - An OSINT Analysis

January 09, 2012
In this post, I will perform an OSINT analysis, exposing one of the key botnet masters behind the infamous Koobface botnet, that I have been extensively profiling and infiltrating since day one. I will include photos of the botnet master, his telephone numbers, multiple email addresses, license plate for a BMW, and directly connect him with the infrastructure -- now offline or migrated to a different place -- of Koobface 1.0.

The analysis is based on a single mistake that the botnet master made - namely using his personal email for registering a domain parked within Koobface's command and control infrastructure, that at a particular moment in time was directly redirecting to the ubiquitous fake Youtube page pushed by the Koobface botnet.

Let's start from the basics. Here's an excerpt from a previous research conducted on the Koobface botnet:

However, what the Koobface gang did was to register a new domain and use it as Koobface C&C again parked at the same IP, which remains active - zaebalinax.com Email: krotreal@gmail.com - 78.110.175.15 - in particular zaebalinax.com/the/?pid=14010 which is redirecting to the Koobface botnet. Two more domains were also registered and parked there, u15jul .com and umidsummer .com - Email: 2009polevandrey@mail.ru which remain in stand by mode at least for the time being.

The Koobface botnet master's biggest mistake is using the Koobface infrastructure for hosting a domain that was registered with the botnet master's personal email address. In this case that zaebalinax.com and krotreal@gmail.com. zaebalinax.com is literally translated to "Gave up on Linux". UPDATED: Multiple readers have to contacted me to point out that zaebalinax is actually translated to "f*ck you all" or "you all are p*ssing me off".

The same email krotreal@gmail.com was used to advertise the sale of Egyptian Sphynx kittens on 05.09.2007:

The following telephone belonging to Anton was provided - +79219910190. The interesting part is that the same telephone was also used in another advertisement, this time for the sale of a BMW:


Photos of the BMW, offered for sale, by the same Anton that was using the Koobface infrastructure to host zaebalinax.com Email: krotreal@gmail.com:

Upon further analysis, it becomes evident that his real name is Anton Nikolaevich Korotchenko (Антон Николаевич Коротченко). Here are more details of this online activities:

Real name: Anton Nikolaevich Korotchenko (Антон Николаевич Коротченко)
City of origin: St. Petersburg
Primary address: Omskaya st. 26-61; St. Petersburg; Leningradskaya oblast,197343
Associated phone numbers obtained through OSINT analysis, not whois records:
+79219910190
+380505450601
050-545-06-01
ICQ - 444374
Emails: krotreal@yahoo.com
krotreal@gmail.com
krotreal@mail.ru
krotreal@livejournal.com
newfider@rambler.ru
WM identification (WEB MONEY) : 425099205053
Twitter account: @KrotReal; @Real_Koobface
Flickr account: KrotReal
Vkontakte.ru Account: KrotReal; tonystarx 
Foursquare Account: KrotReal

Also, a chat log from 2003, identifies KrotReal while he's using the following IP -  krotreal@ip-534.dialup.cl.spb.ru

How do you trigger a change that would ultimately affect the entire cybercrime ecosystem? By personalizing cybercrime.

Go through previous research conducted on the Koobface botnet:
Koobface Redirectors and Scareware Campaigns Now Hosted in Moldova
The Koobface Gang Wishes the Industry "Happy Holidays"
Koobface Gang Responds to the "10 Things You Didn't Know About the Koobface Gang Post"
10 things you didn't know about the Koobface gang
How the Koobface Gang Monetizes Mac OS X Traffic
Koobface Botnet's Scareware Business Model - Part Two
Koobface Botnet's Scareware Business Model
From the Koobface Gang with Scareware Serving Compromised Site
Koobface Botnet Starts Serving Client-Side Exploits
Koobface-Friendly Riccom LTD - AS29550 - (Finally) Taken Offline
Dissecting Koobface Gang's Latest Facebook Spreading Campaign
Koobface - Come Out, Come Out, Wherever You Are
Dissecting Koobface Worm's Twitter Campaign
Koobface Botnet Redirects Facebook's IP Space to my Blog
Koobface Botnet Dissected in a TrendMicro Report
Massive Scareware Serving Blackhat SEO, the Koobface Gang Style
Movement on the Koobface Front - Part Two
Movement on the Koobface Front
Dissecting the Koobface Worm's December Campaign
The Koobface Gang Mixing Social Engineering Vectors
Dissecting the Latest Koobface Facebook Campaign Continue reading →
Subscribe to: Comments (Atom)