Showing posts with label Malvertising. Show all posts

Historical OSINT - Malicious Malvertising Campaign, Spotted at FoxNews, Serves Scareware

January 05, 2017
In, a, cybercrime, ecosystem, dominated, by, fraudulent, propositions, cybercriminals, continue, actively, populating, their, botnet's, infected, population, with, hundreds, of, malicious, releases, successfully, generating, hundreds, of, thousands, of, fraudulent, revenue, while, populating, their, botnet's, infected, population, largely, relying, on, the, utilization, of, affiliate-network, based, type, of, monetizing, scheme.

We've, recently, intercepted, a, currently, active, malvertising, campaign, affecting, FoxNews, successfully, enticing, users, into, executing, malicious, software, on, the, the, affected, PCs, with, the, cybercriminals, behind, it, successfully, earning, fraudulent, revenue, largely, relying, on, the, utilization, of, an, affiliate-network, based, type, of, monetizing, scheme.

In, this, post, we'll, profile, the, campaign, provide, actionable, intelligence, on, the, infrastructure, behind, it, and, discuss, in-depth, the, tactics, techniques, and, procedures, of, the, cybercriminals, behind, it.

Sample, URL, redirection, chain:
hxxp://toppromooffer.com/vsm/index.html - 85.17.254.158; 69.43.161.174
    - hxxp://78.47.132.222/a12/index.php?url=http://truconv.com/?a=125&s=4a12 - (78.47.132.222)    
        - hxxp://redirectclicks.com/?accs=845&tid=338 - 69.172.201.153; 176.74.176.178; 64.95.64.194
            - hxxp://http://redirectclicks.com/?accs=845&tid=339

Related, malicious, domains, known, to, have, participated, in, the, campaign:
hxxp://truconv.com - 78.46.88.202

Related, malicious, MD5s, known, to, have, phoned, back, to, the, same, malicious, C&C, server, IPs (78.46.88.202):
MD5: 473e3615795609a091a2f2d3d1be2d00
MD5: 9e51c29682a6059b9b636db8bf7dcc25
MD5: 08a50ebcaa471cd45b3561c33740136d
MD5: e7d5f7a90ddfa1fbe8dfce32d6e4a1f1
MD5: fcdd2790dd5b1898ef8ee29092dca757

Once, executed, a, sample, malware (MD5: 473e3615795609a091a2f2d3d1be2d00), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://yaskiya.cyberfight.de - 78.46.88.202

Once, executed, a, sample, malware (MD5: 9e51c29682a6059b9b636db8bf7dcc25), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://cfg111111.go.3322.org - 118.184.176.13
hxxp://newsoft.kilu.org - 78.46.88.202
hxxp://myweb111111.go.3322.org
hxxp://35free.net - 5.61.39.56
hxxp://newsoft1.go.3322.org
hxxp://newsoft11.go.3322.org

Once, executed, a, sample, malware (MD5: 08a50ebcaa471cd45b3561c33740136d), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://darthvader.dyndns.tv
hxxp://www12.subdomain.com - 78.46.88.202

Once, executed, a, sample, malware (MD5: e7d5f7a90ddfa1fbe8dfce32d6e4a1f1), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://tundeghanawork.co.gp - 78.46.88.202

Once, executed, a, sample, malware (MD5: fcdd2790dd5b1898ef8ee29092dca757), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://newsoft.go.3322.org - 221.130.179.36
hxxp://cfg111111.go.3322.org - 118.184.176.13
hxxp://newsoft.kilu.org - 78.46.88.202
hxxp://users6.nofeehost.com - 67.208.91.110

Related, malicious, MD5s, known, to, have, phoned, back, to, the, same, malicious, C&C, server, IPs (69.172.201.153):
MD5: c9ca43032633584ff2ae4e4d7442f123
MD5: a099766f448acd6b032345dfd8c5491d
MD5: da39ccb40b1c80775e0aa3ab7cefb4b0
MD5: 85750b93319bd2cf57e445e1b4850b08
MD5: e521b31eb97d6d25e3d165f2fe9ca3ba

Once, executed, a, sample, malware (MD5: c9ca43032633584ff2ae4e4d7442f123), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://os.tokoholapisa.com - 54.229.133.176
hxxp://down2load.net - 69.172.201.153
hxxp://cdn.download2013.net - 185.152.65.38

Once, executed, a, sample, malware (MD5: a099766f448acd6b032345dfd8c5491d), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://chicostara.com - 91.142.252.26
hxxp://suewyllie.com
hxxp://dewpoint-eg.com - 195.157.15.100

Related, malicious, MD5s, known, to, have, phoned, back, to, the, same, malicious, C&C, server, IPs (176.74.176.178):
MD5: 116d07294fb4b78190f44524145eb200
MD5: f9e71f66e3aae789b245638a00b951a8
MD5: 1d6d4a64a9901985b8a005ea166df584
MD5: acfa1a5f290c7dd4859b56b49be41038
MD5: b63fd04a8cdf69fb7215a70ccd0aef27

Once, executed, a, sample, malware (MD5: 116d07294fb4b78190f44524145eb200), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://www.on86.com - 69.172.201.153
hxxp://return.uk.uniregistry.com - 176.74.176.178

Once, executed, a, sample, malware (MD5: f9e71f66e3aae789b245638a00b951a8), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://www.linkbyte.com - 69.172.201.153
hxxp://return.uk.uniregistry.com - 176.74.176.178

Once, executed, a, sample, malware (MD5: 1d6d4a64a9901985b8a005ea166df584), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://www.pnmchgameserver.com - 69.172.201.153
hxxp://return.uk.uniregistry.com - 176.74.176.178

Once, executed, a, sample, malware (MD5: acfa1a5f290c7dd4859b56b49be41038), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://www.97dn.com - 45.125.35.85
hxxp://www.97wg.com - 69.172.201.153
hxxp://return.uk.uniregistry.com - 176.74.176.178

Once, executed, a, sample, malware (MD5: b63fd04a8cdf69fb7215a70ccd0aef27), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://pajak.yogya.com - 69.172.201.153
hxxp://www.yogya.com
hxxp://return.uk.uniregistry.com - 176.74.176.178

Related, malicious, MD5s, known, to, have, phoned, back, to, the, same, malicious, C&C, server, IPs (64.95.64.194):
MD5: 7ca6214e3b75bc1f7a41aef3267afc29

Once, executed, a, sample, malware, phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://freshtravel.net - 184.168.221.36
hxxp://experiencetravel.net - 217.174.248.145
hxxp://freshyellow.net
hxxp://experienceyellow.net
hxxp://freshclose.net
hxxp://experienceclose.net

Related, malicious, MD5s, known, to, have, phoned, back, to, the, same, malicious, C&C, server, IPs (69.43.161.174):
MD5: 674fca39caf18320e5a0e5fc45527ba4
MD5: 7017a26b53bc0402475d6b900a6c98ae
MD5: 0b61f6dfaddd141a91c65c7f290b9358
MD5: 4d5bc6b69db093824aa905137850e883
MD5: 201dee0da7b7807808d681510317ab59

Once, executed, a, sample, malware (MD5: 674fca39caf18320e5a0e5fc45527ba4), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://aahydrogen.com - 208.73.210.214
hxxp://greatinstant.net
hxxp://ginsdirect.net
hxxp://autouploaders.net - 185.53.177.9

Once, executed, a, sample, malware (MD5: 7017a26b53bc0402475d6b900a6c98ae), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://w.wfetch.com - 69.43.161.174
hxxp://ww1.w.wfetch.com - 72.52.4.90

Once, executed, a, sample, malware (MD5: 4d5bc6b69db093824aa905137850e883), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://greattaby.com - 69.43.161.174
hxxp://ww41.greattaby.com - 141.8.224.79

Once, executed, a, sample, malware (MD5: 201dee0da7b7807808d681510317ab59), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://layer-ads.de - 69.43.161.174

Sample, URL, redirection, chain:
hxxp://bonuspromooffer.com - 208.91.197.46; 141.8.226.14; 204.11.56.45; 204.11.56.26; 208.73.210.215; 208.73.211.246; 82.98.86.178
    - hxxp://promotion-offer.com/vsm/adv/5?a=cspvm-sst-ozbc-sst&l=370&f=cs_3506417142&ex=1&ed=2&h=&sub=csp&prodabbr=3P_UVSM - 208.91.197.46; 204.11.56.48; 204.11.56.45; 204.11.56.26; 63.156.206.202; 63.149.176.12
        - hxxp://easywebchecklive.com/1/fileslist.js - 94.247.2.215
            - hxxp://78.47.132.222/a12/index2.php
                - hxxp://78.47.132.221/a12/pdf.php?u=i_7_0
                    - hxxp://78.47.132.221/a12/aff_12.exe?u=i_7_0&spl=4

Once, executed, a, sample, malware, phones, back, to, the, following, malicious, C&C, server, IPs (208.91.197.46):
MD5: b13f1af8fc426e350df11565dcf281e8
MD5: a189b3334fbd9cd357aedff22c672e9c
MD5: da53b068538ff03e2fc136c7d0816e39
MD5: ec08a877817c749597396e6b34b88e78
MD5: b9e7bf23de901280e62fd68090b5b8fa

Once, executed, a, sample, malware (MD5: b13f1af8fc426e350df11565dcf281e8), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://dtrack.sslsecure1.com - 193.166.255.171
hxxp://staticrr.paleokits.net - 205.251.219.192
hxxp://dtrack.secdls.com
hxxp://staticrr.sslsecure1.com

Once, executed, a, sample, malware (MD5: a189b3334fbd9cd357aedff22c672e9c), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://staticrr.paleokits.net - 54.230.11.231
hxxp://staticrr.sslsecure1.com - 193.166.255.171
hxxp://staticrr.sslsecure2.com
hxxp://staticrr.sslsecure3.com - 208.91.197.46

Once, executed, a, sample, malware (MD5: ec08a877817c749597396e6b34b88e78), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://skyworldent.com
hxxp://solitaireinfo.com
hxxp://speedholidays.com - 206.221.179.26

Once, executed, a, sample, malware (MD5: b9e7bf23de901280e62fd68090b5b8fa), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://api.v2.secdls.com
hxxp://api.v2.sslsecure1.com - 193.166.255.171
hxxp://api.v2.sslsecure2.com
hxxp://api.v2.sslsecure3.com - 208.91.197.46

Related, malicious MD5s, known, to, have, phoned, back, to, the, same, malicious, C&C, server, IPs:
MD5: 969601cbf069a849197289e042792419

We'll, continue, monitoring, the, campaign, and, post, updates, as, soon, as, new, developments, take, place. Continue reading →

Managed SWF Injection Cybercrime-friendly Service Fuels Growth Within the Malvertising Market Segment

August 29, 2016
Cybercriminals, continue, launching, new, cybercrime-friendly, services, aiming, to, diversify, their, portfolio, of, fraudulent, services, while, earning, tens, of, thousands of fraudulent revenue in the process. Thanks, to, a vibrant, cybercrime ecosystem, and, the, overall, availability, of, DIY (do-it-yourself) type of, malicious, software, generating, tools, cybercriminals, continue, diversifying, their, portfolio, of, fraudulent, services, while, earning, tens, of, thousands, of, fraudulent, revenue, in, the, process.

Largely, relying, on, a diversified, set, of, tactics, techniques, and, procedures, cybercriminals, often, rely, on, automated, and, systematic, compromise, of, vulnerable, Web sites, for, the, purpose, of, active, traffic, acquisition, tactics, to hijack, intercept, and, monetize, the, acquired, traffic, for, the, purpose, of, earning, fraudulent, revenue, in, the, process. Thanks, to, a, vibrant, cybercrime-friendly, ecosystem, cybercriminals, continue, actively, hijacking, intercepting, and, monetizing, the, acquired, traffic, for, the, purpose, of, earning, fraudulent, revenue, in, the, process.



In, this, post, we'll discuss, a, newly, launched, managed SWF injecting, type, of, cybercrime-friendly, service (108.162.197.62), provide actionable, intelligence, on, the, infrastructure, behind, it, and, discuss, in-depth, the, tactics, techniques, and, procedures, of, the, cybercriminals, behind it.

Malicious MD5s known to have been downloaded from the same C&C server IP (108.162.197.62):
MD5: 738ef8e826b5f9070f555dc8d5e3320f
MD5: 8dddf1d1786ff72adc60057305f4f2c9
MD5: 0042ef6b151d68824999ed27e320ab7b
MD5: ea0f806840a8f1765994d2941d24a18a
MD5: 9d0e32a4f1d4fb348f70f235e9731363

Related malicious MD5s known to have phoned back to the same C&C server IP (108.162.197.62):
MD5: 4e108296f11d99e56be375dcab2e03d4
MD5: 8f696a2995aa56be5a7fe6ac8639e94a
MD5: 2aa4fedd2626f4a210d13a356cf721a1
MD5: 822606bb2f5a86bd20e4d111705c9e99
MD5: 6267650eb343bc1fb063233aaf398c9a

The, service, is, currently, offering, basic, type, of, account, registration, process, priced, at $100, and, premium, type, of, account, registration, process, priced, at, $1,000.

We'll continue, monitoring, the, market, segment, for, malvertising, type, of, managed, cybercrime-friendly, services, and, post, updates, as, soon, as, new, developments, take, place.

This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter. Continue reading →

Cybercriminals Launch Malicious Malvertising Campaign, Thousands of Users Affected

April 24, 2016
We've recently intercepted, a currently ongoing malicious malvertising attack, affecting thousands of users globally, potentially exposing their PCs, to, a multitude of malicious software, compromising, the, integrity, confidentiality, and, availability, of, their, PCs.

The campaign relies on the Angler Web malware exploitation kit, for, the, purpose of serving malicious software, on the, PCs, of, affected users exposing, their, PCs, to, a multitude, of, malicious software, potentially leading, to, a compromise, of, their, PCs. Once, users, visit, a legitimate Web site, part, of the, campaign, their, PCs, automatically become, part, of the botnet, operated, by, the, cybercriminals, behind it, with, the, campaign, relying, on, the, use, of, the, exploitation, of, a well known, client-side, vulnerability.

Cybercriminals, often, rely, on, the, use, of, compromised, accounting, data, obtained, through, active data mining, of, a botnet's infected population, for, the purpose, of, embedding, malicious, client-side exploits, on well known, and highly popular, Web sites, next, to, the, active, client-side, exploitation, of, known, vulnerabilities, found, on public, and well, known, Web sites. Yet, another highly popular attack vector, remains, the use, of compromised, advertiser network publisher's account, for, the, purpose, of taking advantage, of, the publisher's, already established, clean, network, reputation.

In this post, we'll profile, the, malicious campaign, provide, actionable, intelligence, for, the, infrastructure, behind it, provide, malicious MD5s, as, well, as, discuss, in depth, the, tactics, techniques, and procedures, utilized, by, the, cybercriminals, behind it.

Sample detection rate for the Trojan.Win32.Waldek.gip malware:
MD5: f2b92d07bb35f1649b015a5ac10d6f05

Once executed the sample phones back to:
hxxp://datanet.cc/extra/status.html - 146.185.251.154

Malicious URLs, used, in the, campaign:
hxxp://gamergrad.top/track/k.track?wd=48&fid=2 - 104.24.112.169
hxxp://talk915.pw/track/k.track?wd=48&fid=2 - 104.27.190.84

Known to have responded to the same IP (146.185.251.154) are also the following malicious domains:
hxxp://crenwat.cc
hxxp://oldbog.cc
hxxp://datanet.cc
hxxp://glomwork.cc
hxxp://speedport.cc
hxxp://myhostclub.cc
hxxp://terminreg.cc
hxxp://currentnow.cc
hxxp://copyinv.cc
hxxp://lableok.cc
hxxp://agentad.cc
hxxp://appclone.cc
hxxp://tune4.cc
hxxp://objects.cc

Once executed, the, sample, phones, back, to the, following, C&C server:
hxxp://188.138.70.19

Known to have responded to the same IP (188.138.70.19) are also the following malicious domains:
hxxp://alfatrade.cxaff.com
hxxp://affiliates.alfatrade.com

Known to have phoned back to the same malicious C&C server, are, also, the following malicious MD5s:
MD5: aaa6559738f74bd7a2ff1b025a287043
MD5: b919a06e79318c0d50b8961b0e32eb0a
MD5: a384337cad9335b34d877dd4c59c73ce
MD5: e7b7b7664e89be18bcf2b79cc116731f
MD5: d712ddbc9b4fb27d950be93c1e144cce

Related malicious MD5s known to have phoned back to the same C&C server:
MD5: aaa6559738f74bd7a2ff1b025a287043
MD5: b919a06e79318c0d50b8961b0e32eb0a
MD5: a2bd512e438801a2aa1871a2ac28e5bd
MD5: f01f9ded34cfe21098a2275563cf0d9d
MD5: e7b7b7664e89be18bcf2b79cc116731f

This post has been reproduced from Dancho Danchev's blog. Continue reading →

TorrentReactor.net Serving Crimeware, Client-Side Exploits Through a Malicious Ad

May 11, 2010
Deja vu!

Jerome Segura at the Malware Diaries is reporting that TorrentReactor.net, a high-trafficked torrents tracker, is currently serving live-exploits through a malicious ad served by "Fulldls.com  - Your source for daily torrent downloads".

Why deja vu? It's because the TorrentReactor.net malware campaign takes me back to 2008, among the very first extensive profiling of Russian Business Network activity, with their mass "input validation abuse" campaign back then, successfully appearing on numerous high-trafficked web sites, serving guess what? Scareware.

Moreover, despite the surprisingly large number of people still getting impressed by the use of http referrers as an evasive practice applied by the cybercriminals, these particular campaigns (ZDNet Asia and TorrentReactor IFRAME-ed; Wired.com and History.com Getting RBN-ed; Massive IFRAME SEO Poisoning Attack Continuing) are a great example of this practice in use back then:
  • So the malicious parties are implementing simple referrer techniques to verify that the end users coming to their IP, are the ones they expect to come from the campaign, and not client-side honeypots or even security researchers. And if you're not coming from you're supposed to come, you get a 404 error message, deceptive to the very end of it.
The most recent compromise of TorrentReactor.net appears to be taking place through a malicioud ad serving exploits using the NeoSploit kit, which ultimately drops a ZeuS crimeware sample hosted within a fast-flux botnet.


The campaign structure, including detection rates, phone back locations and ZeuS crimeware fast-flux related data is as follows:
- ads.fulldls.com /phpadsnew/www/delivery/afr.php?zoneid=1&cb=291476
    - ad.leet.la /stats?ref=~.*ads\.fulldls\.com$ - 208.111.34.38 - Email: bertrand.crevin@brutele.com (leet.la - 212.68.193.197 - AS12392, ASBRUTELE AS Object for Brutele SC)
    - lo.dep.lt /info/us1.html - 91.212.127.110 - lo.dep.lt - 91.212.127.110 - AS49087, Telos-Solutions-AS Telos Solutions LTD
        - 91.216.3.108 /de1/index.php; 91.216.3.108 /ca1/main.php - AS50896, PROXIEZ-AS PE Nikolaev Alexey Valerievich
            - 91.216.3.108 responding to gaihooxaefap.com - Nikolay Vukolov, Email: woven@qx8.ru

Upon successful exploitation, the following malicious pdf is served:
- eac27d.pdf - Exploit.PDF-JS.Gen (v); JS:Pdfka-AET; - Result: 6/40 (15%) which when executed phones back to 91.216.3.108 /ca1/banner.php/1fda161dab1edd2f385d43c705a541d3?spl=pdf_30apr and drops:
- myexebr.exe - TSPY_QAKBOT.SMG - Result: 17/41 (41.47%) which then phones back to the ZeuS crimeware C&C: saiwoofeutie.com /bin/ahwohn.bin - 78.9.77.158 - Email: spasm@maillife.ru


Fast-fluxed domains sharing the same infrastructure:
demiliawes.com - Email: bust@qx8.ru
jademason.com - 213.156.118.221; 217.201.4.95; 24.139.152.4; 83.10.238.182; 85.176.73.211; 112.201.223.129; 119.228.44.124; 170.51.231.93 - Email: blare@bigmailbox.ru
laxahngeezoh.com - 190.135.224.89; 213.156.118.221; 217.201.4.95; 24.139.152.4; 83.10.238.182; 85.176.73.211; 112.201.223.129; 119.228.44.124 - Email: zig@fastermail.ru
line-ace.com - Email: greysy@gmx.com
xareemudeixa.com - 112.201.223.129; 119.228.44.124; 170.51.231.93; 190.135.224.89; 213.156.118.221; 217.201.4.95; 24.139.152.4; 85.176.73.211 - Email: writhe@fastermail.ru
zeferesds.com - 190.135.224.89; 213.156.118.221; 217.201.4.95; 24.139.152.4; 83.10.238.182; 85.176.73.211; 112.201.223.129; 119.228.44.124 - Email: mated@freemailbox.ru

Name servers of notice:
ns1.rexonna.net - 202.60.74.39 - Email: aquvafrog@animail.net
ns2.rexonna.net - 25.120.19.23
ns1.line-ace.com - 202.60.74.39 - Email: greysy@gmx.com
ns2.line-ace.com - 67.15.223.219
ns1.growthproperties.net - 62.19.3.2 - Email: growth@support.net
ns2.growthproperties.net - 15.94.34.196
ns1.tropic-nolk.com - 62.19.3.2 - Email: greysy@gmx.com
ns2.tropic-nolk.com - 171.103.51.158

These particular iFrame injection Russian Business Network's campaigns from 2008, used to rely on the following URL for their malicious purposes - a-n-d-the.com/wtr/router.php (216.255.185.82 - INTERCAGE-NETWORK-GROUP2). Why am I highlighting it? Excerpts from previous profiled campaigns, including one that is directly linked to the Koobface gang's blackhat SEO operations.

U.S Federal Forms Blackhat SEO Themed Scareware Campaign Expanding:
  • The compromised/mis-configured web sites participating in this latest blackhat SEO campaign are surprisingly redirecting to a-n-d-the.com /wtr/router.php - 95.168.177.35 - Email: bulk@spam.lv - AS28753 NETDIRECT AS NETDIRECT Frankfurt, DE if the http referrer condition isn't met. This very same domain -- back then parked at INTERCAGE-NETWORK-GROUP2 -- was also used in the same fashion in March, 2008's massive blackhat SEO campaigns serving scareware.
Not only is a-n-d-the.com /wtr/router.php (95.168.177.35) (Web sessions of the URL acting as a redirector), the exact same URL that was in circulating in 2008, residing on the Russian Business Network's netblock back then, still active, but also, it's currently redirecting to -- if the campaign's evasive conditions are met -- to www4.zaikob8.xorg.pl/?uid=213&pid=3&ttl=31345701120 - 217.149.251.12.

What this proves is fairly simple - with or without the Russian Business Network the way we used to know it, it's customers simply moved on to the competition, whereas the original Russian Business Network simply diversified its netblocks ownership.

Related posts:
ZDNet Asia and TorrentReactor IFRAME-ed
Wired.com and History.com Getting RBN-ed
Massive IFRAME SEO Poisoning Attack Continuing

This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter. Continue reading →
Subscribe to: Comments (Atom)