
Historical OSINT - Rogue MyWebFace Application Serving Adware Spotted in the Wild

December 25, 2016
In a cybercrime ecosystem dominated by malicious software releases, cybercriminals continue to actively grow the infected population of their botnets, further spreading malicious software that potentially exposes the confidentiality, integrity and availability of the affected hosts, while monetizing access to the malware-infected hosts largely through affiliate-based monetization schemes.

We've recently intercepted a currently circulating malicious spam campaign that relies on basic visual social engineering to entice users into executing a rogue application, potentially exposing the confidentiality, integrity and availability of the affected host.


In this post we'll profile the campaign, provide actionable intelligence on the infrastructure behind it, and discuss in depth the tactics, techniques and procedures of the cybercriminals behind it.

Related malicious domain reconnaissance:
hxxp://mywebsearch.com - 74.113.233.48; 74.113.237.48; 66.235.119.48
hxxp://mywebface.mywebsearch.com - 74.113.233.64; 74.113.233.180

Sample detection rate for a malicious executable:
MD5: b32acfece8089e52fa2288cb421fa9de

Related malicious domains known to have resolved to the same malicious C&C server IPs (74.113.233.48; 74.113.237.48; 66.235.119.48):
hxxp://myinfo.mywebsearch.com
hxxp://dl.mywebsearch.com
hxxp://tbedits.mywebsearch.com
hxxp://celebsauce.dl.mywebsearch.com
hxxp://bfc.mywebsearch.com
hxxp://bar.mywebsearch.com
hxxp://int.search.mywebsearch.com
hxxp://inboxace.dl.mywebsearch.com
hxxp://internetspeedtracker.dl.mywebsearch.com
hxxp://mywebface.dl.mywebsearch.com
hxxp://easypdfcombine.dl.mywebsearch.com
hxxp://onlinemapfinder.dl.mywebsearch.com
hxxp://eliteunzip.dl.mywebsearch.com
hxxp://mytransitguide.dl.mywebsearch.com
hxxp://packagetracer.dl.mywebsearch.com
hxxp://myway.mywebsearch.com
hxxp://helpint.mywebsearch.com
hxxp://zwinky.dl.mywebsearch.com
hxxp://weatherblink.dl.mywebsearch.com
hxxp://videoscavenger.dl.mywebsearch.com
hxxp://videodownloadconverter.dl.mywebsearch.com
hxxp://translationbuddy.dl.mywebsearch.com
hxxp://totalrecipesearch.dl.mywebsearch.com
hxxp://televisionfanatic.dl.mywebsearch.com
hxxp://retrogamer.dl.mywebsearch.com
hxxp://myscrapnook.dl.mywebsearch.com
hxxp://myfuncards.dl.mywebsearch.com
hxxp://gamingwonderland.dl.mywebsearch.com
hxxp://dictionaryboss.dl.mywebsearch.com
hxxp://astrology.dl.mywebsearch.com
hxxp://utmtrk2.mywebsearch.com
hxxp://utm2.mywebsearch.com
hxxp://utm.trk.mywebsearch.com
hxxp://utm.mywebsearch.com
hxxp://ak.ssl.toolbar.mywebsearch.com
hxxp://www122.mywebsearch.com
hxxp://couponalert.dl.mywebsearch.com
hxxp://help.mywebsearch.com
hxxp://srchsugg.mywebsearch.com
hxxp://utm.gr.mywebsearch.com
hxxp://utmtrk.gr.mywebsearch.com
hxxp://dp.mywebsearch.com
hxxp://download.mywebsearch.com
hxxp://www64.mywebsearch.com
hxxp://filmfanatic.mywebsearch.com
hxxp://mywebface.mywebsearch.com
hxxp://fromdoctopdf.dl.mywebsearch.com
hxxp://www173.mywebsearch.com
hxxp://www153.mywebsearch.com
hxxp://www170.mywebsearch.com
hxxp://www176.mywebsearch.com
hxxp://www155.mywebsearch.com
hxxp://www186.mywebsearch.com
hxxp://www156a.mywebsearch.com
hxxp://www187.mywebsearch.com
hxxp://www198.mywebsearch.com
hxxp://www154.mywebsearch.com
hxxp://cfg.mywebsearch.com
hxxp://mapsgalaxy.dl.mywebsearch.com
hxxp://edits.mywebsearch.com
hxxp://www.mywebsearch.com
hxxp://enable.mywebsearch.com
hxxp://live.mywebsearch.com
hxxp://config.mywebsearch.com
hxxp://anx.mywebsearch.com
hxxp://bstat.mywebsearch.com
hxxp://updates.mywebsearch.com
hxxp://home.mywebsearch.com
hxxp://search.mywebsearch.com
hxxp://stats.mywebsearch.com
hxxp://akd.search.mywebsearch.com
hxxp://ak2.home.mywebsearch.com
hxxp://ak.search.mywebsearch.com
hxxp://ak.toolbar.mywebsearch.com

Related malicious MD5s known to have participated in the campaign:
MD5: 83cdb402fcd68947f7519eaad515fa5a
MD5: 6b31cc25e68d5d008e319c4a1c8c4098
MD5: f2392d18a266f554743b495b4e71b2be
MD5: 9bcaeb5b4bdd6b9e22852a98ca630914
MD5: 4fd260e17ca40a31a7baace9af1b7db9

Once executed, a sample malware (MD5: 83cdb402fcd68947f7519eaad515fa5a) phones back to the following C&C servers:
hxxp://178.150.139.157/search.htm
hxxp://sev2012.com/page_click.php - 141.8.224.239; 54.72.9.51; 91.220.131.33; 91.236.116.20
hxxp://62.122.107.119/install.htm

Known to have resolved to the same malicious C&C server IP (178.150.139.157) are also the following malicious domains:
hxxp://cejzesu.com
hxxp://hqyibul.wuwykym.net

Related malicious MD5s known to have phoned back to the same malicious C&C server IP:
MD5: c92a9961e6096eb7af3a34e9e48114f1
MD5: 25789eec9e0d4b5cdf184bf41460808e
MD5: 1a72e482e6ec352ae4c9206b92776f01
MD5: e22a0fd64e5b6193be655cc29ed19755
MD5: fe8a027fd45ec9621b34a20bc907fb2c

Once executed, a sample malware (MD5: c92a9961e6096eb7af3a34e9e48114f1) phones back to the following C&C servers:
hxxp://178.150.244.54/mod2/mentalc.exe
hxxp://178.150.139.157/mod1/mentalc.exe

Once executed, a sample malware (MD5: 25789eec9e0d4b5cdf184bf41460808e) phones back to the following C&C servers:
hxxp://95.180.66.40/mod2/b0ber01.exe
hxxp://91.245.79.46/mod1/b0ber01.exe
hxxp://178.150.139.157/mod1/b0ber01.exe

Once executed, a sample malware (MD5: 1a72e482e6ec352ae4c9206b92776f01) phones back to the following C&C servers:
hxxp://77.123.73.34/keybex4.exe
hxxp://178.150.139.157/keybex4.exe

Once executed, a sample malware (MD5: e22a0fd64e5b6193be655cc29ed19755) phones back to the following C&C servers:
hxxp://176.194.18.198/mod2/ozersid.exe
hxxp://176.110.28.238/mod1/ozersid.exe
hxxp://46.73.67.61/mod2/ozersid.exe
hxxp://178.150.209.116/mod2/ozersid.exe
hxxp://178.150.139.157/mod2/ozersid.exe
hxxp://193.32.14.186/mod1/ozersid.exe
hxxp://46.211.9.37/mod1/ozersid.exe

Once executed, a sample malware (MD5: fe8a027fd45ec9621b34a20bc907fb2c) phones back to the following C&C servers:
hxxp://178.150.139.157/welcome.htm
hxxp://77.122.28.206/default.htm
hxxp://77.122.28.206/online.htm
hxxp://mydear.name/page_umax.php

Once executed, a sample malware (MD5: 6b31cc25e68d5d008e319c4a1c8c4098) phones back to the following C&C servers:
hxxp://cytpaxiz.us/rasta01.exe
hxxp://60.36.47.71/file.htm
hxxp://219.204.4.3/search.htm

Once executed, a sample malware (MD5: f2392d18a266f554743b495b4e71b2be) phones back to the following C&C servers:
hxxp://46.121.221.173/start.htm
hxxp://burhyyal.epfusgy.com/calc.exe
hxxp://178.150.138.2/install.htm

Once executed, a sample malware (MD5: 9bcaeb5b4bdd6b9e22852a98ca630914) phones back to the following C&C servers:
hxxp://159.224.191.47/install.htm
hxxp://109.87.184.7/setup.htm

Once executed, a sample malware (MD5: 4fd260e17ca40a31a7baace9af1b7db9) phones back to the following C&C servers:
hxxp://178.158.237.37/welcome.htm
hxxp://178.165.13.17/home.htm

Related malicious MD5s known to have phoned back to the same malicious C&C server IP (74.113.233.48):
MD5: a3470a214ec34f7a0b9330e44af80714
MD5: 31593f94936e63152d35ca682fb9ef0b
MD5: eb003b7665b34f6ed3a7944e4254ad2d
MD5: ed1c465beca9596a9031580d1093cb13
MD5: cace61ddd8f8e30cf1f52f9ad6c66578

Once executed, a sample from this set phones back to the following malicious C&C servers:
hxxp://home.mywebsearch.com - 74.113.233.48
hxxp://akd.search.mywebsearch.com - 5.178.43.17
hxxp://ak.imgfarm.com - 90.84.60.81
hxxp://anx.mywebsearch.com - 74.113.233.187

Related malicious MD5s known to have phoned back to the same malicious C&C server IPs:
MD5: 11ddcf7bd806c9ef24cc84a440629e68
MD5: 8c1e63b34c678b48c63ba369239d5718
MD5: 10b4c54646567dcee605f5c36bfa8f17
MD5: 70dbce98f1d62c03317797a1dd3da151
MD5: ee00f47a51e91a1f70a5c7a0086b7220

Once executed, a sample malware (MD5: 11ddcf7bd806c9ef24cc84a440629e68) phones back to the following malicious C&C servers:
hxxp://78.62.197.14/online.htm
hxxp://89.46.92.232/welcome.htm
hxxp://89.46.92.232/login.htm

Once executed, a sample malware (MD5: 8c1e63b34c678b48c63ba369239d5718) phones back to the following malicious C&C servers:
hxxp://109.251.217.207/home.htm
hxxp://109.251.217.207/login.htm

Once executed, a sample malware (MD5: 10b4c54646567dcee605f5c36bfa8f17) phones back to the following malicious C&C server:
hxxp://91.221.219.12/setup.htm

Once executed, a sample malware (MD5: 70dbce98f1d62c03317797a1dd3da151) phones back to the following malicious C&C servers:
hxxp://89.229.4.22/install.htm
hxxp://89.229.4.22/default.htm

Once executed, a sample malware (MD5: ee00f47a51e91a1f70a5c7a0086b7220) phones back to the same malicious C&C servers:
hxxp://89.229.4.22/install.htm
hxxp://89.229.4.22/default.htm

We'll continue monitoring the campaign and post updates as soon as new developments take place.
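The indicator lists above only become actionable once they are machine-readable. The following is an added example, not code from the original post: it parses the post's defanged "hxxp://host - ip; ip" lines and "MD5:" lines (a subset is embedded), normalizes them into domains, IPs, host+path pairs and hashes, and runs them over a proxy log. The log lines, the pipe-delimited log format and the decision to treat any subdomain of a listed apex (mywebsearch.com) as a hit are constructed assumptions of this example, not findings from the post.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Indicators copied from the post above, in its defanged "hxxp://" form.
# Only a subset is embedded here; the full lists can be pasted in as-is.
RAW_IOCS = """
hxxp://mywebsearch.com - 74.113.233.48; 74.113.237.48; 66.235.119.48
hxxp://mywebface.mywebsearch.com - 74.113.233.64; 74.113.233.180
hxxp://sev2012.com/page_click.php - 141.8.224.239; 54.72.9.51; 91.220.131.33; 91.236.116.20
hxxp://178.150.139.157/mod1/mentalc.exe
hxxp://62.122.107.119/install.htm
MD5: 83cdb402fcd68947f7519eaad515fa5a
MD5: c92a9961e6096eb7af3a34e9e48114f1
"""

# Constructed proxy log (not from the post): ts|client|dest_ip|method|url|md5_of_body
SAMPLE_PROXY_LOG = """\
2016-12-20T10:01:02Z|10.0.0.5|74.113.233.48|GET|http://dl.mywebsearch.com/MyWebFaceSetup.exe|83cdb402fcd68947f7519eaad515fa5a
2016-12-20T10:01:09Z|10.0.0.5|93.184.216.34|GET|http://example.com/|
2016-12-20T10:02:11Z|10.0.0.7|178.150.139.157|GET|http://178.150.139.157/mod1/mentalc.exe|
2016-12-20T10:03:30Z|10.0.0.9|198.51.100.20|GET|http://sev2012.com/page_click.php?id=1|
"""


def refang(url):
    """Turn the post's hxxp:// and hxxps:// notation back into a parseable URL."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", url.strip(), flags=re.I)


def parse_iocs(text):
    """Split the post's indicator lines into domains, IPs, (host, path) pairs and MD5s."""
    iocs = {"domains": set(), "ips": set(), "paths": set(), "md5s": set()}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = re.fullmatch(r"MD5:\s*([0-9a-fA-F]{32})", line)
        if m:
            iocs["md5s"].add(m.group(1).lower())
            continue
        # "hxxp://host/path - ip; ip; ip": URL part, then optional resolved IPs
        url, _, resolved = line.partition(" - ")
        parts = urlsplit(refang(url))
        host = (parts.hostname or "").lower()
        if host:
            try:
                ipaddress.ip_address(host)
                iocs["ips"].add(host)
            except ValueError:
                iocs["domains"].add(host)
        if parts.path and parts.path != "/":
            iocs["paths"].add((host, parts.path))
        for ip in resolved.split(";"):
            ip = ip.strip()
            if ip:
                iocs["ips"].add(str(ipaddress.ip_address(ip)))  # raises on garbage
    return iocs


def domain_hits(host, domains):
    """Return every listed domain that host equals or is a subdomain of,
    so dl.mywebsearch.com matches the listed apex mywebsearch.com."""
    labels = host.lower().split(".")
    candidates = [".".join(labels[i:]) for i in range(len(labels) - 1)]
    return [c for c in candidates if c in domains]


def scan_proxy_log(log_text, iocs):
    """Return (line_no, client, sorted reasons) for each log line touching an indicator."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        if not line.strip():
            continue
        _ts, client, dest_ip, _method, url, md5 = line.split("|")
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        reasons = set()
        if dest_ip in iocs["ips"]:
            reasons.add(f"ip:{dest_ip}")
        if host in iocs["ips"]:
            reasons.add(f"ip:{host}")
        for d in domain_hits(host, iocs["domains"]):
            reasons.add(f"domain:{d}")
        if (host, parts.path) in iocs["paths"]:
            reasons.add(f"path:{host}{parts.path}")
        if md5 and md5.lower() in iocs["md5s"]:
            reasons.add(f"md5:{md5.lower()}")
        if reasons:
            hits.append((n, client, sorted(reasons)))
    return hits


if __name__ == "__main__":
    for n, client, reasons in scan_proxy_log(SAMPLE_PROXY_LOG, parse_iocs(RAW_IOCS)):
        print(f"line {n}: {client} -> {', '.join(reasons)}")
```

Matching on the apex domain catches the whole dl.mywebsearch.com download family, but it also flags every other subdomain of a vendor whose toolbar some organizations tolerate, so treat these hits as a PUA hunt lead rather than an automatic block. The last sample line shows why domain and path indicators matter alongside IPs: sev2012.com is flagged even though it resolves to an address the post never listed.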

Facebook Circulating 'Who's Viewed Your Profile' Campaign Exposes 800k+ Users to CrossRider PUA/Rogue Firefox Add-ons/Android Adware AirPush

December 04, 2013

A massive privacy-violating "Who's Viewed Your Profile" campaign circulating on Facebook has been operating beneath the radar, exposing over 800,000 users internationally to a cocktail of PUAs (Potentially Unwanted Applications), rogue Firefox add-ons impersonating Adobe's Flash Player, and the Android adware AirPush.

Relying on the proven social engineering tactic of offering a feature the platform itself does not provide, and hosting the rogue files on legitimate service providers (Google Docs and Dropbox in this particular case), the campaign is a good example of how a social engineering scheme that is ubiquitous on the social network continues to trick gullible and uninformed users into installing privacy-violating applications on their hosts and mobile devices.

Let's dissect the campaign, expose its infrastructure, (conservatively) assess the damage, and provide fresh MD5s for the currently served privacy-violating PUAs, Firefox add-ons, and Android adware.

Primary spamvertised Facebook URL: FCOSYUC.tk/?15796422
Redirection chain: p2r0f3rviewer9890.co.nf -> bit.ly/1bZCeNv?vsdvc -> wh0prof.uni.me/?sdvsjka -> wh0prof.uni.me/ch/
Rogue Chrome Web Store extension URL (currently offline): hxxps://chrome.google.com/webstore/detail/dllaajjfgpigkeblmlbamflggfjkgbej
Campaign's GA Account ID: UA-12798017-1


Domain name reconnaissance:
wh0prof.uni.me - 192.157.201.42

Known to have responded to the same IP are also the following domains:
cracks4free.info
pr0lotra.p9.org


Google Docs Hosted PUA URLs:
hxxps://docs.google.com/uc?authuser=0&id=0BziH-mKCuQwqVFljUDBnTjFHdVE&export=download
hxxps://docs.google.com/uc?authuser=0&id=0BziH-mKCuQwqRXBMLWZ4cVZJV2s&export=download
hxxps://docs.google.com/uc?authuser=0&id=0BziH-mKCuQwqUjllLWc4MVFRQUk&export=download
hxxps://docs.google.com/uc?authuser=0&id=0BziH-mKCuQwqOXlyNko0VFBOdnM&export=download
hxxps://docs.google.com/uc?authuser=0&id=0BziH-mKCuQwqZm5yeUFudFhqclU&export=download
hxxps://docs.google.com/uc?authuser=0&id=0BziH-mKCuQwqbWpfNW5FalJmRGM&export=download
hxxps://docs.google.com/uc?authuser=0&id=0BziH-mKCuQwqS3V1ZkZBQjJGbjQ&export=download
hxxps://docs.google.com/uc?authuser=0&id=0BziH-mKCuQwqX2xXbEJLbEY0Q3M&export=download
hxxps://docs.google.com/uc?authuser=0&id=0BziH-mKCuQwqMU5RVkJSWURxME0&export=download
hxxps://docs.google.com/uc?authuser=0&id=0BziH-mKCuQwqVFljUDBnTjFHdVE&export=download


Dropbox Firefox Add-on/Android APK Hosted URLs:
hxxps://dl.dropboxusercontent.com/s/so3vm50w298qkto/WhoViewsYourProfile.apk
hxxps://dl.dropboxusercontent.com/s/kor9c2mqv49esva/kkadobe-ff.xpi
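Two things in the infrastructure above deserve tooling: the redirection chain, which walks through throwaway free-hosting domains and a URL shortener before the landing page, and the payload URLs, which sit on Google Docs, Dropbox and the Chrome Web Store, where the hosting domain cannot be blocked and the only usable indicator is the file or extension identifier. The following is an added example, not code from the original post: it parses the post's chain into classified hops and pulls the provider-specific identifiers out of the post's payload URLs (a subset is embedded, including the Google Docs ID the post lists twice). The shortener and free-hosting suffix sets are assumptions drawn from the hosts that appear in this post, not a vetted list.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Entry point and redirection chain as listed in the post (it gives them separately).
ENTRY_URL = "FCOSYUC.tk/?15796422"
REDIRECTION_CHAIN = ("p2r0f3rviewer9890.co.nf -> bit.ly/1bZCeNv?vsdvc -> "
                     "wh0prof.uni.me/?sdvsjka -> wh0prof.uni.me/ch/")
FULL_CHAIN = ENTRY_URL + " -> " + REDIRECTION_CHAIN

# Subset of the cloud-hosted payload URLs from the post; the first Google Docs ID
# appears twice in the post's list and is kept twice here on purpose.
PAYLOAD_URLS = [
    "hxxps://docs.google.com/uc?authuser=0&id=0BziH-mKCuQwqVFljUDBnTjFHdVE&export=download",
    "hxxps://docs.google.com/uc?authuser=0&id=0BziH-mKCuQwqRXBMLWZ4cVZJV2s&export=download",
    "hxxps://docs.google.com/uc?authuser=0&id=0BziH-mKCuQwqVFljUDBnTjFHdVE&export=download",
    "hxxps://dl.dropboxusercontent.com/s/so3vm50w298qkto/WhoViewsYourProfile.apk",
    "hxxps://dl.dropboxusercontent.com/s/kor9c2mqv49esva/kkadobe-ff.xpi",
    "hxxps://chrome.google.com/webstore/detail/dllaajjfgpigkeblmlbamflggfjkgbej",
]

# Assumptions, not from the post: which hosts count as shorteners and which
# suffixes count as free/throwaway hosting. Extend both for your environment.
SHORTENERS = {"bit.ly"}
FREE_HOST_SUFFIXES = {"tk", "co.nf", "uni.me", "p9.org"}


def _split(url):
    """Refang hxxp(s):// and add a scheme so urlsplit sees the host as a host."""
    url = re.sub(r"^hxxp(s?)://", r"http\1://", url.strip(), flags=re.I)
    if "://" not in url:
        url = "http://" + url
    return urlsplit(url)


def classify_host(host):
    """Label a hop as a URL shortener, a free-hosting domain, or anything else."""
    host = host.lower()
    if host in SHORTENERS:
        return "shortener"
    if any(host == s or host.endswith("." + s) for s in FREE_HOST_SUFFIXES):
        return "free-host"
    return "other"


def parse_chain(chain):
    """Turn 'a -> b -> c' into one dict per hop with host, path, query and kind."""
    hops = []
    for raw in chain.split("->"):
        p = _split(raw)
        host = (p.hostname or "").lower()
        hops.append({"host": host, "path": p.path or "/", "query": p.query,
                     "kind": classify_host(host)})
    return hops


def extract_cloud_payload(url):
    """Return (provider, identifier, filename) for a payload hosted on a legitimate
    service, or None. The identifier is what an abuse report or a log search needs,
    because the hosting domain itself is not blockable."""
    p = _split(url)
    host = (p.hostname or "").lower()
    if host == "docs.google.com" and p.path == "/uc":
        ids = parse_qs(p.query).get("id")
        if ids:
            return ("google-drive", ids[0], None)
    if host == "dl.dropboxusercontent.com":
        m = re.fullmatch(r"/s/([A-Za-z0-9]+)/([^/]+)", p.path)
        if m:
            return ("dropbox", m.group(1), m.group(2))
    if host == "chrome.google.com":
        # Extension IDs are 32 characters from a-p; a name segment may precede the ID.
        m = re.fullmatch(r"/webstore/detail/(?:[^/]+/)?([a-p]{32})", p.path)
        if m:
            return ("chrome-webstore", m.group(1), None)
    return None


def unique_payloads(urls):
    """Deduplicate by (provider, identifier); the post's Google Docs list repeats one."""
    seen = {}
    for u in urls:
        rec = extract_cloud_payload(u)
        if rec and (rec[0], rec[1]) not in seen:
            seen[(rec[0], rec[1])] = rec
    return list(seen.values())


if __name__ == "__main__":
    for i, hop in enumerate(parse_chain(FULL_CHAIN)):
        print(f"hop {i}: {hop['host']}{hop['path']} [{hop['kind']}]")
    for provider, ident, name in unique_payloads(PAYLOAD_URLS):
        print(f"{provider}: {ident}" + (f" ({name})" if name else ""))
```

The hop classification is what makes the chain readable at a glance: every host before the landing page is either a free-hosting domain or a shortener, which is exactly the cheap, disposable infrastructure the post describes. The extracted Drive, Dropbox and Web Store identifiers are the right unit for an abuse report to each provider and for a proxy-log search, since blocking docs.google.com or dropboxusercontent.com outright is rarely an option.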



Detection rate for the served PUAs, the Android adware and the rogue Firefox Add-on:
MD5: c7fcf7078597ea752b8d54e406c266a7 - detected by 5 out of 48 antivirus scanners as PUP.Optional.CrossRider
MD5: 30cf98d7dc97cae57f8d72487966d20b - detected by 6 out of 48 antivirus scanners as Trojan.Dropper.FB
MD5: f2459b6bde1d662399a3df725bf8891b - detected by 13 out of 48 antivirus scanners as Adware/AirPush!Android; Android Airpush; Adware/ANDR.Airpush.G.Gen
MD5: 3fb95e1ed77d1b545cf7385b4521b9ae - detected by 18 out of 48 antivirus scanners as JS/TrojanClicker.Agent.NDL

Once executed, MD5: 30cf98d7dc97cae57f8d72487966d20b phones back to 195.167.11.4.

Time to (conservatively) assess the campaign's damage over the year(s):

The click-through rate should be considered conservative, and it remains unknown whether the URL shortening service was used by the cybercriminal(s) since day one of the campaign.

The campaign remains active and is just the tip of the iceberg in terms of similar campaigns tricking Facebook users into thinking that they can eventually see who's viewed their profile. Facebook users who stumble across such campaigns on their own or their friends' Walls are advised to report the campaign to Facebook immediately.