We've recently intercepted a high-profile, Linux-based, botnet-driven piece of malicious software that is capable of launching a multitude of attacks from compromised servers, potentially exposing the integrity, confidentiality and availability of those servers. Malicious attackers often rely on compromised servers to launch DDoS (Distributed Denial of Service) attacks, to spread additional malicious software to potential users, and to monetize the access by offering DDoS-for-hire type fraudulent services, including high-performance DDoS attacks.
In this post, we'll profile and analyze the Bill Gates botnet, provide actionable intelligence on the infrastructure behind it, and discuss in depth the tactics, techniques and procedures of the cybercriminals behind it.
Malicious MD5s known to be part of the Bill Gates botnet:
Known Bill Gates botnet C&C server:
hxxp://dgnfd564sdf.com - 122.224.34.42; 122.224.50.37
Malicious C&C servers known to be part of the Bill Gates botnet:
Known to have responded to the same malicious IP (122.224.50.37) are also the following malicious domains:
Malicious MD5s known to have phoned back to the same C&C server IP (122.224.50.37):
Known to have responded to the same malicious IP (122.224.34.42) are also the following malicious domains:
Malicious MD5s known to have been downloaded from the same malicious C&C server IP (122.224.34.42):
MD5: 5d10bcb15bedb4b94092c4c2e4d245b6
MD5: 9a77f1ad125cf34858be5e438b3f0247
Malicious MD5s known to have phoned back to the same malicious C&C server IP (122.224.34.42):
MD5: 815e453b6e268addf6a6763bfe013928
Once executed, the sample phones back to the following malicious C&C server IPs:
hxxp://awooolsf.com/222.txt - 122.224.34.42
hxxp://xxx.com/download/xx.exe - 67.23.112.226
Known to have responded to the same malicious IP (67.23.112.226) are also the following malicious domains:
Known to have been downloaded from the same malicious IP (67.23.112.226) are also the following malicious MD5s:
MD5: b4b483eb0d25fa3a9ec589eb11467ab8
Known to have phoned back to the same malicious C&C server (67.23.112.226) are also the following malicious MD5s:
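The pivots this post walks through (C&C IP to the domains that responded to it, domains and IPs to the samples that phoned back, samples to their secondary C&C servers) can be reproduced mechanically over passive-DNS and sandbox-callback data. The Python below is an added example, not code from the post: its records are a constructed dataset that reuses a handful of the indicators above, the function names are assumptions, and it goes one step beyond the post by refusing to expand "hub" IPs so that shared hosting does not drag unrelated tenants into the result.

```python
"""Infrastructure pivoting over passive-DNS and sandbox-callback records.

Added example, not code from the original post. The records are a constructed
dataset that reuses a few indicators from the post; function names are
hypothetical. A breadth-first pivot from a seed C&C IP collects co-hosted
domains, the samples that phoned back to it, and their secondary servers,
while refusing to expand "hub" IPs (shared hosting / CDN addresses) that
would otherwise pull unrelated domains into the report.
"""
from collections import defaultdict, deque

# Constructed passive-DNS observations (domain, ip): values taken from the post,
# plus one unrelated pair to show that it is not pulled in.
PDNS = [
    ("dgnfd564sdf.com", "122.224.34.42"),
    ("dgnfd564sdf.com", "122.224.50.37"),
    ("awooolsf.com", "122.224.34.42"),
    ("588bc.com", "122.224.34.42"),
    ("lfs99.com", "122.224.50.37"),
    ("falconglobalimpex.com", "67.23.112.226"),
    ("deschatz-army.net", "67.23.112.226"),
    ("unrelated.example", "203.0.113.9"),  # constructed noise
]

# Constructed sandbox callbacks (md5, ip the sample phoned back to).
CALLBACKS = [
    ("815e453b6e268addf6a6763bfe013928", "122.224.34.42"),
    ("815e453b6e268addf6a6763bfe013928", "67.23.112.226"),
    ("5d10bcb15bedb4b94092c4c2e4d245b6", "122.224.34.42"),
    ("b4b483eb0d25fa3a9ec589eb11467ab8", "67.23.112.226"),
    ("00000000000000000000000000000000", "203.0.113.9"),  # constructed noise
]

SEED = ("ip", "122.224.34.42")


def build_graph(pdns, callbacks):
    """Undirected adjacency map over typed nodes ('domain'|'ip'|'md5', value)."""
    graph = defaultdict(set)
    for domain, ip in pdns:
        graph[("domain", domain)].add(("ip", ip))
        graph[("ip", ip)].add(("domain", domain))
    for md5, ip in callbacks:
        graph[("md5", md5)].add(("ip", ip))
        graph[("ip", ip)].add(("md5", md5))
    return graph


def pivot(graph, seed, max_depth=3, hub_limit=50):
    """Breadth-first pivot. Returns {node: (depth, node it was reached from)}.

    An IP other than the seed with more than hub_limit neighbours is kept in
    the result but not expanded: on shared hosting or a CDN, "responded to
    the same IP" says nothing about the other tenants.
    """
    found = {seed: (0, None)}
    queue = deque([seed])
    while queue:
        node = queue.popleft()
        depth = found[node][0]
        if depth >= max_depth:
            continue
        if node != seed and node[0] == "ip" and len(graph[node]) > hub_limit:
            continue
        for neighbour in sorted(graph[node]):
            if neighbour not in found:
                found[neighbour] = (depth + 1, node)
                queue.append(neighbour)
    return found


def related(found, kind):
    """Sorted values of one indicator type reached from the seed (seed excluded)."""
    return sorted(v for (k, v), (depth, _) in found.items() if k == kind and depth > 0)


def path_to(found, node):
    """Chain of pivots from the seed to node, for documenting how it was reached."""
    path = []
    while node is not None:
        path.append(node)
        node = found[node][1]
    return path[::-1]


if __name__ == "__main__":
    graph = build_graph(PDNS, CALLBACKS)
    found = pivot(graph, SEED)
    for kind in ("domain", "ip", "md5"):
        print(f"{kind}s related to {SEED[1]}: {related(found, kind)}")
    chain = path_to(found, ("domain", "falconglobalimpex.com"))
    print("pivot chain:", " -> ".join(f"{k}:{v}" for k, v in chain))
```

Lower `hub_limit` (or raise `max_depth`) to see how quickly a pivot either stops at a busy address or balloons; each reported indicator carries its pivot chain so the analyst can justify it.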
This post has been reproduced from Dancho Danchev's blog.
In the overwhelming sea of information, access to timely, insightful and independent open-source intelligence (OSINT) analyses is crucial for maintaining the situational awareness needed to stay on top of emerging security threats. This blog covers trends and fads, tactics and strategies, intersecting with third-party research, speculation and real-time CYBERINT assessments, all packed with a sarcastic attitude.
Sunday, April 24, 2016
Analyzing the Bill Gates Botnet - An Analysis
Independent Security Consultancy, Threat Intelligence Analysis (OSINT/Cyber Counter Intelligence) and Competitive Intelligence research on demand. Insightful, unbiased, and client-tailored assessments, neatly communicated in the form of interactive reports - because anticipating the emerging threatscape is what shapes the big picture at the end of the day. Approach me at dancho.danchev@hush.com
Cybercriminals Launch Malicious Malvertising Campaign, Thousands of Users Affected
We've recently intercepted a currently ongoing malicious malvertising attack affecting thousands of users globally, potentially exposing their PCs to a multitude of malicious software and compromising the integrity, confidentiality and availability of their PCs.
The campaign relies on the Angler Web malware exploitation kit to serve malicious software on the PCs of affected users, exposing them to a multitude of malicious software and potentially leading to a compromise of their PCs. Once users visit a legitimate Web site that is part of the campaign, their PCs automatically become part of the botnet operated by the cybercriminals behind it, with the campaign relying on the exploitation of a well-known client-side vulnerability.
Cybercriminals often rely on compromised accounting data, obtained through active data mining of a botnet's infected population, to embed malicious client-side exploits on well-known and highly popular Web sites, next to the active client-side exploitation of known vulnerabilities found on public and well-known Web sites. Yet another highly popular attack vector remains the use of a compromised advertising network publisher's account, taking advantage of the publisher's already established clean network reputation.
In this post, we'll profile the malicious campaign, provide actionable intelligence on the infrastructure behind it, provide malicious MD5s, and discuss in depth the tactics, techniques and procedures utilized by the cybercriminals behind it.
Sample detection rate for the Trojan.Win32.Waldek.gip malware:
MD5: f2b92d07bb35f1649b015a5ac10d6f05
Once executed, the sample phones back to:
hxxp://datanet.cc/extra/status.html - 146.185.251.154
Malicious URLs used in the campaign:
hxxp://gamergrad.top/track/k.track?wd=48&fid=2 - 104.24.112.169
hxxp://talk915.pw/track/k.track?wd=48&fid=2 - 104.27.190.84
Known to have responded to the same IP (146.185.251.154) are also the following malicious domains:
Once executed, the sample phones back to the following C&C server:
hxxp://188.138.70.19
Known to have responded to the same IP (188.138.70.19) are also the following malicious domains:
hxxp://alfatrade.cxaff.com
hxxp://affiliates.alfatrade.com
Known to have phoned back to the same malicious C&C server are also the following malicious MD5s:
Related malicious MD5s known to have phoned back to the same C&C server:
Hundreds of Google Play Apps Compromised, Lead to Mobile Malware
Malicious attackers have managed to infiltrate and populate Google Play with hundreds of rogue applications, exposing users to mobile malware, compromising the integrity of their devices and exposing them to misleading advertisements. Once a socially engineered user obtains the application and executes it on their device, the malware phones back to a malicious URL, exposing the integrity, confidentiality and availability of the device.
Malicious attackers often rely on a variety of social engineering tactics to obtain access to a user's device, including the use of compromised publisher accounts obtained through data mining of a botnet's infected population. Once access to a particular publisher's account is obtained, the malicious attackers would attempt to use a do-it-yourself type of mobile malware generating tool to modify a legitimate application for the purpose of obtaining access to a user's device.
Malicious attackers are also known to rely on secondary marketplaces, populated with rogue and compromised applications, in an attempt to obtain access to users' devices.
Once a socially engineered user obtains an application, their device automatically becomes part of a malicious attacker's botnet, with the attackers relying on a multitude of monetization techniques while earning fraudulently obtained revenue in the process. Malicious attackers are also known to rely on rogue and fraudulent affiliate networks to monetize access to the obtained hosts through a variety of rogue advertising networks, largely set up for the purpose of earning fraudulent revenue for the malicious attackers.
These affiliate networks are known to provide managed support, including the systematic rotation of the command and control server and the availability of various templates, empowering malicious attackers with access to a variety of fraudulent techniques that allow them to easily monetize access to the infected hosts.
In this post, we'll profile the Android.Spy.277.origin mobile malware found in hundreds of applications on Google Play, expose the malicious infrastructure behind it, provide MD5s, and discuss in depth the various tactics, techniques and procedures utilized by malicious attackers to spread mobile malware and trick users into executing malicious software on their devices.
Sample detection rate for a sample malware:
MD5: a51d7f8413aa3857a4682fa631d39054
Once executed, the sample phones back to the following C&C server:
hxxp://startappexchange.com - 184.26.136.91; 184.26.136.113
The same malicious C&C server (startappexchange.com) is also known to have responded to the following IPs:
Related malicious MD5s known to have phoned back to the same C&C server:
Friday, August 28, 2015
Historical OSINT - How TROYAK-AS Utilized BGP-over-VPN to Serve the Avalanche Botnet
Historical OSINT is a crucial part of an intelligence analyst's mindset, positioning a growing or emerging trend as a critical long-term early-warning indicator and highlighting the importance of current and emerging trends.
In this post, I'll discuss Troyak-AS, a well-known cybercrime-friendly hosting provider that accounted for the highest percentage of malicious and fraudulent activity online throughout 2010, its upstream provider NetAssist LLC, and most importantly a malicious innovation applied by cybercriminals at the time, namely the introduction of malicious netblocks and ISPs within the RIPE registry, relying on OPSEC (Operational Security) and basic evasive practices.
According to RSA, the Ukraine-based ISP NetAssist LLC is listed as a legitimate ISP, one whose services haven't been abused in any particular cybercrime-friendly way.
This analysis will not only prove otherwise, namely that NetAssist LLC's involvement in introducing a dozen cybercrime-friendly networks, including TROYAK-AS, took place for purely commercial reasons, with the ISP charging thousands of euros for the process, but will also expose a malicious innovation applied on behalf of opportunistic cybercriminals at the time, namely the introduction of innovative bulletproof hosting tactics, techniques and procedures.
Domain name reconnaissance:
troyak.org - 74.208.21.227 (AS8560); 195.93.184.1 (AS44310) - Email: staruy.rom@troyak.org; staruy.rom@inbox.ru
smallshopkz.org - 195.78.123.1 (AS12570)
Name servers:
ns.troyak.org - 195.93.184.1 - (AS44307) ALYANSHIMIYA
ns.bgpvpn.kz - 91.213.93.10
ns.smallshopkz.org (195.78.123.1) is also known to have offered DNS services to prombd.net (AS44107) PROMBUDDETAL (AS50215 Troyak-as at the time responding to ctlan.net) - 91.201.30.1, and to vesteh.net (AS47560) VESTEH-NET - 91.200.164.1
Domain name reconnaissance:
bgpvpn.kz
Domain name reconnaissance:
smallshopz.biz
NetAssist LLC (netassist.ua) (AS29632) reconnaissance:
Is NetAssist LLC purposely offering its services for orchestrating cybercrime-friendly campaigns, in typical bulletproof cybercrime-friendly fashion, or has it been abused by opportunistic cybercriminals earning fraudulently obtained revenue in the process? Based on the analysis in this post, and the fact that the company continues offering IPv4 RIPE announcing services, I believe that on the majority of occasions the company has had its services abused throughout 2010, leading to the rise of the Avalanche botnet.
I expect to continue observing this type of abuse; however, in a cybercrime ecosystem dominated by the abuse of legitimate services, I believe that cybercriminals will continue to efficiently bypass the defensive measures in place through the abuse and compromise of legitimate infrastructure.
Tags: Avalanche Botnet, Botnet, Cybercrime, Hacking, Information Security, Malicious Software, NetAssist LLC, Security, TROYAK-AS
Thursday, August 27, 2015
Historical OSINT: OPSEC-Aware Sprott Asset Management Money Mule Recruiters Recruit, Serve Crimeware, And Malvertisements
Cybercriminals continue multitasking on their way to taking advantage of well-proven fraudulent revenue sources, further positioning themselves as opportunistic market participants, generating fraudulent revenue and standardizing and innovating within the context of OPSEC (Operational Security) while enjoying a decent market share within the cybercrime ecosystem.
In this post, I'll profile a money mule recruitment campaign featuring a custom fake certificate that successfully blocks access to bobbear.co.uk as well as to my personal blog, and expose the malicious infrastructure behind it.
Let's assess the campaign, and expose the malicious infrastructure behind it.
The fake Sprott Asset Management sites entice end users into installing a fake, malicious certificate as a prerequisite to working with them, with hosting courtesy of ALFAHOSTNET (AS50793), a well-known cybercrime-friendly hosting provider that has been involved in a variety of malvertising campaigns, including related malicious campaigns that I'll expose in this post.
Domain name reconnaissance for the malicious hosting provider:
alfa-host.net - (AS50793) - Email: alitalaghat@gmail.com; Name: Mohmmad Ali Talaghat (webalfa.net - 78.47.156.245 also registered with the same email)
Name Server: NS1.ALFA-HOST.NET
Name Server: NS2.ALFA-HOST.NET
Alfa-host LLP - (AS50793)
person: Romanov Artem Alekseevich
phone: +75.332211183
address: Kazakhstan, Karagandinskaya obl, Karaganda, ul. Erubaeva 57, 14
Upstream provider reconnaissance:
LLC TC "Interzvyazok"
Hvoiki 15/15
04080 Kiev
UKRAINE
phone: +380 44 238 6333
fax: +380 44 238 6333
e-mail: dz (at) intersv (dot) com
The same upstream provider (Interzvyazok; intersv.com) is also known to have offered services to yet another bulletproof hosting provider in 2011.
Domain name reconnaissance:
sprottcareers.com - 193.105.207.105; 88.212.221.46
sprottcorporate.com - 193.105.207.105; 88.212.221.46
sprottcorporate.com - 92.241.162.58
sprottweb.com - 193.105.207.105; 88.212.221.46
Domain name reconnaissance:
allianceassetonline.com - 92.241.162.58
allianceassetweb.com - 88.212.221.41
uptusconsulting.net - Email: terrizziboris@googlemail.com - 92.241.162.58
Known to have responded to the same IP (193.105.207.105) are also the following malicious domains:
Related MD5s known to have phoned back to the same IP (193.105.207.105):
Related malicious domains known to have been active within ALFAHOSTNET (AS50793):
Known to have responded to the same IP (88.212.221.46) in the past, are also the following malicious domains:
liramdelivery.com - Email: carlyle.jeffrey@gmail.com
ffgroupjobs.com - Email: FfGroupJobs@dnsname.info
secretconsumeril.com
Name servers:
ns2.uptusconsulting.net - 92.241.162.58
ns2.sprottcorporate.com - 92.241.162.58
ns2.sprottweb.com - 92.241.162.58
allianceassetweb.com - Email: martins.allianceam@gmail.com
Surprise, surprise. We've also got the following fraudulent domains responding to the same name servers' IP (92.241.162.58; ns1.oildns.net, ns2.oildns.net) back in 2009.
What's particularly interesting is the fact that in 2010 we've also got 92.241.162.58 hosting the following malicious MD5s:
MD5: 8ee5435004ad523f4cbe754b3ecdb86e
MD5: 38f5e6a59716d651915a895c0955e3e6
We've also got ns1.oildns.net responding to 93.174.92.220, with that name server's IP known to have hosted the following malicious MD5:
MD5: 5ae4b6235e7ad1bf1e3c173b907def17
Sample detection rate for the malicious certificate:
MD5: ec39239accb0edb5fb923c25ffc81818 - detected by 23 out of 42 antivirus scanners as Gen:Trojan.Heur.SFC.juZ@aC7UB8eib
Sample detection rate for the HOSTS file modifying sample:
MD5: 969001fcc1d8358415911db90135fa84 - detected by 14 out of 42 antivirus scanners as Trojan.Generic.4284920
Once executed, the sample modifies the HOSTS file on the affected host, adding the following entries (most of them blocking access to search engines and anti-fraud resources):
127.0.0.1 google.com
127.0.0.1 google.co.uk
127.0.0.1 www.google.com
127.0.0.1 www.google.co.uk
127.0.0.1 suckerswanted.blogspot.com
127.0.0.1 ideceive.blogspot.com
127.0.0.1 www.bobbear.co.uk
127.0.0.1 bobbear.co.uk
127.0.0.1 reed.co.uk
127.0.0.1 seek.com.au
127.0.0.1 scam.com
127.0.0.1 scambusters.org
127.0.0.1 www.guardian.co.uk
127.0.0.1 ddanchev.blogspot.com
127.0.0.1 aic.gov.au
127.0.0.1 google.com.au
127.0.0.1 www.reed.co.uk
209.171.44.117 www.sprott.com
209.171.44.117 sprott.com
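The HOSTS entries above are easy to audit from the defender's side. The following is an added example (not the post's own code, and not part of the sample) that parses HOSTS-file text and flags the two patterns the sample relies on: public hostnames pinned to the loopback address (silent blocking) and hostnames pinned to a routable address (bypassing DNS). The sample HOSTS text is constructed from the entries above plus a few benign lines; the LOOPBACK_OK set is an assumption, and because the rules need no watchlist they generalise beyond the names the post lists.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample: the HOSTS entries the post says the sample writes,
# plus a comment and the stock localhost lines so the parser has to skip them.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1 localhost
::1 localhost
127.0.0.1 google.com
127.0.0.1 www.google.co.uk
127.0.0.1 bobbear.co.uk
127.0.0.1 scambusters.org
127.0.0.1 ddanchev.blogspot.com
209.171.44.117 www.sprott.com
209.171.44.117 sprott.com
"""

# Names that legitimately resolve to loopback (assumed baseline, extend per OS).
LOOPBACK_OK = {"localhost", "localhost.localdomain", "broadcasthost",
               "ip6-localhost", "ip6-loopback"}


@dataclass(frozen=True)
class Finding:
    line_no: int
    hostname: str
    address: str
    kind: str  # "loopback_block" or "redirect"


def parse_hosts(text):
    """Yield (line_no, ip, hostname) for every mapping in a HOSTS file.

    Comments ("# ...") are stripped and one address may carry several names.
    Lines whose first token is not an IP address are ignored as malformed.
    """
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue
        for host in parts[1:]:
            yield line_no, ip, host.lower()


def audit_hosts(text):
    """Return Finding objects for HOSTS mappings worth a second look.

    loopback_block: a hostname other than the localhost names mapped to a
                    loopback address, which silently blocks the site.
    redirect:       a hostname mapped to a globally routable address, which
                    pins the name and bypasses DNS; whether the address is
                    the site's real one must be checked separately.
    Mappings to private or link-local space (lab hosts) are left alone.
    """
    findings = []
    for line_no, ip, host in parse_hosts(text):
        if ip.is_loopback:
            if host not in LOOPBACK_OK:
                findings.append(Finding(line_no, host, str(ip), "loopback_block"))
        elif ip.is_global:
            findings.append(Finding(line_no, host, str(ip), "redirect"))
    return findings


def summarize(findings):
    """Group findings as {kind: sorted hostnames} for a quick triage view."""
    summary = {}
    for f in findings:
        summary.setdefault(f.kind, set()).add(f.hostname)
    return {kind: sorted(names) for kind, names in summary.items()}


if __name__ == "__main__":
    for f in audit_hosts(SAMPLE_HOSTS):
        print(f"line {f.line_no}: {f.kind:14s} {f.hostname} -> {f.address}")
```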
Sample confirmation email courtesy of Sprott Asset Management:
WORKING PROCESS
During all working process you will process incoming and outgoing transfers from our clients. Main duties are: send payments, receive payments, making records of billing, making simple management duties, checking e-mail daily. You have to provide us your cell phone for urgent calls from your manager. If you don’t have a cell phone you will need to buy it. You must have basic computer skills to operate main process of job duties.
SALARY
During the trial period (1 month), you will be paid 4,600$ per month while working on average 3 hours per day, Monday-Friday, plus 8% commission from every payment received and processed. The salary will be sent in the form of wire transfer directly to your account or you may take it from received funds directly. After the trial period your base pay salary will go up to 6,950$ per month, plus 10% commission.
FEES & TRANSFERRING PROCEDURE
All fees are covered by the company. The fees for transferring are simply deducted from the payments received. Customer will not contact you during initial stage of the trial period. After three weeks of the trial period you will begin to have contact with the customers via email in regards to collection of the payments. For the first three weeks you will simply receive all of the transferring details, and payments, along with step by step guidance from your supervisor. You will be forwarding the received payments through transferring agents such as Western Union, Money Gram, any P2P agents or by wire transferring.
WESTERN UNION & MONEYGRAM
1. As soon as You receive money transfers from our clients you are supposed to cash it in your bank.
2. You will need to pick up the cash physically at the bank, as well as a transfer to MoneyGram.
3. Please use MoneyGram, located not in your bank, because this providing of anonymity of our clients.
4. The cashed amounts of money should be transferred to our clients via MoneyGram/Western Union according to our transfer instructions except all the fees. The fees are taken from the amount cashed.
5. Not use online service, only physical presence in an office of bank and Western Union.
6. Just after you have transferred money to our clients, please contact your personal manager via e-mail (confirmation of the transfer) and let him (her) know all the details of your Western Union transfer: SENDER'S NAME, CONTACT DETAILS, ADDRESS, AND A REFERENCE NUMBER. PLEASE BE VERY CAREFUL WHEN YOU RESEND FUNDS, THERE MUST BE NO MISTAKES, because our client will not be able to withdraw the funds.
7. All procedures have to take 1-2 hours, because we have to provide and verify the safety of our clients' money (we have to inform them about all our actions).
Your manager will support you in any step of application process, if you have any questions you may ask it anytime.
Go through related research regarding money mule recruitment:
- Profiling a Novel, High Profit Margins Oriented, Legitimate Companies Brand-Jacking Money Mule Recruitment Scheme
- Spotted: cybercriminals working on new Western Union based ‘money mule management’ script
- Keeping Money Mule Recruiters on a Short Leash - Part Eleven
- Keeping Money Mule Recruiters on a Short Leash - Part Ten
- Keeping Money Mule Recruiters on a Short Leash - Part Nine
- Keeping Money Mule Recruiters on a Short Leash - Part Eight - Historical OSINT
- Keeping Money Mule Recruiters on a Short Leash - Part Seven
- Keeping Money Mule Recruiters on a Short Leash - Part Six
- Keeping Money Mule Recruiters on a Short Leash - Part Five
- The DNS Infrastructure of the Money Mule Recruitment Ecosystem
- Keeping Money Mule Recruiters on a Short Leash - Part Four
- Money Mule Recruitment Campaign Serving Client-Side Exploits
- Keeping Money Mule Recruiters on a Short Leash - Part Three
- Money Mule Recruiters on Yahoo!'s Web Hosting
- Dissecting an Ongoing Money Mule Recruitment Campaign
- Keeping Money Mule Recruiters on a Short Leash - Part Two
- Keeping Reshipping Mule Recruiters on a Short Leash
- Keeping Money Mule Recruiters on a Short Leash
- Standardizing the Money Mule Recruitment Process
- Inside a Money Laundering Group's Spamming Operations
- Money Mule Recruiters use ASProx's Fast Fluxing Services
- Money Mules Syndicate Actively Recruiting Since 2002
Tags:
Cybercrime,
Hacking,
Information Security,
Malicious Software,
Money Laundering,
Money Mule,
Money Mule Recruitment,
OPSEC,
Security,
Sprott Asset Management
Wednesday, July 29, 2015
Assessing The Computer Network Operation (CNO) Capabilities of the Islamic Republic of Iran - Report
Dear blog readers, I would like to let you know of my latest publicly released report, "Assessing The Computer Network Operation (CNO) Capabilities of the Islamic Republic of Iran", a comprehensive 45-page assessment of Iran's cyber warfare scene. It features exclusive, never-before-published assessments of the country's cyber warfare doctrine, an analysis of the country's academic incubators of the next generation of cyber warriors, and an exclusive social network analysis (SNA) of Iran's hacking scene.
The report answers the following questions:
- Who's who on Iran's Cyber Warfare Scene - the most comprehensive analysis of Iran's cyber warfare scene, ever performed
- Where do they go to school? - in-depth analysis of Iran's academic incubators of the next generation of cyber warriors
- Who's buying them books? - in-depth geopolitically relevant analysis of Iran's cyber warfare doctrine
- How do they own and compromise? - complimentary copies of hacking tools, E-zines, academic papers, SNA (Social Network Analysis) of Iran's Hacking Scene
"Today's growing cyber warfare arms race, prompts for systematic, structured, and multidisciplinary enriched processes to be utilized, in order to anticipate/neutralize and properly attribute an adversary's strategic, tactical and operational Computer Network Operation (CNO) capabilities, so that an adequate response can be formulated and executed on the basis of a factual research answering some of the most relevant questions in the 'fifth domain' of warfare - who are our adversaries, what are they up to, when are they going to launch an attack against us, how exactly are they going to launch it, and what are they going to target first?
This qualitative analysis (45 pages) seeks to assess the Computer Network Operations (CNO) of the Islamic Republic of Iran through the prism of the adversary's understanding of Tactics, Techniques and Procedures (TTP): a structured, geopolitically relevant, enriched OSINT assessment of their operations, consisting of interpreted hacking literature, videos and custom-made hacking tools, extensive SNA (Social Network Analysis) of the country's hacking ecosystem, and real-life personalization of the key individuals behind the groups (personally identifiable photos, personal emails, phone numbers, blogs, Web sites, social networking accounts etc.). Its purpose is to ultimately empower decision/policy makers, as well as intelligence analysts, with recommendations for countering the Islamic Republic of Iran's growing understanding and application of CNO tactics and strategies."
Request your complimentary copy of the report by approaching me at dancho.danchev@hush.com
Enjoy!
Tags:
CNO,
Computer Network Operation,
Cyber Espionage,
Cyber Jihad,
Cyber Terrorism,
Cyber Warfare,
Cyberspace,
Hacking,
Information Security,
Information Warfare,
Iran,
Security
Tuesday, October 21, 2014
Rogue Android Apps Hosting Web Site Exposes Malicious Infrastructure
With cybercriminals continuing to populate the cybercrime ecosystem with automatically generated and monetized mobile malware variants, we continue to observe a logical shift towards convergence between cybercrime-friendly revenue-sharing affiliate networks and malicious infrastructure providers, on their way to achieving a positive ROI (return on investment) from their risk-forwarding fraudulent activities.
I've recently spotted a legitimate-looking rogue Android apps hosting Web site, directly connected to a market-leading DIY API-enabled mobile malware generating/monetizing platform, further exposing related fraudulent operations performed while utilizing the malicious infrastructure that I'll expose in this post.
Let's assess the campaign, expose the malicious infrastructure behind it, and list the cybercrime-friendly premium-rate SMS numbers involved in it, as well as the related malicious MD5s known to have participated in the campaign or to have utilized the same malicious infrastructure.
Sample rogue Android apps hosting URL: hxxp://androidapps.mob.wf - 37.1.206.173
Responding to the same IP (37.1.206.173) are also the following fraudulent domains:
hxxp://22-minuty.ru
hxxp://nygolfpro.com
hxxp://bloomster.dp.ua
hxxp://stdstudio.com.ua
hxxp://autosolnce.ru
Detection rate for sample rogue Android apps:
MD5: 4bf349b601fd73c74eafc01ce8ea8be7
MD5: c4508c127029571e5b6f6b08e5c91415
MD5: bd296d35bf41b9ae73ed816cc7c4c38b
Known to have responded to the same IPs (94.242.214.133; 94.242.214.155) are also the following fraudulent domains, participating in a related revenue-sharing affiliate network based type of monetization scheme:
Malicious MD5s known to have phoned back to the same IP (94.242.214.133):
MD5: 9ec8aef6dc0e3db8596ac54318847328
MD5: 895c38ec4fb1fbee47bfb3b6ee3a170b
MD5: c4d88b32b605500b7f86de5569a11e22
MD5: 49861fd4748dd57c192139e8bd5b71e3
MD5: 8b350f8a32ef4b28267995cf8f0ceae1
Premium rate SMS numbers involved in the fraudulent scheme:
7151; 9151; 2855; 3855; 3858; 2858; 8151; 7155; 7255; 3190; 3200; 3170; 3006; 3150; 6150; 4124; 4481; 7781; 5014; 1151; 4125; 1141; 1131; 1350; 3354; 7122; 3353; 7132; 3352; 8355; 8155; 8055; 7515; 1037; 1953; 3968; 5370; 1952; 3652; 5373; 9191; 1005; 7019; 7250; 1951; 7015; 7099; 7030
Once executed, MD5: 9ec8aef6dc0e3db8596ac54318847328 phones back to the following C&C servers, further exposing the malicious infrastructure:
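Before a phone-home list like this is turned into a blocklist, it needs triage: sandboxes and P2P clients produce entries that are not Internet-facing C&C at all. As published, the list includes a private address (192.168.0.105) and the multicast group 239.192.152.143:6771 (the BitTorrent local peer discovery group), and many entries use 6881, the conventional BitTorrent port, which suggests the sample's peer traffic was captured alongside any real C&C. The following added example (not the post's own code) filters such entries out of a constructed ip:port list and tallies destination ports; the documentation-range addresses in it stand in for routable ones and were chosen for the example.

```python
import ipaddress
from collections import Counter

# Constructed sample in the shape of the post's phone-home list. The
# 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24 entries are documentation
# ranges standing in for routable addresses; the rest are the kinds of
# non-routable entries that turn up in sandbox-derived lists.
SAMPLE_PHONE_HOME = """\
192.0.2.10:6881
198.51.100.7:6881
203.0.113.45:45060
192.168.1.20:58749
239.255.255.250:1900
127.0.0.1:8080
169.254.10.20:1900
203.0.113.45:45060
10.0.0.5:443
198.51.100.7:6881
not-an-address
"""

# IPv4 space that can never be an Internet-facing C&C endpoint. Explicit
# networks are used instead of ipaddress' is_private so the documentation
# ranges in the sample are not swallowed by the filter.
NON_ROUTABLE = [
    (ipaddress.ip_network("0.0.0.0/8"), "reserved"),
    (ipaddress.ip_network("10.0.0.0/8"), "private"),
    (ipaddress.ip_network("100.64.0.0/10"), "cgnat"),
    (ipaddress.ip_network("127.0.0.0/8"), "loopback"),
    (ipaddress.ip_network("169.254.0.0/16"), "link-local"),
    (ipaddress.ip_network("172.16.0.0/12"), "private"),
    (ipaddress.ip_network("192.168.0.0/16"), "private"),
    (ipaddress.ip_network("224.0.0.0/4"), "multicast"),
    (ipaddress.ip_network("240.0.0.0/4"), "reserved"),
]


def parse_endpoint(line):
    """Parse 'ip:port' into (IPv4Address, port); ValueError if malformed."""
    host, sep, port = line.strip().rpartition(":")
    if not sep:
        raise ValueError(f"no port in {line!r}")
    port_num = int(port)
    if not 0 < port_num <= 65535:
        raise ValueError(f"bad port in {line!r}")
    return ipaddress.IPv4Address(host), port_num  # IPv6 lines are rejected here


def classify(ip):
    """Return the non-routable category of an address, or 'routable'."""
    for net, label in NON_ROUTABLE:
        if ip in net:
            return label
    return "routable"


def triage(text):
    """Split a phone-home list into blockable endpoints and dropped entries.

    Returns (keep, dropped, port_counts):
      keep        - sorted, de-duplicated 'ip:port' strings that are routable
      dropped     - {category: [original lines]} for everything filtered out
      port_counts - Counter of destination ports among kept entries; a list
                    dominated by one port (6881 here) points at P2P traffic
                    rather than a dedicated C&C, which changes the response
    """
    keep, dropped = set(), {}
    for raw in text.splitlines():
        if not raw.strip():
            continue
        try:
            ip, port = parse_endpoint(raw)
        except ValueError:
            dropped.setdefault("malformed", []).append(raw)
            continue
        kind = classify(ip)
        if kind == "routable":
            keep.add(f"{ip}:{port}")
        else:
            dropped.setdefault(kind, []).append(raw)
    port_counts = Counter(int(e.rsplit(":", 1)[1]) for e in keep)
    return sorted(keep), dropped, port_counts


if __name__ == "__main__":
    kept, dropped, ports = triage(SAMPLE_PHONE_HOME)
    print("blockable:", kept)
    print("dropped:", dropped)
    print("top ports:", ports.most_common(3))
```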
What's particularly interesting about this campaign is the fact that the Terms of Service (ToS) presented to gullible, socially engineered end users refer to a well-known Web site (jmobi.net), directly connected with the market-leading DIY API-enabled mobile malware generating/monetization platform extensively profiled in a previously published post.
As cybercriminals continue to achieve ecosystem-wide standardization, we'll continue to observe an increase in fraudulent activity, with the cybercriminals behind it continuing to innovate on their way to efficient monetization schemes and risk-forwarding fraudulent models, further contributing to the adaptive innovation applied to their current TTPs (tactics, techniques and procedures).
Tags:
Botnet,
Cybercrime,
Hacking,
Information Security,
Malicious Software,
Mobile Malware,
Security
Saturday, March 22, 2014
Win32.Nixofro Serving, Malicious Infrastructure, Exposes Fraudulent Facebook Social Media Service Provider
I've recently spotted a malicious, cybercrime-friendly SWF iframe/redirector injecting service that also exposes a long-running Win32.Nixofro serving malicious infrastructure, currently utilized to operate a rogue social media service provider targeting Turkish Facebook users through the ubiquitous social engineering vector for such campaigns, namely the fake Adobe Flash Player.
Let's profile the service, discuss its relevance in the broader context of the threat landscape, provide actionable/historical threat intelligence on the malicious infrastructure, the rogue domains involved in it and the malicious MD5s served by the cybercriminals behind it, and directly link it to a previously profiled Facebook-spreading P2P-Worm.Win32.Palevo serving campaign.
The managed SWF iframe/redirector service is a great example of a cybercrime-as-a-service type of underground market proposition, empowering both sophisticated and novice cybercriminals with the necessary (malvertising) 'know-how' in an efficient manner, and directly intersecting with the commercial availability of sophisticated mass Web site/Web server malicious script embedding platforms.
The managed SWF iframe/redirector injecting service is currently responding to 108.162.197.62 and 108.162.196.62. Known to have responded to the same IPs (108.162.197.62; 108.162.196.62) is also a key part of the malicious infrastructure that I'll expose in this post, namely hizliservis.pw - Email: furkan@cod.com.
Known to have phoned back to the same IP (108.162.197.62) are also the following malicious MD5s:
MD5: 432efe0fa88d2a9e191cb95fa88e7b36
MD5: 720ecb1cf4f28663f4ab25eedf620341
MD5: 02691863e9dfb9e69b68f5fca932e729
MD5: 69ed70a82cb35a454c60c501025415aa
MD5: cc586a176668ceef14891b15e1b412ab
MD5: 74291941bddcec131c8c6d531fcb1886
MD5: 7c27d9ff25fc40119480e4fe2c7ca987
MD5: 72c030db7163a7a7bf2871a449d4ea3c
Known to have phoned back to the same IP (108.162.196.62) are also the following malicious MD5s:
MD5: eda3f015204e9565c779e0725915864f
MD5: effcfe91beaf7a3ed2f4ac79525c5fc5
MD5: 14acd831691173ced830f4b51a93e1ca
MD5: 7f93b0c611f7020d28f7a545847b51e0
MD5: bcfce3a9bf2c87dab806623154d49f10
MD5: 4c90a89396d4109d8e4e2491c5da4846
MD5: 289c4f925fdec861c7f765a65b7270af
Sample redirection chain leading to the fake Adobe Flash Player:
hxxp://hizliservis.pw/unlu.htm -> hxxp://hizliservis.pw/indir.php -> hxxp://unluvideolari.info -> hxxp://videotr.in/player.swf -> hxxp://izleyelim.s3.amazonaws.com/movie.mp4&skin=newtubedark/NewTubeDark.xml&streamer=lighttpd&image=hqdefault.jpg
Domain name reconnaissance:
hizliservis.pw - Email: furkan@cod.com
videotr.in - Email: tiiknet@yandex.com; snack@log-z.com
izleyelim.s3.amazonaws.com - 176.32.97.249
Within hizliservis.pw, we can easily spot yet another part of the same malicious/fraudulent infrastructure, namely, the rogue social media distribution platform's login interface.
Sample redirection chain leading to a currently active fake Adobe Flash Player (Win32.Nixofro):
hxxp://socialmediasystem.net/down.php -> hxxps://profonixback31.googlecode.com/svn/FlashPlayer_Guncelle.exe
Detection rate for the fake Adobe Flash Player:
MD5: 28c3c503d398914bdd2c2b3fdc1f9ea4 - detected by 36 out of 50 antivirus scanners as Win32.Nixofro
Once executed, the sample phones back to profonixuser.net (141.101.117.218).
Known to have responded to the same IP (141.101.117.218) are also the following malicious MD5s:
MD5: 53360155012d8e5c648aca277cbde587
MD5: a66a1c42cc6fb775254cf32c8db7ad5b
MD5: a051fd83fc8577b00d8d925581af1a3b
MD5: f47784817a8a04284af4b602c7719cb7
MD5: 2e5c75318275844ce0ff7028908e8fb4
MD5: 90205a9740df5825ce80229ca105b9e8
Domain name reconnaissance for the rogue social media distribution platform:
socialmediasystem.net (141.101.118.159; 141.101.118.158) - Email: furkan@cod.com
Sample redirection chain for the rogue social media distribution platform's core functions:
hxxp://profonixuser.net/new.php?nocache=1044379803 -> hxxp://sosyalmedyakusu.com/oauth.php (108.162.199.203; 108.162.198.203) Email: furkan@cod.com -> hxxp://hizliservis.pw/face.php -> hxxp://socialhaberler.com/manyak.php -> hxxp://profonixuser.net/new.php -> hxxp://profonixuser.net/amk.php (141.101.117.218) -> hxxp://me.cf/dhtcw (31.170.164.67) -> hxxps://video-players.herokuapp.com/?55517841177 (107.20.187.159) -> hxxp://kingprofonix.net; hxxp://kingprofonix.com (108.162.198.203). The same domain is also known to have responded to 108.162.197.62.
Related MD5s known to have phoned back to the same IP (108.162.198.203) in the past:
MD5: 505f615f9e1c4fdc03964b36ec877d57
Sample internal redirectors structure:
hxxp://profonixuser.net/fb.php -> hxxp://profonixuser.net/manyak.php -> hxxp://molotofcu.com/google/hede.php (199.27.134.199) -> hxxp://profonixuser.net/pp.php -> hxxp://gdriv.es/awalbbmprtbpahpolcdt?jgxebgqjl -> hxxps://googledrive.com/host/0B08vFK4UtN5kdjV2NklHVTVjcTQ -> hxxp://sosyalmedyakusu.com/s3x.php?ref=google
hxxp://profonixuser.net/user.php -> hxxp://goo.gl/ber2EP -> hxxps://buexe-x.googlecode.com/svn/FlashPlayer%20Setup.exe -> MD5: 60137c1cb77bed9afcbbbc3ad910df3f -> phones back to wjetphp.com (46.105.56.61)
Secondary sample internal redirectors structure:
hxxp://profonixuser.net/yarak.txt -> hxxp://profonixuser.net/u.exe -> hxxp://profonixuser.net/yeni.txt -> hxxp://profonixuser.net/yeni.exe -> hxxp://profonixuser.net/recep.html -> hxxp://goo.gl/ber2EP -> hxxp://wjetphp.com/unlu/player.swf -> hxxp://profonixuser.net/kral.txt -> hxxp://likef.in/fate.exe - 108.162.194.123; 108.162.195.123; 108.162.199.107 - known to have phoned back to the same IP is also the following malicious MD5: effcfe91beaf7a3ed2f4ac79525c5fc5 - detected by 35 out of 50 antivirus scanners as Trojan-Ransom.Win32.Foreign.kcme
Once executed, the sample phones back to likef.biz (176.53.119.195). The same domain is also known to have responded to the following IPs 141.101.116.165; 141.101.117.165.
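The indicators listed above are only useful once they are matched against something. The Python script below is an added example (editor's code, not code from the original post): it refangs the hxxp:// URLs from this post into a host set, adds the post's IPs and MD5s, applies a behavioural pattern for the lure itself (a Flash-Player-named executable served from a Google Code SVN path, which generalises the two download URLs in the post), and runs the whole set over a few constructed proxy log lines. The log layout, the sample lines and the two placeholder destination addresses (RFC 5737 documentation ranges) are assumptions made for the example, not real traffic.

```python
# Added example (editor's code, not from the original post): match log lines
# against the indicators published in this post. The log format, the sample
# lines and the placeholder destination IPs (RFC 5737 ranges) are constructed
# for the example and are not real traffic.
import re
from collections import Counter
from dataclasses import dataclass
from urllib.parse import urlsplit

# URLs copied verbatim from the post, still defanged (hxxp/hxxps).
RAW_INDICATORS = [
    "hxxp://hizliservis.pw/unlu.htm",
    "hxxp://hizliservis.pw/indir.php",
    "hxxp://unluvideolari.info",
    "hxxp://videotr.in/player.swf",
    "hxxp://socialmediasystem.net/down.php",
    "hxxps://profonixback31.googlecode.com/svn/FlashPlayer_Guncelle.exe",
    "hxxp://profonixuser.net/new.php",
    "hxxp://sosyalmedyakusu.com/oauth.php",
    "hxxps://buexe-x.googlecode.com/svn/FlashPlayer%20Setup.exe",
    "hxxp://wjetphp.com/unlu/player.swf",
    "hxxp://likef.in/fate.exe",
    "hxxp://profmedya.com",
    "hxxp://fastotolike.com",
]
# IPs and hashes copied from the post.
IOC_IPS = {"108.162.197.62", "108.162.196.62", "141.101.117.218",
           "108.162.198.203", "46.105.56.61", "176.53.119.195"}
IOC_MD5S = {"28c3c503d398914bdd2c2b3fdc1f9ea4",
            "60137c1cb77bed9afcbbbc3ad910df3f",
            "effcfe91beaf7a3ed2f4ac79525c5fc5"}


def refang(url: str) -> str:
    """Rewrite the hxxp/hxxps scheme so the URL parses normally."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.IGNORECASE)


def host_of(url: str) -> str:
    """Lower-cased hostname of a (possibly defanged) URL, '' if none."""
    return urlsplit(refang(url)).hostname or ""


IOC_HOSTS = {host_of(u) for u in RAW_INDICATORS}

# Behavioural rule for the lure rather than a fixed domain: a Flash-Player-
# named .exe served from a Google Code SVN path. This pattern is the editor's
# generalisation of the two download URLs in the post.
FAKE_FLASH_RE = re.compile(
    r"https?://[^/\s]+\.googlecode\.com/svn/\S*flash\S*player\S*\.exe",
    re.IGNORECASE)


@dataclass
class Hit:
    line_no: int
    reason: str
    value: str


def scan_proxy_log(lines):
    """Constructed log layout (assumed, not the post's):
    '<timestamp> <client_ip> <method> <url> <dest_ip> [md5=<hash>]'."""
    hits = []
    for n, line in enumerate(lines, 1):
        parts = line.split()
        if len(parts) < 5:
            continue  # malformed or truncated line: skip rather than guess
        url, dest_ip = parts[3], parts[4]
        host = host_of(url)
        if host in IOC_HOSTS:
            hits.append(Hit(n, "ioc-domain", host))
        elif host.endswith(tuple("." + h for h in IOC_HOSTS)):
            hits.append(Hit(n, "ioc-subdomain", host))
        if dest_ip in IOC_IPS:
            hits.append(Hit(n, "ioc-ip", dest_ip))
        if FAKE_FLASH_RE.match(refang(url)):
            hits.append(Hit(n, "fake-flash-lure", url))
        for field in parts[5:]:
            if field.startswith("md5=") and field[4:].lower() in IOC_MD5S:
                hits.append(Hit(n, "ioc-md5", field[4:].lower()))
    return hits


def summarize(hits):
    """Count hits per reason, e.g. {'ioc-domain': 4, 'ioc-ip': 3, ...}."""
    return dict(Counter(h.reason for h in hits))


# Constructed sample lines replaying the redirection chain described above.
SAMPLE_LOG = [
    "2014-03-22T10:00:01 10.0.0.5 GET http://www.example.org/ 198.51.100.1",
    "2014-03-22T10:00:07 10.0.0.5 GET http://hizliservis.pw/unlu.htm 108.162.197.62",
    "2014-03-22T10:00:09 10.0.0.5 GET http://videotr.in/player.swf 108.162.196.62",
    "2014-03-22T10:00:12 10.0.0.5 GET https://profonixback31.googlecode.com/svn/"
    "FlashPlayer_Guncelle.exe 203.0.113.7 md5=28c3c503d398914bdd2c2b3fdc1f9ea4",
    "2014-03-22T10:00:40 10.0.0.5 POST http://profonixuser.net/new.php?nocache=1 141.101.117.218",
]

if __name__ == "__main__":
    for h in scan_proxy_log(SAMPLE_LOG):
        print(f"line {h.line_no}: {h.reason} {h.value}")
    print(summarize(scan_proxy_log(SAMPLE_LOG)))
```

One caveat when reusing these indicators: the 108.162.x.x and 141.101.x.x addresses in this post fall inside Cloudflare's published IP ranges, which front a great many unrelated sites, so an IP-only hit from those ranges is weak evidence on its own. Treat the hostname, lure-pattern and hash matches as the actionable ones and use the IP matches as corroboration.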
Here comes the interesting part. The fine folks at ExposedBotnets have already intercepted a malicious Facebook-spreading campaign that uses videotr.in, already profiled in this post.
Having directly connected the cybercrime-friendly SWF iframe/redirector injecting service with hizliservis.pw, as well as with SocialMediaSystem, as parts of the same malicious infrastructure, it's time to profile the fraudulent/malicious adversaries behind the campaigns. The cybercriminals behind these campaigns appear to be operating a rogue social media service targeting Facebook Inc.
Sample screenshots of the social media distribution platform's Web based interface:
Sample advertisement of the rogue social media distribution platform:
Skype ID of the rogue company: ProFonixcod
Secondary company name: ProfMedya - hxxp://profmedya.com - 178.33.42.254; 188.138.9.39; 89.19.20.242 - Email: kayahoca@gmail.com. The same domain, profmedya.com, used to respond to 188.138.9.39.
Domains known to have responded to the same IP (188.138.9.39) are also the following malicious domains:
hxxp://facebooook.biz
hxxp://worldmedya.net
hxxp://fastotoliked.net
hxxp://adsmedya.com
hxxp://facebookmedya.biz
hxxp://fastotolike.com
hxxp://fbmedyahizmetleri.com
hxxp://fiberbayim.com
hxxp://profonixcoder.com
hxxp://sansurmedya.biz
hxxp://sosyalpaket.com
hxxp://takipciniarttir.net
hxxp://videomedya.net
hxxp://videopackage.biz
hxxp://www--facebook.net
hxxp://www.facebook-java.com
hxxp://www.facemlike.com
hxxp://www.fastcekim.com
hxxp://www.fastotolike.com
hxxp://www.fbmedyahizmetleri.com
hxxp://www.profmedya.com
hxxp://www.sansurmedya.com
Rogue social media distribution platform operator's name: Fatih Konar
Associated emails: fiberbayimdestek@hotmail.com.tr; nerdenezaman@hotmail.com.tr
Google+ Account: hxxps://plus.google.com/103847743683129439807/about
Twitter account: hxxps://twitter.com/ProfonixCodtr
Domain name reconnaissance:
profonixcod.com (profonix-cod.com) - 216.119.143.194 - Email: abazafamily_@hotmail.com (related domains known to have been registered with the same email - warningyoutube.com; likebayi.com)
profonixcod.net
Updates will be posted as soon as new developments take place.
Tags:
Botnet,
Cybercrime,
Facebook,
Fake Adobe Flash Player,
Hacking,
Information Security,
Malicious Software,
Security,
SocialMediaSystem
Thursday, March 06, 2014
Summarizing Webroot's Threat Blog Posts for February
The following is a brief summary of all of my posts at Webroot's Threat Blog for February, 2014. You can subscribe to Webroot's Threat Blog RSS Feed, or follow me on Twitter:
01. Cybercriminals release Socks4/Socks5 based Alexa PageRank boosting application
02. Market leading ‘standardized cybercrime-friendly E-shop’ service brings 2500+ boutique E-shops online
03. Managed TeamViewer based anti-forensics capable virtual machines offered as a service
04. Malicious campaign relies on rogue WordPress sites, leads to client-side exploits through the Magnitude exploit kit
05. ‘Hacking for hire’ teams occupy multiple underground market segments, monetize their malicious ‘know how’
06. DoubleClick malvertising campaign exposes long-run beneath the radar malvertising infrastructure
07. Spamvertised ‘Image has been sent’ Evernote themed campaign serves client-side exploits
08. Spamvertised ‘You received a new message from Skype voicemail service’ themed emails lead to Angler exploit kit
This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter.
Summarizing Webroot's Threat Blog Posts for January
The following is a brief summary of all of my posts at Webroot's Threat Blog for January, 2014. You can subscribe to Webroot's Threat Blog RSS Feed, or follow me on Twitter:
01. ‘Adobe License Service Center Order NR’ and ‘Notice to appear in court’ themed malicious spam campaigns intercepted in the wild
02. New ‘Windows 8 Home Screen’ themed passwords/game keys stealer spotted in the wild
03. Vendor of TDoS products resets market life cycle of well known 3G USB modem/GSM/SIM card-based TDoS tool
04. New TDoS market segment entrant introduces 96 SIM cards compatible custom GSM module, positions itself as market disruptor
05. DIY Python-based mass insecure WordPress scanning/exploiting tool with hundreds of pre-defined exploits spotted in the wild
06. Google’s reCAPTCHA under automatic fire from a newly launched reCAPTCHA-solving/breaking service
07. Fully automated, API-supporting service, undermines Facebook and Google’s ‘SMS/Mobile number activation’ account registration process
08. Newly launched managed ‘compromised/hacked accounts E-shop hosting as service’ standardizes the monetization process
09. Newly released Web based DDoS/Passwords stealing-capable DIY botnet generating tool spotted in the wild
10. Cybercriminals release new Web based keylogging system, rely on penetration pricing to gain market share
This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter.