Yesterday's campaign is still ongoing, with new MD5s in the wild. Here are the details.
Sample subject: DHL notification #<random number>
Sample message: "Dear customer! The parcel was send your home address. And it will arrice within 7 bussness day. More information and the tracking number are attached in document below. Thank you. 2011 DHL International GmbH. All rights reserverd."
Sample filenames: DHL_tracking.zip; doc.zip
doc.exe - Trojan-Spy.SpyEy!IK - Result: 18/43 (41.9%)
MD5: 83db662187dd7cd58fc4a368ea27775d
SHA1: 4edb2d95c0570a36f6cb992e55111cdd7c3eda69
SHA256: 99f1e003bbf1025b0bbe257ece65d1704852fd1ba48e6cc79bd39cde6e6d14c3
DHL_tracking.exe - Win-Trojan/Spyeyes.45568 - Result: 29/43 (67.4%)
MD5: 81fc09b014617bce59f678374b486512
SHA1: 3d92a768f58b2900b98c9f97ce2753d27a4749ae
SHA256: 24b23bf7ebd03bf5feb0c637ea1e64661e27c78c66684dd49f074af2b2505bb7
Upon execution phones back to:
adobe.com/geo/productid.php
elsoplongt.com/rk`,jopbh/qwq - Email: redaccion@elsoplongt.com
accuratefiles.com/rk`,jopbh/qwq
lulango.com/rk`,jopbh/qwq - Email: lulango@gmail.com
erherg34gsafwe.com/xgate.php - AS49469, Email: admin@erherg34gsafwe.com
- erherg34gsafwe.com/ftp/base.bin
- erherg34gsafwe.com/ftp/ftpplug2.dll
Domains responding to:
192.150.16.117
72.41.115.170
74.117.180.216
87.106.193.21
94.63.244.56
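As an added example (not code from the original post), the following script turns the phone-home URLs listed above into Suricata rules and the two SHA-256 hashes into a file lookup. The indicator lines are copied from the post; the SID range, the rule message text and the allowlisting of adobe.com are my assumptions. adobe.com is a legitimate domain, most likely contacted as a connectivity or geolocation check, so a rule on it would only produce false positives.

```python
"""Added example: turn the phone-home indicators listed above into Suricata rules
and a SHA-256 lookup. Indicator lines are copied from the post; the allowlist,
SID range and rule text are assumptions made for this example."""
import hashlib

# Indicator lines exactly as they appear in the post ("- " prefixes and the
# " - Email: ..." / " - AS..." annotations are stripped by the parser).
PHONE_HOME_LINES = """
adobe.com/geo/productid.php
elsoplongt.com/rk`,jopbh/qwq - Email: redaccion@elsoplongt.com
accuratefiles.com/rk`,jopbh/qwq
lulango.com/rk`,jopbh/qwq - Email: lulango@gmail.com
erherg34gsafwe.com/xgate.php - AS49469, Email: admin@erherg34gsafwe.com
- erherg34gsafwe.com/ftp/base.bin
- erherg34gsafwe.com/ftp/ftpplug2.dll
"""

# SHA-256 hashes of the two samples listed in the post.
KNOWN_SHA256 = {
    "99f1e003bbf1025b0bbe257ece65d1704852fd1ba48e6cc79bd39cde6e6d14c3": "doc.exe",
    "24b23bf7ebd03bf5feb0c637ea1e64661e27c78c66684dd49f074af2b2505bb7": "DHL_tracking.exe",
}

# adobe.com is a legitimate site; the bot most likely contacts it as a
# connectivity/geolocation check, so alerting on it would only produce false
# positives. Assumed allowlist for this example.
ALLOWLIST = {"adobe.com"}


def parse_indicators(text):
    """Return (host, path) tuples from the post's free-text indicator lines."""
    indicators = []
    for raw in text.strip().splitlines():
        line = raw.strip().lstrip("- ").split(" - ")[0].strip()
        if not line:
            continue
        host, _, path = line.partition("/")
        indicators.append((host.lower(), "/" + path))
    return indicators


def suricata_content(value):
    """Encode a string for Suricata's content: keyword, hex-escaping anything
    outside a conservative safe set (the backtick and comma in the SpyEye path
    are the reason this exists)."""
    out, hexrun = [], []

    def flush():
        if hexrun:
            out.append("|" + " ".join(hexrun) + "|")
            hexrun.clear()

    for ch in value:
        if ch.isascii() and (ch.isalnum() or ch in "/._-"):
            flush()
            out.append(ch)
        else:
            hexrun.extend("%02x" % b for b in ch.encode("utf-8"))
    flush()
    return "".join(out)


def suricata_rule(host, path, sid, rev=1):
    """One HTTP rule per phone-home URL (Suricata 5+ sticky-buffer syntax)."""
    label = (host + path).replace('"', "_").replace(";", "_")  # keep msg parseable
    return (
        "alert http $HOME_NET any -> $EXTERNAL_NET any ("
        f'msg:"SpyEye DHL campaign phone-home to {label}"; '
        "flow:established,to_server; "
        f'http.host; content:"{suricata_content(host)}"; '
        f'http.uri; content:"{suricata_content(path)}"; startswith; '
        f"classtype:trojan-activity; sid:{sid}; rev:{rev};)"
    )


def build_rules(text=PHONE_HOME_LINES, first_sid=9000001):
    """Rules for every listed URL except allowlisted hosts, with sequential SIDs."""
    wanted = [(h, p) for h, p in parse_indicators(text) if h not in ALLOWLIST]
    return [suricata_rule(h, p, first_sid + i) for i, (h, p) in enumerate(wanted)]


def identify_sample(data):
    """Name of the post's sample whose SHA-256 matches `data`, or None."""
    return KNOWN_SHA256.get(hashlib.sha256(data).hexdigest())


if __name__ == "__main__":
    for rule in build_rules():
        print(rule)
```

Load the printed rules into a test Suricata instance before production: the http.host and http.uri sticky buffers require Suricata 5 or newer, and the hex escaping of the backtick and comma in the SpyEye path is what keeps the rule parser from rejecting the content string. Hashes are weak indicators for a campaign that pushes new MD5s daily, so the network rules are the ones worth keeping.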
Additional malicious activity within AS49469 (SA-NOVA-TELECOM-GRUP-SRL Sa Nova Telecom Grup SRL), courtesy of the ZeuS Tracker and the SpyEye Tracker:
bigupdate.ru - Email: admin@hotupdaters.ru
bigupdatings.ru - Email: admin@bigupdatings.ru
bigupdater.ru - Email: admin@bigupdater.ru
bigupdates.ru - Email: admin@istuplenie.ru
bigupdating.ru - Email: admin@bigupdating.ru
bigupdaters.ru - Email: admin@bigupdaters.ru
94.63.244.30
metamphcrystal.com - Email: admin@metamphcrystal.com
Related malware-serving domains within AS49469 (SA-NOVA-TELECOM-GRUP-SRL Sa Nova Telecom Grup SRL):
xppclapgirl.com - 89.114.9.33
natnatraoi.com - 12.211.117.127 - Email: barbarasorber@yahoo.com
d34ghqarfrgad.com - 94.63.244.56 - Email: admin@d34ghqarfrgad.com
g3u4g.net - 89.114.9.33 - Email: G3U4G.NET@domainservice.com
suhi4hr.net - 89.114.9.60 - Email: SUHI4HR.NET@domainservice.com
mialedot.ru - 94.63.244.44 - Email: abuse@mialedot.ru
blackmemoso.com - Email: grasp@yourisp.ru
This post has been reproduced from Dancho Danchev's blog.
In the overwhelming sea of information, access to timely, insightful and independent open-source intelligence (OSINT) analyses is crucial for maintaining the necessary situational awareness to stay on the top of emerging security threats. This blog covers trends and fads, tactics and strategies, intersecting with third-party research, speculations and real-time CYBERINT assessments, all packed with sarcastic attitude
Friday, March 11, 2011
More Spamvertised DHL Notifications Spread Malware
Independent Security Consultancy, Threat Intelligence Analysis (OSINT/Cyber Counter Intelligence) and Competitive Intelligence research on demand. Insightful, unbiased, and client-tailored assessments, neatly communicated in the form of interactive reports - because anticipating the emerging threatscape is what shapes the big picture at the end of the day. Approach me at dancho.danchev@hush.com
Thursday, March 10, 2011
Compromised University Leads to Fraudulent Pharmaceutical Ads
Continuing the Compromised University Leads to Fraudulent Google Brand-jacked Pharmaceutical Ads series, yet another university has been compromised by pharmaceutical scammers who are part of an affiliate network.
In this latest example of the tactic, which seeks to abuse the high PageRank of the compromised site, the web site of the Department of Mathematics at Rutgers University (math.rutgers.edu/mdnews/) appears to have been compromised by pharmaceutical scammers.
Included URLs:
math.rutgers.edu/mdnews/levitraline.html
math.rutgers.edu/mdnews/levitrastory.html
math.rutgers.edu/mdnews/cialis-pills.html
math.rutgers.edu/mdnews/levitradosage.html
math.rutgers.edu/mdnews/viagra-buy-online.html
Redirects to:
worldselectshop.com/?id=abamos - 95.211.1.82 - Email: worldselectshop.com@protecteddomainservices.com
The same affiliate ID is also active at:
usadrugstorenow.com/products/diflucan.htm?id=abamos - 212.117.185.19 - Email: usadrugstorenow.com@protecteddomainservices.com
Spamvertised DHL Notification Malware Campaign
A currently spamvertised malware campaign is brand-jacking DHL for malware-serving purposes.
Sample filename: document.zip => DHL_notification.exe
Sample message: "Dear customer. The parcel was send your home address. And it will arrice within 7 bussness day. More information and the tracking number are attached in document below. Thank you. 2011 DHL International GmbH. All rights reserverd" - note the typos.
DHL_notification.exe - Trojan-Spy.Win32.SpyEyes - Result: 27/43 (62.8%)
MD5: bda72e57d263241d52b1fe2ef014cba9
SHA1: fa9dc14b100f1bf5124cd23c322c109b38a70675
SHA256: 199f2357c24e71d955a4e6c2d07645aa04d9474e0c8c914a1edd69a02e3f8a70
Upon execution phones back to:
adobe.com/geo/productid.php
elsoplongt.com/rk`,jopbh/qwq - Email: redaccion@elsoplongt.com
accuratefiles.com/rk`,jopbh/qwq
lulango.com/rk`,jopbh/qwq - Email: lulango@gmail.com
erherg34gsafwe.com/xgate.php - AS49469, Email: admin@erherg34gsafwe.com
- erherg34gsafwe.com/ftp/base.bin
- erherg34gsafwe.com/ftp/ftpplug2.dll
Domains responding to:
192.150.16.117
72.41.115.170
74.117.180.216
87.106.193.21
94.63.244.56
Keeping Money Mule Recruiters on a Short Leash - Part Six
Following my previous post, "Keeping Money Mule Recruiters on a Short Leash - Part Five", this post once again exposes a portfolio of money mule recruitment domains, their related ASes and name servers of notice, including some additional SpyEye activity within one of the ASes.
What's particularly interesting is the ongoing use of similar templates, including fake "certified by" documents meant to boost the visitor's confidence in the mule recruitment company. Samples of these "certified by" documents accompanied the original post.
Money mule recruitment web sites:
ACOON-GROUPLLC.CC - Email: bombay@yourisp.ru - seen here
ANTIQUEE-CORP.INFO - Email: admin@antiquee-corp.info
ARAMATEGROUP-INT.INFO - Email: admin@aramategroup-int.info
art-marketllc.cc - Email: hear@ppmail.ru
ARTSOLVE-LTD.AT - Email: admin@artsolve-ltd.at
ARTSOLVELTD.CC - Email: admin@artsolveltd.cc
ARTSOLVELTDCO.AT - Email: admin@artsolveltd.cc
ASTECH-GROUPDE.CC - Email: admin@i-compass-group.cc
atlant-groupinc.cc - Email: bombay@yourisp.ru - seen here
Atlant-usainc.net - Email: admin@atlant-usainc.net
BREDGARCORP-ANT.BE
CREATENCE-GROUPLLC.AT - Email: admin@creatence-groupllc.at
CREATENCE-GROUPLLC.CC - Email: hunt@bz3.ru
CREATENCEGROUP-LLC.CO - Email: px@bz3.ru
DEVAS-LLC.CO - Email: gate@ppmail.ru
DRYSDALE-ANTCORP.AT - Email: admin@drysdale-antcorp.at
DRYSDALE-ANTCORP.BIZ - Email: admin@drysdale-antcorp.biz
DRYSDALE-GROUP-INC.CC - Email: atomic@bz3.ru
DUNCROFT-ANTTEAM.ORG - Email: admin@drysdale-antcorp.biz
FINTEC-UKLTD.WS
fourthgroup-ltd.cc - Email: rots@cheapbox.ru
generalabbrialgroup-ltd.net - Email: admin@generalabbrialgroup-ltd.net
generation-groupltd.cc - Email: jz@ppmail.ru
I-COMPASS-GROUP.AT - Email: admin@i-compass-group.at
katemdutkins.co.cc
LILAC-GROUPLLC.CC - Email: lane@free-id.ru
LILACGROUP-LLC.CO - Email: baggy@bz3.ru
MIMOSA-INCGROUP.INFO - Email: admin@mimosa-incgroup.info
moneyvisual-ukllc.com - Email: admin@moneyvisual-ukllc.com
nimrodltd-uk.net - Email: admin@nimrodltd-uk.net
OLIVER-ANTCORP.NET - Email: admin@oliver-antcorp.net
qead-groupllc.net - Email: admin@qead-groupllc.net
RENAISSANCELLC.BE
renaissance-llc.cc - Email: admin@renaissance-llc.cc
ROYALTHELMAS-GROUP-LLC.CC - Email: zap@ca4.ru
ROYALTHELMAS-TEAMANT.ASIA - Email: admin@royalthelmas-teamant.asia
SCHWARTZBROTHERSANT-CORP.COM - Email: admin@schwartzbrothersant-corp.com
STRATEGICGROUP-LLC.CO - Email: flute@free-id.ru
THRONE-GROUPLLC.CC - Email: lane@free-id.ru
THRONEGROUP-LLC.CO - Email: floyd@ca4.ru
THRONE-UK.AT - Email: admin@throne-uk.at
TINASSANSERVICEANT-ANTTEAM.NET - Email: admin@tinassanserviceant-antteam.net
TINASSANSERVICE-GROUPLLC.CC - Email: six@yourisp.ru
westerntrust.co.uk
westview-art.net - Email: admin@westview-art.net
Domains responding to:
78.46.105.205 - AS24940, HETZNER-AS Hetzner Online AG RZ
98.141.220.116 - AS29713, INTERPLEXINC Interplex LLC.
98.141.220.117 - AS29713, INTERPLEXINC Interplex LLC.
114.207.244.143 - AS9318, HANARO-AS Hanaro Telecom Inc.
114.207.244.144 - AS9318, HANARO-AS Hanaro Telecom Inc.
114.207.244.145 - AS9318, HANARO-AS Hanaro Telecom Inc.
114.207.244.146 - AS9318, HANARO-AS Hanaro Telecom Inc.
193.105.134.230 - AS42708, PORTLANE Network
193.105.134.231 - AS42708, PORTLANE Network
193.105.134.232 - AS42708, PORTLANE Network
193.105.134.233 - AS42708, PORTLANE Network
193.105.134.234 - AS42708, PORTLANE Network
195.182.57.84 - AS47311, Cerannics-AS Cerannics llp
195.182.57.91 - AS47311, Cerannics-AS Cerannics llp
204.45.118.54 - 204.45.118.48/29/INSIGHT-INVESTMENTS-LLC
More malicious activity within AS24940, HETZNER-AS Hetzner Online AG RZ, courtesy of the SpyEye tracker:
188.40.198.185
188.40.87.88
www.privathosting.eu
spl.privathosting.eu
46.4.194.162
188.40.87.91
88.198.36.61
Name servers of notice:
ns1.uknamo.com - 69.10.44.188 - Email: morph@ppmail.ru
ns2.uknamo.com - 178.162.181.11
ns3.uknamo.com - 66.199.236.116
ns1.ukansnami.com - 178.162.181.11 - Email: glide@yourisp.ru
ns2.ukansnami.com - 178.162.181.11
ns3.ukansnami.com - 66.199.236.117
ns3.dnsukrect.com - 66.199.236.118 - Email: code@yourisp.ru
NS1.LIBUNITAU.CC - 178.162.152.76 - Email: ached@yourisp.ru - seen here
NS2.LIBUNITAU.CC - 66.199.236.115
NS3.LIBUNITAU.CC - 178.162.181.11
NS1.AUSTDEC.CC - 178.162.152.75 - Email: bold@yourisp.ru - seen here
NS2.AUSTDEC.CC - 66.199.236.114
NS3.AUSTDEC.CC - 178.162.181.11
NS1.SURPLUSUSA.CC - 209.159.156.162 - Email: skulk@ppmail.ru - seen here
NS2.SURPLUSUSA.CC - 76.73.47.26
NS3.SURPLUSUSA.CC - 69.50.192.97
NS1.USABONDS.CC - Email: bart@cheapbox.ru - seen here
NS2.USABONDS.CC
NS3.USABONDS.CC
The cybercriminals have also switched from unique registrant emails to a default admin@<recruitment domain> pattern. Monitoring of their money mule recruitment activities is ongoing.
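The pivoting done above (domains grouped by shared registrant email, shared hosting IP and shared name server IP) can be automated. This is an added example, not code from the original post: it ingests a subset of the domain and name server lines exactly as written above and clusters them with a disjoint-set forest over shared emails and IPs, then tallies the registrant email patterns the closing paragraph describes. Folding ns1/ns2/ns3 hosts onto their parent zone is an assumption that holds for the data here but not for multi-label public suffixes such as .co.cc.

```python
"""Added example: pivot the registrant emails, IPs and name servers listed above to
see which money mule domains share infrastructure. Records are copied from the post;
folding ns1/ns2/ns3 hosts onto their parent zone is an assumption of this example."""
import re
from collections import defaultdict

# Subset of the recruitment domains from the post, verbatim.
MULE_DOMAIN_LINES = """
ACOON-GROUPLLC.CC - Email: bombay@yourisp.ru - seen here
ANTIQUEE-CORP.INFO - Email: admin@antiquee-corp.info
ARTSOLVELTD.CC - Email: admin@artsolveltd.cc
ARTSOLVELTDCO.AT - Email: admin@artsolveltd.cc
atlant-groupinc.cc - Email: bombay@yourisp.ru - seen here
BREDGARCORP-ANT.BE
DRYSDALE-ANTCORP.BIZ - Email: admin@drysdale-antcorp.biz
DUNCROFT-ANTTEAM.ORG - Email: admin@drysdale-antcorp.biz
LILAC-GROUPLLC.CC - Email: lane@free-id.ru
THRONE-GROUPLLC.CC - Email: lane@free-id.ru
"""

# Subset of the "name servers of notice" from the post, verbatim.
NAMESERVER_LINES = """
ns1.uknamo.com - 69.10.44.188 - Email: morph@ppmail.ru
ns2.uknamo.com - 178.162.181.11
ns1.ukansnami.com - 178.162.181.11 - Email: glide@yourisp.ru
ns2.ukansnami.com - 178.162.181.11
NS1.LIBUNITAU.CC - 178.162.152.76 - Email: ached@yourisp.ru - seen here
NS3.LIBUNITAU.CC - 178.162.181.11
"""

IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
NS_LABEL = re.compile(r"^ns\d+$")


def parse_records(text, collapse_ns=True):
    """Split ' - ' separated lines into {domain, emails, ips}; annotations such
    as 'seen here' are ignored. ns2.uknamo.com is recorded as uknamo.com."""
    records = []
    for raw in text.strip().splitlines():
        fields = [f.strip() for f in raw.split(" - ")]
        labels = fields[0].lower().split(".")
        if collapse_ns and len(labels) >= 3 and NS_LABEL.match(labels[0]):
            labels = labels[-2:]
        rec = {"domain": ".".join(labels), "emails": [], "ips": []}
        for field in fields[1:]:
            if field.startswith("Email:"):
                rec["emails"].append(field.split(":", 1)[1].strip().lower())
            elif IPV4.match(field):
                rec["ips"].append(field)
        records.append(rec)
    return records


def _find(parent, x):
    """Disjoint-set lookup with path halving; unknown nodes become singletons."""
    parent.setdefault(x, x)
    while parent[x] != x:
        parent[x] = parent[parent[x]]
        x = parent[x]
    return x


def cluster(records, min_size=2):
    """Domains connected through a shared registrant email or a shared IP.
    Returns each group as a sorted list, groups ordered by their first member."""
    parent = {}
    for rec in records:
        node = "domain:" + rec["domain"]
        _find(parent, node)  # register domains with no pivots as singletons
        pivots = ["email:" + e for e in rec["emails"]] + ["ip:" + i for i in rec["ips"]]
        for pivot in pivots:
            parent[_find(parent, pivot)] = _find(parent, node)  # union
    groups = defaultdict(set)
    for node in list(parent):
        if node.startswith("domain:"):
            groups[_find(parent, node)].add(node.split(":", 1)[1])
    return sorted((sorted(g) for g in groups.values() if len(g) >= min_size),
                  key=lambda g: g[0])


def email_summary(records):
    """Classify registrant emails: admin@<own domain>, admin@ at a sibling domain,
    or an address at a throwaway mail provider (counted per provider)."""
    summary = {"default_admin": 0, "admin_sibling_domain": 0, "providers": defaultdict(int)}
    for rec in records:
        for email in rec["emails"]:
            local, _, maildomain = email.partition("@")
            if local == "admin" and maildomain == rec["domain"]:
                summary["default_admin"] += 1
            elif local == "admin":
                summary["admin_sibling_domain"] += 1
            else:
                summary["providers"][maildomain] += 1
    return summary
```

On this subset the clustering recovers the pairs a reader would spot by eye (the two bombay@yourisp.ru domains, the artsolveltd pair, the drysdale/duncroft pair, the two lane@free-id.ru domains) and ties uknamo.com, ukansnami.com and libunitau.cc together through 178.162.181.11. Feed it the full lists above to get the complete picture, and add the "Domains responding to" IPs as further pivots.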
Related posts:
Keeping Money Mule Recruiters on a Short Leash - Part Five
The DNS Infrastructure of the Money Mule Recruitment Ecosystem
Keeping Money Mule Recruiters on a Short Leash - Part Four
Money Mule Recruitment Campaign Serving Client-Side Exploits
Keeping Money Mule Recruiters on a Short Leash - Part Three
Money Mule Recruiters on Yahoo!'s Web Hosting
Dissecting an Ongoing Money Mule Recruitment Campaign
Keeping Money Mule Recruiters on a Short Leash - Part Two
Keeping Reshipping Mule Recruiters on a Short Leash
Keeping Money Mule Recruiters on a Short Leash
Standardizing the Money Mule Recruitment Process
Inside a Money Laundering Group's Spamming Operations
Money Mule Recruiters use ASProx's Fast Fluxing Services
Money Mules Syndicate Actively Recruiting Since 2002
Tags:
Cybercrime,
Hacking,
Information Security,
Money Laundering,
Money Mule,
Money Mule Recruitment,
Security
Independent Security Consultancy, Threat Intelligence Analysis (OSINT/Cyber Counter Intelligence) and Competitive Intelligence research on demand. Insightful, unbiased, and client-tailored assessments, neatly communicated in the form of interactive reports - because anticipating the emerging threatscape is what shapes the big picture at the end of the day. Approach me at dancho.danchev@hush.com
Monday, March 07, 2011
Compromised University Leads to Fraudulent Google Brand-jacked Pharmaceutical Ads
An exploited web application vulnerability in the Cochise County Online University CMS (moodle.cochise.az.gov/user) is currently feeding a blackhat SEO campaign (1,890 pages) that leads to fraudulent, Google brand-jacked pharmaceutical pages.
Once the compromise took place, the cybercriminals treated the pharmaceutical-themed blackhat SEO content farm as part of their own infrastructure and spamvertised links to it across multiple web forums.
The redirection chain is as follows:
- moodle.cochise.az.gov/user - random pharmaceutical content
- goodmedk.com
- gooqpilly.com
- 50.22.28.50
goodmedk.com/whftltyixallwke6hoqstgzsiq.html - 77.67.80.48, AS3257 - Email: jognbroownn@usa.com
goodmedk.com/kavglmapejes7bdfg6mf8d.py
goodmedk.com/hxinlaresbnzbikmnatmck.py
goodmedk.com/huvtleikspann6hoqstgzsiq.html
goodmedk.com/txajlatev0egij9pi-g.pl
goodmedk.com/tldhlaoet8cegh7ng9e.html
Redirectors used:
gooqpilly.com - 77.67.80.42, AS3257 - Email: jognbroownn@usa.com
50.22.28.50/c.php - 50.22.28.50-static.reverse.softlayer.com
Redirects to the following currently active fraudulent online pharmacies:
pillshealthmedsplus.net - 89.114.9.82 - Email: acquit@bz3.ru
allrxtabs.com - 91.212.135.69 - Email: rxrevenue@gmail.com
canadianselect.net - 89.149.196.197 - Email: canadianselect.net@protecteddomainservices.com
worldselectshop.com - 95.211.1.82 - Email: worldselectshop.com@protecteddomainservices.com
generic-pills-online.eu - 95.163.15.207
menhealth-pharmacy.co.uk - 109.237.213.194
4rx.com - 174.127.67.233 - Email: webmaster@4rx.com
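To illustrate how a redirection chain like the one above is traced, here is an added example that is not part of the original post. It follows HTTP 3xx Location headers, meta refresh tags and simple JavaScript location assignments until it reaches a page that does not redirect, detects loops, and extracts the ?id= affiliate parameter at the end. The responses are constructed offline fixtures that reuse the post's hostnames; the redirect mechanism assumed at each hop is my choice, since the post does not record them.

```python
"""Added example: follow a doorway-page redirection chain and extract the affiliate
ID at the end. SAMPLE_RESPONSES are constructed fixtures (the post names these hosts
but does not record how each hop redirects); swap fake_fetch for a real client."""
import re
from urllib.parse import parse_qs, urljoin, urlparse

META_TAG = re.compile(r"<meta\b[^>]*>", re.I)
META_REFRESH_URL = re.compile(
    r"""content\s*=\s*["']?\s*\d+\s*;\s*url\s*=\s*["']?([^"'>\s]+)""", re.I
)
JS_LOCATION = re.compile(
    r"""(?:window\.|document\.|top\.)?location(?:\.href)?\s*=\s*["']([^"']+)["']""", re.I
)

# Constructed responses keyed by URL: (status, headers, body).
SAMPLE_RESPONSES = {
    # doorway page on the compromised site: meta refresh into the content farm
    "http://moodle.cochise.az.gov/user/": (200, {"Content-Type": "text/html"},
        '<html><head><meta http-equiv="refresh" '
        'content="0;url=http://goodmedk.com/whftltyixallwke6hoqstgzsiq.html">'
        '</head><body>buy viagra online ...</body></html>'),
    # content farm: HTTP redirect with a relative Location header
    "http://goodmedk.com/whftltyixallwke6hoqstgzsiq.html":
        (302, {"Location": "/kavglmapejes7bdfg6mf8d.py"}, ""),
    # second content-farm page: JavaScript redirect to the redirector host
    "http://goodmedk.com/kavglmapejes7bdfg6mf8d.py":
        (200, {}, '<script>window.location = "http://gooqpilly.com/";</script>'),
    "http://gooqpilly.com/": (302, {"Location": "http://50.22.28.50/c.php"}, ""),
    # lowercase header name, as some servers emit it
    "http://50.22.28.50/c.php": (302, {"location": "http://worldselectshop.com/?id=abamos"}, ""),
    "http://worldselectshop.com/?id=abamos": (200, {}, "<html>online pharmacy storefront</html>"),
    # two constructed URLs that redirect to each other, to exercise loop detection
    "http://loop-a.invalid/": (302, {"Location": "http://loop-b.invalid/"}, ""),
    "http://loop-b.invalid/": (302, {"Location": "http://loop-a.invalid/"}, ""),
}


def fake_fetch(url):
    """Offline stand-in for an HTTP client; unknown URLs come back as 404."""
    return SAMPLE_RESPONSES.get(url, (404, {}, ""))


def next_hop(url, status, headers, body):
    """URL the browser would be sent to next, or None for a final page."""
    if 300 <= status < 400:
        for key, value in headers.items():
            if key.lower() == "location":
                return urljoin(url, value)
    for tag in META_TAG.findall(body):
        if re.search(r"""http-equiv\s*=\s*["']?refresh""", tag, re.I):
            m = META_REFRESH_URL.search(tag)
            if m:
                return urljoin(url, m.group(1))
    m = JS_LOCATION.search(body)
    return urljoin(url, m.group(1)) if m else None


def follow_chain(start, fetch=fake_fetch, max_hops=10):
    """Return (chain, reason); reason is 'final', 'loop' or 'max_hops'."""
    chain, seen, url = [start], {start}, start
    for _ in range(max_hops):
        status, headers, body = fetch(url)
        nxt = next_hop(url, status, headers, body)
        if nxt is None:
            return chain, "final"
        chain.append(nxt)
        if nxt in seen:
            return chain, "loop"
        seen.add(nxt)
        url = nxt
    return chain, "max_hops"


def affiliate_id(url):
    """The ?id= parameter the post uses to tie storefronts to one affiliate."""
    return parse_qs(urlparse(url).query).get("id", [None])[0]


if __name__ == "__main__":
    chain, reason = follow_chain("http://moodle.cochise.az.gov/user/")
    print(" -> ".join(chain), "(%s)" % reason)
    print("affiliate id:", affiliate_id(chain[-1]))
```

When tracing live chains, replace fake_fetch with a real client and send a search-engine Referer header: blackhat SEO redirectors commonly cloak, serving the pharmacy redirect only to visitors who appear to arrive from Google and a bland page to everyone else. The meta refresh and JavaScript matchers here are deliberately simple; obfuscated redirect scripts need a real JavaScript engine.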
The hijacking of a trusted brand such as Google shouldn't be surprising; it is an inseparable part of social-engineering-driven abuse of the trust chain. From the use of Google's name to the visual impersonation of Google Search, this campaign demonstrates exactly that.