Dancho Danchev's Blog - Mind Streams of Information Security Knowledge

In the overwhelming sea of information, access to timely, insightful and independent open-source intelligence (OSINT) analyses is crucial for maintaining the necessary situational awareness to stay on the top of emerging security threats. This blog covers trends and fads, tactics and strategies, intersecting with third-party research, speculations and real-time CYBERINT assessments, all packed with sarcastic attitude

Wednesday, December 04, 2013

Facebook Circulating 'Who's Viewed Your Profile' Campaign Exposes 800k+ Users to CrossRider PUA/Rogue Firefox Add-ons/Android Adware AirPush

A massive privacy-violating, Facebook circulating "Who's Viewed Your Profile" campaign, has been operating beneath the radar, exposing over 800,000 users internationally, to a cocktail of PUAs (Potentially Unwanted Applications), rogue Firefox Add-ons impersonating Adobe's Flash Player, as well as the Android based adware AirPush.

Relying on a proven social engineering tactic of "offering what's not being offered in general", next to hosting the rogue files on legitimate service providers -- Google Docs and Dropbox in this particular case -- the campaign is a great example that the ubiquitous for the social network social engineering scheme, continues to trick gullible and uninformed users into installing privacy-violating applications on their hosts/mobile devices.

Let's dissect the campaign, expose its infrastructure, (conservatively) assess the damage, and provide fresh MD5s for the currently served privacy-violating PUAs, Firefox add-ons, and Android adware.

Primary spamvertised Facebook URL: FCOSYUC.tk/?15796422
Redirection chain: p2r0f3rviewer9890.co.nf -> bit.ly/1bZCeNv?vsdvc -> wh0prof.uni.me/?sdvsjka -> wh0prof.uni.me/ch/
Rogue Google Store Extension URL (currently offline): hxxps://chrome.google.com/webstore/detail/dllaajjfgpigkeblmlbamflggfjkgbej
Campaign's GA Account ID: UA-12798017-1

Domain name reconnaissance:
wh0prof.uni.me - 192.157.201.42

Known to have responded to the same IP are also the following domains:
cracks4free.info
pr0lotra.p9.org

Google Docs Hosted PUA URLs:
hxxps://docs.google.com/uc?authuser=0&id=0BziH-mKCuQwqVFljUDBnTjFHdVE&export=download
hxxps://docs.google.com/uc?authuser=0&id=0BziH-mKCuQwqRXBMLWZ4cVZJV2s&export=download
hxxps://docs.google.com/uc?authuser=0&id=0BziH-mKCuQwqUjllLWc4MVFRQUk&export=download
hxxps://docs.google.com/uc?authuser=0&id=0BziH-mKCuQwqOXlyNko0VFBOdnM&export=download
hxxps://docs.google.com/uc?authuser=0&id=0BziH-mKCuQwqZm5yeUFudFhqclU&export=download
hxxps://docs.google.com/uc?authuser=0&id=0BziH-mKCuQwqbWpfNW5FalJmRGM&export=download
hxxps://docs.google.com/uc?authuser=0&id=0BziH-mKCuQwqS3V1ZkZBQjJGbjQ&export=download
hxxps://docs.google.com/uc?authuser=0&id=0BziH-mKCuQwqX2xXbEJLbEY0Q3M&export=download
hxxps://docs.google.com/uc?authuser=0&id=0BziH-mKCuQwqMU5RVkJSWURxME0&export=download
hxxps://docs.google.com/uc?authuser=0&id=0BziH-mKCuQwqVFljUDBnTjFHdVE&export=download

Dropbox Firefox Add-on/Android APK Hosted URLs:
hxxps://dl.dropboxusercontent.com/s/so3vm50w298qkto/WhoViewsYourProfile.apk
hxxps://dl.dropboxusercontent.com/s/kor9c2mqv49esva/kkadobe-ff.xpi

Detection rate for the served PUAs, the Android adware and the rogue Firefox Add-on:
MD5: c7fcf7078597ea752b8d54e406c266a7 - detected by 5 out of 48 antivirus scanners as PUP.Optional.CrossRider
MD5: 30cf98d7dc97cae57f8d72487966d20b - detected by 6 out of 48 antivirus scanners as Trojan.Dropper.FB
MD5: f2459b6bde1d662399a3df725bf8891b - detected by 13 out of 48 antivirus scanners as Adware/AirPush!Android; Android Airpush; Adware/ANDR.Airpush.G.Gen
MD5: 3fb95e1ed77d1b545cf7385b4521b9ae - detected by 18 out of 48 antivirus scanners as JS/TrojanClicker.Agent.NDL

Once executed MD5: 30cf98d7dc97cae57f8d72487966d20b phones back to 195.167.11.4.

Time to (conservatively) assess the campaign's damage over the year(s):

The click-through rate should be considered conservative, and it remains unknown whether the URL shortening service was used by the cybercriminal(s) since day one of the campaign.

The campaign remains active, and is just the tip of the iceberg in terms of similar campaigns tricking Facebook's users into thinking that they can eventually see who's viewed their profile. Facebook users who stumble across such campaigns on their own, or their friends' Walls, are advised to consider reporting the campaign back to Facebook, immediately.

This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter.

Dancho Danchev

Independent Security Consultancy, Threat Intelligence Analysis (OSINT/Cyber Counter Intelligence) and Competitive Intelligence research on demand. Insightful, unbiased, and client-tailored assessments, neatly communicated in the form of interactive reports - because anticipating the emerging threatscape is what shapes the big picture at the end of the day. Approach me at dancho.danchev@hush.com

Facebook Circulating 'Who's Viewed Your Profile' Campaign Exposes 800k+ Users to CrossRider PUA/Rogue Firefox Add-ons/Android Adware AirPush

The click-through rate should be considered conservative, and it remains unknown whether the URL shortening service was used by the cybercriminal(s) since day one of the campaign.

Dancho Danchev

Tuesday, December 03, 2013

Summarizing Webroot's Threat Blog Posts for November

The following is a brief summary of all of my posts at Webroot's Threat Blog for November, 2013. You can subscribe to Webroot's Threat Blog RSS Feed, or follow me on Twitter:

01. Google-dorks based mass Web site hacking/SQL injecting tool helps facilitate malicious online activity
02. Deceptive ads lead to the SpyAlertApp PUA (Potentially Unwanted Application)
03. Cybercriminals differentiate their ‘access to compromised PCs’ service proposition, emphasize on the prevalence of ‘female bot slaves’
04. New vendor of ‘professional DDoS for hire service’ spotted in the wild
05. Source code for proprietary spam bot offered for sale, acts as force multiplier for cybercrime-friendly activity
06. Low Quality Assurance (QA) iframe campaign linked to May’s Indian government Web site compromise spotted in the wild
07. Popular French torrent portal tricks users into installing the BubbleDock/Downware/DownloadWare PUA (Potentially Unwanted Application)
08. Web site of Brazilian ‘Prefeitura Municipal de Jaqueira’ compromised, leads to fake Adobe Flash player
09. Malicious multi-hop iframe campaign affects thousands of Web sites, leads to a cocktail of client-side exploits
10. Vendor of TDoS products/services releases new multi-threaded SIP-based TDoS tool
11. Cybercriminals spamvertise tens of thousands of fake ‘Sent from my iPhone’ themed emails, expose users to malware
12. Fake ‘Annual Form (STD-261) – Authorization to Use Privately Owned Vehicle on State Business’ themed emails lead to malware
13. ‘Newly released proxy-supporting Origin brute-forcing tools targets users with weak passwords’
14. Fake WhatsApp ‘Voice Message Notification’ themed emails expose users to malware
15. Cybercriminals impersonate HSBC through fake ‘payment e-Advice’ themed emails, expose users to malware
16. Fake ‘MMS Gallery’ notifications impersonate T-Mobile U.K, expose users to malware
17. Fake ‘October’s Billing Address Code’ (BAC) form themed spam campaign leads to malware

This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter.

Dancho Danchev

Thursday, November 14, 2013

Fake Chrome/Firefox/Internet Explorer/Safari Updates Expose Users to Android Malware

A currently ongoing malicious campaign using compromised sites as the primary traffic acquisition tactic, is attempting to socially engineer users (English and Russian speaking) into thinking that they're using an outdated version of their browser, and need to apply a bogus (security/antivirus) update. In reality though, the update is a variant of Trojan:Android/Fakeinst.EQ/Android.SmsSend.

Sample screenshots of the fake browser update landing pages:

Social engineering redirection chain: hxxp://france-leasebacks.com/includes/domit/1.php -> hxxp://advertcliks.net/ir/28/1405/56e9ca1335c2773445a79d5ddf75a755/ (93.115.82.239; Email: maxaxaha@gmail.com) -> hxxp://newupdateronline.org (109.163.230.182; Email: vbistrih@yandex.com).

Known to have responded to 109.163.230.182 are also the following domains:
1mc8.asia
anglecultivatep.in
appallinglyndiscoveries.in
bilious-6biros.in
boathire.pw
cvwv87.pro
dlsdcncnew1.pw
efuv77.pro
familye-perspex.in
farting-meagre.in
flvupdate.in
fringeclamberedk.in
hopefully-great8.in
investment-growsa.asia
money-tree.pw
moon-media.pw
moontree.pw
mountainlake.pw
movingv-relation.in
new-updateronline.org

Sample Android samples pushed by the campaign:
MD5: da7fffa08bdeb945ca8237c2894aedd0 - detected by 11 out of 46 antivirus scanners as Android.SmsSend.809.origin; Android.Trojan.FakeInst.HE
MD5: 1e1f57f6c8c9fb39da8965275548174f - detected by 17 out of 46 antivirus scanners as HEUR:Trojan-SMS.AndroidOS.FakeInst.fe; Andr/RuSms-AL
MD5: b0f597636859b7f5b2c1574d7a8bbbbb - detected by 13 out of 47 antivirus scanners as HEUR:Trojan-SMS.AndroidOS.FakeInst.fe; Andr/RuSms-AL
MD5: b40aebc327e1bc6aabe5ccb4f18e8ea4 - detected by 16 out of 48 antivirus scanners as Android:FakeIns-AF; Trojan:Android/Fakeinst.EQ

All samples phone back to dlsdcncnew.net (109.163.230.182; Email: constantin.zawyalov@yandex.ru). Responding to the same IP is also newapk-flv.org.

The same email is also known to have been previously used to register the following domains:
downloader8days.in
open-filedownload4.in (known to have responded to 188.95.159.30)
upweight.in
bestnewbrowsers.in
bestowedcomedyb.org (known to have responded to 109.163.230.180)
expandload.in
2012internet-load.in
4interfilefolder.in
99030.in
admitted-6crept.org
rufileserver.in

It appears that the traffic is not segmented -- to affect mobile device users only -- at any point of the redirection chain, an indication of what I believe is a boutique cybercrime-friendly operation. In comparison, the relatively more sophisticated ones would segment the traffic, usually acquired through the active exploitation of tens of thousands of legitimate Web sites, or the direct purchase of segmented mobile traffic.

Interestingly, both novice players in this market segment, and the experienced ones, are implementing basic evasive tactics, such as, for instance, the need to provide a valid mobile number, where a potential victim will receive a confirmation code for accessing the inventory of rogue games and applications, thereby preventing automatic acquisition of the apps for further analysis. Moreover, providing a valid mobile number to the cybercriminals behind the campaign, is naturally prone to be abused in ways largely based on the preferences of those who obtained them through such a way, therefore users are advised not to treat their mobile number in a privacy conscious way.

This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter.

Dancho Danchev

Fake Chrome/Firefox/Internet Explorer/Safari Updates Expose Users to Android Malware

Social engineering redirection chain: hxxp://france-leasebacks.com/includes/domit/1.php -> hxxp://advertcliks.net/ir/28/1405/56e9ca1335c2773445a79d5ddf75a755/ (93.115.82.239; Email: maxaxaha@gmail.com) -> hxxp://newupdateronline.org (109.163.230.182; Email: vbistrih@yandex.com).

Known to have responded to 109.163.230.182 are also the following domains:
1mc8.asia
anglecultivatep.in
appallinglyndiscoveries.in
bilious-6biros.in
boathire.pw
cvwv87.pro
dlsdcncnew1.pw
efuv77.pro
familye-perspex.in
farting-meagre.in
flvupdate.in
fringeclamberedk.in
hopefully-great8.in
investment-growsa.asia
money-tree.pw
moon-media.pw
moontree.pw
mountainlake.pw
movingv-relation.in
new-updateronline.org

Sample Android samples pushed by the campaign:
MD5: da7fffa08bdeb945ca8237c2894aedd0 - detected by 11 out of 46 antivirus scanners as Android.SmsSend.809.origin; Android.Trojan.FakeInst.HE
MD5: 1e1f57f6c8c9fb39da8965275548174f - detected by 17 out of 46 antivirus scanners as HEUR:Trojan-SMS.AndroidOS.FakeInst.fe; Andr/RuSms-AL
MD5: b0f597636859b7f5b2c1574d7a8bbbbb - detected by 13 out of 47 antivirus scanners as HEUR:Trojan-SMS.AndroidOS.FakeInst.fe; Andr/RuSms-AL
MD5: b40aebc327e1bc6aabe5ccb4f18e8ea4 - detected by 16 out of 48 antivirus scanners as Android:FakeIns-AF; Trojan:Android/Fakeinst.EQ

All samples phone back to dlsdcncnew.net (109.163.230.182; Email: constantin.zawyalov@yandex.ru). Responding to the same IP is also newapk-flv.org.

The same email is also known to have been previously used to register the following domains:
downloader8days.in
open-filedownload4.in (known to have responded to 188.95.159.30)
upweight.in
bestnewbrowsers.in
bestowedcomedyb.org (known to have responded to 109.163.230.180)
expandload.in
2012internet-load.in
4interfilefolder.in
99030.in
admitted-6crept.org
rufileserver.in

It appears that the traffic is not segmented -- to affect mobile device users only -- at any point of the redirection chain, an indication of what I believe is a boutique cybercrime-friendly operation. In comparison, the relatively more sophisticated ones would segment the traffic, usually acquired through the active exploitation of tens of thousands of legitimate Web sites, or the direct purchase of segmented mobile traffic.

Interestingly, both novice players in this market segment, and the experienced ones, are implementing basic evasive tactics, such as, for instance, the need to provide a valid mobile number, where a potential victim will receive a confirmation code for accessing the inventory of rogue games and applications, thereby preventing automatic acquisition of the apps for further analysis.

Moreover, providing a valid mobile number to the cybercriminals behind the campaign, is naturally prone to be abused in ways largely based on the preferences of those who obtained them through such a way, therefore users are advised not to treat their mobile number in a privacy conscious way.

Updates will be posted as soon as new developments take place.

Dancho Danchev

Tuesday, November 12, 2013

New Commercially Available Modular Malware Platform Released On the Underground Marketplace

Cybercriminals have recently released a new (v3 to be more precise indicating possible beneath the radar operation until now), commercially available, modular malware platform, including such cybercrime-friendly features like DNS Changer, Loaders, Injects, and Ransomware features -- completely blocking the Internet access of the affected user in this particular case -- with several upcoming modules such as stealth VNC, and Remote IE (a feature which would allow them to completely hijack any sort of encrypted session taking place on the affected host, naturally including the cookies).

Sample screenshots of the command and control interface+DNS Changer in action:

With prices for the standard package starting from $1,500, I expect that the malware bot will quickly gain market share thanks to its compatibility with existing/working crimeware concepts/releases, as well as thanks to the general availability of 24/7/365 managed malware crypting services, applying the necessary degree of QA (Quality Assurance) to a potential campaign before launching it. Moreover, yet another factor that would greatly contribute to the success of such type of newly released platforms is the the ease of acquisition of legitimate traffic -- think blackhat SEO, compromised FTP accounts, or mass SQL injection campaigns -- to be later on converted into malware-infected hosts, most commonly through social engineering, or the client-side exploitation of outdated and already patched vulnerabilities in browser plugins/third-party applications.

Furthermore, with or without the full scale modularity in place -- some of the modules are currently in the works, as well as the lack of built-in renting/reselling/traffic acquisition/affiliate network type of monetization elements, typical for what can be best described as platform type of underground market release compared to a standalone modular malware bot, the bot's worth keeping an eye on.

The DNS Changer IP seen in the screenshot 62.76.176.214 (62-76-176-214.clodo.ru), can also be connected to related malicious activity. For instance, MD5: cef012fb4fa7cd55f04558ecee04cd4e is known to have previously phoned back to 62.76.176.214.

And most interestingly, according to this assessment, next to phoning back to 62.76.176.214, the following malicious domains are also known to have been used as C&Cs by the same sample:
6r3u8874dfd9.com - known to have responded to 31.170.179.179
r55u87799hd39.com - known to have responded to 31.170.179.179
r95u8114dfd9.com

The following malicious MD5s are also known to have phoned back to the same C&C IP (31.170.179.179) since the beginning of the month:
MD5: 56f05611ec91f010d015536b7e9fe1a5
MD5: 49aeaa9fad5649d20a9c56e611e81d96
MD5: bf4fa138741ec4af0a0734b28142f7ae
MD5: cd92df2172a40ebb507fa701dcb14fea
MD5: 1d51cde1ab7a1d3d725e507089d3ba5e
MD5: a00695df0a50b3d3ffeb3454534d97a8
MD5: ea8340c95589ca522dac1e04839a9ab9
MD5: f2933ca59e8453a2b50f6d38a9ad9709
MD5: dd9c4ba82de8dcf0f3e440b302e223e8
MD5: d92ad37168605579319c3dff4d6e8c26
MD5: 004bf3f6b7f49d5c650642dde3255b16
MD5: deb8bcd6c7987ee4e0a95273e76feccd
MD5: 1791cb3e3da28aec11416978f415dcd3
MD5: 7eae6322c9dcaa0f12a99f2c52b70224
MD5: 0027511d25a820bcdc7565257fd61ba4
MD5: 294edcdaab9ce21cb453dc40642f1561
MD5: b414d9f54a723e8599593503fe0de4f1
MD5: 20ee0617e7dc03c571ce7d5c2ee6a0a0
MD5: e1059ae3fb9c62cf3272eb6449de23cf

This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter.

Dancho Danchev