Embassy of Portugal in India Serving Malware

Yet another embassy web site is falling victim into a malware attack serving Adobe exploits to its visitors. As of last Friday, the official web site of the Embassy of Portugal in India has been compromised (embportindia.co.in). Who's behind the attack? Interestingly, that's the very same group that compromised the Azerbaijanian Embassies in Pakistan and Hungary earlier this month. Assessing this campaign once again establishes a direct connection with the Rusian Business Network's pre-shutdown netblocks and static locations.

The very same domain using the same web traffic redirection script,  used in the malware campaigns at the Azerbaijanian Embassies in Pakistan and Hungary, can be found at the Portugal embassy's web site. betstarwager .cn/in.cgi?cocacola84 redirects to ghrgt.hostindianet .com/index.php?cocacola84 (94.247.3.151) where Multiple Adobe Reader and Acrobat buffer overflows are served :

zzzz.hostindianet .com/load.php?id=4 -> ghrgt.hostindianet .com/cache/readme.pdf
zzzz.hostindianet .com/load.php?id=5 -> ghrgt.hostindianet .com/cache/flash.swf

The second iFramed domain ntkrnlpa .cn/rc/ (159.226.7.162) has a juicy history linking it to previous campaigns. In February, 2008, an anti-malware vendor's site (AvSoft Technologie) was iFramed with the iFrame back then (ntkrnlpa .info/rc/?i=1) pointing to the Russian Business Network's original netblock It gets even more interesting when you take into consideration the fact that ntkrnlpa.info was also sharing ifrastructure with zief.pl, among the most widely abused domains in the recent Google Trends keywords hijacking campaigns. Zief.pl is also service of choice for certain campaigns of the Virut malware family, irc.zief.pl in particular.

It gets even more malicious considering that on the same IP (ntkrnlpa .cn/rc/ 159.226.7.162) where one of the malware domains in the embassy's campaign is parked, we can easily spot domains (baidu-baiduxin3 .cn for instance) that were participating in last year's IE7 massive zero day exploit serving campaign.  Moreover, in a typical multitasking stage, the cybercriminals behind the campaign are also hosting Zeus crimeware campaigns on it.

A reincarnation of a well known RBN domain, confirmed participation at related compromises of embassy web sites by the same group, sharing ifrastructure with domains from a massive IE7 ex-zero day attack and hosting Zeus crimeware command and control locations -underground multitasking at its best.

Related posts:
Ethiopian Embassy in Washington D.C Serving Malware
USAID.gov compromised, malware and exploits served
Azerbaijanian Embassies in Pakistan and Hungary Serving Malware
Embassy of India in Spain Serving Malware
Embassy of Brazil in India Compromised
The Dutch Embassy in Moscow Serving Malware
U.S Consulate in St. Petersburg Serving Malware
Syrian Embassy in London Serving Malware
French Embassy in Libya Serving Malware
Continue reading →

Ethiopian Embassy in Washington D.C Serving Malware - Part Two

Can a lightning strike the same place twice? In the world of cybercrime, there's no such thing as a coincidence especially when it comes to multiple malware embedded embassy web sites during the past couple of months courtesy of a single group, with soft-drinks themed redirectors establishing a direct connection with a well known RBN domain from the not so distance past.






Related posts:
Embassy of Portugal in India Serving Malware

Ethiopian Embassy in Washington D.C Serving Malware
USAID.gov compromised, malware and exploits served
Azerbaijanian Embassies in Pakistan and Hungary Serving Malware
Embassy of India in Spain Serving Malware
Embassy of Brazil in India Compromised
The Dutch Embassy in Moscow Serving Malware
U.S Consulate in St. Petersburg Serving Malware
Syrian Embassy in London Serving Malware
French Embassy in Libya Serving Malware Continue reading →

Syrian Embassy in London Serving Malware

After Bank of India was serving malware in August, next to the U.S Consulate in St.Petersburg two days later in September, now the Syrian Embassy in London is the latest victim of a popular malware embedding attack which took place between the 21st and 24th of September.

As obfuscating the IFRAMEs in order to make it harder for a security researcher to conduct CYBERINT is about to become a commodity with the feature implemented within the now commoditized malware kits, it's interesting to note that in this particular attack the attackers took advantage of different javascript obfuscations, and that once control of the domain was obtained, scam pages were uploaded on the

embassy's server. The embassy had recently removed the malicious IFRAMEs, but the third one remains active acting as a counter for the malicious campaign.

Which domains act as infection vectors?

sicil.info/forum/index.php and sicil.info/g/index.php (203.121.79.71) using patched vulnerabilities exploited in the usual MPack style :

function setslice_exploit
function vml_exploit
function firefox_exploit
function firefox1_exploit
function wmplayer_exploit
function qtime_exploit
function yahoo_e
function winzip_exploit
function flash_exploit
function w2k_ex

0ki.ru/forum/index.php (80.91.191.224) where a WebAttacker launches several other exploits, and x12345.org/img/counter.php?out=1189360677 (66.36.243.97)

What are the malware authors trying to infect the visitors with?

A Banker Trojan with a low detection rate :

BitDefender 2007.09.28 BehavesLike:Win32.ProcessHijack
Ikarus 2007.09.28 Trojan.Delf.NEB
Microsoft 2007.09.28 PWS:Win32/Ldpinch.gen
Symantec 2007.09.28 Infostealer.Banker.C

98shd3.exe
File size: 65024 bytes
MD5: ef98a662c72e3227d5c4bb3465133040
SHA1: e5b9b216d77de977848f8791850c726b45fc18c2

Think malware authors were virtually satisfied to only have the visitors infected with the malware? Not at all. This is perhaps the first but definitely not the last time I see an embassy hosting pharmaceutical scam pages and ring tone ones. List of historically hosted scam pages :

syrianembassy.co.uk/news/lv/levitra-vs-viagra.htm
syrianembassy.co.uk/news/lv/buy-levitra.htm
syrianembassy.co.uk/news/rn/michael-jackson-ringtone.htm
syrianembassy.co.uk/news/xa/cheap-discount.htm-group.com-herbal-xanax-xnx.htm
syrianembassy.co.uk/news/rn/free-mp3-ringtone-maker.htm
syrianembassy.co.uk/news/xa/buy-site-xanax.htm
syrianembassy.co.uk/news/ph/37-5mg-phentermine.htm

UPDATE :
The folks at ScanSafe contacted me to point out that they've discovered the malware at the Syrian embassy on the 12th of August providing us with more insights on how long the attackers had access to the embassy's site.

In ScanSafe's example, different malicious URLs (miron555.org/s/index.php) were rotated compared to the ones used during 21/24 of September. And given the embassy's site states it was last updated in 2005, cleaning it up and ensuring the attackers no longer have access to it may take a while. Continue reading →

Embassy of India in Spain Serving Malware

The very latest addition to the "embassies serving malware" series is the Indian Embassy in Spain/Embajada de la India en España (embajadaindia.com) which is currently iFrame-ED -- original infection seems to have taken place two weeks ago -- with three well known malicious domains.

Interestingly, the malicious attackers centralized the campaign by parking the three iFrames at the same IP, and since no efforts are put into diversifying the hosting locations, two of them have already been suspended. Let's dissect the third, and the only currently active one. iFrames embedded at the embassy's site:
msn-analytics .net/count.php?o=2
pinoc .org/count.php?o=2
wsxhost .net/count.php?o=2

wsxhost .net/count.php?o=2 (202.73.57.6) redirects to 202.73.57.6 /mito/?t=2 and then to 202.73.57.6 /mito/?h=2e where the binary is served, a compete analysis of which has already been published. The rest of the malicious domains -- registered to palfreycrossvw@gmail.com -- parked at mito's IP appear to have been participating in iFrame campaigns since August, 2008 :

google-analyze .cn
yahoo-analytics .net
google-analyze .org
qwehost .com
zxchost .com
odile-marco .com
edcomparison .com
fuadrenal .com
rx-white .com

As always, the embassy is iFramed "in between" the rest of the remotely injectable sites part of their campaigns. 

Related assessments of embassies serving malware:
Embassy of Brazil in India Compromised
The Dutch Embassy in Moscow Serving Malware
U.S Consulate in St. Petersburg Serving Malware
Syrian Embassy in London Serving Malware
French Embassy in Libya Serving Malware Continue reading →

Syrian Embassy in London Serving Malware

After Bank of India was serving malware in August, next to the U.S Consulate in St.Petersburg two days later in September, now the Syrian Embassy in London is the latest victim of a popular malware embedding attack which took place between the 21st and 24th of September. As obfuscating the IFRAMEs in order to make it harder for a security researcher to conduct CYBERINT is about to become a commodity with the feature implemented within the now commoditized malware kits, it's interesting to note that in this particular attack the attackers took advantage of different javascript obfuscations, and that once control of the domain was obtained, scam pages were uploaded on the embassy's server. The embassy had recently removed the malicious IFRAMEs, but the third one remains active acting as a counter for the malicious campaign.

Which domains act as infection vectors?

sicil.info/forum/index.php and sicil.info/g/index.php (203.121.79.71) using patched vulnerabilities exploited in the usual MPack style :

function setslice_exploit

function vml_exploit

function firefox_exploit

function firefox1_exploit

function wmplayer_exploit

function qtime_exploit
function yahoo_e

function winzip_exploit

function flash_exploit

function w2k_ex

0ki.ru/forum/index.php (80.91.191.224) where a WebAttacker launches several other exploits, and x12345.org/img/counter.php?out=1189360677 (66.36.243.97)

What are the malware authors trying to infect the visitors with?

A Banker Trojan with a low detection rate :

BitDefender 2007.09.28 BehavesLike:Win32.ProcessHijack

Ikarus 2007.09.28 Trojan.Delf.NEB

Microsoft 2007.09.28 PWS:Win32/Ldpinch.gen

Symantec 2007.09.28 Infostealer.Banker.C

98shd3.exe

File size: 65024 bytes

MD5: ef98a662c72e3227d5c4bb3465133040

SHA1: e5b9b216d77de977848f8791850c726b45fc18c2

Think malware authors were virtually satisfied to only have the visitors infected with the malware? Not at all. This is perhaps the first but definitely not the last time I see an embassy hosting pharmaceutical scam pages and ring tone ones. List of historically hosted scam pages :

syrianembassy.co.uk/news/lv/levitra-vs-viagra.htm

syrianembassy.co.uk/news/lv/buy-levitra.htm

syrianembassy.co.uk/news/rn/michael-jackson-ringtone.htm

syrianembassy.co.uk/news/xa/cheap-discount.htm-group.com-herbal-xanax-xnx.htm
syrianembassy.co.uk/news/rn/free-mp3-ringtone-maker.htm

syrianembassy.co.uk/news/xa/buy-site-xanax.htm

syrianembassy.co.uk/news/ph/37-5mg-phentermine.htm

UPDATE :

The folks at ScanSafe contacted me to point out that they've discovered the malware at the Syrian embassy on the 12th of August providing us with more insights on how long the attackers had access to the embassy's site. In ScanSafe's example, different malicious URLs (miron555.org/s/index.php) were rotated compared to the ones used during 21/24 of September. And given the embassy's site states it was last updated in 2005, cleaning it up and ensuring the attackers no longer have access to it may take a while.

Continue reading →

Ethiopian Embassy in Washington D.C Serving Malware

Oops, they keep doing it again and again. The web site of the Ethiopian Embassy in Washington D.C (ethiopianembassy.org) has been compromised and is currently iFrame-ed to point to a live exploits serving URL on behalf of Russian cybercriminals, naturally in a multitasking mode since the iFrame used to act as a redirector in several other malware campaigns.

Despite that the iFrame domain (1tvv .com/index.php) is already "taken care of", details on the original campaign can still be provided. Multiple dynamic redirectors with a hard coded malware serving domain are nothing new, thanks to sophisticated traffic management kits allowing this to happen. The mentality applied here is pretty simple and is basically mimicking fast-flux as a concept.

With or without one of the redirection domains, the campaign keeps running like the following: us18.ru/@/include/spl.php (91.203.4.112) as the hard coded malware serving domain within the mix, is currently serving Office Snapshot Viewer, MDAC, Adobe Collab overflow exploits etc. courtesy of web malware exploitation kit (Fiesta). Traffic management is done through trafficinc .ru and trafficmonsterinc .ru also parked at 91.203.4.112 with Win32.VirToolObfusca served at the end.

Related posts:
USAID.gov compromised, malware and exploits served
Azerbaijanian Embassies in Pakistan and Hungary Serving Malware
Embassy of India in Spain Serving Malware
Embassy of Brazil in India Compromised
The Dutch Embassy in Moscow Serving Malware
U.S Consulate in St. Petersburg Serving Malware
Syrian Embassy in London Serving Malware
French Embassy in Libya Serving Malware Continue reading →

Embassy of Brazil in India Compromised

Only an amateur or unethical competition would embedd malicious links at the Embassy of Brazil in India's site, referencing their online community. With the chances of an Embassy involvement into the fake antivirus software industry close to zero, let's assess the attack that took place.

The compromise is a great example of a mixed use of pure malicious domains in a combination with compromised legitimate ones and on purposely registered accounts at free web space providers, hosting the blackhat SEO content. However, digging deeper we expose the entire malicious doorways ecosystem pushing PDF exploits, banker malware and Zlob variants. The malicious attackers embedded links to their blackhat SEO farms advertising fake security software, and also a link to a traffic redirection doorway

epmwckme.dex1.com
htkobaf.dex1.com
ogbucof.dex1.com
segundomuelle.com/mex/antivirus
jgzleaa.dex1.com
igpran.ru/services/tolstye

The active and redirecting traff .asia (89.149.251.203) is currently serving a fake account suspended notice - "This account has been suspended. Either the domain has been overused, or the reseller ran out of resources." but is whatsoever redirecting us to antimalware09 .net. This particular traffic redirection doorway is actively redirecting us to a command and control server running a well known web malware exploitation kit which is currently serving PDF exploits.  

google-analyze .com/socket/index.php (216.195.59.77) from where we're redirected to google-analyze.com/tracker/load.php which is serving system.exe (Trojan-Spy.Win32.Zbot.ehk; Win32.TrojanSpy.Zbot.gen!C.5), and google-analyze .com/tracker/pdf.php (Exploit:Win32/Pdfjsc.G; Exploit.JS.Pdfka.w; Bloodhound.Exploit.196). Naturally, within the live exploit URLs there are multiple IFRAMEs redirecting us to more of this group's campaigns. google-analyze .com  has multiple IFRAMEs pointing to google-analystic .net (209.160.67.56), yet another traffic redirection doorway further exposing their campaigns.

For instance, google-analystic .net/in.cgi?20 loads google-analystic.net/tea.php (209.160.67.56) where google-analystic .net/in.cgi?8 is redirecting to 91.203.93.61 /in.cgi?2 taking us to 91.203.93.61 /25/2/ where we deobfuscate the javascript leading us to the exact location of the PDF exploit - 91.203.93.61 /25/2/getfile.php?f=pdf. This is just for starters. google-analystic .net/in.cgi?9 redirects to mangust32 .cn/pod/index.php (218.93.202.102) where they serve load.exe (Backdoor:Win32/Koceg.gen!A) at
mangust32 .cn/pod2/load.php and load.exe at mangust32 .cn/eto2/load.php, moreover, google-analystic .net/in.cgi?10 leads us to mmcounter .com/in.cgi?id194 (94.102.50.130) a traffic management login which is no longer responding. The last IFRAME found within google-analystic points to busyhere .ru/in.cgi?pipka (91.203.93.16) which redirects to beshragos .com/work/index.php (79.135.187.38) where once we deobfuscate the script, we get to see the PDF exploit location beshragos.com /work/getfile.php?f=pdf.

What's contributing to the increase of PDF exploits durin the last month? It's an updated version of a web based malware exploitation tool, which despite the fact that it remains proprietary for the time being, will leak in the next couple of weeks causing the usual short-lived epidemic.

Related posts:
The Dutch Embassy in Moscow Serving Malware
U.S Consulate in St. Petersburg Serving Malware
Syrian Embassy in London Serving Malware
French Embassy in Libya Serving Malware
Continue reading →

Login Details for Foreign Embassies in the Wild

Login details for international embassies have been in the wild since August 30th in a full disclosure style :

"Here is a list with working passwords to exactly 100 email-accounts to Embassies and Governments around the world. Yes it’s the real deal and still working when we are posting this. So why in the world would anyone publish this kind of information? Because seriously, I’m not going to call the president of Iran and tell him that I got access to all their embassies. I’m DEranged, not suicidal! He has bombs and stuff…"

The researcher's main motivation behind releasing these is that there's no point in contacting the email owners directly as no one would take his emails seriously enought and change them, so by going full disclosure it would prompt the embassies in question to change the passwords. Dan Egerstad may be quite right, at least on the passwords changing issue. Could these email accounts be accessed globally and if yes why? For instance, could Uzbekistan's embassy in London successfully login into Uzbekistan's embassy in Moscow, and even worse, could a host not belonging to the embassy's network access these mailboxes for flexibility? If yes, there're way too many ways this data could have been obtained. While going through the accounting data, we could both confirm that best practices for strong passwords are place at some embassies, and also question the lack of such best practices at certain ones, a security measure that works against brute forcing attempts, but is totally irrelevant when it comes to keylogging and sniffing.

Many people would logically consider the possibility of abusing these login details by obtaining the content of the mailboxes. However, another perspective worth keeping in mind is the use of this login data as the foundation for targeted attacks on a embassy-to-embassy basis, the way we've seen it happen before.

Continue reading →

Azerbaijanian Embassies in Pakistan and Hungary Serving Malware

The very latest addition to the "Compromised International Embassies Series" are the Hungarian and Pakistani embassies of the Republic of Azerbaijan, which are currently iFramed with exploits-serving domains.

Is there such a thing as a coincidence, especially when it comes to three malware embedded attacks in a week affecting Azerbaijan's USAID.gov section, and now their Pakistani (azembassy.com.pk) and Hungarian (azerembassy.hu) embassies?  Depends, and while the USAID.gov attack was exclusively orchestrated for their section, the Pakistani and Hungarian ones are part of a more widespread campaign. Theoretically, this could be a noise generation tactic. Here's a brief assessment of the attacks.

Both embassies are embedded with identical domains, parked at the same IP and redirecting to the same client-side exploits serving URL operated by Russian cybercriminals. filmlifemusicsite .cn/in.cgi?cocacola95; promixgroup .cn/in.cgi?cocacola91; betstarwager .cn/in.cgi?cocacola86 and betstarwager .cn/in.cgi?cocacola80 all respond to (78.26.179.64; 66.232.116.3) and redirect to clickcouner .cn/?t=5 (193.138.173.251)

Parked domains at 78.26.179.64; 66.232.116.3 :
denverfilmdigitalmedia .cn
litetopfindworld .cn
nanotopfind .cn
filmlifemusicsite .cn
litetoplocatesite .cn
litedownloadseek .cn
yourliteseek .cn
diettopseek .cn
bestlotron .cn
promixgroup .cn
betstarwager .cn

What prompted this sudden attention to Azerbaijanian web sites? Azerbaijan's President visit to Iran in the same week when Russian Foreign Minister Sergei Lavrov is visiting Azerbaijan? And why is the phone back domain for the malware served at the USAID.gov site phoning back to a well known Russian Business Network domain (fileuploader .cn/check/check.php) which was again active in January, 2008 and used by one of my favorite malware groups to monitor during 2007/2008 - the "New Media Malware Gang" (Part Three; Part Two and Part One)?

Food for thought.

Related posts:
Embassy of India in Spain Serving Malware
Embassy of Brazil in India Compromised
The Dutch Embassy in Moscow Serving Malware
U.S Consulate in St. Petersburg Serving Malware
Syrian Embassy in London Serving Malware
French Embassy in Libya Serving Malware Continue reading →

Historical OSINT - Inside the 2007-2009 Series of Cyber Attacks Against Multiple International Embassies

Remember, the, Russian, Business, Network, and, the, New, Media, Malware, Gang?

It's, been, several, years, since, I, last, posted, an, update, regarding, the, group's, activities, including, the, direct, establishing, of, a, direct, connection, between, the, Russian, Business, Network, the, New, Media, Malware, gang, including, a, variety, of, high, profile, Web, site, compromise, campaigns.

What's, particularly, interesting, about, the, group's, activities, is, the, fact, that, back, in, 2007, the, group's, activities, used, to, dominate, the, threat, landscape, in, a, targeted, fashion, including, the, active, utilization, of, client-side, exploits, and, the, active, exploitation, of, legitimate, Web, sites, successfully, positioning, the, group, including, the, Russian, Business, Network, as, a, leading, provider, of, malicious, activities, online, leading, to, a, series, of, analyses, successfully, detailing, the, activities, of, the, group, including, the, direct, establishing, of, a, connection, between, the, New, Media, Malware, Gang, the, Russian, Business, Network, and, the, Storm, Worm, botnet.

In, this, post, I'll, provide, a, detailed, analysis, of, the, group's, activities, discuss, in, the, depth, the, tactics, techniques, and, procedures, (TTPs), of, the, group, including, a, direct, establishing, of, a, connection, between, the, New, Media, Malware, Gang, the, Russian, Business, Network, and, the, direct, compromise, of, a, series, of, high, profile, Web, site, compromise, campaigns.

Having, successfully, tracked, down, and, profiled, the, group's, activities, for, a, period, of, several, years, and, based, on, the, actionable, intelligence, provided, regarding, the, group's, activities, we, can, easily, establish, a, direct, connection, between, the, New, Media, Malware, Gang, and, the, Russian, Business, Network, including, a, series, of, high, profile, Web, site, compromise, campaigns.

Key Summary Points:
- RBN Connection, New Media Malware Gang connection - "ai siktir" "Die()", money mule recruitment, money laundering of virtual currency
- Actionable CYBERINT data to assist law enforcement, academics and the private sector in ongoing or past cybercrime investigations
- Complete domain portfolios registered up to the present day using the same emails used to register the malicious domains during 2007-2009 to assist law enforcement, academics and the private sector in catching up with their malicious activities over the years
- Detailed analysis of each and every campaign's domain portfolios (up to present day) further dissecting the fraudulent schemes launched by the same cybercriminals that embedded malware on the embassies' web sites
- Complete IP Hosting History for each and every of the malicious domains/command and control servers during the time of the attack
 - The "Big Picture" detailing the inter-connections between the campaigns, with historical OSINT data pointing to the "New Media Malware Gang", back then customers of the Russian Business Network

Let's, profile, the, group's, activities, including, a, direct, establishing, of, a, connection, between, the, Russian, Business, Network, the, New, Media, Malware, Gang, and, the, Storm, Worm, botnet.

In, 2007, I, profiled, the, direct, compromise, of, the, Syrian, Embassy, in, London, including, a, related, compromise of, the, USAID.gov compromised, malware and exploits served, the, U.S Consulate St. Petersburg Serving Malware, Bank of India Serving Malware, French Embassy in Libya Serving Malware, Ethiopian Embassy in Washington D.C Serving Malware, Embassy of India in Spain Serving Malware, Azerbaijanian Embassies in Pakistan and Hungary Serving Malware, further, detailing, the, malicious, activities, of, the, Russian, Business, Network, and, the, New, Media, Malware, Gang.

Let's profile, the, campaigns, and, discuss, in, depth, the, direct, connection, between, the, group's, activities, the, Russian, Business, Network, and, the, New, Media, Malware, Gang.

sicil.info - on 2007-09-26 during the time of the attack, the domain was registered using the srvs4you@gmail.com email. The domain name first appeared online on 2006-06-10 with an IP 213.186.33.24. On 2007-07-11, it changed IPs to 203.121.79.71, followed by another change on 2008-01-06 to 202.75.38.150, another change on 2008-05-06 to 203.186.128.154, yet another change on 2008-05-18 to 190.183.63.103, and yet another change on 2008-07-27 to 190.183.63.56.

Related, malicious, MD5s, known, to, have, phoned, back, to, the, same, malicious, C&C, server, IPs (sicil.info):
MD5: 4802db20da46fca2a1896d4c983b13ba
MD5: f9434d86ef2959670b73a79947b0f4d2
MD5: 32dba64ae55e7bb4850e27274da42d1b
MD5: cd6a7ff6388fbd94b7ee9cdc88ca8f4d
MD5: 57dff9e8154189f0a09fb62450decac6

Known, to, have, responded, to, the, same, malicious, C&C, server, IPs (sicil.info), are, also, the, following, malicious, domains:
hxxp://144.217.69.62
hxxp://63.246.128.71
hxxp://207.150.177.28
hxxp://66.111.47.62
hxxp://66.111.47.4
hxxp://66.111.47.8

Related, malicious, MD5s, known, to, have, responded, to, the, same, malicious, C&C, server, IPs (213.186.33.24):
MD5: 1a08c0ce5ab15e6fd8f52cd99ea64acb
MD5: 95cc3a0243aa050243ab858794c1d221
MD5: cc63d67282789e03469f2e6520c6de80
MD5: 3829506c454b86297d2828077589cbf8
MD5: 1e18b17149899d55d3625d47135a22a7

Once, executed, a, sample, malware (MD5: 1a08c0ce5ab15e6fd8f52cd99ea64acb), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://ioasis.org - 208.112.115.36
hxxp://polyhedrusgroup.com - 143.95.229.33
hxxp://espoirsetvie.com - 213.186.33.24
hxxp://ladiesdehaan.be - 185.59.17.113
hxxp://chonburicoop.net - 27.254.96.151
hxxp://ferienwohnung-walchensee-pur.de - 109.237.138.48

Related posts: Dissecting a Sample Russian Business Network (RBN) Contract/Agreement Through the Prism of RBN's AbdAllah Franchise

Related, malicious, MD5s, known, to, have, phoned, back, to, the, same, malicious, C&C, server, IPs (0ki.ru; 89.179.174.156):
MD5: cd33ea55b2d13df592663f18e6426921
MD5: 8e0c7757b82d14b988afac075e8ed5dc
MD5: e6aaafcafdd0a20d6dbe7f8c0bf4d012
MD5: e513a1b25e59670f777398894dfe41b6
MD5: 0fad43c03d80a1eb3a2c1ae9e9a6c9ed
MD5: 6e1b789f0df30ba0798fbc47cb1cec1c
MD5: 9f02232ed0ee609c8db1b98325beaa94

Once, executed, a, sample, malware (MD5: e6aaafcafdd0a20d6dbe7f8c0bf4d012), phones, back, to, the, following, C&C, server, IPs:
hxxp://lordofthepings.ru (173.254.236.159)
hxxp://poppylols.ru
hxxp://chuckboris.ru
hxxp://kosherpig.xyz
hxxp://ladyhaha.xyz
hxxp://porkhalal.site
hxxp://rihannafap.site
hxxp://bieberfans.top
hxxp://runands.top
hxxp://frontlive.net
hxxp://offerlive.net
hxxp://frontserve.net
hxxp://offerserve.net
hxxp://hanghello.ru
hxxp://hanghello.net
hxxp://septemberhello.net
hxxp://hangmine.net
hxxp://septembermine.net
hxxp://hanglive.net
hxxp://wrongserve.ru
hxxp://wrongserve.net
hxxp://madelive.net

Once, executed, a, sample, malware (MD5: e513a1b25e59670f777398894dfe41b6), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://riddenstorm.net - 208.100.26.234
hxxp://lordofthepings.ru - 173.254.236.159
hxxp://yardlive.ru
hxxp://yardlive.net
hxxp://musiclive.net - 141.8.225.124
hxxp://yardserve.net
hxxp://musicserve.net - 185.53.177.20
hxxp://wenthello.net
hxxp://spendhello.ru
hxxp://wentmine.net
hxxp://spendmine.net
hxxp://spendhello.net
hxxp://joinlive.net
hxxp://wentserve.ru
hxxp://hanghello.net
hxxp://joinhello.net

hxxp://x12345.org - 46.4.22.145

Related, malicious, MD5s, known, to, have, phoned, back, to, the, same, malicious, C&C, server, IPs (miron555.org):
MD5: 0e423596c502c1e28cce0c98df2a2b6d
MD5: e75d92defb11afe50a8cc51dfe4fb6ee
MD5: adcedd763f541e625f91030ee4de7c19
MD5: 2c664a4c1374b3d887f59599704aef6c
MD5: 2c664a4c1374b3d887f59599704aef6c
MD5: 0e423596c502c1e28cce0c98df2a2b6d

Over the years (up to present day) srvs4you@gmail.com is also known to have been used to register the following domains:
hxxp://10lann10.org
hxxp://24cargo.net
hxxp://ace-assist.biz
hxxp://activation-confirm.com
hxxp://adwoords.net
hxxp://alert-careerbuilder.com
hxxp://annebehnert.info
hxxp://apollo-services.net
hxxp://appolage.org
hxxp://auctions-ukash.com
hxxp://bbcfinancenews.com
hxxp://bestgreatoffers.org
hxxp://blackbird-registration.com
hxxp://bloomborg.biz
hxxp://businessproc1.com
hxxp://bussolutionsinc.org
hxxp://calisto-trading.com
hxxp://calisto-trading.net
hxxp://calisto-trading.org
hxxp://candy-country.com
hxxp://casheq.com
hxxp://cfca-usa.com
hxxp://cfodaily.biz
hxxp://citizenfinancial.net
hxxp://citylending.net
hxxp://clean2mail.com
hxxp://confirm-activation.com
hxxp://consultingwiz.org
hxxp://courierusa-online.com
hxxp://cristhmasx.com
hxxp://d-stanley.net
hxxp://dariazacherl.info
hxxp://des-group.com
hxxp://digital-investment-projects.com
hxxp://dns4your.net
hxxp://dvasuka.com
hxxp://easy-midnight.com
hxxp://easy-transfer.biz
hxxp://easymidnight.com
hxxp://ecareerstyle.com
hxxp://ecnoho.com
hxxp://efinancialnews.biz
hxxp://eluxuryauctions.com
hxxp://elx-ltd.net
hxxp://elx-trading.org
hxxp://elxltd.net
hxxp://emoney-ex.com
hxxp://epsincorp.net
hxxp://equitrust.org
hxxp://erobersteng.com
hxxp://erxlogistics.com
hxxp://esdeals.com
hxxp://estemaniaks.com
hxxp://eu-bis.com
hxxp://eu-cellular.com
hxxp://eubiz.org
hxxp://euwork.org
hxxp://expressdeal.info
hxxp://ezado.net
hxxp://fairwaylending.org
hxxp://fan-gaming.org
hxxp://fcinternatonal1.com
hxxp://fidelitylending.net
hxxp://financial-forbes.com
hxxp://financialnews-us.net
hxxp://firstcapitalgroup.org
hxxp://freemydns.org
hxxp://fremontlending.net
hxxp://fresh-solutions-mail.com
hxxp://fresh-solutions.us
hxxp://garnantfoundation.com
hxxp://gazenvagen.com
hxxp://globerental.com
hxxp://googmail.biz
hxxp://i-expertadvisor.com
hxxp://icebart.com
hxxp://icqdosug.com
hxxp://iesecurityupdates.com
hxxp://indigo-consulting.org
hxxp://indigo-job-with-us.com
hxxp://indigojob.com
hxxp://indigovacancies.com
hxxp://inncoming.com
hxxp://ivsentns.com
hxxp://iwiwlive.net
hxxp://iwiwonline.net
hxxp://jobs-in-eu.org
hxxp://kelermaket.com
hxxp://kklfnews.com
hxxp://knses.com
hxxp://komodok.com
hxxp://krdns.biz
hxxp://ksfcnews.com
hxxp://ksfcradio.com
hxxp://ktes314.org
hxxp://lda-import.com
hxxp://legal-solutions.org
hxxp://lgcareer.com
hxxp://lgtcareer.com
hxxp://librarysp.com
hxxp://littlexz.com
hxxp://mariawebber.org
hxxp://megamule.net
hxxp://moneycnn.biz
hxxp://njnk.net
hxxp://ns4ur.net
hxxp://nytimesnews.biz
hxxp://o2cash.net
hxxp://offsoftsolutions.com
hxxp://pcpro-tbstumm.com
hxxp://perfect-investments.org
hxxp://progold-inc.biz
hxxp://protectedsession.com
hxxp://razsuka.com
hxxp://reutors.biz
hxxp://rushop.us
hxxp://science-and-trade.com
hxxp://secure-operations.org
hxxp://securesitinngs.com
hxxp://servicessupport.biz
hxxp://sessionprotected.com
hxxp://sicil.info
hxxp://sicil256.info
hxxp://simple-investments-mail.org
hxxp://simple-investments.net
hxxp://simple-investments.org
hxxp://sp3library.com
hxxp://speeduserhost.com
hxxp://storempire.com
hxxp://tas-corporation.com
hxxp://tas-corporation.net
hxxp://tascorporation.net
hxxp://topixus.net
hxxp://tsrcorp.net
hxxp://u-file.org
hxxp://ukashauction.net
hxxp://ultragame.org
hxxp://unitedfinancegroup.org
hxxp://vanessakoepp.org
hxxp://verymonkey.com
hxxp://vesa-group.com
hxxp://vesa-group.net
hxxp://vipvipns.net
hxxp://vipvipns.org
hxxp://wondooweria.com
hxxp://wondoowerka.com
hxxp://wootpwnseal.com
hxxp://worldeconomist.biz
hxxp://wumtt-westernunion.com
hxxp://xsoftwares.com
hxxp://xxx2008xxx.com
hxxp://yourcashlive.com
hxxp://yourlive.biz
hxxp://yourmule.com

On 2008-09-25 0ki.ru was registered using the kseninkopetr@nm.ru email. The same email address is not known to have been used to register any additional domains.

On 2008-06-19 x12345.org was registered using the xix.x12345@yahoo.com email. On 2007-09-10 the domain use to respond to 66.36.243.97, then on 2007-11-13 it changed IPs to 58.65.236.10, following another change on 2008-05-06 to 203.186.128.154. No other domains are known to have been registered using the same email address.

On 2007-06-07, miron555.org was registered using the mironbot@gmail.com email, followed by another registration email change on 2008-02-12 to nepishite555suda@gmail.com. On 2007-04-24, the domain responded to 75.126.4.163. It then changed IPs on 2007-05-09 to 203.121.71.165, followed by another change on 2007-06-08 to 58.65.239.247, yet another change on 2007-07-15 to 58.65.239.10, another change on 2007-08-19 to 58.65.239.66, more IP changes on 2007-09-03 to 217.170.77.210, and yet another change on 2007-09-18 to 88.255.90.138.

Historically (up to present day), mironbot@gmail.com is also known to have been used to register the following domains:
hxxp://24-7onlinepharmacy.net
hxxp://bestmoviesonline.info
hxxp://brightstonepharma.com
hxxp://deapotheke.com
hxxp://dozor555.info
hxxp://my-traff.cn
hxxp://pharmacyit.net
hxxp://trffc.org
hxxp://trffc3.ru
hxxp://xmpharm.com

In, 2008, I, profiled, the, direct, compromise, of, The Dutch Embassy in Moscow Serving Malware, further, detailing, the, malicious, and, activity, of, the, Russian, Business, Network, and, the, New, Media, Malware, Gang.

Let's, profile, the, campaign, and, discuss, in-depth, the, direct, connection, between, the, group's, activities, and, the, direct, compromise, of, the, Embassy's Web, site.

On 2009-03-04, lmifsp.com was registered using the redemption@snapnames.com email. On 2007-11-30, it used to respond to 68.178.194.64, then on 2008-12-01 it changed IPs to 68.178.232.99.

In, 2008, I, profiled, the, direct, compromise, of, Embassy of Brazil in India Compromised, further, establishing, a, direct, connection, between, the, group's, activities, and, the, Russian, Business, Network.

Let's, profile, the, campaign, and, discuss, in-depth, the, direct, connection, between, the, group's, activities, and, the, Russian, Business, Network.

hxxp://google-analyze.com - 87.118.118.193

Related, malicious, MD5s, known, to, have, phoned, back, to, the, same, malicious, C&C, server, IPs (google-analyze.com - 87.118.118.193):
MD5: 2bcb74c95f30e3741210c0de0c1b406f

On 2008-10-15, traff.asia was registered using the traffon@gmail.com email.

On 2008-06-19, google-analyze.com was registered using the incremental@list.ru email. On 2007-12-21 it responded to 66.36.241.153, then it changed IPs on 2007-12-22 to 66.36.231.94, followed by another change on 2008-02-03 to 79.135.166.74, then to 195.5.116.251 on 2008-03-16, to 70.84.133.34 on 2008-07-31, followed by yet another change to 216.195.59.77 on 2008-09-15.

On 2008-08-05, google-analystic.net, is, known, to, have, responded, to, 212.117.163.162, and, was registered using the abusecentre@gmail.com email. On 2008-04-11 it used to respond to 64.28.187.84, it then changed IPS to 85.255.120.195 on 2008-08-03, followed by another change on 2008-08-10 to 85.255.120.194, then to 85.255.120.197 on 2008-09-07, to 69.50.161.117 on 2008-09-14, then to 66.98.145.18 on 2008-10-11, followed by another change on 2008-10-25 to 209.160.67.56.

On 2008-11-11, beshragos.com was registered using the migejosh@yahoo.com email. On 2008-11-11 it used to respond to 79.135.187.38.

In, 2009, I, profiled, the, direct, compromise, of, Ethiopian Embassy in Washington D.C Serving Malware, further, detailing, the, group's, activities, further, establishing, a, direct, connection, between, the, group's, activities, and, the, Russian, Business, Network.

Let's, profile, the, campaign, and, discuss, in-depth, the, direct, connection, between, the, group's, activities, and, the, Russian, Business, Network.

On 2009-01-19, 1tvv.com is, known, to, have, responded, to, 69.172.201.153; 66.96.161.140; 122.10.52.139; 122.10.18.138; 67.229.44.15; 74.200.250.130; 69.170.135.92; 64.74.223.38, and, was registered using the mogensen@fontdrift.com email.

On 2005-08-27, the domain (1tvv.com) is, known, to, have, responded to 198.65.115.93, then on 2006-05-12 to 204.13.161.31, with yet another IP change on 2010-04-08 to 216.240.187.145, followed by yet another change on 2010-06-02 to 69.43.160.145, then on 2010-07-25 to 69.43.160.145.

On 2010-01-04, trafficinc.ru was registered using the auction@r01.ru email.

On 2009-03-01, trafficmonsterinc.ru was registered using the trafficmonsterinc.ru@r01-service.ru email.

On 2009-05-02, us18.ru, is, known, to, have, responded, to, 109.70.26.37; 185.12.92.229; 109.70.26.36, and, was registered using the belyaev_andrey@inbox.ru email.

Related, malicious, MD5s, known, to, have, phoned, back, to, the, same, malicious, C&C, server, IPs:
MD5: 0b545cd12231d0a4239ce837cd371166
MD5: dae41c862130daebcff0e463e2c30e50
MD5: 601806c0a01926c2a94558148764797a
MD5: 45f97cd8df4448bbe073a38c264ef93f
MD5: 94aeba45e6fb4d17baa4989511e321b3

Related, malicious, MD5s, known, to, have, phoned, back, to, the, same, malicious, C&C, server, IPs (69.172.201.153):
MD5: 4e0ce2f9f92ac5193c2a383de6015523
MD5: a38d47fcfdaf14372cea3de850cf487d
MD5: 014d2f1bae3611e016f96a37f98fd4b7
MD5: daad60cb300101dc05d2ff922966783b
MD5: 0a775110077e2c583be56e5fb3fa4f09

Once, executed, a, sample, malware (MD5: 4e0ce2f9f92ac5193c2a383de6015523), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://pelcpawel.fm.interia.pl - 217.74.66.160
hxxp://pelcpawel.fm.interiowo.pl - 217.74.66.160
hxxp://chicostara.com - 91.142.252.26
hxxp://suewyllie.com
hxxp://dewpoint-eg.com - 195.157.15.100
hxxp://sso.anbtr.com - 195.22.28.222

Once, executed, a, sample, malware (MD5: a38d47fcfdaf14372cea3de850cf487d), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://ledyazilim.com - 213.128.83.163
hxxp://ksandrafashion.com - 166.78.145.90
hxxp://lafyeri.com - 69.172.201.153
hxxp://kulppasur.com - 52.28.249.128
hxxp://toalladepapel.com.ar

hxxp://trafficinc.ru, is, known, to, have, responded, to, 222.73.91.203

hxxp://trafficmonsterinc.ru, is, known, to, have, responded, to, 178.208.83.7; 178.208.83.27; 91.203.4.112

Related, malicious, MD5s, known, to, have, phoned, back, to, the, same, malicious, C&C, server, IPs:
MD5: ce4e2e12ee16d5bde67a3dc2e3da634b
MD5: 4423e04fb3616512bf98b5a565fccdd7
MD5: 33f890c294b2ac89d1ee657b94e4341d
MD5: 1c5096c3ce645582dd18758fe523840a
MD5: 1efae0b0cb06faacae46584312a12504

Once, executed, a, sample, malware (MD5: ce4e2e12ee16d5bde67a3dc2e3da634b), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://rms-server.tektonit.ru - 109.234.156.179
hxxp://365invest.ru - 178.208.83.7

Once, executed, a, sample, malware (MD5: 4423e04fb3616512bf98b5a565fccdd7), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://topstat.mcdir.ru - 178.208.83.7

Once, executed, a, sample, malware (MD5: 33f890c294b2ac89d1ee657b94e4341d), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://cadretest.ru - 178.208.83.7

Once, executed, a, sample, malware (MD5: 1c5096c3ce645582dd18758fe523840a), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://pelcpawel.fm.interia.pl - 217.74.65.161
hxxp://testtrade.ru - 178.208.83.7
hxxp://chicostara.com - 91.142.252.26

In, 2009, I, profiled, the, direct, compromise, of Embassy of India in Spain Serving Malware, further, detailing, the, malicious, activity, further, establishing, a, direct, connection, between, the, group's, activities, and, the, Russian, Business, Network.

On 2008-09-07, msn-analytics.net was registered using the palfreycrossvw@gmail.com email. On 2007-06-17 it used to respond to 82.98.235.50, it then changed IPs on 2008-09-07 to 58.65.234.9, followed by another change on 2009-11-14 to 96.9.183.149, then to 96.9.158.41 on 2009-12-29, and to 85.249.229.195 on 2010-03-09.

On 2008-07-10, pinoc.org was registered using the 4ykakabra@gmail.com email. On 2008-07-10 it responded to 58.65.234.9, it then changed IPs on 2008-08-17 to 91.203.92.13, followed by another change on 2008-08-24 to 58.65.234.9, followed by yet another change to 208.73.210.76 on 2009-10-03, and yet another change on 2009-10-06 to 96.9.186.245.

On 2008-09-20, wsxhost.net was registered using the palfreycrossvw@gmail.com email. On 2008-09-20 wsxhost.net responded to 58.65.234.9, it then changed IPs on 2008-12-22 to 202.73.57.6, followed by another change on 2009-05-18 to 202.73.57.11, yet another change on 2009-06-22 to 92.38.0.66, then to 91.212.198.116 on 2009-07-06, yet another change on 2009-08-17 to 210.51.187.45, then to 210.51.166.239 on 2009-08-25, and finally to 213.163.89.54 on 2009-09-05.

On 2008-06-29 google-analyze.cn was registered using the johnvernet@gmail.com email.

Historically (up to present day) johnvernet@gmail.com is known to have registered the following domains:
hxxp://baidustatz.com
hxxp://edcomparison.com
hxxp://google-analyze.org
hxxp://google-stat.com
hxxp://kolkoman.com
hxxp://m-analytics.net
hxxp://pinalbal.com
hxxp://pornokman.com
hxxp://robokasa.com
hxxp://rx-white.com
hxxp://sig4forum.com
hxxp://thekapita.com
hxxp://visittds.com

msn-analytics.net, is, known, to, have, responded, to, 216.157.88.21; 85.17.25.214; 216.157.88.22; 85.17.25.215; 85.17.25.202; 216.157.88.25; 5.39.99.49; 167.114.156.214; 5.39.99.50; 66.135.63.164; 85.17.25.242; 69.43.161.210

Related, malicious, MD5s, known, to, have, phoned, back, to, the, same, malicious, C&C, server, IPs:
MD5: eb95798965a18e7844f4c969803fbaf8
MD5: 106b6e80be769fa4a87560f82cd24b57
MD5: 519a9f1cb16399c515723143bf7ff0d0
MD5: b537c3d65ecc8ac0f3cd8d6bf3556da5
MD5: 613e8c31edf4da1b8f8de9350a186f41

Once, executed, a, sample, malware (MD5: eb95798965a18e7844f4c969803fbaf8), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://vboxsvr.ovh.net
hxxp://thinstall.abetterinternet.com - 85.17.25.214
hxxp://survey-winner.net - 94.229.72.117
hxxp://survey-winner.net - 208.91.196.145
hxxp://comedy-planet.com

Once, executed, a, sample, malware (MD5: 106b6e80be769fa4a87560f82cd24b57), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://memberfortieth.net
hxxp://beginadvance.net
hxxp://knownadvance.net
hxxp://beginstranger.net
hxxp://knownstranger.net - 23.236.62.147

Once, executed, a, sample, malware (MD5: b537c3d65ecc8ac0f3cd8d6bf3556da5), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://followfortieth.net
hxxp://memberfortieth.net
hxxp://beginadvance.net
hxxp://knownadvance.net
hxxp://beginstranger.net
hxxp://knownstranger.net - 23.236.62.147

pinoc.org, is, known, to, have, responded, to, 103.224.212.222; 185.53.179.24; 185.53.179.9; 185.53.177.10; 188.40.174.81; 46.165.247.18; 178.162.184.130

Related, malicious, MD5s, known, to, have, phoned, back, to, the, same, malicious, C&C, server, IPs:
MD5: 000125b0d0341fc078c7bdb5b7996f9e
MD5: b3bbeaca85823d5c47e36959b286bb22
MD5: 4faa9445394ba4edf73dd67e239bcbca
MD5: 9f3b9de8a3e7cd8ee2d779396799b17a
MD5: 38d07b2a1189eb1fd64296068fbaf08a

Once, executed, a, sample, malware, phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://os.onlineapplicationsdownloads.com - 103.224.212.222
hxxp://static.greatappsdownload.com - 54.230.187.48
hxxp://ww1.os.onlineapplicationsdownloads.com - 91.195.241.80
hxxp://os2.onlineapplicationsdownloads.com - 103.224.212.222
hxxp://ww1.os2.onlineapplicationsdownloads.com - 91.195.241.80

Once, executed, a, sample, malware, phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://errors.myserverstat.com - 103.224.212.222

Once, executed, a, sample, malware, phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://scripts.dlv4.com - 103.224.212.222
hxxp://ww38.scripts.dlv4.com - 185.53.179.29

Once, executed, a, sample, malware, phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://complaintsboard.com - 208.100.35.85
hxxp://7ew8gov.firoli-sys.com - 103.224.212.222
hxxp://yx-vom2s.hdmediastore.com - 45.33.9.234
hxxp://q8x3kb.wwwmediahosts.com - 204.11.56.48

Once, executed, a, sample, malware, phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://newworldorderreport.com - 50.63.202.29
hxxp://69jh93.firoli-sys.com - 103.224.212.222
hxxp://bpvv11ndq5.wwwmediahosts.com - 204.11.56.48
hxxp://0dbhwuja.hdmediastore.com - 45.33.9.234

wsxhost.net, is, known, to, have, responded, to, 184.168.221.45; 50.63.202.82; 69.43.161.172

Related, malicious, MD5s, known, to, have, responded, to, the, same, malicious, C&C, server, IPs:
MD5: 117036e5a7b895429e954f733e0acada
MD5: 1172e5a2ca8a43a2a2274f2c3b76a7be
MD5: 6e330742d22c5a5e99e6490de65fabd6
MD5: f1c9cd766817ccf55e30bb8af97bfdbb
MD5: 7f4145bc211089d9d3c666078c35cf3d

Once, executed, a, sample, malware (MD5: 117036e5a7b895429e954f733e0acada), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://amacweb.org
hxxp://superaffiliatehookup.com
hxxp://germanamericantax.com
hxxp://lineaidea.it
hxxp://speedysalesletter.com

Once, executed, a, sample, malware (MD5: 1172e5a2ca8a43a2a2274f2c3b76a7be), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://allstatesdui.com - 50.63.202.36
hxxp://wellingtontractorparts.com - 72.167.232.158
hxxp://amacweb.org - 160.16.211.99
hxxp://nctcogic.org - 207.150.212.74

Once, executed, a, sample, malware (MD5: 6e330742d22c5a5e99e6490de65fabd6), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://santele.be - 176.62.170.69
hxxp://fever98radio.com - 141.8.224.93
hxxp://brushnpaint.com - 74.220.219.132
hxxp://jameser.com - 54.236.195.15
hxxp://hillsdemocrat.com - 67.225.168.30

Once, executed, a, sample, malware (MD5: f1c9cd766817ccf55e30bb8af97bfdbb), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://riddenstorm.net - 208.100.26.234
hxxp://lordofthepings.ru - 109.70.26.37
hxxp://afterpeace.net - 195.38.137.100
hxxp://sellhouse.net - 184.168.221.45

Once, executed, a, sample, malware (MD5: 7f4145bc211089d9d3c666078c35cf3d), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://riddenstorm.net - 208.100.26.234
hxxp://lordofthepings.ru - 109.70.26.37
hxxp://forcerain.net
hxxp://afterrain.net - 50.63.202.43)
hxxp://forcerain.ru
hxxp://forceheld.net

google-analyze.cn, is, known, to, have, responded, to, 103.51.144.81; 184.105.178.89; 65.19.157.235; 124.16.31.146; 123.254.111.190; 103.232.215.140; 103.232.215.147; 205.164.14.78; 50.117.116.117; 50.117.120.254; 205.164.24.45; 50.117.116.205; 50.117.122.90; 184.105.178.84; 50.117.116.204

Related malicious MD5s known to have phoned back to the same malicious C&C, server, IPs:
MD5: df05460b5e49cbba275f6d5cbd936d1d
MD5: 7732ffcf2f4cf1d834b56df1f9d815c9
MD5: 615eb515da18feb2b87c0fb5744411ac
MD5: 24fec5b3ac1d20e61f2a3de95aeb177c
MD5: 348eed9b371ddb2755eb5c2bfaa782ee

On 2008-08-27, yahoo-analytics.net was registered using the fuadrenalray@gmail.com email.

- google-analyze.org - Email: johnvernet@gmail.com - on, 2008-07-09, google-analyze.org , is, known, to, have, responded, to, 58.65.234.9, followed, by, a, hosting, change, on, 2008-08-17, with, google-analyze.org, responding, to, 91.203.92.13, followed, by, another, hosting, change, on, 2008-08-24, with, google-analyze.org, responding, to, 202.73.57.6.

- qwehost.com - Email: 4ykakabra@gmail.com - on, 2009-05-18, qwehost.com, is, known, to, have, responded, to, 202.73.57.11, followed, by, a, hosting, change, to, 202.73.57.11, followed, by, another, hosting, change, on, 2009-06-22, pointing, to, 92.38.0.66, followed, by, yet, another, hosting, change, pointing, to, 91.212.198.116, followed, by, yet, another, hosting, change, on, 2009-08-17, pointing, to, 210.51.187.45.

- zxchost.com - Email: 4ykakabra@gmail.com - on, 2009-03-02, zxchost.com, is, known, to, have, responded, to, 202.73.57.6, followed, by, a, hosting, change, on, 2009-05-18, pointing, to, 202.73.57.11, followed, by, yet, another, hosting, change, on, 2009-06-22, pointing, to, 92.38.0.66, followed, by, yet, another, hosting, change, on, 2009-08-25, pointing, to, 210.51.166.239.

- odile-marco.com - Email: OdileMarcotte@gmail.com - on, 2009-05-18, odile-marco.com, is, known, to, have, responded, to, 202.73.57.6, followed, by, a, hosting, change, on, 2009-06-22, pointing, to, 202.73.57.11, followed, by, yet, another, hosting, change, on, 2009-07-06, pointing, to, 92.38.0.66, followed, by, yet, another, hosting, change, on, 2009-08-17, pointing, to, 91.212.198.116.

- edcomparison.com - Email: johnvernet@gmail.com - on, 2009-05-18, edcomparison.com, is, known, to, have, responded, to, 202.73.57.6, followed, by, a, hosting, change, on, 2009-06-22, pointing, to, 202.73.57.11, followed, by, yet, another, hosting, change, on, 2009-07-13,  this, time, pointing, to, 92.38.0.66, followed, by, yet, another, hosting, change, on, 2009-08-17, this, time, pointing, to, 210.51.187.45.

- fuadrenal.com - Email: fuadrenalRay@gmail.com - on, 2009-01-26, fuadrenal.com, is, known, to, have, responded, to, 202.73.57.6, followed, by, a, hosting, change, on, 2009-05-18, pointing, to, 202.73.57.11, followed, by, yet, another, hosting, change, on, 2009-07-13, this, time, pointing, to, 91.212.198.116, followed, by, yet, another, hosting, change, on, 2009-08-17, this, time, pointing, to, 91.212.198.116.

- rx-white.com - Email: johnvernet@gmail.com - on, 2009-05-18, rx-white.com, is, known, to, have, responded, to, 202.73.57.6, followed, by, a, hosting, change, on, 2009-06-22, pointing, to, 202.73.57.11, followed, by, yet, another, hosting, change, on, 2009-07-06, this, time, pointing, to, 92.38.0.66, followed, by, yet, another, hosting, change, on, 2009-08-17, this, time, pointing, to, 91.212.198.116.

In, 2009, I, profiled, the, direct, compromise, of, Embassy of Portugal in India Serving Malware, further, establishing, a, direct, connection, between, the, group's, activities, and, the, Russian, Business, Network.

On, 2009-03-30, ntkrnlpa.info, is, known, to, have, responded, to, 83.68.16.6. Related, domains, known, to, have, participated, in, the, same, campaign - betstarwager.cn; ntkrnlpa.cn.

In, 2007, I, profiled, the, direct, compromise, of, French Embassy in Libya Serving Malware, further, establishing, a, direct, connection, between, the, group's, activities, and, the, Russian, Business, Network.

On, 2008-11-05, tarog.us (Email: bobby10@mail.zp.ua), used, to, respond, to, 67.210.13.94, followed, by, a, hosting, change, on, 2009-03-02, pointing, to, 208.73.210.121. Related, domains, known, to, have, participated, in, the, campaign: fernando123.ws; winhex.org - Email: ipspec@gmail.com

On, 2007-02-18, winhex.org, used, to, respond, to, 195.189.247.56, followed, by, a, hosting, change, on, 2007-03-03, pointing, to, 89.108.85.97, followed, by, yet, another, hosting, change, on, 2007-04-29, this, time, pointing, to, 203.121.71.165, followed, by, yet, another, hosting, change, on, 2007-08-19, this, time, pointing, to, 69.41.162.77.

On, 2007-11-23, kjlksjwflk.com (Email: sflgjlkj45@yahoo.com), used, to, respond, to, 58.65.239.114, followed, by, a, hosting, change, on, 2009-02-16, pointing, to, 38.117.90.45, followed, by, yet, another, hosting, change, on, 2009-03-09, this, time, pointing, to, 216.188.26.235.

In, 2009, I, profiled, the, direct, compromise, of, Azerbaijanian Embassies in Pakistan and Hungary Serving Malware, further, establishing, a, direct, connection, between, the, group's, activities, and, the, Russian, Business, Network.

Related, domains, known, to, have, participated, in, the, campaign:
- hxxp://filmlifemusicsite.cn; hxxp://promixgroup.cn; hxxp://betstarwager.cn; hxxp://clickcouner.cn

In, 2009, I, profiled, the, direct, compromise, of, USAID.gov compromised, malware and exploits served, further, establishing, a, direct, connection, between, the, gang's, activities, and, the, New, Media, Malware, Gang.

Related, domains, known, to, have, participated, in, the, campaign:
hxxp://should-be.cn - Email: admin@brut.cn; hxxp://orderasia.cn; hxxp://fileuploader.cn

In, 2007, I, profiled, the, direct, compromise, of, U.S Consulate St. Petersburg Serving Malware, further, establishing, a, direct, connection, between, the, group's, activities, and, the, Russian, Business, Network.

On, 2007-08-31, verymonkey.com (Email: srvs4you@gmail.com), used, to, respond, to, 212.175.23.114, followed, by, a, hosting, change, on, 2007-09-07, pointing, to, 209.123.181.185, followed, by, yet, another, hosting, change, on, 2007-09-27, this, time, pointing, to, 88.255.90.50, followed, by, yet, another, hosting, change, on, 2008-11-11, this, time, pointing, to, 216.188.26.235.

What's, particularly, interested, about, the, gang's, activities, is, the, fact, that, back, in 2007, the, group, pioneered, for, the, first, time, the, utilization, of, Web, malware, exploitation, kits, further, utilizing, the, infrastructure, of, the, Russian, Business, Network, successfully, launching, a, multi-tude, of, malicious, campaigns, further, spreading, malicious, software, further, utilizing, the, infrastructure, of, the, Russian, Business, Network.

Related posts:
Syrian Embassy in London Serving Malware
USAID.gov compromised, malware and exploits served
U.S Consulate St. Petersburg Serving Malware
Bank of India Serving Malware
French Embassy in Libya Serving Malware
The Dutch Embassy in Moscow Serving Malware
Ethiopian Embassy in Washington D.C Serving Malware
Embassy of India in Spain Serving Malware
Azerbaijanian Embassies in Pakistan and Hungary Serving Malware Continue reading →

The Dutch Embassy in Moscow Serving Malware

The Register reports that the Royal Netherlands Embassy in Moscow was serving malware to its visitors at the beginning of last week :

"Earlier this week, the site for the Netherlands Embassy in Russia was caught serving a script that tried to dupe people into installing software that made their machines part of a botnet, according to Ofer Elzam, director of product management for eSafe, a business unit of Aladdin that blocks malicious web content from its customers' networks."

Let's be a little more descriptive. The only IP that was included in the IFRAME was 68.178.194.64/tab.php which was then forwarding to 68.178.194.64/w/wtsin.cgi?s=z. ip-68-178-194-64.ip.secureserver.net (also responding to lmifsp.com and foxbayrental.com) has been down as of 22 Jan 2008 18:56:38 GMT, but apparantly it was also used in several other malware embedded attacks. For instance, the IFRAME is currently active at restorants.ru. The secondary IFRAME is a redirector script in a traffic management script that can load several different URLs, to both, generate fake visits to certain sites that are paying for this, and a live exploit URL as it happens in between.

Historical preservation of actionable intelligence on who's what and what's when is a necessity. Here are for instance two far more in-depth assessments given the exploits URLs were still alive back then, discussing the malware embedded at the sites of the U.S Consulate in St. Petersburg, and the Syrian Embassy in the U.K.

Related posts:
MDAC ActiveX Code Execution Exploit Still in the Wild
Malware Serving Exploits Embedded Sites as Usual
Massive RealPlayer Exploit Embedded Attack
A Portfolio of Malware Embedded Magazines
The New Media Malware Gang
The New Media Malware Gang - Part Two
Another Massive Embedded Malware Attack
I See Alive IFRAMEs Everywhere
I See Alive IFRAMEs Everywhere - Part Two
Have Your Malware in a Timely Fashion
Cached Malware Embedded Sites
Compromised Sites Serving Malware and Spam
Malware Serving Online Casinos Continue reading →

Embassy of China in Canada Issues a Statement on U.S Cyber Espionage Campaigns Against Japan

I just came across to a statement issued by the Embassy of China in Canada on the U.S cyber espionage campaigns launched against Japan.

What's so special about this statement? First it does quite Wikileaks which is a bit of an outdated approach including the actual source to shed more light into a bigger problem and issue for China that the press statement on the Web site of the Chinese Embassy in Canada mentions. In this specific case the statement implies the use of the so called "hunt-forward" missions which could really mean big trouble for China if the U.S somehow manages to secure a deal with a neighbouring country next to China which could really mean big trouble for China as the U.S will then attempt to establish the foundation for a successful cyber attacks and possibly information operations interception campaigns used managed and operated by China including its partners and allies where to ultimate goal would be to measure their true capabilities and set the foundation for a successful cyber situational awareness campaign in terms of cyber attacks and the true state of China's true cyberspace operations and cyber attack capabilities including the capabilities of some of its neighbouring countries.

The so called Hunt Forward Operations also known as (HFOs) are an early warning system for cyber situational awareness that could improve the true state of the visibility of the actual country that's doing these missions in this specific case the U.S could really learn a lot about new tactics and techniques courtesy of the attackers based in the specific country where it's hosting its mission which could be really bad news for China in terms of having the U.S deploy hunt forward missions in its neighbouring countries where the U.S could really get a better picture of China's understanding and actual applicability of basic cyber warfare principles and concepts in action including the "know-how" of its neighbouring countries.

Despite the fact that the U.S is willing to share its knowledge and understanding of cyber attacks "know-how" with the host country of a hunt forward mission it could also learn a lot about the cyber attacks that originate from the host country and possibly improve its own situational awareness in the field including from a geographical perspective.

Happy hunting.

Continue reading →

I See Alive IFRAMEs Everywhere

During the weekend, the entire Newsland.ru which is among the most popular Russian news portals, was marked as as "this site may harm your computer" by StopBadware.org due to an IFRAME embedded link pointing to where else if not to the RBN. Considering that each and every embedded malware attack during 2007 that I assessed in previous posts, had something to do with the RBN in the form of a single RBN IP which was used in numerous malicious activities all at once, different sites get embedded with it, blackhat SEO postings at different forums etc. in this one the parties behind the attack dedicated a special IP with what looks like as a clean IP reputation. A cached copy of the page will still load the live exploit url at 81.95.150.115/cgi-bin/in.cgi?p=user1 What really happened at Newsland.ru? Was it an end user who submitted a news story with the somehow embedded IFRAME to sort of conduct unethical competitive engagement by having Google mark the entire portal as harmful, or it was planned and executed on purposely?

In another such incident, Podfeed.net was recently hacked and malware embedded at its front page. The now clean site however, used to have an embedded link, over 20 times to be precise, pointing to the following URL :

yl18.net/0.js (125.65.77.25) with the .js having two IFRAMEs within, namely yl18.net/0.html - 404 dead, and the second IFRAME yl18.net/z.html which loads a third IFRAME within, pointing to yzgames.cn/game.htm (125.46.105.140). This IFRAME-ing game relies entirely on yl18.net/0.js to keep up and running, and a direct loading link to the script was also somehow embedded on high trafficked sites such as cincinnatiusa.com; cincinnati.com; guidance.nice.org.uk. Moreover, Maarten Van Horenbeeck at the ISC's blog has some detection rates while the malware was still active. This embedded malware campaign is a perfect example of an ongoing cover up, just like the case when several hours after the community started looking at the Bank of India's malware serving site and the RBN URL removed the javascript and redirected it to Google.com, and we had the same situation with the recent discovery of 100 malwares on a single RBN IP, where the directory name has changed several hours later for yet another time. The same is the situation withe the malicious parties behind Possibility Media's malware attack that once started getting visited by security vendors replaced all their main index page with a "get lost" message, as well as with RBN's fake "account suspended" messages which aren't really in a process of cover up, but in a deception stage like always.

While I was researching a third domain that was serving a Banking trojan, and loading IFRAMEs to sicil.info which in case you don't remember is the IFRAME behind the Syrian Embassy hack, I came across to injected blackhat SEO campaigns at two universities advertised in between the IFRAMEs, now removed, cached copies available - emissary.wm.edu/EE/cache; hsutx.edu/student_life/brand/wp-content/uploads. The reason I won't mention the domain in question is that the script kiddies behind it forgot to take care of their directory permissions just like the Russian Business Network did recently, and while in RBN's case over 100 malwares were spotted, in this case it's a web C&C for a metaphisher type of banking malware kit, namely Zeus. It gets even more interesting, as it appears that a Turkish defacer like the ones I blogged about yesterday is somehow connected with the group behind the recent Possibility Media's Attack, and the Syrian Embassy Hack as some of his IFRAMES are using the exact urls in the previous attacks. And you you already know while reading my previous assessments and the connections between them, one of the attack IP's in the Possibility Media's malware attack was also among the ones used in the Bank of India hack - it's the "ai siktir vee?" group with another unique IP.

Key points :

- a Turkish defacer is taking advantage of an remotely installed web backdoor in order to host a metaphisher type of banking malware kit
- the defacer is embedding iframes that were used in the Bank of India hack, the Syrian Embassy hack, and the recent Possibility Media's malware attack
- if defacers start cooperating with malware groups given each of them excels at different practices, it's gonna get very ugly

If you don't take care of your site's web vulnerability management, someone else will. Continue reading →

Have Your Malware In a Timely Fashion

Keep your allies close, the human right violators closer. French officials have been receiving lots of criticism by human rights groups regarding Moammar Gadhafi's visit in France, in fact Human Rights Watch issued a press release entitled Al-Qadhafi in France. Despite the logical response in the form of criticism, it's lacking the long-term strategic vision and the proven approach of dealing with crying kids - pay them attention, give them a candy and therefore try to integrate them don't isolate them.

If it were "embedded malware as usual" the wannabes would have started mass mailing links to malware infected sites spreading rumors regarding the visit, like a previous PSYOPS operation on behalf of an unnamed intelligence agency. However, in this case they embedded malware at a French Government's site related to Libya in order to eventually infect all the visitors looking for more information during the visit. That's a social engineering trick taking advantage of the momentum by proactively anticipating the rush of visitors to the site. Another such recent combination of tactics aimed to increase the lifecycle of the malware embedded attack by embedding it at Chinese Internet Security Response Team's site during the China's "Golden Week" holiday.

According to McAfee "Web Site of the French Embassy in Libya Under Attack" :

"The people behind these attacks love to use highly topical issues in order to attract as many people as possible. This week in my country, the visit by Libyan President Muammar Khadafi is stirring controversy. It has made many headlines in France. No doubt this is why the French Embassy Web Site is now infected by malicious code. Please do not attempt to reach the site, it is still dangerous."

Let's pick up from where McAfee left in the assessment. 4qobj63z.tarog.us/tds/in.cgi?14 (58.65.233.98) loads an IFRAME to fernando123.ws/forum/index.php (88.255.94.114) which is MPack hosting the actual binary at fernando123.ws/forum/load.php or fernando123.ws/forum/load.exe

Detection rate : Result: 9/32 (28.13%)
File size: 43008 bytes
MD5: 8ce2134060b284fa9826d8d7ca119f33
SHA1: 3074f95d6b54fa49079b20876efa0f4722e7fe7d

As for the second campaign at 4583lwi4.tarog.us/in.cgi?19, the malicious parties were quick enough to redirect the IFRAME to Google.com, in exactly the same fashion the RBN did in the Bank of India incident definitely monitoring the exposure activities in real-time. However, accessing through a secondary IP retrieves the real IFRAME, namely winhex.org/tds/in.cgi?19 (85.255.120.194) which loads winhex.org/traff/all.php that on the other hand loads kjlksjwflk.com/check/versionl.php?t=577 which is now down, and 208.72.168.176/e-notfound1212/index.php where an obfuscation that's once deobfuscated attempts to load 208.72.168.176/e-notfound1212/load.php

Detection rate : Result: 14/32 (43.75%)
File size: 116244 bytes
MD5: 42dacb9f7dd4beeb7a1718a8d843e000
SHA1: d595dd0e4dcf37b69b48b8932dcf08e9f73623d0

Deja vu - 208.72.168.176 is the "New Media Malware Gang" in action, whose ecosystem clearly indicated connections with the RBN, Possibility Media's malware attack, Bank of India and the Syrian Embassy malware attacks, and Storm Worm which I assessed in numerous previous posts.

All your malware downloaders are belong to us - again and again. Continue reading →