Thursday, January 05, 2017

Historical OSINT - Massive Black Hat SEO Campaign, Spotted in the Wild, Serves Scareware - Part Two

In a cybercrime ecosystem dominated by fraudulent propositions, cybercriminals continue actively populating their botnets' infected population, further spreading malicious software and earning fraudulent revenue in the process of monetizing access to malware-infected hosts, largely relying on an affiliate-network based monetization scheme.

We've recently intercepted a currently active malicious black hat SEO (search engine optimization) campaign serving malicious software to unsuspecting users, further monetizing access to malware-infected hosts, largely relying on an affiliate-network based monetization scheme.

In this post we'll profile the campaign, provide actionable intelligence on the infrastructure behind it, and discuss in-depth the tactics, techniques, and procedures of the cybercriminals behind it.

Related malicious domains known to have participated in the campaign:
hxxp://notice-of-unreported-income-email.donatehalf.com
hxxp://911-pictures.jewishreference.com
hxxp://911-pictures.dpakman91.com
hxxp://9-11-quotes.midweekpolitics.com

Sample URL redirection chain:
hxxp://trivet.gmgroupenterprises.com/style.js - 72.29.67.237
    - hxxp://trivet.gmgroupenterprises.com/?trivettrivetgmgroupenterprisescom.swf
        - hxxp://vpizdutebygugol.xorg.pl/go/ - 193.203.99.111
            - hxxp://vpizdutebygugol.xorg.pl/go4/
                - hxxp://http://free-checkpc.com/l/d709f38e78s84y76u - 193.169.12.5
                    - hxxp://safe-fileshere.com/s/w58238e9a6dh76k73r/setup.exe - 193.169.12.5

Related malicious MD5s known to have phoned back to the same malicious C&C server IP (193.203.99.111):
MD5: b761960b60f2e5617b4da2e303969ff1
MD5: a27ae350b9d29b13749b14e376a00b52
MD5: adbad83fadc017d60972efa65eb3c230
MD5: b1323d4c7e1f6455701d49621edfb545
MD5: c166767c8aa7a8eee0d12a6d9646b3e8

Once executed, a sample malware (MD5: b761960b60f2e5617b4da2e303969ff1) phones back to the following malicious C&C server IPs:
hxxp://bdx.xorg.pl - 193.203.99.111

Once executed, a sample malware (MD5: a27ae350b9d29b13749b14e376a00b52) phones back to the following malicious C&C server IPs:
hxxp://vboxsvr.ovh.net
hxxp://gwg.xorg.pl - 193.203.99.111

Once executed, a sample malware (MD5: adbad83fadc017d60972efa65eb3c230) phones back to the following malicious C&C server IPs:
hxxp://vboxsvr.ovh.net
hxxp://htu.xorg.pl - 193.203.99.111

Once executed, a sample malware (MD5: b1323d4c7e1f6455701d49621edfb545) phones back to the following malicious C&C server IPs:
hxxp://htu.xorg.pl - 193.203.99.111

Once executed, a sample malware (MD5: c166767c8aa7a8eee0d12a6d9646b3e8) phones back to the following malicious C&C server IPs:
hxxp://bdx.xorg.pl - 193.203.99.111

Sample detection rate for a sample malicious executable:
MD5: 7df300b01243a42b4ddff724999cd4f7

Once executed, a sample malware phones back to the following malicious C&C server IPs:
hxxp://updatepcnow.com - 208.73.211.249
hxxp://safe-updates.com - 50.63.202.54; 54.85.196.8

Related malicious MD5s known to have phoned back to the same malicious C&C server IP (208.73.211.249):
MD5: 940be22f37e30c90d9fded842c23b24d
MD5: ef29c61908f678f313aa298343845175
MD5: 47f5002a0b9d312f28822d92a3962c81
MD5: ba83653117a6196d8b2a52fb168b8142
MD5: f29209f1ca6c4666207ea732c1f32978

Once executed, a sample malware (MD5: 940be22f37e30c90d9fded842c23b24d) phones back to the following malicious C&C server IPs:
hxxp://softonic-analytics.net - 46.28.209.74
hxxp://superscan.sd.en.softonic.com - 46.28.209.70
hxxp://www.ledyazilim.com - 213.128.83.163

Once executed, a sample malware (MD5: ef29c61908f678f313aa298343845175) phones back to the following malicious C&C server IPs:
hxxp://ksandrafashion.com - 208.73.211.173
hxxp://www.lafyeri.com
hxxp://kulppasur.com

Once executed, a sample malware (MD5: 47f5002a0b9d312f28822d92a3962c81) phones back to the following malicious C&C server IPs:
hxxp://ftuny.com/borders.php

Once executed, a sample malware (MD5: ba83653117a6196d8b2a52fb168b8142) phones back to the following malicious C&C server IPs:
hxxp://mhc.ir - 82.99.218.195
hxxp://naphooclub.com - 208.73.211.173
hxxp://mdesigner.ir - 176.9.98.58

Once executed, a sample malware (MD5: f29209f1ca6c4666207ea732c1f32978) phones back to the following malicious C&C server IPs:
hxxp://ftuny.com/borders.php

Related malicious MD5s known to have phoned back to the same malicious C&C server IP (50.63.202.54):
MD5: 45497b47a6df2f6216b4c4bebc572dd3
MD5: d5585af92c512bec3009b1568c8d2f7d
MD5: 08db02c9873c0534656901d5e9501f46
MD5: 830b22b4a0520d1b46a493f03a6a0a66
MD5: 5ee1bfa766f367393782972718d4e82f

Once executed, a sample malware (MD5: 45497b47a6df2f6216b4c4bebc572dd3) phones back to the following malicious C&C server IPs:
hxxp://lordofthepings.ru - 173.254.236.159
hxxp://poppylols.ru
hxxp://chuckboris.ru
hxxp://kosherpig.xyz - 195.157.15.100

Once executed, a sample malware (MD5: d5585af92c512bec3009b1568c8d2f7d) phones back to the following malicious C&C server IPs:
hxxp://riddenstorm.net - 208.100.26.234
hxxp://lordofthepings.ru - 173.254.236.159
hxxp://yardnews.net - 104.154.95.49

Once executed, a sample malware (MD5: 08db02c9873c0534656901d5e9501f46) phones back to the following malicious C&C server IPs:
hxxp://riddenstorm.net - 208.100.26.234
hxxp://lordofthepings.ru - 173.254.236.159
hxxp://musicbroke.net - 195.22.28.210

Once executed, a sample malware (MD5: 830b22b4a0520d1b46a493f03a6a0a66) phones back to the following malicious C&C server IPs:
hxxp://riddenstorm.net - 208.100.26.234
hxxp://lordofthepings.ru - 173.254.236.159

Once executed, a sample malware (MD5: 5ee1bfa766f367393782972718d4e82f) phones back to the following malicious C&C server IPs:
hxxp://riddenstorm.net - 208.100.26.234
hxxp://lordofthepings.ru - 173.254.236.159

Related malicious MD5s known to have phoned back to the same malicious C&C server IP (54.85.196.8):
MD5: 05288748ddccf2e5fedef5d9e8218fef
MD5: 08936ff676b062a87182535bce23d901
MD5: ea2b2ea5a0bf2b8f6403b2200e5747a7
MD5: 8a7e330ad88dcb4ced3e5e843424f85f
MD5: bf3d996376663feaea6031b1114eb714

Related malicious domains known to have participated in the campaign:
hxxp://graves111.net - 64.86.17.47 - Email: gertrudeedickens@text2re.com
hxxp://lending10.com
hxxp://adriafin.com
hxxp://7sevenseas.com
hxxp://ironins.com
hxxp://trdatasft.com
hxxp://omeoqka.cn
hxxp://trustshield.cn
hxxp://capide.cn
hxxp://tds-soft.comewithus.cn
hxxp://graves111.net
hxxp://reversfor5.net
hxxp://limestee.net
hxxp://landlang.net
hxxp://langlan.net
hxxp://limpopos.net
hxxp://clarksinfact.net

Sample URL redirection chain:
hxxp://checkvirus-zone.com - 64.86.16.7 - Email: gertrudeedickens@text2re.com
    - hxxp://checkvirus-zone.com/?p=

Sample detection rate for a sample malicious executable:
MD5: b157106188c2debab5d2f1337c708e35

Once executed, a sample malware phones back to the following malicious C&C server IPs:
hxxp://pencil-netwok.com/?act=fb&1=1&2=0&3= - 204.11.56.48; 204.11.56.45; 209.222.14.3; 208.73.210.215; 208.73.211.152; 204.13.160.107

Related malicious MD5s known to have phoned back to the same malicious C&C server IPs:
MD5: 3c3346426923504571f81caffdac698d
MD5: ad4244794693b41c775b324c4838982a
MD5: 6649b79938f19f7ec9d06b7ba8a7aa8e
MD5: 0526944bfb43b14d8f72fd184cd8c259
MD5: 29932b0cb61011ffc4834c3b7586d956

Once executed, a sample malware (MD5: 3c3346426923504571f81caffdac698d) phones back to the following malicious C&C server IPs:
hxxp://www.vancityprinters.com - 104.31.76.211
hxxp://vancityprinters.com - 23.94.18.39
hxxp://vinasonthanh.com - 123.30.109.9

Once executed, a sample malware (MD5: ad4244794693b41c775b324c4838982a) phones back to the following malicious C&C server IPs:
hxxp://banboon.com - 204.11.56.48
hxxp://bdb.com.my - 103.4.7.143
hxxp://baulaung.org - 52.28.249.128

Once executed, a sample malware (MD5: 6649b79938f19f7ec9d06b7ba8a7aa8e) phones back to the following malicious C&C server IPs:
hxxp://cubingapi.com - 204.11.56.48
hxxp://error.cubingapi.com - 204.11.56.48

Once executed, a sample malware (MD5: 0526944bfb43b14d8f72fd184cd8c259) phones back to the following malicious C&C server IPs:
hxxp://www.vancityprinters.com - 104.31.77.211
hxxp://vancityprinters.com - 23.94.18.39
hxxp://vinasonthanh.com - 123.30.109.9

Once executed, a sample malware (MD5: 29932b0cb61011ffc4834c3b7586d956) phones back to the following malicious C&C server IPs:
hxxp://vancityprinters.com - 23.94.18.39
hxxp://vinasonthanh.com - 123.30.109.9
hxxp://rms365x24.com - 166.78.145.90

We'll continue monitoring the campaign and post updates as soon as new developments take place.
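One way to put a listing in this notation to defensive use, as an added example that is not part of the original post: the script below parses the post's own indicator format (defanged hxxp:// URLs, the " - IP; IP" hosting suffix, MD5: lines, the indented redirection chain) into a structured indicator set, refangs the URLs, and matches constructed Squid-style proxy log lines and observed file hashes against it. The indicator values in the excerpt are the ones listed in the post; the excerpt itself, the log lines, the internal client addresses and the function names are all constructed for this example.

```python
import re
from dataclasses import dataclass, field

# Constructed excerpt in the post's own indicator notation. The indicator
# values are the ones listed in the post; the excerpt is assembled here for
# the example and is not the full listing.
IOC_TEXT = """\
Sample URL redirection chain:
hxxp://trivet.gmgroupenterprises.com/style.js - 72.29.67.237
    - hxxp://trivet.gmgroupenterprises.com/?trivettrivetgmgroupenterprisescom.swf
        - hxxp://vpizdutebygugol.xorg.pl/go/ - 193.203.99.111
            - hxxp://vpizdutebygugol.xorg.pl/go4/

Related malicious MD5s known to have phoned back to the same malicious C&C server IP (193.203.99.111):
MD5: b761960b60f2e5617b4da2e303969ff1
MD5: a27ae350b9d29b13749b14e376a00b52

Once executed, a sample malware phones back to the following malicious C&C server IPs:
hxxp://safe-updates.com - 50.63.202.54; 54.85.196.8
"""

DEFANGED_URL_RE = re.compile(r"hxxps?://(?P<host>[^/\s]+)(?P<path>\S*)")
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
MD5_RE = re.compile(r"\bMD5:\s*([0-9a-fA-F]{32})\b")


@dataclass
class IndicatorSet:
    domains: set = field(default_factory=set)  # lower-cased hostnames
    ips: set = field(default_factory=set)      # hosting / C&C addresses
    md5s: set = field(default_factory=set)     # lower-cased file hashes
    urls: list = field(default_factory=list)   # refanged URLs, in page order


def refang(url: str) -> str:
    """Turn the post's hxxp:// notation back into a real scheme."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", url)


def parse_iocs(text: str) -> IndicatorSet:
    """Extract domains, IPs, MD5s and refanged URLs from the post's notation."""
    iocs = IndicatorSet()
    for line in text.splitlines():
        if not line.strip():
            continue
        m = MD5_RE.search(line)
        if m:
            iocs.md5s.add(m.group(1).lower())
            continue
        u = DEFANGED_URL_RE.search(line)
        if u:
            iocs.domains.add(u.group("host").lower())
            iocs.urls.append(refang(u.group(0)))
            # Only the text after the URL carries hosting / C&C addresses.
            iocs.ips.update(IP_RE.findall(line[u.end():]))
        else:
            # Header lines name a shared C&C IP in parentheses.
            iocs.ips.update(IP_RE.findall(line))
    return iocs


# Constructed Squid-style access log lines: timestamp, client, status,
# bytes, method, target. The 10.0.0.x client addresses are made up.
PROXY_LOG = [
    "1483600001.123 10.0.0.7 TCP_MISS/200 5120 GET http://trivet.gmgroupenterprises.com/style.js",
    "1483600002.456 10.0.0.7 TCP_MISS/302 512 GET http://vpizdutebygugol.xorg.pl/go/",
    "1483600003.789 10.0.0.9 TCP_MISS/200 9000 GET http://www.example.org/index.html",
    "1483600004.000 10.0.0.11 TCP_TUNNEL/200 700 CONNECT 193.203.99.111:443",
]

# Host part of either a full URL or a host:port CONNECT target.
TARGET_HOST_RE = re.compile(r"^(?:https?://)?([^/:\s]+)")


def match_proxy_log(lines, iocs: IndicatorSet):
    """Return (client, host, reason) for each line whose target hits an indicator."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 6:
            continue
        client, target = fields[1], fields[5]
        m = TARGET_HOST_RE.match(target)
        if not m:
            continue
        host = m.group(1).lower()
        if host in iocs.domains:
            hits.append((client, host, "domain"))
        elif host in iocs.ips:
            hits.append((client, host, "ip"))
    return hits


def match_hashes(observed_md5s, iocs: IndicatorSet):
    """Case-insensitive intersection of observed file hashes with the indicator list."""
    return {h.lower() for h in observed_md5s} & iocs.md5s


if __name__ == "__main__":
    iocs = parse_iocs(IOC_TEXT)
    for hit in match_proxy_log(PROXY_LOG, iocs):
        print("proxy hit:", hit)
    observed = ["B761960B60F2E5617B4DA2E303969FF1", "d41d8cd98f00b204e9800998ecf8427e"]
    print("hash hits:", match_hashes(observed, iocs))
```

Matching on the host component rather than the full URL is deliberate: the redirection chain shows the same hosts serving several paths, so a path-exact match would miss the next stage of the chain, while a host match catches both the initial style.js request and the later /go/ and /go4/ hops.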