Friday, August 28, 2015

Historical OSINT - How TROYAK-AS Utilized BGP-over-VPN to Serve the Avalanche Botnet

Historical OSINT is a crucial part of an intelligence analyst's mindset: it places a growing or emerging trend in context and serves as a long-term early-warning indicator of current and future threats.


In this post I'll discuss Troyak-AS, a well-known cybercrime-friendly hosting provider that accounted for the highest percentage of malicious and fraudulent activity online throughout 2010; its upstream provider NetAssist LLC; and, most importantly, a malicious innovation applied by cybercriminals at the time, namely the registration of malicious netblocks and ISPs within the RIPE registry, backed by OPSEC (Operational Security) and basic evasive practices.

According to RSA, the Ukraine-based ISP NetAssist LLC is listed as a legitimate ISP, one whose services haven't been abused in any particular cybercrime-friendly way.

This analysis will not only prove otherwise, namely that NetAssist LLC's involvement in introducing a dozen cybercrime-friendly networks, including TROYAK-AS, took place for purely commercial reasons, with the ISP charging thousands of euros for the process, but will also expose a malicious innovation applied by opportunistic cybercriminals at the time: the introduction of new bulletproof hosting tactics, techniques and procedures.

Domain name reconnaissance:
troyak.org - 74.208.21.227 (AS8560); 195.93.184.1 (AS44310) - Email: staruy.rom@troyak.org; staruy.rom@inbox.ru
smallshopkz.org - 195.78.123.1 (AS12570)


Name servers:
ns.troyak.org - 195.93.184.1 - (AS44307) ALYANSHIMIYA
ns.bgpvpn.kz - 91.213.93.10


ns.smallshopkz.org (195.78.123.1) is also known to have offered DNS services to prombd.net (AS44107, PROMBUDDETAL; AS50215 Troyak-as at the time responding to ctlan.net) - 91.201.30.1, and to vesteh.net (AS47560, VESTEH-NET) - 91.200.164.1

Domain name reconnaissance:
bgpvpn.kz
Organization Using Domain Name
Name...................: Mykola Tabakov
Organization Name......: Mykola Tabakov
Street Address.........: office 211, ul. Pushkina, dom 166
City...................: Astana
State..................: Astana
Postal Code............: 010000
Country................: KZ

Administrative Contact/Agent
NIC Handle.............: CA537455-RT
Name...................: Mykola Tabakov
Phone Number...........: +7.7022065468
Fax Number.............: +7.7022065468
Email Address..........: tabanet@mail.ru

Nameserver in listed order:
Primary server.........: ns.bgpvpn.kz
Primary ip address.....: 91.213.93.10



Domain name reconnaissance:
smallshopz.biz
Domain Name:SMALLSHOPKZ.ORG
Created On:30-Oct-2009 13:42:14 UTC
Last Updated On:19-Mar-2010 14:39:19 UTC
Expiration Date:30-Oct-2010 13:42:14 UTC
Sponsoring Registrar:Directi Internet Solutions Pvt. Ltd. d/b/a PublicDomainRegistry.com (R27-LROR)
Status:CLIENT TRANSFER PROHIBITED
Registrant ID:DI_10606443
Registrant Name:Vladimir Vladimirovich Stebluk
Registrant Organization:N/A
Registrant Street1:off. 306, Bulvar Mira, 16
Registrant Street2:
Registrant Street3:
Registrant City:Karaganda
Registrant State/Province:Qaraghandyoblysy
Registrant Postal Code:100008
Registrant Country:KZ
Registrant Phone:+7.7012032605
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant Email:vladcrazy@smallshopkz.org



NetAssist LLC (netassist.ua) (AS29632) reconnaissance:
inetnum:        62.205.128.0 - 62.205.159.255
netname:        UA-NETASSIST-20080201
descr:          NetAssist LLC
country:        UA
org:            ORG-NL64-RIPE
admin-c:        MT6561-RIPE
admin-c:        AVI27-RIPE
tech-c:         MT6561-RIPE
tech-c:         APP18-RIPE
status:         ALLOCATED PA
mnt-by:         RIPE-NCC-HM-MNT
mnt-lower:      MEREZHA-MNT
mnt-routes:     MEREZHA-MNT
mnt-domains:    MEREZHA-MNT
source:         RIPE # Filtered



organisation:  ORG-NL64-RIPE
org-name:      NetAssist LLC
org-type:       LIR
address:        NetAssist LLC
Max Tulyev
GEROEV STALINGRADA AVE  APP 57  BUILD 54
04213 Kiev
UKRAINE
phone:          +380 44 5855265
fax-no:         +380 44 2721514
e-mail:         info@netassist.kiev.ua
admin-c:      AT4266-RIPE
admin-c:      KS3536-RIPE
admin-c:      MT6561-RIPE
mnt-ref:       RIPE-NCC-HM-MNT
mnt-ref:       MEREZHA-MNT
mnt-by:       RIPE-NCC-HM-MNT
source:        RIPE # Filtered




person:         Max Tulyev
address:        off. 32, 12 Artema str.,
address:        Kiev, Ukraine
remarks:        Office phones
phone:          +380 44 2398999
phone:          +7 495 7256396
phone:          +1 347 3414023
phone:          +420 226020344
remarks:        GSM mobile phones, SMS supported
phone:          +7 916 6929474
phone:          +380 50 7775633
remarks:        Fax is in auto-answer mode
fax-no:         +380 44 2726209
remarks:        The phone below is for emergency only
remarks:        You can also send SMS to this phone
phone:          +88216 583 00392
remarks:
remarks:      Jabber ID mt6561@jabber.kiev.ua
remarks:      SIP 7002@195.214.211.129
e-mail:         maxtul@netassist.ua
e-mail:         president@ukraine.su
nic-hdl:        MT6561-RIPE
mnt-by:        MEREZHA-MNT
source:         RIPE # Filtered

person:         Alexander V Ivanov
address:        14-28 Lazoreviy pr
address:        Moscow, Russia
address:        129323
phone:          +7 095 7251401
fax-no:         +7 095 7251401
e-mail:         ivanov077@gmail.com
nic-hdl:        AVI27-RIPE
mnt-by:         MEREZHA-MNT
source:         RIPE # Filtered


person:         Alexey P Panyushev
address:        8-142, Panferova street
address:        Moscow, Russia
address:        117261
phone:          +7 903 6101520
fax-no:         +7 903 6101520
e-mail:         panyushev@gmail.com
nic-hdl:        APP18-RIPE
mnt-by:         MEREZHA-MNT
source:         RIPE # Filtered
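The pivots used above (the same nic-hdl handles appearing as admin-c/tech-c on the inetnum, and the MEREZHA-MNT maintainer shared by all three person objects) are easier to repeat at scale with a small parser. The following is an added example, not code from the original post: it parses RPSL-style whois output into objects, indexes them by any attribute, and resolves an inetnum's contact handles to person names. RIPE_DUMP is a constructed, abridged excerpt of the objects quoted above, and the function names are my own.

```python
from collections import defaultdict

# Constructed, abridged excerpt of the RIPE objects quoted above; the real
# objects carry more attributes (phones, addresses, remarks).
RIPE_DUMP = """\
inetnum:        62.205.128.0 - 62.205.159.255
netname:        UA-NETASSIST-20080201
org:            ORG-NL64-RIPE
admin-c:        MT6561-RIPE
admin-c:        AVI27-RIPE
tech-c:         MT6561-RIPE
tech-c:         APP18-RIPE
mnt-by:         RIPE-NCC-HM-MNT
mnt-lower:      MEREZHA-MNT
source:         RIPE # Filtered

organisation:   ORG-NL64-RIPE
org-name:       NetAssist LLC
admin-c:        MT6561-RIPE
mnt-by:         RIPE-NCC-HM-MNT
source:         RIPE # Filtered

person:         Max Tulyev
nic-hdl:        MT6561-RIPE
e-mail:         maxtul@netassist.ua
mnt-by:         MEREZHA-MNT
source:         RIPE # Filtered

person:         Alexander V Ivanov
nic-hdl:        AVI27-RIPE
mnt-by:         MEREZHA-MNT
source:         RIPE # Filtered

person:         Alexey P Panyushev
nic-hdl:        APP18-RIPE
mnt-by:         MEREZHA-MNT
source:         RIPE # Filtered
"""


def parse_rpsl(text):
    """Split an RPSL dump into objects. Each object is a list of (key, value)
    pairs so that repeated attributes (admin-c, phone, ...) are preserved.
    Blank lines separate objects; lines starting with space, tab or '+'
    continue the previous attribute; '#' starts an end-of-line comment."""
    objects, current = [], []
    for line in text.splitlines():
        if not line.strip():
            if current:
                objects.append(current)
                current = []
            continue
        if line[0] in " \t+" and current:
            key, val = current[-1]
            current[-1] = (key, (val + " " + line.strip()).strip())
            continue
        key, _, value = line.partition(":")
        current.append((key.strip(), value.split("#", 1)[0].strip()))
    if current:
        objects.append(current)
    return objects


def object_id(obj):
    """The first attribute of an RPSL object is its class and primary key."""
    cls, val = obj[0]
    return f"{cls}:{val}"


def pivot(objects, attr):
    """Map each distinct value of `attr` to the ids of objects carrying it,
    e.g. pivot(objs, "mnt-by") shows which objects share a maintainer."""
    index = defaultdict(list)
    for obj in objects:
        for key, val in obj:
            if key == attr:
                index[val].append(object_id(obj))
    return dict(index)


def contacts_for(objects, inetnum):
    """Resolve the admin-c/tech-c handles on an inetnum to person names."""
    by_handle = {}
    for obj in objects:
        attrs = dict(obj)
        if "nic-hdl" in attrs:
            by_handle[attrs["nic-hdl"]] = attrs.get("person", attrs["nic-hdl"])
    for obj in objects:
        if obj[0] == ("inetnum", inetnum):
            handles = [val for key, val in obj if key in ("admin-c", "tech-c")]
            return sorted({by_handle.get(h, h) for h in handles})
    return []


if __name__ == "__main__":
    objs = parse_rpsl(RIPE_DUMP)
    print(pivot(objs, "mnt-by"))
    print(contacts_for(objs, "62.205.128.0 - 62.205.159.255"))
```

Running it on a full `whois -h whois.ripe.net` dump works the same way, since the parser only relies on the blank-line object separator and the `key: value` attribute syntax.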

Is NetAssist LLC purposely offering its services for the orchestration of cybercrime-friendly campaigns, in typical bulletproof cybercrime-friendly fashion, or has it been abused by opportunistic cybercriminals earning fraudulently obtained revenue in the process? Based on the analysis in this post, and the fact that the company continues offering IPv4 RIPE announcing services, I believe that on the majority of occasions the company has had its services abused throughout 2010, leading to the rise of the Avalanche botnet.

I expect to continue observing this type of abuse; however, in a cybercrime ecosystem dominated by the abuse of legitimate services, I believe that cybercriminals will continue to efficiently bypass the defensive measures in place through the abuse and compromise of legitimate infrastructure.

Related posts:
AS50215 Troyak-as Taken Offline, Zeus C&Cs Drop from 249 to 181
TROYAK-AS: the cybercrime-friendly ISP that just won't go away

With or without McColo, spam volume increasing again
Atrivo/Intercage's disconnection briefly disrupts spam levels
Google: Spam volume for Q1 back to pre-McColo levels
Overall spam volume unaffected by 3FN/Pricewert's ISP shutdown

AS50215 TROYAK-AS Starchenko Roman Fedorovich activity during Q1, 2010:
Outlook Web Access Themed Spam Campaign Serves Zeus Crimeware
Pushdo Serving Crimeware, Client-Side Exploits and Russian Bride Scams
PhotoArchive Crimeware/Client-Side Exploits Serving Campaign in the Wild
Tax Report Themed Zeus/Client-Side Exploits Serving Campaign in the Wild
Keeping Money Mule Recruiters on a Short Leash - Part Two

The Avalanche Botnet's ZeuS crimeware/client-side exploit serving campaigns:
Zeus Crimeware/Client-Side Exploits Serving Campaign in the Wild
Scareware, Sinowal, Client-Side Exploits Serving Spam Campaign in the Wild
IRS/PhotoArchive Themed Zeus/Client-Side Exploits Serving Campaign in the Wild
Tax Report Themed Zeus/Client-Side Exploits Serving Campaign in the Wild
PhotoArchive Crimeware/Client-Side Exploits Serving Campaign in the Wild
Facebook/AOL Update Tool Spam Campaign Serving Crimeware and Client-Side Exploits
Pushdo Serving Crimeware, Client-Side Exploits and Russian Bride Scams
Outlook Web Access Themed Spam Campaign Serves Zeus Crimeware
Pushdo Injecting Bogus Swine Flu Vaccine
"Your mailbox has been deactivated" Spam Campaign Serving Crimeware
Ongoing FDIC Spam Campaign Serves Zeus Crimeware
The Multitasking Fast-Flux Botnet that Wants to Bank With You

This post has been reproduced from Dancho Danchev's blog.

Thursday, August 27, 2015

Historical OSINT: OPSEC-Aware Sprott Asset Management Money Mule Recruiters Recruit, Serve Crimeware, And Malvertisements

Cybercriminals continue multitasking on their way to taking advantage of well-proven fraudulent revenue sources, further positioning themselves as opportunistic market participants that generate fraudulent revenue while standardizing and innovating in the area of OPSEC (Operational Security), all while enjoying a decent market share within the cybercrime ecosystem.


In this post I'll profile a money mule recruitment campaign featuring a custom fake certificate, one that successfully blocks access to bobbear.co.uk as well as to my personal blog, and I'll expose the malicious infrastructure behind it.

Let's assess the campaign, and expose the malicious infrastructure behind it.

The fake Sprott Asset Management sites entice end users into installing the fake, malicious certificate as a prerequisite to working with them, with hosting courtesy of ALFAHOSTNET (AS50793), a well-known cybercrime-friendly malicious hosting provider known to have been involved in a variety of malvertising campaigns, including the related malicious campaigns that I'll expose in this post.


Domain name reconnaissance for the malicious hosting provider:
alfa-host.net - (AS50793) - Email: alitalaghat@gmail.com; Name: Mohmmad Ali Talaghat (webalfa.net - 78.47.156.245 also registered with the same email)
Name Server: NS1.ALFA-HOST.NET
Name Server: NS2.ALFA-HOST.NET

Alfa-host LLP - (AS50793)
person: Romanov Artem Alekseevich
phone: +75.332211183
address: Kazakhstan, Karagandinskaya obl, Karaganda, ul. Erubaeva 57, 14

Upstream provider reconnaissance:
LLC TC "Interzvyazok"
Hvoiki 15/15
04080 Kiev
UKRAINE
phone: +380 44 238 6333
fax: +380 44 238 6333
e-mail: dz (at) intersv (dot) com

The same upstream provider (Interzvyazok; intersv.com) is also known to have offered services to yet another bulletproof hosting provider in 2011.


Domain name reconnaissance:
sprottcareers.com - 193.105.207.105; 88.212.221.46
sprottcorporate.com - 193.105.207.105; 88.212.221.46
sprottcorporate.com - 92.241.162.58
sprottweb.com - 193.105.207.105; 88.212.221.46



Domain name reconnaissance:
allianceassetonline.com - 92.241.162.58
allianceassetweb.com - 88.212.221.41
uptusconsulting.net - Email: terrizziboris@googlemail.com - 92.241.162.58

Known to have responded to the same IP (193.105.207.105) are also the following malicious domains:
auditthere.ru
maccrack.ru
nissanmoto.ru
megatuz.ru
basicasco.ru
foreks999.ru
monitod.ru
peeeeee.ru
fra8888.ru
inkognittto.ru
lavandas.ru

Related MD5s known to have phoned back to the same IP (193.105.207.105):
MD5: a9442b894c61d13acbac6c59adc67774
MD5:7fd31163fe7d29c61767437b2b1234cd
MD5:d90de03caa80506307fc05a0667246ef
MD5:09241426aac7a4aae12743788ce4cff4
MD5:cb74fb88f36b667e26f41671de8e1841
MD5:8efd31e0f3c251a3c7ef63b377edbf9c
MD5:a750359c72de3fc38d2af2670fd1a343
MD5:f0cbef01f5bd1c075274533f164bb06f
MD5:398b06590179be83306b59cea9da79e5

Related malicious domains known to have been active within (AS50793), ALFAHOSTNET:
34real.ru
3pulenepro.net
3weselchak.net
analizes.ru
appppa1.ru
arbuz777.ru
arsenalik.ru
assolo.ru
astramani.ru
basicasco.ru
bits4ever.ru
bonokur.ru
boska7.ru
chudachok9.ru
cosavnos.ru
dermidom44.ru
drtyyyt.ru
dvestekkk.ru
ferdinandi.ru
ferzipersoviy.ru
foreks999.ru
fra8888.ru
globus-trio.ru
google-stats.ru
horonili.ru
inkognittto.ru
karlito777.ru
lavandas.ru
ma456.ru
medriop56.ru
megatuz.ru
mnobabla.ru
monitod.ru
offshoreglobal.ru
okrison.com
opitee.ru
otrijek.ru
peeeeee.ru
pohmaroz44.ru
postmetoday.ru
reklamen6.ru
reklamen7.ru
rrrekti.ru
sekretfive.ru
stolimonov.ru
sworo.ru
trio4.ru
update4ever.ru
victorry.ru
vivarino77.ru
vopret.ru
wifipoints.ru

Known to have responded to the same IP (88.212.221.46) in the past, are also the following malicious domains:
liramdelivery.com - Email: carlyle.jeffrey@gmail.com
ffgroupjobs.com - Email: FfGroupJobs@dnsname.info
secretconsumeril.com

Name servers:
ns2.uptusconsulting.net - 92.241.162.58
ns2.sprottcorporate.com - 92.241.162.58
ns2.sprottweb.com - 92.241.162.58

allianceassetweb.com - Email: martins.allianceam@gmail.com

Surprise, surprise. We've also got the following fraudulent domains, responding to the same name server's IP (92.241.162.58; ns1.oildns.net, ns2.oildns.net) back in 2009.
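The IP-to-domain pivots used throughout this post (domains sharing 193.105.207.105, 88.212.221.46 and 92.241.162.58) can be automated over passive-DNS style records. The following is an added example, not code from the original post: it indexes (domain, ip) pairs in both directions, reports IPs that host more than one domain, and expands from a seed domain hop by hop (domain -> IP -> domain), recording at which hop each domain was reached so that loosely connected infrastructure can be told apart from direct co-hosting. RECORDS is a constructed set modelled on the resolutions quoted above (real passive DNS would also carry first/last-seen timestamps); the hop limit and function names are my own.

```python
from collections import defaultdict

# Constructed passive-DNS style records: (domain, ip), modelled on the
# resolutions quoted in this post. The last entry uses an RFC 5737
# documentation address and shares nothing with the rest.
RECORDS = [
    ("sprottcareers.com", "193.105.207.105"),
    ("sprottcareers.com", "88.212.221.46"),
    ("sprottcorporate.com", "193.105.207.105"),
    ("sprottcorporate.com", "92.241.162.58"),
    ("sprottweb.com", "88.212.221.46"),
    ("allianceassetonline.com", "92.241.162.58"),
    ("allianceassetweb.com", "88.212.221.41"),
    ("uptusconsulting.net", "92.241.162.58"),
    ("liramdelivery.com", "88.212.221.46"),
    ("unrelated.example.net", "198.51.100.7"),
]


def build_index(records):
    """Return (ip -> set of domains, domain -> set of ips)."""
    by_ip, by_domain = defaultdict(set), defaultdict(set)
    for domain, ip in records:
        by_ip[ip].add(domain)
        by_domain[domain].add(ip)
    return by_ip, by_domain


def shared_hosts(records, min_domains=2):
    """IPs that resolved for at least `min_domains` distinct domains."""
    by_ip, _ = build_index(records)
    return {ip: sorted(ds) for ip, ds in by_ip.items() if len(ds) >= min_domains}


def pivot_from(seed, records, max_hops=3):
    """Breadth-first expansion domain -> ip -> domain, at most `max_hops`
    pivots away from `seed`. Returns {domain: hop_distance}; the seed is 0."""
    by_ip, by_domain = build_index(records)
    seen, frontier = {seed: 0}, [seed]
    for hop in range(1, max_hops + 1):
        nxt = []
        for domain in frontier:
            for ip in by_domain.get(domain, ()):
                for other in by_ip[ip]:
                    if other not in seen:
                        seen[other] = hop
                        nxt.append(other)
        frontier = nxt
        if not frontier:
            break
    return seen


if __name__ == "__main__":
    for ip, domains in shared_hosts(RECORDS).items():
        print(ip, domains)
    for domain, hop in sorted(pivot_from("sprottweb.com", RECORDS).items(), key=lambda kv: kv[1]):
        print(hop, domain)
```

The hop limit matters in practice: shared hosting and CDN addresses would otherwise pull in thousands of unrelated domains, so a pivot result is only as good as the exclusion list of "busy" IPs you apply to `by_ip` before expanding.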

What's particularly interesting is the fact that in 2010 we've also got 92.241.162.58 hosting the following malicious MD5s:
MD5: 8ee5435004ad523f4cbe754b3ecdb86e
MD5: 38f5e6a59716d651915a895c0955e3e6

We've also got ns1.oildns.net responding to 93.174.92.220, with that name server's IP known to have hosted the following malicious MD5:
MD5: 5ae4b6235e7ad1bf1e3c173b907def17

Sample detection rate for the malicious certificate:
MD5: ec39239accb0edb5fb923c25ffc81818 - detected by 23 out of 42 antivirus scanners as Gen:Trojan.Heur.SFC.juZ@aC7UB8eib


Sample detection rate for the HOSTS file modifying sample:
MD5: 969001fcc1d8358415911db90135fa84 - detected by 14 out of 42 antivirus scanners as Trojan.Generic.4284920

Once executed, the sample modifies the HOSTS file on the affected host to block access to the following sites (and, in the last two entries, to pin sprott.com to 209.171.44.117):
127.0.0.1 google.com
127.0.0.1 google.co.uk
127.0.0.1 www.google.com
127.0.0.1 www.google.co.uk
127.0.0.1 suckerswanted.blogspot.com
127.0.0.1 ideceive.blogspot.com
127.0.0.1 www.bobbear.co.uk
127.0.0.1 bobbear.co.uk
127.0.0.1 reed.co.uk
127.0.0.1 seek.com.au
127.0.0.1 scam.com
127.0.0.1 scambusters.org
127.0.0.1 www.guardian.co.uk
127.0.0.1 ddanchev.blogspot.com
127.0.0.1 aic.gov.au
127.0.0.1 google.com.au
127.0.0.1 www.reed.co.uk
209.171.44.117 www.sprott.com
209.171.44.117 sprott.com
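A HOSTS file tampered with in this way is cheap to detect on an endpoint: any public hostname mapped to loopback is a sinkhole entry, and any public hostname pinned to a routable address is a redirect. The following is an added example, not code from the original post, that parses a HOSTS file and classifies its entries that way. TAMPERED_HOSTS is a constructed file reproducing a few of the entries listed above alongside the stock loopback lines a clean file carries; LOCAL_NAMES and the function names are my own choices.

```python
import ipaddress

# Constructed HOSTS file: stock entries plus a few of the lines the sample
# described above writes.
TAMPERED_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1 google.com
127.0.0.1 www.bobbear.co.uk
127.0.0.1 ddanchev.blogspot.com   # trailing comments are legal
127.0.0.1 scambusters.org
209.171.44.117 www.sprott.com
209.171.44.117 sprott.com
10.0.0.5 intranet.corp
"""

# Hostnames that legitimately map to loopback on a stock system.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost",
               "ip6-localhost", "ip6-loopback"}


def is_routable(ip):
    """True for addresses that could be reached on the public Internet."""
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def parse_hosts(text):
    """Return (ip, hostname) pairs; comments, blank and malformed lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # not an address: malformed line, ignore it
        for name in parts[1:]:
            entries.append((ip, name.lower()))
    return entries


def audit_hosts(text):
    """Classify suspicious entries.
    'blocked'    : a non-local name sent to loopback/unspecified (sinkholed)
    'redirected' : a name pinned to a public address (MITM/phishing redirect)
    Private-range mappings (e.g. an intranet host) are left alone."""
    findings = {"blocked": [], "redirected": []}
    for ip, name in parse_hosts(text):
        if name in LOCAL_NAMES:
            continue
        if ip.is_loopback or ip.is_unspecified:
            findings["blocked"].append(name)
        elif is_routable(ip):
            findings["redirected"].append((name, str(ip)))
    return findings


if __name__ == "__main__":
    print(audit_hosts(TAMPERED_HOSTS))
```

On a real system, point `parse_hosts` at `/etc/hosts` or `%SystemRoot%\System32\drivers\etc\hosts`; any `blocked` hit against a security vendor, search engine or anti-fraud site, or any `redirected` hit at all, is a strong indicator that this family of sample has run.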

Sample confirmation email courtesy of Sprott Asset Management:
WORKING PROCESS
During all working process you will process incoming and outgoing transfers from our  clients. Main duties are: send payments, receive payments, making records of billing, making simple management duties, checking e-mail daily. You have to provide us your cell phone for urgent calls from your manager. If you don’t have a cell phone you will need to buy it. You must have basic computer skills to operate main process of job duties.

SALARY
During the trial period (1 month), you will be paid 4,600$ per month while working on average 3hours per day, Monday-Friday, plus 8% commission from every payment received and processed.  The salary will be sent in the form of wire transfer directly to your account or you may take it from received funds directly. After the trial period your base pay salary will go up to 6,950$ per month, plus 10% commission.

FEES & TRANSFERING PROCEDURE
All fees are covered by the company. The fees for transferring are simply deducted from the payments received. Customer will not contact you during initial stage of the trial period. After three weeks of the trial period you will begin to have contact with the customers via email in regards to collection of the payments. For the first three weeks you will simply receive all of the transferring details, and payments, along with step by step guidance from your supervisor. You will be forwarding the received payments through transferring agents such as Western Union, Money Gram, any P2P agents or by wire transferring.

WESTERN UNION & MONEYGRAM
1. As soon as  You receive  money transfers from our clients you are supposed to cash  it in your bank.
2. You will need to pick up the cash physically at the bank, as well as a  transfer to MoneyGram.
3. Please use MoneyGram, located not in your bank, because this providing of anonymosty of our clients.
4. The cashed amounts of money should be transferred to our clients via MoneyGram/Western Union according to our transfer instructions except all the fees. The fees are taken from the amount cashed.
5. Not use online service, only physical presence in an office of bank and Western Union.
6. Just after you have transferred money to our clients, please contact your personal manager via e-mail (confirmation of the transfer)
and let him (her) know all the details of your Western Union transfer: SENDER'S NAME, CONTACT DETAILS, ADRESS, AND A REFERENCE NUMBER,
PLEASE BE VERY CAREFUL WHEN YOU RESEND FUNDS, THERE MUST BE NO MISTAKES, because our client will not be able to withdraw the funds.
7. All procedures have to take 1-2 hours, because we have to provide and verify the safety of our clients` money (we have to inform them about all our actions).

Your manager will support you in any step of application process, if you have any questions you may ask it anytime.


Go through related research regarding money mule recruitment:

    Sunday, August 23, 2015

    Top Ten Webroot Threat Blog Posts

    In a cybercrime ecosystem dominated by new market entrants, managed services, on-demand cybercrime-friendly fraudulent propositions, and risk-forwarding-based fraudulent models, cybercriminals are poised to continue achieving a positive ROI (Return on Investment) from their fraudulent activities.

    In this post, I'll summarize the top ten Webroot Threat Blog posts, throughout 2012/2014.

    01. Affiliate network for mobile malware impersonates Google Play, tricks users into installing premium-rate SMS sending rogue apps
    02. Managed anti-forensics IMEI modification services fuel growth in the non-attributable TDoS market segment
    03. Google’s reCAPTCHA under automatic fire from a newly launched reCAPTCHA-solving/breaking service
    04. Managed TeamViewer based anti-forensics capable virtual machines offered as a service
    05. Fully automated, API-supporting service, undermines Facebook and Google’s ‘SMS/Mobile number activation’ account registration process
    06. New TDoS market segment entrant introduces 96 SIM cards compatible custom GSM module, positions itself as market disruptor
    07. Compromised FTP/SSH account privilege-escalating mass iFrame embedding platform released on the underground marketplace
    08. Cybercriminals release stealthy DIY mass iFrame injecting Apache 2 modules
    09. Newly launched VDS-based cybercrime-friendly hosting provider helps facilitate fraudulent/malicious online activity
    10. A peek inside a Blackhat SEO/cybercrime-friendly doorways management platform

    Enjoy!

    Top Ten ZDNet Zero Day Posts

    Dear blog readers, as it's been quite a long time since I last (publicly) posted my research, I decided to finally get down to work, following the release of my most comprehensive, publicly obtainable, actionable, insightful and in-depth assessment ever conducted, on the topic of "Assessing The Computer Network Operation (CNO) Capabilities of the Islamic Republic of Iran - Report".

    Having actively performed cybercrime research throughout the last couple of years, I will continue performing active research on my personal blog, empowering the community with real-time, actionable, insightful and, most importantly, in-depth threat intelligence analyses and assessments.

    Stay tuned, and as always, feel free to reach me at dancho.danchev@gmail.com

    In this post, I'll summarize the top content from ZDNet's Zero Day posts, throughout 2008/2013.

    01. 5 reasons why the proposed ID scheme for Internet users is a bad idea
    02. The ultimate guide to scareware protection
    03. Coordinated Russia vs Georgia cyber attack in progress
    04. Inside India's CAPTCHA solving economy
    05. Should a targeted country strike back at the cyber attackers?
    06. Attack of the Opt-In Botnets
    07. 10 things you didn't know about the Koobface gang
    08. Seven myths about zero day vulnerabilities debunked
    09. Inside an affiliate spam program for pharmaceuticals
    10. New study details the dynamics of successful phishing

    Enjoy!

    Wednesday, July 29, 2015

    Assessing The Computer Network Operation (CNO) Capabilities of the Islamic Republic of Iran - Report

    UPDATE: MEMRI Cyber Jihad Lab (CJL) has issued an update on the report.

    Dear blog readers, I would like to let you know of my latest publicly released report, on the topic of "Assessing The Computer Network Operation (CNO) Capabilities of the Islamic Republic of Iran": a comprehensive 45-page assessment of Iran's cyber warfare scene, featuring exclusive, never-before-published assessments of the country's cyber warfare doctrine, analysis of the country's academic incubators of the next generation of cyber warriors, and an exclusive social network analysis (SNA) of Iran's hacking scene.

    The report answers the following questions:
    • Who's who on Iran's Cyber Warfare Scene - the most comprehensive analysis of Iran's cyber warfare scene ever performed
    • Where do they go to school? - in-depth analysis of Iran's academic incubators of the next generation of cyber warriors
    • Who's buying them books? - in-depth geopolitically relevant analysis of Iran's cyber warfare doctrine
    • How do they own and compromise? - complimentary copies of hacking tools, E-zines, academic papers, SNA (Social Network Analysis) of Iran's Hacking Scene
    An excerpt from the Executive Summary:
    "Today's growing cyber warfare arms race, prompts for systematic, structured, and
    multidisciplinary enriched processes to be utilized, in order to anticipate/neutralize and
    properly attribute an adversary's strategic, tactical and operational Computer Network
    Operation (CNO) capabilities, so that an adequate response can be formulated and
    executed on the basis of a factual research answering some of the most relevant questions
    in the 'fifth domain' of warfare - who are our adversaries, what are they up to, when are
    they going to launch an attack against us, how exactly are they going to launch it, and
    what are they going to target first?

    This qualitative analysis (45 pages) seeks to assess the Computer Network Operations (CNO) of
    Islamic Republic of Iran, through the prism of the adversary's understanding of Tactics,
    Techniques and Procedures (TTP), a structured and geopolitically relevant, enriched
    OSINT assessment of their operations, consisting of interpreted hacking literature, videos
    and custom made hacking tools, extensive SNA (Social Network Analysis) of the
    country's Hacking Ecosystem, real-life personalization of the key individuals behind the
    groups (personally identifiable photos, personal emails, phone numbers, Blogs, Web
    Sites, Social Networking accounts etc.). Its purpose is to ultimately empower
    decision/policy makers, as well as intelligence analysts, with recommendations for
    countering Islamic Republic of Iran's growing understanding and application of CNO
    tactics and strategies."

    You can get the report from here.

    Enjoy!

    Tuesday, October 21, 2014

    Rogue Android Apps Hosting Web Site Exposes Malicious Infrastructure


    With cybercriminals continuing to populate the cybercrime ecosystem with automatically generated and monetized mobile malware variants, we continue to observe a logical shift towards convergence between cybercrime-friendly revenue-sharing affiliate networks and malicious infrastructure providers, on their way to achieving a positive ROI (return on investment) from their risk-forwarding fraudulent activities.

    I've recently spotted a legitimate-looking rogue Android apps hosting Web site, directly connected to a market-leading DIY API-enabled mobile malware generating/monetizing platform, further exposing related fraudulent operations performed using the malicious infrastructure, which I'll expose in this post.

    Let's assess the campaign, expose the malicious infrastructure behind it, and list the cybercrime-friendly premium-rate SMS numbers involved in it, as well as the related malicious MD5s known to have participated in the campaign or to have utilized the same malicious infrastructure.

    Sample rogue Android apps hosting URL: hxxp://androidapps.mob.wf - 37.1.206.173

    Responding to the same IP (37.1.206.173) are also the following fraudulent domains:
    hxxp://22-minuty.ru
    hxxp://nygolfpro.com
    hxxp://bloomster.dp.ua
    hxxp://stdstudio.com.ua
    hxxp://autosolnce.ru

    Detection rate for sample rogue Android apps:
    MD5: 4bf349b601fd73c74eafc01ce8ea8be7
    MD5: c4508c127029571e5b6f6b08e5c91415
    MD5: bd296d35bf41b9ae73ed816cc7c4c38b

    Sample redirection chain exposing the fraudulent infrastructure: hxxp://22-minuty.ru -> hxxp://playersharks2.com/player.php/?userid= - 94.242.214.133; 94.242.214.155

    Known to have responded to the same IPs (94.242.214.133; 94.242.214.155) are also the following fraudulent domains, participating in a related revenue-sharing affiliate network based type of monetization scheme:
    hxxp://4books.ru
    hxxp://annoncer.media-bar.ru
    hxxp://booksbutton1.com
    hxxp://film-club.ru
    hxxp://film-popcorn.ru
    hxxp://filmbuttons.ru
    hxxp://filmi-doma.com
    hxxp://filmonika.ru
    hxxp://films.909.su
    hxxp://indiiskie.ru
    hxxp://kinozond.ru
    hxxp://media-bar.ru
    hxxp://playersharks2.com
    hxxp://playersharks4.com
    hxxp://pplayer.ru
    hxxp://sharksplayer2.com
    hxxp://sharksplayer3.ru
    hxxp://sharksreader.ru
    hxxp://tema-info.ru
    hxxp://toppfilms.ru
    hxxp://video-movies.com
    hxxp://video.909.su
    hxxp://videodomm.ru
    hxxp://videozzy.com
    hxxp://videozzzz.ru
    hxxp://websharks.ru
    hxxp://yasmotrju.ru



    Malicious MD5s known to have phoned back to the same IP (94.242.214.133):
    MD5: 9ec8aef6dc0e3db8596ac54318847328
    MD5: 895c38ec4fb1fbee47bfb3b6ee3a170b
    MD5: c4d88b32b605500b7f86de5569a11e22
    MD5: 49861fd4748dd57c192139e8bd5b71e3
    MD5: 8b350f8a32ef4b28267995cf8f0ceae1

    Premium rate SMS numbers involved in the fraudulent scheme:
    7151; 9151; 2855; 3855; 3858; 2858; 8151; 7155; 7255; 3190; 3200; 3170; 3006; 3150; 6150; 4124; 4481; 7781; 5014; 1151; 4125; 1141; 1131; 1350; 3354; 7122; 3353; 7132; 3352; 8355; 8155; 8055; 7515; 1037; 1953; 3968; 5370; 1952; 3652; 5373; 9191; 1005; 7019; 7250; 1951; 7015; 7099; 7030


    Once executed, MD5: 9ec8aef6dc0e3db8596ac54318847328 phones back to the following C&C servers, further exposing the malicious infrastructure:
    67.215.246.10:6881
    82.221.103.244:6881
    114.252.58.66:6407
    89.136.77.86:45060
    212.25.54.183:32822
    107.191.223.72:22127
    87.89.149.106:24874
    82.247.154.128:47988
    108.181.68.73:47342
    82.74.179.126:52352
    121.222.168.146:64043
    217.121.30.46:34421
    115.143.245.78:51548
    110.15.205.16:51477
    37.114.69.97:19079
    85.229.206.243:55955
    95.109.112.178:60018
    95.68.195.182:44025
    239.192.152.143:6771
    109.187.54.101:13100
    117.194.5.97:55535
    95.29.112.178:59039
    109.162.133.97:19459
    83.205.112.178:11420
    95.68.3.182:53450
    175.115.103.140:52696
    197.2.133.97:27334
    84.55.8.7:10060
    27.5.132.243:19962
    123.109.176.178:36527
    175.157.176.178:22906
    188.187.147.247:14745
    178.212.133.205:52416
    145.255.1.250:41973
    213.21.32.190:51413
    93.73.165.31:61889
    176.97.214.119:46605
    185.51.127.134:16447
    109.239.42.123:16845
    77.232.158.215:40266
    178.173.37.2:47126
    62.84.24.219:47594
    37.144.87.15:13448
    5.251.28.179:39620
    94.19.66.51:42894
    94.51.242.89:35691
    93.179.102.216:24458
    212.106.62.201:44821
    95.52.69.39:12249
    46.118.64.45:44172
    217.175.33.130:45244
    185.8.126.226:32972
    93.92.200.202:56664
    94.214.220.37:35196
    46.182.132.67:32103
    46.188.123.131:11510
    83.139.188.142:34549
    188.232.124.16:27582
    91.213.23.226:19751
    95.32.142.28:55555
    95.83.188.157:15714
    95.128.244.10:59239
    176.31.240.170:6882
    79.109.88.241:6881
    91.215.90.109:34600
    62.198.229.165:6881
    91.148.118.250:21558
    81.82.210.40:6881
    97.121.23.163:31801
    78.186.155.62:6881
    78.1.158.105:47475
    79.160.62.185:9005
    213.87.123.81:17790
    178.150.154.26:26816
    83.174.247.71:59908
    109.87.175.144:29374
    86.57.186.171:45013
    193.222.140.60:35691
    176.115.158.138:24253
    42.98.191.90:7085
    178.127.152.72:10107
    82.239.74.201:61137
    185.19.22.192:46337
    86.185.92.38:10819
    78.214.194.145:24521
    37.78.85.173:49001
    82.70.112.150:32371
    37.131.212.35:18525
    79.136.156.151:59659
    2.134.48.150:12530
    95.29.164.86:6881
    37.147.16.242:64954
    79.45.36.86:22690
    112.208.182.65:56374
    62.99.29.74:44822
    95.16.12.111:12765
    124.169.69.69:41216
    5.164.83.49:62348
    79.22.73.216:61914
    46.63.131.146:6881
    89.150.119.203:55029
    58.23.49.24:2717
    83.41.5.241:45624
    87.21.80.23:27949
    178.150.176.150:57997
    178.127.195.146:58278
    5.141.236.13:15784
    125.182.35.138:54094
    99.228.23.82:29302
    14.111.131.146:33433
    122.177.90.137:25375
    178.223.195.146:54596
    182.54.112.150:1058
    109.23.145.152:31514
    213.241.204.31:27769
    188.168.58.6:45823
    2.94.4.215:50830
    42.91.39.236:13923
    116.33.113.4:19973
    86.182.170.27:25712
    177.82.206.231:39043
    122.143.152.35:7890
    217.13.219.147:39190
    77.75.13.195:16279
    87.239.5.144:58749
    89.141.116.97:49001
    176.106.11.49:44690
    112.14.110.199:33243
    122.26.6.52:20527
    178.223.195.146:23034
    98.118.85.85:51413

    What's particularly interesting about this campaign is that the Terms of Service (ToS) presented to gullible, socially engineered end users refer to a well-known Web site (jmobi.net), directly connected with the market-leading DIY API-enabled mobile malware generating/monetization platform, extensively profiled in a previously published post.

    As cybercriminals continue to achieve ecosystem-wide standardization, we'll continue to observe an increase in fraudulent activity, with the cybercriminals behind it continuing to innovate on their way to efficient monetization schemes and risk-forwarding centered fraudulent models, further contributing to the adaptive innovation applied to their current TTPs (tactics, techniques and procedures).

    This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter.

    Wednesday, April 09, 2014

    Summarizing Webroot's Threat Blog Posts for March


    The following is a brief summary of all of my posts at Webroot's Threat Blog for March, 2014. You can subscribe to Webroot's Threat Blog RSS Feed, or follow me on Twitter:


    01. Deceptive ads expose users to PUA.InstallBrain/PC Performer PUA (Potentially Unwanted Application)
    02. Managed Web-based 300 GB/s capable DNS amplification enabled malware bot spotted in the wild
    03. Commercial Windows-based compromised Web shells management application spotted in the wild – part two
    04. Multiple spamvertised bogus online casino themed campaigns intercepted in the wild
    05. 5M+ harvested Russian mobile numbers service exposes fraudulent infrastructure
    06. Socks4/Socks5 enabled hosts as a service introduces affiliate network based revenue sharing scheme
    07. A peek inside a modular, Tor C&C enabled, Bitcoin mining malware bot
    08. Managed anti-forensics IMEI modification services fuel growth in the non-attributable TDoS market segment
    09. Commercially available database of 52M+ ccTLD zone transfer domains spotted in the wild
    10. Deceptive ads expose users to the Adware.Linkular/Win32.SpeedUpMyPC.A PUAs (Potentially Unwanted Applications)
    11. DIY automatic cybercrime-friendly ‘redirector generating’ service spotted in the wild – part two
    12. Managed DDoS WordPress-targeting, XML-RPC API abusing service, spotted in the wild 

    Saturday, March 22, 2014

    Win32.Nixofro Serving, Malicious Infrastructure, Exposes Fraudulent Facebook Social Media Service Provider

    I've recently spotted a malicious, cybercrime-friendly SWF iframe/redirector injecting service that also exposes a long-running Win32.Nixofro-serving malicious infrastructure, currently utilized for the purpose of operating a rogue social media service provider that's targeting Turkish Facebook users through the ubiquitous social engineering vector for this type of campaign, namely the fake Adobe Flash Player.

    Let's profile the service, discuss its relevance in the broader context of the threat landscape, provide actionable/historical threat intelligence on the malicious infrastructure, the rogue domains involved in it and the malicious MD5s served by the cybercriminals behind it, and directly link it to a previously profiled Facebook-spreading P2P-Worm.Win32.Palevo serving campaign.

    The managed SWF iframe/redirector service is a great example of a cybercrime-as-a-service type of underground market proposition, empowering both sophisticated and novice cybercriminals with the necessary (malvertising) 'know-how' in an efficient manner, directly intersecting with the commercial availability of sophisticated mass Web site/Web server malicious script embedding platforms.

    The managed SWF iframe/redirector injecting service is currently responding to 108.162.197.62 and 108.162.196.62. Known to have responded to the same IPs (108.162.197.62; 108.162.196.62) is also a key part of the malicious infrastructure that I'll expose in this post, namely hizliservis.pw - Email: furkan@cod.com.

    Known to have phoned back to the same IP (108.162.197.62) are also the following malicious MD5s:

    Known to have phoned to the same IP (108.162.196.62) are also the following malicious MD5s:

    Sample redirection chain leading to the fake Adobe Flash Player:
    hxxp://hizliservis.pw/unlu.htm -> hxxp://hizliservis.pw/indir.php -> hxxp://unluvideolari.info -> hxxp://videotr.in/player.swf -> hxxp://izleyelim.s3.amazonaws.com/movie.mp4&skin=newtubedark/NewTubeDark.xml&streamer=lighttpd&image=hqdefault.jpg

    Domain name reconnaissance:
    hizliservis.pw - Email: furkan@cod.com
    videotr.in - Email: tiiknet@yandex.com; snack@log-z.com
    izleyelim.s3.amazonaws.com - 176.32.97.249

    Within hizliservis.pw, we can easily spot yet another part of the same malicious/fraudulent infrastructure, namely, the rogue social media distribution platform's login interface.


    Sample redirection chain leading to a currently active fake Adobe Flash Player (Win32.Nixofro):
    hxxp://socialmediasystem.net/down.php ->  hxxps://profonixback31.googlecode.com/svn/FlashPlayer_Guncelle.exe

    Detection rate for the fake Adobe Flash Player:
    MD5: 28c3c503d398914bdd2c2b3fdc1f9ea4 - detected by 36 out of 50 antivirus scanners as Win32.Nixofro

    Once executed, the sample phones back to profonixuser.net (141.101.117.218).

    Known to have responded to the same IP (141.101.117.218) are also the following malicious MD5s:

    Domain name reconnaissance for the rogue social media distribution platform:
    socialmediasystem.Net (141.101.118.159; 141.101.118.158) - Email: furkan@cod.com

    Sample redirection chain for the rogue social media distribution platform's core functions:
    hxxp://profonixuser.net/new.php?nocache=1044379803 -> hxxp://sosyalmedyakusu.com/oauth.php (108.162.199.203; 108.162.198.203) Email: furkan@cod.com -> hxxp://hizliservis.pw/face.php -> hxxp://socialhaberler.com/manyak.php -> hxxp://profonixuser.net/new.php -> hxxp://profonixuser.net/amk.php (141.101.117.218) -> hxxp://me.cf/dhtcw (31.170.164.67) -> hxxps://video-players.herokuapp.com/?55517841177 (107.20.187.159) -> hxxp://kingprofonix.net/hxxp://kingprofonix.com (108.162.198.203) the same domain is also known to have responded to 108.162.197.62


    Related MD5s known to have phoned back to the same IP (108.162.198.203) in the past:
    MD5: 505f615f9e1c4fdc03964b36ec877d57

    Sample internal redirectors structure:
    hxxp://profonixuser.net/fb.php -> hxxp://profonixuser.net/manyak.php -> hxxp://molotofcu.com/google/hede.php (199.27.134.199) -> hxxp://profonixuser.net/pp.php -> hxxp://gdriv.es/awalbbmprtbpahpolcdt?jgxebgqjl -> hxxps://googledrive.com/host/0B08vFK4UtN5kdjV2NklHVTVjcTQ -> hxxp://sosyalmedyakusu.com/s3x.php?ref=google
    hxxp://profonixuser.net/user.php -> hxxp://goo.gl/ber2EP -> hxxps://buexe-x.googlecode.com/svn/FlashPlayer%20Setup.exe -> MD5: 60137c1cb77bed9afcbbbc3ad910df3f -> phones back to wjetphp.com (46.105.56.61)

    Secondary sample internal redirectors structure:
    hxxp://profonixuser.net/yarak.txt -> hxxp://profonixuser.net/u.exe -> hxxp://profonixuser.net/yeni.txt -> hxxp://profonixuser.net/yeni.exe -> hxxp://profonixuser.net/recep.html -> hxxp://goo.gl/ber2EP -> hxxp://wjetphp.com/unlu/player.swf -> hxxp://profonixuser.net/kral.txt -> hxxp://likef.in/fate.exe - 108.162.194.123; 108.162.195.123; 108.162.199.107 - known to have phoned back to the same IP is also the following malicious MD5: effcfe91beaf7a3ed2f4ac79525c5fc5 - detected by 35 out of 50 antivirus scanners as Trojan-Ransom.Win32.Foreign.kcme


    Once executed, the sample phones back to likef.biz (176.53.119.195). The same domain is also known to have responded to the following IPs: 141.101.116.165; 141.101.117.165.

    Here comes the interesting part. The fine folks at ExposedBotnets have already intercepted a malicious Facebook-spreading campaign that uses videotr.in, already profiled in this post.

    Having directly connected the cybercrime-friendly SWF iframe/redirector injecting service with hizliservis.pw, as well as the SocialMediaSystem, as being part of the same malicious infrastructure, it's time to profile the fraudulent/malicious adversaries behind the campaigns. The cybercriminals behind these campaigns appear to be operating a rogue social media service targeting Facebook Inc.
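    To make the "same infrastructure" pivots above checkable rather than eyeballed, here is an added analyst-side example (my code, not the post's): it loads the reconnaissance records quoted in this post, treats a shared registrant e-mail or a shared non-CDN IP as a strong link, and demotes IPs inside Cloudflare's published ranges (a hard-coded subset) to weak links, since CDN-fronted domains share addresses with unrelated customers.

```python
import ipaddress
from collections import defaultdict
from itertools import combinations

# Subset of Cloudflare's published IPv4 ranges (hard-coded here, not from the post).
# A CDN-fronted domain resolves to the CDN's address, not to its origin server,
# so two domains sharing one of these IPs are not necessarily run by the same party.
CDN_RANGES = [ipaddress.ip_network(n) for n in (
    "108.162.192.0/18", "141.101.64.0/18", "162.158.0.0/15", "199.27.128.0/21")]

# Domain -> (observed IPs, registrant e-mails), copied from the post's
# domain name reconnaissance sections.
RECORDS = {
    "hizliservis.pw": (["108.162.197.62", "108.162.196.62"], ["furkan@cod.com"]),
    "socialmediasystem.net": (["141.101.118.159", "141.101.118.158"], ["furkan@cod.com"]),
    "sosyalmedyakusu.com": (["108.162.199.203", "108.162.198.203"], ["furkan@cod.com"]),
    "kingprofonix.com": (["108.162.198.203", "108.162.197.62"], []),
    "videotr.in": ([], ["tiiknet@yandex.com", "snack@log-z.com"]),
    "profmedya.com": (["178.33.42.254", "188.138.9.39", "89.19.20.242"], ["kayahoca@gmail.com"]),
    "worldmedya.net": (["188.138.9.39"], []),
}


def is_cdn_ip(ip):
    """True if the address falls inside a known CDN/reverse-proxy range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CDN_RANGES)


def pivot_edges(records):
    """Map each pair of related domains to the indicator values linking them.

    Returns (strong, weak): strong edges rest on a shared registrant e-mail or a
    shared non-CDN IP; weak edges rest only on a shared CDN IP and are kept apart
    so they are reported but never used to merge clusters.
    """
    by_indicator = defaultdict(set)
    for domain, (ips, emails) in records.items():
        for email in emails:
            by_indicator[("email", email.lower())].add(domain)
        for ip in ips:
            by_indicator[("ip", ip)].add(domain)
    strong, weak = defaultdict(set), defaultdict(set)
    for (kind, value), domains in by_indicator.items():
        bucket = weak if kind == "ip" and is_cdn_ip(value) else strong
        for a, b in combinations(sorted(domains), 2):
            bucket[(a, b)].add(value)
    return strong, weak


def clusters(records):
    """Union-find over strong edges; returns clusters as frozensets, largest first."""
    parent = {d: d for d in records}

    def find(d):
        while parent[d] != d:
            parent[d] = parent[parent[d]]  # path halving
            d = parent[d]
        return d

    strong, _ = pivot_edges(records)
    for a, b in strong:
        parent[find(a)] = find(b)
    groups = defaultdict(set)
    for d in records:
        groups[find(d)].add(d)
    return sorted((frozenset(g) for g in groups.values()), key=lambda g: (-len(g), min(g)))


if __name__ == "__main__":
    for group in clusters(RECORDS):
        print(sorted(group))
    _, weak = pivot_edges(RECORDS)
    for (a, b), ips in sorted(weak.items()):
        print(f"weak (CDN IP only): {a} <-> {b} via {sorted(ips)}")
```

    Run as-is, kingprofonix.com ends up tied to hizliservis.pw and sosyalmedyakusu.com only through Cloudflare addresses, so that link rests on the redirection chains rather than on shared hosting.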

    Sample screenshots of the social media distribution platform's Web based interface:

    Sample advertisement of the rogue social media distribution platform:

    Skype ID of the rogue company: ProFonixcod
    Secondary company name: ProfMedya - hxxp://profmedya.com - 178.33.42.254; 188.138.9.39; 89.19.20.242 - Email: kayahoca@gmail.com. The same domain, profmedya.com, used to respond to 188.138.9.39.

    Domains known to have responded to the same IP (188.138.9.39) are also the following malicious domains:

    Rogue social media distribution platform operator's name: Fatih Konar
    Associated emails: fiberbayimdestek@hotmail.com.tr; nerdenezaman@hotmail.com.tr
    Google+ Account: hxxps://plus.google.com/103847743683129439807/about
    Twitter account: hxxps://twitter.com/ProfonixCodtr

    Domain name reconnaissance:
    profonixcod.com (profonix-cod.com) - 216.119.143.194 - Email: abazafamily_@hotmail.com (related domains known to have been registered with the same email - warningyoutube.com; likebayi.com)
    profonixcod.net

    Updates will be posted as soon as new developments take place.

    Thursday, March 06, 2014

    Summarizing Webroot's Threat Blog Posts for February


    The following is a brief summary of all of my posts at Webroot's Threat Blog for February, 2014. You can subscribe to Webroot's Threat Blog RSS Feed, or follow me on Twitter:


    01. Cybercriminals release Socks4/Socks5 based Alexa PageRank boosting application
    02. Market leading ‘standardized cybercrime-friendly E-shop’ service brings 2500+ boutique E-shops online
    03. Managed TeamViewer based anti-forensics capable virtual machines offered as a service
    04. Malicious campaign relies on rogue WordPress sites, leads to client-side exploits through the Magnitude exploit kit
    05. ‘Hacking for hire’ teams occupy multiple underground market segments, monetize their malicious ‘know how’
    06. DoubleClick malvertising campaign exposes long-run beneath the radar malvertising infrastructure
    07. Spamvertised ‘Image has been sent’ Evernote themed campaign serves client-side exploits
    08. Spamvertised ‘You received a new message from Skype voicemail service’ themed emails lead to Angler exploit kit

    Summarizing Webroot's Threat Blog Posts for January


    The following is a brief summary of all of my posts at Webroot's Threat Blog for January, 2014. You can subscribe to Webroot's Threat Blog RSS Feed, or follow me on Twitter:

    01. ‘Adobe License Service Center Order NR’ and ‘Notice to appear in court’ themed malicious spam campaigns intercepted in the wild
    02. New ‘Windows 8 Home Screen’ themed passwords/game keys stealer spotted in the wild
    03. Vendor of TDoS products resets market life cycle of well known 3G USB modem/GSM/SIM card-based TDoS tool
    04. New TDoS market segment entrant introduces 96 SIM cards compatible custom GSM module, positions itself as market disruptor
    05. DIY Python-based mass insecure WordPress scanning/exploiting tool with hundreds of pre-defined exploits spotted in the wild
    06. Google’s reCAPTCHA under automatic fire from a newly launched reCAPTCHA-solving/breaking service
    07. Fully automated, API-supporting service, undermines Facebook and Google’s ‘SMS/Mobile number activation’ account registration process
    08. Newly launched managed ‘compromised/hacked accounts E-shop hosting as service’ standardizes the monetization process
    09. Newly released Web based DDoS/Passwords stealing-capable DIY botnet generating tool spotted in the wild
    10. Cybercriminals release new Web based keylogging system, rely on penetration pricing to gain market share
      

    Thursday, January 16, 2014

    Facebook Spreading, Amazon AWS/Cloudflare/Google Docs Hosted Campaign, Serves P2P-Worm.Win32.Palevo


    A malicious campaign currently circulating across Facebook, utilizing multi-layered monetization tactics and targeting Turkish users, is attempting to trick users into thinking that they need to install a fake Adobe Flash Player, displayed on a fake YouTube video page, ultimately serving P2P-Worm.Win32.Palevo on the hosts of the socially engineered (international) users.

    Let's dissect the campaign, expose its infrastructure in terms of shortened URLs, redirectors, affiliate network IDs, landing pages, pseudo-random Facebook content generation phone back URLs, legitimate infrastructure hosted content, and provide MD5s for the served malicious content.

    Sample redirection chain: hxxp://m3mi.com/10469 -> hxxp://facebookikiziniz.com/yon.html?MYtDmZp4xjbUP9A0OHLj -> hxxp://facebookikiziniz.com/yon.html?MYtDmZp4xjbUP9A0OHLj -> hxxp://facebookikiziniz.com/yon.html?MYtDmZp4xjbUP9A0OHLj


    Internal campaign redirection structure, associated affiliate network IDs and landing URLs:
    hxxp://mobiltrafik.s3.amazonaws.com/mobil.html
    hxxp://mobiltrafik.s3.amazonaws.com/yurtdisi-anroid.html -> hxxp://ad.adrttt.com/aff_c?offer_id=1743&aff_id=3236&source=yurtdisi -> hxxp://ads.glispa.com/sw/49399/CD353/1023a788c68361b710b87b8ed4851a -> hxxps://play.google.com/store/apps/details?id=com.mobogenie.markets
    hxxp://mobiltrafik.s3.amazonaws.com/yurtdisi-ios.html -> hxxp://ad.rdrttt.com/aff_c?offer_id=302&aff_id=1014 -> hxxp://www.freehardcorepassport.com/?t=116216,1,96,0&x=pornfr_tracker=9208KOm00B0193IbJl3yk01BNW00005m
    hxxp://mobiltrafik.s3.amazonaws.com/yurtdisiweb.html -> hxxp://ad.rdrttt.com/aff_c?offer_id=302&aff_id=1014 -> hxxp://ads.polluxnetwork.com/hosted/w2m.php?tid=1023e4f08cae470c2f74aa3d1e2d17&oid=6200&aid=758 -> hxxp://m.pornfr.3013.idhad.com/xtrem/index.wiml
    hxxp://mobiltrafik.s3.amazonaws.com/androidwifi.html -> hxxp://ad.adrttt.com/aff_c?offer_id=1743&aff_id=3236&source=yurtici -> hxxp://ads.glispa.com/sw/49399/CD353/1023a788c68361b710b87b8ed4851a
    hxxp://mobiltrafik.s3.amazonaws.com/iphonewifi.html -> hxxp://ad.adrttt.com/aff_c?offer_id=1705&aff_id=3236 -> hxxps://itunes.apple.com/tr/app/id451786983?mt=8
    hxxp://mobiltrafik.s3.amazonaws.com/turkcell.html -> hxxp://goo.gl/GBKArV
    hxxp://mobiltrafik.s3.amazonaws.com/vodofone.html -> hxxp://ad.adrttt.com/aff_c?offer_id=1785&aff_id=3236 -> hxxp://c.mobpartner.mobi/?s=1007465&a=3578&tid1=102afc4360ecadbed491b5c08f7395
    hxxp://mobiltrafik.s3.amazonaws.com/avea.html -> hxxp://ad.juksr.com/aff_c?offer_id=709&aff_id=3236 -> hxxp://wap.chatwalk.com/landings/?name=yilbasi2&affid=reklamaction&utm_campaign=3236&clk=1025fa187aca81ce57edf8adca7a9c
    hxxp://mobiltrafik.s3.amazonaws.com/trweb.html -> hxxp://ad.adrttt.com/aff_c?offer_id=1689&aff_id=3236&source=yurticidefault -> hxxps://www.matchandtalk.com/splashmobile/10?sid=12&bid=663
    hxxp://s3.amazonaws.com/Yonver/tarayici.html -> hxxp://ad.adrttt.com/aff_c?offer_id=1091&aff_id=3236&source=tarayicidan -> hxxps://www.matchandtalk.com/splash/12?sid=12&bid=651&cid=29
    hxxp://izleyelim.s3.amazonaws.com/unlu.html -> hxxp://goo.gl/XpNHIL (21,512 clicks) -> hxxps://izleyelim.s3.amazonaws.com/indir.html
    hxxps://s3.amazonaws.com/facebookAds/ortaryon.html -> hxxps://www.matchandtalk.com/splash/12?sid=12&bid=651&cid=29


    Malicious/fraudulent domain name reconnaissance:
    facebookikiziniz.com - 108.162.195.103; 108.162.194.103
    ttcomcdn.com - 162.159.241.195; 162.159.242.195 - Email: masallahkilic@hotmail.com
    amentosx.com - 141.101.116.113; 141.101.117.113
    ad.adrttt.com - 54.236.194.194


    The campaign is also mobile device/PC-aware and therefore automatically redirects users to a variety of different locations/affiliate networks. Case in point: the redirection to Google Play's Mobogenie Market app (Windows application detected as Adware.NextLive.2, MD5: 9dd785436752a6126025b549be644e76) and the iOS-compatible SK planet TicToc app.

    Now comes the malicious twist, in the form of a fake Adobe Flash Player that socially engineered users would have to install in order to view the non-existent YouTube video content.


    Actual Fake Adobe Flash Player hosting locations within Google Docs:


    Detection rate for the fake Adobe Flash Player:
    MD5: 5bf26bd488503a4b2b74c7393d4136e3 - detected by 3 out of 47 antivirus scanners as P2P-Worm.Win32.Palevo.hexb; PE:Trojan.VBInject!1.6546

    Once executed, the sample also drops:
    MD5: a8234e13f9e3af4c768de6f2d6204b3c

    Once executed, the sample phones back to: akillitelefonburada.com (108.162.196.162).


    Sample pseudo-random bogus Facebook content generation takes place through: hxxp://www.amentosx.com/ext/r.php -> hxxps://s3.amazonaws.com/facebookAds/arkadaj.html -> hxxp://ttcomcdn.com/tw.php
