Tuesday, October 21, 2014

Rogue Android Apps Hosting Web Site Exposes Malicious Infrastructure

With cybercriminals continuing to populate the cybercrime ecosystem with automatically generated and monetized mobile malware variants, we continue to observe a logical shift towards convergence of cybercrime-friendly revenue sharing affiliate networks, and malicious infrastructure providers, on their way to further achieve a posive ROI (return on investment) out of their risk-forwarding fraudulent activities.

I've recently spotted a legitimately looking, rogue Android apps hosting Web site, directly connected to a market leading DIY API-enabled mobile malware generating/monetizing platform, further exposing related fraudulent operations, performed, while utilizing the malicious infrastructure, which I'll expose in this post.

Let's assess the campaign, expose the malicious infrastructure behind it, list the cybercrime-friendly premium rate SMS numbers, involved in it, as well as related malicious MD5s, known to have participated in the campaign/have utilized the same malicious infrastructure.

Sample rogue Android apps hosting URL: hxxp://androidapps.mob.wf -

Responding to the same IP ( are also the following fraudulent domains:

Detection rate for sample rogue Android apps:
MD5: 4bf349b601fd73c74eafc01ce8ea8be7
MD5: c4508c127029571e5b6f6b08e5c91415
MD5: bd296d35bf41b9ae73ed816cc7c4c38b

Sample redirection chain exposing the fraudulent infrastructure: hxxp://22-minuty.ru -> hxxp://playersharks2.com/player.php/?userid= -;

Known to have responded to the same IPs (; are also the following fraudulent domains, participating in a related revenue-sharing affiliate network based type of monetization scheme:

Malicious MD5s known to have phoned back to the same IP (
MD5: 9ec8aef6dc0e3db8596ac54318847328
MD5: 895c38ec4fb1fbee47bfb3b6ee3a170b
MD5: c4d88b32b605500b7f86de5569a11e22
MD5: 49861fd4748dd57c192139e8bd5b71e3
MD5: 8b350f8a32ef4b28267995cf8f0ceae1

Premium rate SMS numbers involved in the fraudulent scheme:
7151; 9151; 2855; 3855; 3858; 2858; 8151; 7155; 7255; 3190; 3200; 3170; 3006; 3150; 6150; 4124; 4481; 7781; 5014; 1151; 4125; 1141; 1131; 1350; 3354; 7122; 3353; 7132; 3352; 8355; 8155; 8055; 7515; 1037; 1953; 3968; 5370; 1952; 3652; 5373; 9191; 1005; 7019; 7250; 1951; 7015; 7099; 7030

Once executed MD5: 9ec8aef6dc0e3db8596ac54318847328 phones back to the following C&C servers, further exposing the malicious infrastructure:

What's particularly interesting, about this campaign, is the fact, that, the Terms of Service (ToS) presented to gullible and socially engineered end users, refers to a well known Web site (jmobi.net), directly connected with the market leading DIY API-enabled mobile malware generating/monetization platform, extensively profiled in a previously published post.

As cybercriminals continue to achieve a cybercrime-ecosystem wide standardization, we'll continue to observe an increase in fraudulent activity, with the cybercriminals behind it, continuing to innovate, on their way to achieve efficient monetization schemes, and risk-forwarding centered fraudulent models, further contributing to the adaptive innovation to be applied to the current TTPs (tactics, techniques and procedures) utilized by them.

This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter.

Wednesday, April 09, 2014

Summarizing Webroot's Threat Blog Posts for March

The following is a brief summary of all of my posts at Webroot's Threat Blog for March, 2014. You can subscribe to Webroot's Threat Blog RSS Feed, or follow me on Twitter:

01. Deceptive ads expose users to PUA.InstallBrain/PC Performer PUA (Potentially Unwanted Application)
02. Managed Web-based 300 GB/s capable DNS amplification enabled malware bot spotted in the wild
03. Commercial Windows-based compromised Web shells management application spotted in the wild – part two
04. Multiple spamvertised bogus online casino themed campaigns intercepted in the wild
05. 5M+ harvested Russian mobile numbers service exposes fraudulent infrastructure
06. Socks4/Socks5 enabled hosts as a service introduces affiliate network based revenue sharing scheme
07. A peek inside a modular, Tor C&C enabled, Bitcoin mining malware bot
08. Managed anti-forensics IMEI modification services fuel growth in the non-attributable TDoS market segment
09. Commercially available database of 52M+ ccTLD zone transfer domains spotted in the wild
10. Deceptive ads expose users to the Adware.Linkular/Win32.SpeedUpMyPC.A PUAs (Potentially Unwanted Applications)
11. DIY automatic cybercrime-friendly ‘redirector generating’ service spotted in the wild – part two
12. Managed DDoS WordPress-targeting, XML-RPC API abusing service, spotted in the wild 

This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter.

Saturday, April 05, 2014

"Greetings" From Bulgaria


(This post was originally scheduled on 4/3/2014, at 12:24 AM in Bulgaria).

This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter.

Saturday, March 22, 2014

Win32.Nixofro Serving, Malicious Infrastructure, Exposes Fraudulent Facebook Social Media Service Provider

I've recently spotted a malicious, cybercrime-friendly SWF iframe/redirector injecting service, that also exposes a long-run Win32.Nixofro serving malicious infrastructure, currently utilized for the purpose of operating a rogue social media service provider, that's targeting Turkish Facebook users through the ubiquitous social engineering vector, for such type of campaigns, namely, the fake Adobe Flash player.

Let's profile the service, discuss its relevance in the broader context of the threat landscape, provide actionable/historical threat intelligene on the malicious infrastructure, the rogue domains involved in it, the malicious MD5s served by the cybercriminals behind it, and directly link it to a previously profiled Facebook spreading P2P-Worm.Win32.Palevo serving campaign.

The managed SWF iframe/redirector service, is a great example of a cybercrime-as-a-service type of underground market proposition, empowering, both, sophisticated and novice cybercriminals with the necessary (malvertising) 'know-how', in an efficient manner, directly intersecting with the commercial availability of sophisticated mass Web site/Web server malicious script embedding platforms.

The managed SWF iframe/redirector injecting service is currently responding to and Known to have responded to the same IPs (; is also a key part of the malicious infrastructure that I'll expose in this post, namely hizliservis.pw - Email: furkan@cod.com.

Known to have phoned back to the same IP ( are also the following malicious MD5s:
MD5: 432efe0fa88d2a9e191cb95fa88e7b36
MD5: 720ecb1cf4f28663f4ab25eedf620341
MD5: 02691863e9dfb9e69b68f5fca932e729
MD5: 69ed70a82cb35a454c60c501025415aa
MD5: cc586a176668ceef14891b15e1b412ab
MD5: 74291941bddcec131c8c6d531fcb1886
MD5: 7c27d9ff25fc40119480e4fe2c7ca987
MD5: 72c030db7163a7a7bf2871a449d4ea3c
MD5: 432efe0fa88d2a9e191cb95fa88e7b36

Known to have phoned to the same IP ( are also the following malicious MD5s:
MD5: eda3f015204e9565c779e0725915864f
MD5: effcfe91beaf7a3ed2f4ac79525c5fc5
MD5: 14acd831691173ced830f4b51a93e1ca
MD5: 7f93b0c611f7020d28f7a545847b51e0
MD5: bcfce3a9bf2c87dab806623154d49f10
MD5: 4c90a89396d4109d8e4e2491c5da4846
MD5: 289c4f925fdec861c7f765a65b7270af

Sample redirection chain leading to the fake Adobe Flash Player:
hxxp://hizliservis.pw/unlu.htm -> hxxp://hizliservis.pw/indir.php -> hxxp://unluvideolari.info -> hxxp://videotr.in/player.swf -> hxxp://izleyelim.s3.amazonaws.com/movie.mp4&skin=newtubedark/NewTubeDark.xml&streamer=lighttpd&image=hqdefault.jpg

Domain name reconnaissance:
hizliservis.pw - Email: furkan@cod.com
videotr.in - Email: tiiknet@yandex.com; snack@log-z.com
izleyelim.s3.amazonaws.com -

Within hizliservis.pw, we can easily spot yet another part of the same malicious/fraudulent infrastructure, namely, the rogue social media distribution platform's login interface.

Sample redirection chain leading to a currently active fake Adobe Flash Player (Win32.Nixofro):
hxxp://socialmediasystem.net/down.php ->  hxxps://profonixback31.googlecode.com/svn/FlashPlayer_Guncelle.exe

Detection rate for the fake Adobe Flash Player:
MD5: 28c3c503d398914bdd2c2b3fdc1f9ea4 - detected by 36 out of 50 antivirus scanners as Win32.Nixofro

Once executed, the sample phones back to profonixuser.net (

Known to have responded to the same IP ( are also the following malicious MD5s:
MD5: 53360155012d8e5c648aca277cbde587
MD5: a66a1c42cc6fb775254cf32c8db7ad5b
MD5: a051fd83fc8577b00d8d925581af1a3b
MD5: f47784817a8a04284af4b602c7719cb7
MD5: 2e5c75318275844ce0ff7028908e8fb4
MD5: 90205a9740df5825ce80229ca105b9e8

Domain name reconnaissance for the rogue social media distibution platform:
socialmediasystem.Net (; - Email: furkan@cod.com

Sample redirection chain for the rogue social media distribution platform's core functions:
hxxp://profonixuser.net/new.php?nocache=1044379803 -> hxxp://sosyalmedyakusu.com/oauth.php (; Email: furkan@cod.com -> hxxp://hizliservis.pw/face.php -> hxxp://socialhaberler.com/manyak.php -> hxxp://profonixuser.net/new.php -> hxxp://profonixuser.net/amk.php ( -> hxxp://me.cf/dhtcw ( -> hxxps://video-players.herokuapp.com/?55517841177 ( -> hxxp://kingprofonix.net/hxxp://kingprofonix.com ( the same domain is also known to have responded to

Related MD5s known to have phoned back to the same IP ( in the past:
MD5: 505f615f9e1c4fdc03964b36ec877d57

Sample internal redirectors structure:
hxxp://profonixuser.net/fb.php -> hxxp://profonixuser.net/manyak.php -> hxxp://molotofcu.com/google/hede.php ( -> hxxp://profonixuser.net/pp.php -> hxxp://gdriv.es/awalbbmprtbpahpolcdt?jgxebgqjl -> hxxps://googledrive.com/host/0B08vFK4UtN5kdjV2NklHVTVjcTQ -> hxxp://sosyalmedyakusu.com/s3x.php?ref=google
hxxp://profonixuser.net/user.php -> hxxp://goo.gl/ber2EP -> hxxps://buexe-x.googlecode.com/svn/FlashPlayer%20Setup.exe -> MD5: 60137c1cb77bed9afcbbbc3ad910df3f -> phones back to wjetphp.com (

Secondary sample internal redirectors structure:
hxxp://profonixuser.net/yarak.txt -> hxxp://profonixuser.net/u.exe -> hxxp://profonixuser.net/yeni.txt -> hxxp://profonixuser.net/yeni.exe -> hxxp://profonixuser.net/recep.html -> hxxp://goo.gl/ber2EP -> hxxp://wjetphp.com/unlu/player.swf -> hxxp://profonixuser.net/kral.txt -> hxxp://likef.in/fate.exe -;; - known to have phoned back to the same IP is also the following malicious MD5: effcfe91beaf7a3ed2f4ac79525c5fc5 - detected by 35 out of 50 antivirus scanners as Trojan-Ransom.Win32.Foreign.kcme

Once executed, the sample phones back to likef.biz ( The same domain is also known to have responded to the following IPs;

Here's comes the interesting part. The fine folks at ExposedBotnets, have already intercepted a malicious Facebook spreading campaign, that's using the already profiled in this post videotr.in.

Having directly connected the cybercrime-friendly SWF iframe/redirector injecting service, with hizliservis.pw as well as the SocialMediaSystem as being part of the same malicious infrastructure, it's time to profile the fraudulent/malicious adversaries behind the campaigns. The cybercriminals behind these campaigns, appear to be operating a rogue social media service, targeting Facebook Inc.

Sample screenshots of the social media distribution platform's Web based interface:

Sample advertisement of the rogue social media distribution platform:

Skype ID of the rogue company: ProFonixcod
Secondary company name: ProfMedya - hxxp://profmedya.com -;; - Email: kayahoca@gmail.com. The same domain, profmedya.com used to respond to

Domains known to have responded to the same IP ( are also the following malicious domains:

Rogue social media distribution platform operator's name: Fatih Konar
Associated emails: fiberbayimdestek@hotmail.com.tr; nerdenezaman@hotmail.com.tr
Google+ Account: hxxps://plus.google.com/103847743683129439807/about
Twitter account: hxxps://twitter.com/ProfonixCodtr

Domain name reconnaissance:
profonixcod.com (profonix-cod.com) - - Email: abazafamily_@hotmail.com (related domains known to have been registered with the same email - warningyoutube.com; likebayi.com)

Updated will be posted as soon as new developments take place.

This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter.

Thursday, March 06, 2014

Summarizing Webroot's Threat Blog Posts for February

The following is a brief summary of all of my posts at Webroot's Threat Blog for February, 2014. You can subscribe to Webroot's Threat Blog RSS Feed, or follow me on Twitter:

01. Cybercriminals release Socks4/Socks5 based Alexa PageRank boosting application
02. Market leading ‘standardized cybercrime-friendly E-shop’ service brings 2500+ boutique E-shops online
03. Managed TeamViewer based anti-forensics capable virtual machines offered as a service
04. Malicious campaign relies on rogue WordPress sites, leads to client-side exploits through the Magnitude exploit kit
05. ‘Hacking for hire’ teams occupy multiple underground market segments, monetize their malicious ‘know how’
06. DoubleClick malvertising campaign exposes long-run beneath the radar malvertising infrastructure
07. Spamvertised ‘Image has been sent’ Evernote themed campaign serves client-side exploits
08. Spamvertised ‘You received a new message from Skype voicemail service’ themed emails lead to Angler exploit kit

This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter.

Summarizing Webroot's Threat Blog Posts for January

The following is a brief summary of all of my posts at Webroot's Threat Blog for January, 2014. You can subscribe to Webroot's Threat Blog RSS Feed, or follow me on Twitter:

01. ‘Adobe License Service Center Order NR’ and ‘Notice to appear in court’ themed malicious spam campaigns intercepted in the wild
02. New “Windows 8 Home Screen’ themed passwords/game keys stealer spotted in the wild
03. Vendor of TDoS products resets market life cycle of well known 3G USB modem/GSM/SIM card-based TDoS tool
04. New TDoS market segment entrant introduces 96 SIM cards compatible custom GSM module, positions itself as market disruptor
05. DIY Python-based mass insecure WordPress scanning/exploting tool with hundreds of pre-defined exploits spotted in the wild
06. Google’s reCAPTCHA under automatic fire from a newly launched reCAPTCHA-solving/breaking service
07. Fully automated, API-supporting service, undermines Facebook and Google’s ‘SMS/Mobile number activation’ account registration process
08. Newly launched managed ‘compromised/hacked accounts E-shop hosting as service’ standardizes the monetization process
09. Newly released Web based DDoS/Passwords stealing-capable DIY botnet generating tool spotted in the wild
10. Cybercriminals release new Web based keylogging system, rely on penetration pricing to gain market share
This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter.

Thursday, January 16, 2014

Facebook Spreading, Amazon AWS/Cloudflare/Google Docs Hosted Campaign, Serves P2P-Worm.Win32.Palevo

A currently circulating across Facebook, multi-layered monetization tactics utilizing, Turkish users targeting, malicious campaign, is attempting to trick users into thinking that they need to install a fake Adobe Flash Player, displayed on a fake YouTube Video page, ultimately serving P2P-Worm.Win32.Palevo on the hosts of the socially engineered (international) users.

Let's dissect the campaign, expose its infrastructure in terms of shortened URLs, redirectors, affiliate network IDs, landing pages, pseudo-random Facebook content generation phone back URLs, legitimate infrastructure hosted content, and provide MD5s for the served malicious content.

Sample redirection chain: hxxp://m3mi.com/10469 -> hxxp://facebookikiziniz.com/yon.html?MYtDmZp4xjbUP9A0OHLj -> hxxp://facebookikiziniz.com/yon.html?MYtDmZp4xjbUP9A0OHLj -> hxxp://facebookikiziniz.com/yon.html?MYtDmZp4xjbUP9A0OHLj

Internal campaign redirection structure+associated affiliate network IDs+landing URLs:
hxxp://mobiltrafik.s3.amazonaws.com/yurtdisi-anroid.html -> hxxp://ad.adrttt.com/aff_c?offer_id=1743&aff_id=3236&source=yurtdisi -> hxxp://ads.glispa.com/sw/49399/CD353/1023a788c68361b710b87b8ed4851a -> hxxps://play.google.com/store/apps/details?id=com.mobogenie.markets
hxxp://mobiltrafik.s3.amazonaws.com/yurtdisi-ios.html -> hxxp://ad.rdrttt.com/aff_c?offer_id=302&aff_id=1014 -> hxxp://www.freehardcorepassport.com/?t=116216,1,96,0&x=pornfr_tracker=9208KOm00B0193IbJl3yk01BNW00005m
hxxp://mobiltrafik.s3.amazonaws.com/yurtdisiweb.html -> hxxp://ad.rdrttt.com/aff_c?offer_id=302&aff_id=1014 -> hxxp://ads.polluxnetwork.com/hosted/w2m.php?tid=1023e4f08cae470c2f74aa3d1e2d17&oid=6200&aid=758 -> hxxp://m.pornfr.3013.idhad.com/xtrem/index.wiml
hxxp://mobiltrafik.s3.amazonaws.com/androidwifi.html -> hxxp://ad.adrttt.com/aff_c?offer_id=1743&aff_id=3236&source=yurtici -> hxxp://ads.glispa.com/sw/49399/CD353/1023a788c68361b710b87b8ed4851a
hxxp://mobiltrafik.s3.amazonaws.com/iphonewifi.html -> hxxp://ad.adrttt.com/aff_c?offer_id=1705&aff_id=3236 -> hxxps://itunes.apple.com/tr/app/id451786983?mt=8
hxxp://mobiltrafik.s3.amazonaws.com/turkcell.html -> hxxp://goo.gl/GBKArV
hxxp://mobiltrafik.s3.amazonaws.com/vodofone.html -> hxxp://ad.adrttt.com/aff_c?offer_id=1785&aff_id=3236 -> hxxp://c.mobpartner.mobi/?s=1007465&a=3578&tid1=102afc4360ecadbed491b5c08f7395
hxxp://mobiltrafik.s3.amazonaws.com/avea.html -> hxxp://ad.juksr.com/aff_c?offer_id=709&aff_id=3236 -> hxxp://wap.chatwalk.com/landings/?name=yilbasi2&affid=reklamaction&utm_campaign=3236&clk=1025fa187aca81ce57edf8adca7a9c
hxxp://mobiltrafik.s3.amazonaws.com/trweb.html -> hxxp://ad.adrttt.com/aff_c?offer_id=1689&aff_id=3236&source=yurticidefault -> hxxps://www.matchandtalk.com/splashmobile/10?sid=12&bid=663
hxxp://s3.amazonaws.com/Yonver/tarayici.html -> hxxp://ad.adrttt.com/aff_c?offer_id=1091&aff_id=3236&source=tarayicidan -> hxxps://www.matchandtalk.com/splash/12?sid=12&bid=651&cid=29
hxxp://izleyelim.s3.amazonaws.com/unlu.html -> hxxp://goo.gl/XpNHIL (21,512 clicks) -> hxxps://izleyelim.s3.amazonaws.com/indir.html
hxxps://s3.amazonaws.com/facebookAds/ortaryon.html -> hxxps://www.matchandtalk.com/splash/12?sid=12&bid=651&cid=29

Malicious/fraudulent domain name reconnaissance:
facebookikiziniz.com -;
ttcomcdn.com -; - Email: masallahkilic@hotmail.com
amentosx.com -;
ad.adrttt.com -

The campaign is also mobile device/PC-aware, and is therefore automatically redirecting users to a variety of different locations/affiliate networks. Case in point, the redirection to Google Play's Mobogenie Market App (Windows application detected as Adware.NextLive.2 MD5: 9dd785436752a6126025b549be644e76), and the iOS compatible SK planet's TicToc app.

Now comes the malicious twist, in the form of Fake Adobe Flash Player, that socially engineered users would have to install, in order to view the non-existent YouTube video content.

Actual Fake Adobe Flash Player hosting locations within Google Docs:

Detection rate for the fake Adobe Flash Player:
MD5: 5bf26bd488503a4b2b74c7393d4136e3 - detected by 3 out of 47 antivirus scanners as P2P-Worm.Win32.Palevo.hexb; PE:Trojan.VBInject!1.6546

Once executed, the sample also drops:
MD5: a8234e13f9e3af4c768de6f2d6204b3c

Once executed, the sample phones back to: akillitelefonburada.com (

Sample pseudo-random bogus Facebook content generation takes place through: hxxp://www.amentosx.com/ext/r.php -> hxxps://s3.amazonaws.com/facebookAds/arkadaj.html -> hxxp://ttcomcdn.com/tw.php

This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter.