Tuesday, October 21, 2014

Rogue Android Apps Hosting Web Site Exposes Malicious Infrastructure


As cybercriminals continue to populate the cybercrime ecosystem with automatically generated and monetized mobile malware variants, we continue to observe a logical shift towards the convergence of cybercrime-friendly revenue-sharing affiliate networks and malicious infrastructure providers, as they seek a positive ROI (return on investment) from their risk-forwarding fraudulent activities.

I've recently spotted a legitimate-looking rogue Android apps hosting Web site that is directly connected to a market-leading DIY API-enabled mobile malware generating/monetizing platform, and that further exposes related fraudulent operations performed using the same malicious infrastructure, which I'll expose in this post.

Let's assess the campaign, expose the malicious infrastructure behind it, and list the cybercrime-friendly premium rate SMS numbers involved in it, as well as related malicious MD5s known to have participated in the campaign or to have used the same malicious infrastructure.

Sample rogue Android apps hosting URL: hxxp://androidapps.mob.wf - 37.1.206.173

Responding to the same IP (37.1.206.173) are also the following fraudulent domains:
hxxp://22-minuty.ru
hxxp://nygolfpro.com
hxxp://bloomster.dp.ua
hxxp://stdstudio.com.ua
hxxp://autosolnce.ru

Detection rate for sample rogue Android apps:
MD5: 4bf349b601fd73c74eafc01ce8ea8be7
MD5: c4508c127029571e5b6f6b08e5c91415
MD5: bd296d35bf41b9ae73ed816cc7c4c38b

Sample redirection chain exposing the fraudulent infrastructure: hxxp://22-minuty.ru -> hxxp://playersharks2.com/player.php/?userid= - 94.242.214.133; 94.242.214.155

Known to have responded to the same IPs (94.242.214.133; 94.242.214.155) are also the following fraudulent domains, participating in a related revenue-sharing affiliate network based type of monetization scheme:



Malicious MD5s known to have phoned back to the same IP (94.242.214.133):
MD5: 9ec8aef6dc0e3db8596ac54318847328
MD5: 895c38ec4fb1fbee47bfb3b6ee3a170b
MD5: c4d88b32b605500b7f86de5569a11e22
MD5: 49861fd4748dd57c192139e8bd5b71e3
MD5: 8b350f8a32ef4b28267995cf8f0ceae1

Premium rate SMS numbers involved in the fraudulent scheme:
7151; 9151; 2855; 3855; 3858; 2858; 8151; 7155; 7255; 3190; 3200; 3170; 3006; 3150; 6150; 4124; 4481; 7781; 5014; 1151; 4125; 1141; 1131; 1350; 3354; 7122; 3353; 7132; 3352; 8355; 8155; 8055; 7515; 1037; 1953; 3968; 5370; 1952; 3652; 5373; 9191; 1005; 7019; 7250; 1951; 7015; 7099; 7030


Once executed MD5: 9ec8aef6dc0e3db8596ac54318847328 phones back to the following C&C servers, further exposing the malicious infrastructure:

What's particularly interesting about this campaign is the fact that the Terms of Service (ToS) presented to gullible and socially engineered end users refer to a well known Web site (jmobi.net), directly connected with the market-leading DIY API-enabled mobile malware generating/monetization platform, extensively profiled in a previously published post.

As cybercriminals continue to achieve a cybercrime-ecosystem wide standardization, we'll continue to observe an increase in fraudulent activity, with the cybercriminals behind it continuing to innovate on their way to efficient monetization schemes and risk-forwarding centered fraudulent models, further contributing to the adaptive innovation applied to the TTPs (tactics, techniques and procedures) they currently use.

This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter.

Wednesday, April 09, 2014

Summarizing Webroot's Threat Blog Posts for March


The following is a brief summary of all of my posts at Webroot's Threat Blog for March, 2014. You can subscribe to Webroot's Threat Blog RSS Feed, or follow me on Twitter:


01. Deceptive ads expose users to PUA.InstallBrain/PC Performer PUA (Potentially Unwanted Application)
02. Managed Web-based 300 GB/s capable DNS amplification enabled malware bot spotted in the wild
03. Commercial Windows-based compromised Web shells management application spotted in the wild – part two
04. Multiple spamvertised bogus online casino themed campaigns intercepted in the wild
05. 5M+ harvested Russian mobile numbers service exposes fraudulent infrastructure
06. Socks4/Socks5 enabled hosts as a service introduces affiliate network based revenue sharing scheme
07. A peek inside a modular, Tor C&C enabled, Bitcoin mining malware bot
08. Managed anti-forensics IMEI modification services fuel growth in the non-attributable TDoS market segment
09. Commercially available database of 52M+ ccTLD zone transfer domains spotted in the wild
10. Deceptive ads expose users to the Adware.Linkular/Win32.SpeedUpMyPC.A PUAs (Potentially Unwanted Applications)
11. DIY automatic cybercrime-friendly ‘redirector generating’ service spotted in the wild – part two
12. Managed DDoS WordPress-targeting, XML-RPC API abusing service, spotted in the wild 


Saturday, March 22, 2014

Win32.Nixofro Serving, Malicious Infrastructure, Exposes Fraudulent Facebook Social Media Service Provider

I've recently spotted a malicious, cybercrime-friendly SWF iframe/redirector injecting service that also exposes a long-running Win32.Nixofro-serving malicious infrastructure, currently used to operate a rogue social media service provider that targets Turkish Facebook users through the social engineering vector ubiquitous for this type of campaign, namely the fake Adobe Flash Player.

Let's profile the service, discuss its relevance in the broader context of the threat landscape, provide actionable/historical threat intelligence on the malicious infrastructure, the rogue domains involved in it, and the malicious MD5s served by the cybercriminals behind it, and directly link it to a previously profiled Facebook spreading P2P-Worm.Win32.Palevo serving campaign.

The managed SWF iframe/redirector service is a great example of a cybercrime-as-a-service type of underground market proposition. It efficiently empowers both sophisticated and novice cybercriminals with the necessary (malvertising) 'know-how', and directly intersects with the commercial availability of sophisticated platforms for mass embedding of malicious scripts on Web sites/Web servers.

The managed SWF iframe/redirector injecting service is currently responding to 108.162.197.62 and 108.162.196.62. Known to have responded to the same IPs (108.162.197.62; 108.162.196.62) is also a key part of the malicious infrastructure that I'll expose in this post, namely hizliservis.pw - Email: furkan@cod.com.

Known to have phoned back to the same IP (108.162.197.62) are also the following malicious MD5s:

Known to have phoned back to the same IP (108.162.196.62) are also the following malicious MD5s:

Sample redirection chain leading to the fake Adobe Flash Player:
hxxp://hizliservis.pw/unlu.htm -> hxxp://hizliservis.pw/indir.php -> hxxp://unluvideolari.info -> hxxp://videotr.in/player.swf -> hxxp://izleyelim.s3.amazonaws.com/movie.mp4&skin=newtubedark/NewTubeDark.xml&streamer=lighttpd&image=hqdefault.jpg

Domain name reconnaissance:
hizliservis.pw - Email: furkan@cod.com
videotr.in - Email: tiiknet@yandex.com; snack@log-z.com
izleyelim.s3.amazonaws.com - 176.32.97.249

Within hizliservis.pw, we can easily spot yet another part of the same malicious/fraudulent infrastructure, namely, the rogue social media distribution platform's login interface.


Sample redirection chain leading to a currently active fake Adobe Flash Player (Win32.Nixofro):
hxxp://socialmediasystem.net/down.php ->  hxxps://profonixback31.googlecode.com/svn/FlashPlayer_Guncelle.exe




Detection rate for the fake Adobe Flash Player:
MD5: 28c3c503d398914bdd2c2b3fdc1f9ea4 - detected by 36 out of 50 antivirus scanners as Win32.Nixofro

Once executed, the sample phones back to profonixuser.net (141.101.117.218)

Known to have responded to the same IP (141.101.117.218) are also the following malicious MD5s:

Domain name reconnaissance for the rogue social media distribution platform:
socialmediasystem.Net (141.101.118.159; 141.101.118.158) - Email: furkan@cod.com

Sample redirection chain for the rogue social media distribution platform's core functions:
hxxp://profonixuser.net/new.php?nocache=1044379803 -> hxxp://sosyalmedyakusu.com/oauth.php (108.162.199.203; 108.162.198.203) Email: furkan@cod.com -> hxxp://hizliservis.pw/face.php -> hxxp://socialhaberler.com/manyak.php -> hxxp://profonixuser.net/new.php -> hxxp://profonixuser.net/amk.php (141.101.117.218) -> hxxp://me.cf/dhtcw (31.170.164.67) -> hxxps://video-players.herokuapp.com/?55517841177 (107.20.187.159) -> hxxp://kingprofonix.net/hxxp://kingprofonix.com (108.162.198.203) the same domain is also known to have responded to 108.162.197.62


Related MD5s known to have phoned back to the same IP (108.162.198.203) in the past:
MD5: 505f615f9e1c4fdc03964b36ec877d57

Sample internal redirectors structure:
hxxp://profonixuser.net/fb.php -> hxxp://profonixuser.net/manyak.php -> hxxp://molotofcu.com/google/hede.php (199.27.134.199) -> hxxp://profonixuser.net/pp.php -> hxxp://gdriv.es/awalbbmprtbpahpolcdt?jgxebgqjl -> hxxps://googledrive.com/host/0B08vFK4UtN5kdjV2NklHVTVjcTQ -> hxxp://sosyalmedyakusu.com/s3x.php?ref=google
hxxp://profonixuser.net/user.php -> hxxp://goo.gl/ber2EP -> hxxps://buexe-x.googlecode.com/svn/FlashPlayer%20Setup.exe -> MD5: 60137c1cb77bed9afcbbbc3ad910df3f -> phones back to wjetphp.com (46.105.56.61)
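
The redirection chains in these posts share one notation: defanged `hxxp` URLs joined by `->`, with resolved IPs in parentheses or after a dash. The following added example (not code from the original posts) parses that notation into blocklist-ready indicators and the same-host/same-IP pivots; the `SHARED_PLATFORMS` list and all function names are assumptions made for illustration.

```python
import ipaddress
import re
from collections import defaultdict
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed sample input: excerpts of three chains from this page, kept defanged.
CHAINS = [
    "hxxp://22-minuty.ru -> hxxp://playersharks2.com/player.php/?userid= "
    "- 94.242.214.133; 94.242.214.155",
    "hxxp://profonixuser.net/new.php?nocache=1044379803 -> "
    "hxxp://sosyalmedyakusu.com/oauth.php (108.162.199.203; 108.162.198.203) "
    "Email: furkan@cod.com -> hxxp://hizliservis.pw/face.php",
    "hxxp://profonixuser.net/pp.php -> hxxp://gdriv.es/awalbbmprtbpahpolcdt?jgxebgqjl "
    "-> hxxps://googledrive.com/host/0B08vFK4UtN5kdjV2NklHVTVjcTQ "
    "-> hxxp://sosyalmedyakusu.com/s3x.php?ref=google",
]

# Assumption: analyst-maintained list of multi-tenant services named on this page.
# Blocking these by host would break legitimate use, so they get URL-level indicators.
SHARED_PLATFORMS = ("amazonaws.com", "googlecode.com", "googledrive.com",
                    "docs.google.com", "goo.gl", "herokuapp.com",
                    "dropboxusercontent.com")

URL_RE = re.compile(r"hxxps?://\S+", re.IGNORECASE)
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


@dataclass(frozen=True)
class Hop:
    url: str      # stays defanged so it cannot be clicked or auto-linked
    host: str
    ips: tuple    # IPs the analyst annotated next to this hop


def parse_chain(line):
    """Split one chain into hops; segments without a URL are skipped."""
    hops = []
    for segment in line.split("->"):
        match = URL_RE.search(segment)
        if not match:
            continue
        url = match.group(0).rstrip(";,)")
        # Refang only in memory so urlsplit can extract the hostname.
        host = urlsplit("http" + url[4:]).hostname or ""
        ips = []
        for candidate in IP_RE.findall(segment[match.end():]):
            try:
                addr = ipaddress.ip_address(candidate)
            except ValueError:
                continue          # the loose regex also matches e.g. 999.1.1.1
            if addr.is_global:    # drop private, loopback and multicast noise
                ips.append(str(addr))
        hops.append(Hop(url, host.lower(), tuple(ips)))
    return hops


def is_shared(host):
    return any(host == p or host.endswith("." + p) for p in SHARED_PLATFORMS)


def indicators(chains):
    """Host-level indicators, except URL-level ones on shared platforms."""
    out = set()
    for line in chains:
        for hop in parse_chain(line):
            out.add(("url", hop.url) if is_shared(hop.host) else ("host", hop.host))
    return sorted(out)


def recurring_hosts(chains):
    """Dedicated hosts seen in more than one chain: likely infrastructure hubs."""
    seen = defaultdict(set)
    for idx, line in enumerate(chains):
        for hop in parse_chain(line):
            seen[hop.host].add(idx)
    return sorted(h for h, where in seen.items()
                  if len(where) > 1 and not is_shared(h))


def hosts_by_ip(chains):
    """Annotated IP -> hosts, the pivot behind 'responded to the same IP'."""
    index = defaultdict(set)
    for line in chains:
        for hop in parse_chain(line):
            for ip in hop.ips:
                index[ip].add(hop.host)
    return {ip: sorted(hosts) for ip, hosts in index.items()}


if __name__ == "__main__":
    for kind, value in indicators(CHAINS):
        print(kind, value)
    print("recurring:", recurring_hosts(CHAINS))
    print("by ip:", hosts_by_ip(CHAINS))
```
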

Secondary sample internal redirectors structure:
hxxp://profonixuser.net/yarak.txt -> hxxp://profonixuser.net/u.exe -> hxxp://profonixuser.net/yeni.txt -> hxxp://profonixuser.net/yeni.exe -> hxxp://profonixuser.net/recep.html -> hxxp://goo.gl/ber2EP -> hxxp://wjetphp.com/unlu/player.swf -> hxxp://profonixuser.net/kral.txt -> hxxp://likef.in/fate.exe - 108.162.194.123; 108.162.195.123; 108.162.199.107 - known to have phoned back to the same IP is also the following malicious MD5: effcfe91beaf7a3ed2f4ac79525c5fc5 - detected by 35 out of 50 antivirus scanners as Trojan-Ransom.Win32.Foreign.kcme


Once executed, the sample phones back to likef.biz (176.53.119.195). The same domain is also known to have responded to the following IPs 141.101.116.165; 141.101.117.165.

Here comes the interesting part. The fine folks at ExposedBotnets have already intercepted a malicious Facebook spreading campaign that's using videotr.in, already profiled in this post.

Having directly connected the cybercrime-friendly SWF iframe/redirector injecting service, with hizliservis.pw as well as the SocialMediaSystem as being part of the same malicious infrastructure, it's time to profile the fraudulent/malicious adversaries behind the campaigns. The cybercriminals behind these campaigns, appear to be operating a rogue social media service, targeting Facebook Inc.

Sample screenshots of the social media distribution platform's Web based interface:



Sample advertisement of the rogue social media distribution platform:




Skype ID of the rogue company: ProFonixcod
Secondary company name: ProfMedya - hxxp://profmedya.com - 178.33.42.254; 188.138.9.39; 89.19.20.242 - Email: kayahoca@gmail.com. The same domain, profmedya.com used to respond to 188.138.9.39.

The following malicious domains are also known to have responded to the same IP (188.138.9.39):

Rogue social media distribution platform operator's name: Fatih Konar
Associated emails: fiberbayimdestek@hotmail.com.tr; nerdenezaman@hotmail.com.tr
Google+ Account: hxxps://plus.google.com/103847743683129439807/about
Twitter account: hxxps://twitter.com/ProfonixCodtr

Domain name reconnaissance:
profonixcod.com (profonix-cod.com) - 216.119.143.194 - Email: abazafamily_@hotmail.com (related domains known to have been registered with the same email - warningyoutube.com; likebayi.com)
profonixcod.net

Updates will be posted as soon as new developments take place.


Thursday, March 06, 2014

Summarizing Webroot's Threat Blog Posts for February


The following is a brief summary of all of my posts at Webroot's Threat Blog for February, 2014. You can subscribe to Webroot's Threat Blog RSS Feed, or follow me on Twitter:


01. Cybercriminals release Socks4/Socks5 based Alexa PageRank boosting application
02. Market leading ‘standardized cybercrime-friendly E-shop’ service brings 2500+ boutique E-shops online
03. Managed TeamViewer based anti-forensics capable virtual machines offered as a service
04. Malicious campaign relies on rogue WordPress sites, leads to client-side exploits through the Magnitude exploit kit
05. ‘Hacking for hire’ teams occupy multiple underground market segments, monetize their malicious ‘know how’
06. DoubleClick malvertising campaign exposes long-run beneath the radar malvertising infrastructure
07. Spamvertised ‘Image has been sent’ Evernote themed campaign serves client-side exploits
08. Spamvertised ‘You received a new message from Skype voicemail service’ themed emails lead to Angler exploit kit


Summarizing Webroot's Threat Blog Posts for January


The following is a brief summary of all of my posts at Webroot's Threat Blog for January, 2014. You can subscribe to Webroot's Threat Blog RSS Feed, or follow me on Twitter:

01. ‘Adobe License Service Center Order NR’ and ‘Notice to appear in court’ themed malicious spam campaigns intercepted in the wild
02. New “Windows 8 Home Screen’ themed passwords/game keys stealer spotted in the wild
03. Vendor of TDoS products resets market life cycle of well known 3G USB modem/GSM/SIM card-based TDoS tool
04. New TDoS market segment entrant introduces 96 SIM cards compatible custom GSM module, positions itself as market disruptor
05. DIY Python-based mass insecure WordPress scanning/exploting tool with hundreds of pre-defined exploits spotted in the wild
06. Google’s reCAPTCHA under automatic fire from a newly launched reCAPTCHA-solving/breaking service
07. Fully automated, API-supporting service, undermines Facebook and Google’s ‘SMS/Mobile number activation’ account registration process
08. Newly launched managed ‘compromised/hacked accounts E-shop hosting as service’ standardizes the monetization process
09. Newly released Web based DDoS/Passwords stealing-capable DIY botnet generating tool spotted in the wild
10. Cybercriminals release new Web based keylogging system, rely on penetration pricing to gain market share
  

Thursday, January 16, 2014

Facebook Spreading, Amazon AWS/Cloudflare/Google Docs Hosted Campaign, Serves P2P-Worm.Win32.Palevo


A malicious campaign currently circulating across Facebook, targeting Turkish users and utilizing multi-layered monetization tactics, is attempting to trick users into thinking that they need to install a fake Adobe Flash Player, displayed on a fake YouTube video page, ultimately serving P2P-Worm.Win32.Palevo on the hosts of the socially engineered (international) users.

Let's dissect the campaign, expose its infrastructure in terms of shortened URLs, redirectors, affiliate network IDs, landing pages, pseudo-random Facebook content generation phone back URLs, legitimate infrastructure hosted content, and provide MD5s for the served malicious content.

Sample redirection chain: hxxp://m3mi.com/10469 -> hxxp://facebookikiziniz.com/yon.html?MYtDmZp4xjbUP9A0OHLj -> hxxp://facebookikiziniz.com/yon.html?MYtDmZp4xjbUP9A0OHLj -> hxxp://facebookikiziniz.com/yon.html?MYtDmZp4xjbUP9A0OHLj


Internal campaign redirection structure+associated affiliate network IDs+landing URLs:
hxxp://mobiltrafik.s3.amazonaws.com/mobil.html
hxxp://mobiltrafik.s3.amazonaws.com/yurtdisi-anroid.html -> hxxp://ad.adrttt.com/aff_c?offer_id=1743&aff_id=3236&source=yurtdisi -> hxxp://ads.glispa.com/sw/49399/CD353/1023a788c68361b710b87b8ed4851a -> hxxps://play.google.com/store/apps/details?id=com.mobogenie.markets
hxxp://mobiltrafik.s3.amazonaws.com/yurtdisi-ios.html -> hxxp://ad.rdrttt.com/aff_c?offer_id=302&aff_id=1014 -> hxxp://www.freehardcorepassport.com/?t=116216,1,96,0&x=pornfr_tracker=9208KOm00B0193IbJl3yk01BNW00005m
hxxp://mobiltrafik.s3.amazonaws.com/yurtdisiweb.html -> hxxp://ad.rdrttt.com/aff_c?offer_id=302&aff_id=1014 -> hxxp://ads.polluxnetwork.com/hosted/w2m.php?tid=1023e4f08cae470c2f74aa3d1e2d17&oid=6200&aid=758 -> hxxp://m.pornfr.3013.idhad.com/xtrem/index.wiml
hxxp://mobiltrafik.s3.amazonaws.com/androidwifi.html -> hxxp://ad.adrttt.com/aff_c?offer_id=1743&aff_id=3236&source=yurtici -> hxxp://ads.glispa.com/sw/49399/CD353/1023a788c68361b710b87b8ed4851a
hxxp://mobiltrafik.s3.amazonaws.com/iphonewifi.html -> hxxp://ad.adrttt.com/aff_c?offer_id=1705&aff_id=3236 -> hxxps://itunes.apple.com/tr/app/id451786983?mt=8
hxxp://mobiltrafik.s3.amazonaws.com/turkcell.html -> hxxp://goo.gl/GBKArV
hxxp://mobiltrafik.s3.amazonaws.com/vodofone.html -> hxxp://ad.adrttt.com/aff_c?offer_id=1785&aff_id=3236 -> hxxp://c.mobpartner.mobi/?s=1007465&a=3578&tid1=102afc4360ecadbed491b5c08f7395
hxxp://mobiltrafik.s3.amazonaws.com/avea.html -> hxxp://ad.juksr.com/aff_c?offer_id=709&aff_id=3236 -> hxxp://wap.chatwalk.com/landings/?name=yilbasi2&affid=reklamaction&utm_campaign=3236&clk=1025fa187aca81ce57edf8adca7a9c
hxxp://mobiltrafik.s3.amazonaws.com/trweb.html -> hxxp://ad.adrttt.com/aff_c?offer_id=1689&aff_id=3236&source=yurticidefault -> hxxps://www.matchandtalk.com/splashmobile/10?sid=12&bid=663
hxxp://s3.amazonaws.com/Yonver/tarayici.html -> hxxp://ad.adrttt.com/aff_c?offer_id=1091&aff_id=3236&source=tarayicidan -> hxxps://www.matchandtalk.com/splash/12?sid=12&bid=651&cid=29
hxxp://izleyelim.s3.amazonaws.com/unlu.html -> hxxp://goo.gl/XpNHIL (21,512 clicks) -> hxxps://izleyelim.s3.amazonaws.com/indir.html
hxxps://s3.amazonaws.com/facebookAds/ortaryon.html -> hxxps://www.matchandtalk.com/splash/12?sid=12&bid=651&cid=29


Malicious/fraudulent domain name reconnaissance:
facebookikiziniz.com - 108.162.195.103; 108.162.194.103
ttcomcdn.com - 162.159.241.195; 162.159.242.195 - Email: masallahkilic@hotmail.com
amentosx.com - 141.101.116.113; 141.101.117.113
ad.adrttt.com - 54.236.194.194


The campaign is also mobile device/PC-aware, and is therefore automatically redirecting users to a variety of different locations/affiliate networks. Case in point, the redirection to Google Play's Mobogenie Market App (Windows application detected as Adware.NextLive.2 MD5: 9dd785436752a6126025b549be644e76), and the iOS compatible SK planet's TicToc app.

Now comes the malicious twist, in the form of a fake Adobe Flash Player that socially engineered users would have to install in order to view the non-existent YouTube video content.


Actual Fake Adobe Flash Player hosting locations within Google Docs:


Detection rate for the fake Adobe Flash Player:
MD5: 5bf26bd488503a4b2b74c7393d4136e3 - detected by 3 out of 47 antivirus scanners as P2P-Worm.Win32.Palevo.hexb; PE:Trojan.VBInject!1.6546

Once executed, the sample also drops:
MD5: a8234e13f9e3af4c768de6f2d6204b3c

Once executed, the sample phones back to: akillitelefonburada.com (108.162.196.162).


Sample pseudo-random bogus Facebook content generation takes place through: hxxp://www.amentosx.com/ext/r.php -> hxxps://s3.amazonaws.com/facebookAds/arkadaj.html -> hxxp://ttcomcdn.com/tw.php


Thursday, January 09, 2014

Dissecting the Ongoing Febipos/Carfekab Rogue Chrome/Firefox Extensions Dropping, Facebook Circulating Malicious Campaign


And, (not surprisingly) they're back! The cybercriminal(s) behind the 1 million+ clicks strong Febipos/Carfekab rogue Chrome/Firefox extensions dropping malicious campaign, continue utilizing the already infected 'population' for the purpose of disseminating the newly packed/modified extensions/samples across Facebook, with yet another campaign that I'll dissect in this post.

Catch up with previous research dissecting the previous campaigns:

Redirection chain: hxxp://GXOMZRC.tk/?74604844 (93.170.52.34) -> hxxp://wqeuijlks.igg.biz/?asdjas22222222222222 (88.198.132.3) -> hxxp://prostats.vf1.us/s.htm -> hxxp://vidsvines.com/d/ -> hxxp://vidsvines.com/d/firefox ->
hxxp://vidsvines.com/d/ch/ -> hxxp://vidsvines.com/d/ch/profile2.html (192.157.201.42)

First GA Account ID: UA-23441223-3
Second GA Account ID: UA-25941572-1


Actual malicious content hosting locations (legitimate infrastructure again):
hxxps://docs.google.com/uc?authuser=0&id=0BziH-mKCuQwqVFgyZzFzR1o3YTQ&export=download
hxxps://dl.dropboxusercontent.com/s/tj9n05qhjvnkg4s/whoviewsfam.xpi


Detection rates for the served rogue Chrome/Firefox extensions:
MD5: 0ee44443c73bd9b072c7f1dbb6b7b591
MD5: c4953f63ab46c796e23388f9c1cfa273
MD5: 5bcec283594e863f5dd238e2d22446c7


Once executed, MD5: 5bcec283594e863f5dd238e2d22446c7 drops MD5: deb483270b9ed5da7fcf1d01a6fde8a7 and MD5: 90b77a477d815c771559d08ea80cc0c8; it then phones back to 212.117.32.20.


Related malicious MD5s known to have phoned back to the same IP:
MD5: 33408f35623dc5bb4a3bde09fa45f86b
MD5: 56a54a700ae5700c3cd3da9c2ad226cf
MD5: f86812305039156b1da8fc29bdddebb7
MD5: ede8f20d78a81c7da76ad7def37ebbdd


Tuesday, January 07, 2014

Fake Adobe Flash Player Serving Campaign Utilizes Google Hosting/Redirection Infrastructure, Spreads Across Facebook

What "better" time to spread malicious "joy" than during the Holidays? Cybercriminals are still busy maintaining a fake Adobe Flash Player serving, Facebook spreading campaign, which I originally intercepted during the Holidays, utilizing Google redirectors/hosting services. Despite the modest -- naturally conservative estimate -- click-through rate (45,000 clicks) compared to that of the most recently profiled similar Febipos spreading campaign, which resulted in over 1 million clicks, the campaign remains active, and continues tricking users into installing the rogue Adobe Flash Player, resulting in the continued spread of the campaign on the Facebook Walls of socially engineered users.


Let's dissect the campaign, expose its infrastructure/command and control servers, and provide MD5s of the served malware.

Spamvertised Facebook URL+redirection chain: hxxp://goo.gl/QeshtO; hxxp://goo.gl/vVbrHp; hxxp://goo.gl/0oSJ7z; hxxp://goo.gl/38qIq8; hxxp://goo.gl/QNQhc5 -> hxxps://9dvme0lk2r0osqg3qb3rlk95z.storage.googleapis.com/q1fwum32gld35iab9d2u4o35bjsvhjhu309.html?ref=12 -> hxxp://goo.gl/wKXme1 -> hxxp://www.i-justice.org/g-o-27312-gooenn.html
(94.23.166.27) -> hxxp://f3c47a0d01f3ec343f57-2ba5bba9317af81ae21c42000295a455.r9.cf4.rackcdn.com/24471bmbqv07595?ref=27312&aff_sub=27312&sub_id=27312 -> hxxp://www.eklentidunyasi.com/dl.php (176.31.2.155) or hxxp://www.agentofex.com/dl.php (176.227.218.99; www.puee.in) ->
hxxp://docs.google.com/uc?export=download&id=0B6DFdqpSFDAlSmpsTkZkT2hvN28 or hxxps://doc-0g-4o-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/7fbm9gn67t8t18r8etd00juf0rvmrrmh/1387836000000/16300082901287672546/*/0BzU3dARQGry0TlMxN3F2STN0Z3M

GA Account ID: UA-36486228-1


Detection rate for the served malware: MD5: 30118bec581f80de46445aef79e6cf10 - detected by 33 out of 48 antivirus scanners as Trojan-Ransom.Win32.Blocker.dbud.

Once executed, the sample phones back to:
hxxp://176.31.2.155/extFiles/control8.txt
hxxp://176.31.2.155/extFiles/NewFile0008.exe
hxxp://176.31.2.155/extFiles/version.txt
hxxp://176.31.2.155/extFiles/list.txt
hxxp://176.31.2.155/extFiles/list.txt
hxxp://176.31.2.155/extFiles/buflash.xpi
hxxp://176.31.2.155/extFiles/bune10.zip
hxxp://176.31.2.155/extFiles/private/sandbox_status.php
hxxp://176.31.2.155/extFiles/extFiles/yok.txt


The files were offline at the time the sample was processed.

Related MD5s for the same served fake Adobe Flash Player:


Once executed, MD5: fce013bec7b3651c100b6887c0a12eee phones back to:
hxxp://176.227.218.99/extFiles/control17.txt
hxxp://176.227.218.99/extFiles/NewFile00017.exe
hxxp://46.163.100.240/NewFile00017.exe
hxxp://176.227.218.99/NewFile00017.exe
hxxp://176.227.218.99/extFiles/extFiles/version.txt
hxxp://176.227.218.99/extFiles/extFiles/list.txt
hxxp://176.227.218.99/extFiles/extFiles/buflash.xpi
hxxp://176.227.218.99/extFiles/extFiles/bune10.zip

The files remain offline at the time of processing the sample.
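Both samples request the same file layout from different servers, so the path structure is a more durable hunting signal than the IP addresses. The following is an added example, not code from the original post: it matches the phone-back paths listed above in proxy logs and flags clients that fetch at least two distinct artifact kinds. The log format, the log lines (constructed, using documentation IP ranges) and the function names are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Path layout taken from the phone-back URLs in the post. Generic file names
# only count under /extFiles/; NewFile<N>.exe was also requested from the root.
BEACON_PATH = re.compile(
    r"^/(?:(?:extFiles/){1,2}(?P<cfg>control\d+\.txt|version\.txt|list\.txt|"
    r"buflash\.xpi|bune10\.zip|yok\.txt|private/sandbox_status\.php)"
    r"|(?:extFiles/){0,2}(?P<payload>NewFile\d+\.exe))$"
)

# Constructed proxy log (format assumed): timestamp client method url status
SAMPLE_LOG = """\
2013-12-24T10:01:02Z 10.0.0.15 GET http://203.0.113.9/extFiles/control8.txt 404
2013-12-24T10:01:03Z 10.0.0.15 GET http://203.0.113.9/extFiles/NewFile0008.exe 404
2013-12-24T10:01:04Z 10.0.0.15 GET http://203.0.113.9/extFiles/extFiles/yok.txt 404
2013-12-24T10:05:10Z 10.0.0.22 GET http://198.51.100.7/extFiles/control17.txt 404
2013-12-24T10:05:11Z 10.0.0.22 GET http://198.51.100.7/NewFile00017.exe 404
2013-12-24T10:07:30Z 10.0.0.31 GET http://example.org/downloads/version.txt 200
2013-12-24T10:07:31Z 10.0.0.31 GET http://example.org/extFiles.html 200
2013-12-24T10:09:45Z 10.0.0.40 GET http://192.0.2.44/extFiles/list.txt 200
"""

def classify(url):
    """Return the artifact kind a URL matches (digits folded to N), or None."""
    m = BEACON_PATH.match(urlsplit(url).path)
    if not m:
        return None
    return re.sub(r"\d+", "N", m.group("cfg") or m.group("payload"))

def find_beaconing_clients(log_text, min_kinds=2):
    """Map client -> sorted artifact kinds, for clients with >= min_kinds kinds."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip malformed lines
        _, client, _, url, _ = fields
        kind = classify(url)
        if kind:
            seen[client].add(kind)
    return {c: sorted(k) for c, k in seen.items() if len(k) >= min_kinds}

FLAGGED = find_beaconing_clients(SAMPLE_LOG)
```

Requiring two distinct artifact kinds keeps a single request for a common name such as `list.txt` from raising an alert on its own.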

This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter.

Monday, January 06, 2014

Wednesday, December 11, 2013

Continuing Facebook "Who's Viewed Your Profile" Campaign Affects Another 190k+ Users, Exposes Malicious Cybercrime Ecosystem


Last week, immediately after I published the initial analysis detailing a massive privacy-violating "Who's Viewed Your Profile" campaign that was circulating across Facebook, the cybercriminals behind it supposedly took it offline, with one of the main redirectors now pointing to 127.0.0.1.

Not surprisingly, the primary campaign has multiple sub-campaigns still in circulation. Based on the latest statistics -- embedded within the campaign on the same day they supposedly shut it down -- these have already exposed another 190,000+ of the social network's users to more rogue, privacy-violating apps: JS.Febipos, Mindspark Interactive Network's MyImageConverter and Trojan-Ransomer.CLE, in this particular case. The original campaign appears to have been launched in 2011, having already exposed 800,000+ users.

Let's dissect the still circulating campaign, expose the entire infrastructure supporting it, establish direct connections between it and related malicious campaigns -- indicating that someone's either multi-tasking, or that their malicious/fraudulent activities share the same infrastructure -- provide MD5s for the currently served privacy-violating apps, and list the actual -- currently live -- hosting locations.


Sample redirection chain:
hxxp://NXJXBMQ.tk/?12358289 - 93.170.52.21; 93.170.52.33
-> hxxp://p2r0f3rviewer9890.co.nf/?sdk[long run of "2" padding characters]ajsklfjaslfkjasfklja
-> hxxp://prostats.vf1.us - 192.157.201.42
-> hxxp://whoviewsfb.uni.me/ch/profile.html - 82.208.40.11

Redirection chain domain name reconnaissance:
NXJXBMQ.tk - 93.170.52.21; 93.170.52.33
p2r0f3rviewer9890.co.nf - 83.125.22.192
whoviewsfb.uni.me - 82.208.40.11
prostats.vf1.us - 192.157.201.42
wh0stalks.uni.me - 192.157.201.42
cracks4free.info - 192.157.201.42

Known to have responded to 93.170.52.21 are also the following fraudulent domains:

The following malicious MD5s are also known to have phoned back to 93.170.52.21 in the past:

Known to have responded to 93.170.52.33 are also the following fraudulent domains:

The following malicious MD5s are also known to have phoned back to 93.170.52.33 in the past:

The following MD5s are also known to have phoned back to 83.125.22.192 in the past:
MD5: 3935b6efa7e5ee995f410f4ef1e613ab
MD5: 64c1496e1ba2b7cb5c54a33c20be3e95
MD5: 08f76a1ed5996d7dfdcf8226fe3f66b9
MD5: f508d8034223c4ce233f1bdbed265a3a

Known to have responded to 82.208.40.11 are the following fraudulent domains:

The following malicious MD5s are also known to have phoned back to 82.208.40.11 in the past:

Known to have responded to 192.157.201.42 are also the following fraudulent domains:
cracks4free.info
pr0lotra.p9.org
prostats.vf1.us
wh0prof.uni.me

Time to provide the actual, currently live, hosting locations for the served privacy-violating content.


Mindspark Interactive Network's MyImageConverter served URL:
hxxp://download.myimageconverter.com/index.jhtml?partner=^AZ0^xdm081

Google Store served URLs:
hxxps://chrome.google.com/webstore/detail/miapmjacmjonmofofflhnbafpbmfapac - currently active
hxxps://chrome.google.com/webstore/detail/dllaajjfgpigkeblmlbamflggfjkgbej

Dropbox Accounts serving the Android app (offline due to heavy usage), and the Firefox extension:
hxxps://dl.dropboxusercontent.com/s/rueyn3owrrpsbw4/whoviews5.xpi - currently online
hxxps://dl.dropboxusercontent.com/s/so3vm50w298qkto/WhoViewsYourProfile.apk

Facebook App URL:
hxxp://apps.facebook.com/dislike___button/

Google Docs served privacy-violating apps:

GA Account IDs: UA-23441223-3; UA-12798017-1
MyImageConverter Affiliate Network ID: ^AZ0^xdm081

Detection rate for the served apps/extensions:
MD5: 30cf98d7dc97cae57f8d72487966d20b - detected by 19 out of 49 antivirus scanners as Trojan-Ransomer.CLE; Troj/Mdrop-FNZ
MD5: 88dd376527c18639d3f8bf23f77b480e - detected by 8 out of 49 antivirus scanners as JS:Febipos-N [Trj]; JS/Febipos

Once executed, MD5: 30cf98d7dc97cae57f8d72487966d20b also drops MD5: 106320fc1282421f8f6cf5eb0206abee and MD5: 43b20dc1b437e0e3af5ae7b9965e0392 on the affected hosts. It then phones back to 195.167.11.4.

Two more MD5s, from different malware campaigns, are known to have phoned back to 195.167.11.4:
MD5: 8192c574b8e96605438753c49510cd97
MD5: d55de5e9ec25a80ddfecfb34d417b098


The Privacy Policy (hxxp://prostats.vf1.us/firefox/pp.html) and the EULA (hxxp://prostats.vf1.us/firefox/eula.html) point to hxxp://dislikeIt.com - 176.74.176.179. Not surprisingly, multiple malicious MD5s are also known to have previously interacted with the same IP:


Based on the latest performance metrics for the campaign, over 190,000 users have already interacted with this sub-campaign since the 4th of December, when I initially analyzed the primary campaign.


Monitoring of the campaign is naturally in progress. Updates will be posted as soon as new developments take place.


Wednesday, December 04, 2013

Facebook Circulating 'Who's Viewed Your Profile' Campaign Exposes 800k+ Users to CrossRider PUA/Rogue Firefox Add-ons/Android Adware AirPush

A massive privacy-violating, Facebook circulating "Who's Viewed Your Profile" campaign has been operating beneath the radar, exposing over 800,000 users internationally to a cocktail of PUAs (Potentially Unwanted Applications), rogue Firefox Add-ons impersonating Adobe's Flash Player, as well as the Android based adware AirPush.

Relying on a proven social engineering tactic of "offering what's not being offered in general", next to hosting the rogue files on legitimate service providers -- Google Docs and Dropbox in this particular case -- the campaign is a great example of how this social engineering scheme, ubiquitous on the social network, continues to trick gullible and uninformed users into installing privacy-violating applications on their hosts/mobile devices.

Let's dissect the campaign, expose its infrastructure, (conservatively) assess the damage, and provide fresh MD5s for the currently served privacy-violating PUAs, Firefox add-ons, and Android adware.

Primary spamvertised Facebook URL: FCOSYUC.tk/?15796422
Redirection chain: p2r0f3rviewer9890.co.nf -> bit.ly/1bZCeNv?vsdvc -> wh0prof.uni.me/?sdvsjka -> wh0prof.uni.me/ch/
Rogue Google Store Extension URL (currently offline): hxxps://chrome.google.com/webstore/detail/dllaajjfgpigkeblmlbamflggfjkgbej
Campaign's GA Account ID: UA-12798017-1


Domain name reconnaissance:
wh0prof.uni.me - 192.157.201.42

Known to have responded to the same IP are also the following domains:
cracks4free.info
pr0lotra.p9.org


Google Docs Hosted PUA URLs:


Dropbox Firefox Add-on/Android APK Hosted URLs:
hxxps://dl.dropboxusercontent.com/s/so3vm50w298qkto/WhoViewsYourProfile.apk
hxxps://dl.dropboxusercontent.com/s/kor9c2mqv49esva/kkadobe-ff.xpi



Detection rate for the served PUAs, the Android adware and the rogue Firefox Add-on:
MD5: c7fcf7078597ea752b8d54e406c266a7 - detected by 5 out of 48 antivirus scanners as PUP.Optional.CrossRider
MD5: 30cf98d7dc97cae57f8d72487966d20b - detected by 6 out of 48 antivirus scanners as Trojan.Dropper.FB
MD5: f2459b6bde1d662399a3df725bf8891b - detected by 13 out of 48 antivirus scanners as Adware/AirPush!Android; Android Airpush; Adware/ANDR.Airpush.G.Gen
MD5: 3fb95e1ed77d1b545cf7385b4521b9ae - detected by 18 out of 48 antivirus scanners as JS/TrojanClicker.Agent.NDL

Once executed MD5: 30cf98d7dc97cae57f8d72487966d20b phones back to 195.167.11.4.

Time to (conservatively) assess the campaign's damage over the year(s):





The click-through rate should be considered conservative, and it remains unknown whether the URL shortening service was used by the cybercriminal(s) since day one of the campaign.




The campaign remains active, and is just the tip of the iceberg in terms of similar campaigns tricking Facebook's users into thinking that they can eventually see who's viewed their profile. Facebook users who stumble across such campaigns on their own, or their friends' Walls, are advised to consider reporting the campaign back to Facebook, immediately.
