Friday, August 28, 2015

Historical OSINT - How TROYAK-AS Utillized BGP-over-VPN to Serve the Avalance Botnet

Historical OSINT is a crucial part of an intelligence analyst's mindset, further positioning a growing or an emerging trend, as a critical long term early warning system indicator, highlighting the importance, of current and emerging trends.


In this post, I'll discuss Troyak-AS, a well-known cybercrime-friendly hosting provider, that represented, the growing factor, for the highest percentage of malicious and fraudulent activity online, throughout 2010, its upstream provider NetAssist LLC, and most importantly, a malicious innovation applied by cybercriminals, at the time, namely the introduction of malicious netblocks and ISPs, within the RIPE registry, relying on OPSEC (Operational Security) and basic evasive practices.

According to RSA, the Ukrainian based ISP NetAssist LLC is listed as a legitimate ISP,  one whose services haven't been abused in any particular cybercrime-friendly way. 

This analysis, will not only prove, otherwise, namely, that NetAssist LLC's involvement in introducing a dozen of cybercrime friendly networks – including TROYAK-AS – has been taking place for purely commercial reasons, with the ISP charging thousands of euros for the process, but also, expose a malicious innovation applied on behalf of opportunistic cybercriminals, at the time, namely, the introduction of innovative bulletproof hosting tactics, techniques and procedures.

Domain name reconnaissance:
troyak.org - 74.208.21.227 (AS8560); 195.93.184.1 (AS44310) - Email: staruy.rom@troyak.org; staruy.rom@inbox.ru
smallshopkz.org - 195.78.123.1 (AS12570)


Name servers:
ns.troyak.org - 195.93.184.1 - (AS44307) ALYANSHIMIYA
ns.bgpvpn.kz - 91.213.93.10


ns.smallshopkz.org (195.78.123.1) is also known to have offered DNS services, to prombd.net (AS44107) PROMBUDDETAL (AS50215 Troyak-as at the time responding to ctlan.net) - 91.201.30.1, and vesteh.net (AS47560) VESTEH-NET 91.200.164.1

Domain name reconnaissance:
bgpvpn.kz
Organization Using Domain Name
Name...................: Mykola Tabakov
Organization Name......: Mykola Tabakov
Street Address.........: office 211, ul. Pushkina, dom 166
City...................: Astana
State..................: Astana
Postal Code............: 010000
Country................: KZ

Administrative Contact/Agent
NIC Handle.............: CA537455-RT
Name...................: Mykola Tabakov
Phone Number...........: +7.7022065468
Fax Number.............: +7.7022065468
Email Address..........: tabanet@mail.ru

Nameserver in listed order:
Primary server.........: ns.bgpvpn.kz
Primary ip address.....: 91.213.93.10



Domain name reconnaissance:
smallshopz.biz
Domain Name:SMALLSHOPKZ.ORG
Created On:30-Oct-2009 13:42:14 UTC
Last Updated On:19-Mar-2010 14:39:19 UTC
Expiration Date:30-Oct-2010 13:42:14 UTC
Sponsoring Registrar:Directi Internet Solutions Pvt. Ltd. d/b/a PublicDomainRegistry.com (R27-LROR)
Status:CLIENT TRANSFER PROHIBITED
Registrant ID:DI_10606443
Registrant Name:Vladimir Vladimirovich Stebluk
Registrant Organization:N/A
Registrant Street1:off. 306, Bulvar Mira, 16
Registrant Street2:
Registrant Street3:
Registrant City:Karaganda
Registrant State/Province:Qaraghandyoblysy
Registrant Postal Code:100008
Registrant Country:KZ
Registrant Phone:+7.7012032605
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant Email:vladcrazy@smallshopkz.org



NetAssist LLC (netassist.ua) (AS29632) reconnaissance:
inetnum:        62.205.128.0 - 62.205.159.255
netname:        UA-NETASSIST-20080201
descr:          NetAssist LLC
country:        UA
org:            ORG-NL64-RIPE
admin-c:        MT6561-RIPE
admin-c:        AVI27-RIPE
tech-c:         MT6561-RIPE
tech-c:         APP18-RIPE
status:         ALLOCATED PA
mnt-by:         RIPE-NCC-HM-MNT
mnt-lower:      MEREZHA-MNT
mnt-routes:     MEREZHA-MNT
mnt-domains:    MEREZHA-MNT
source:         RIPE # Filtered



organisation:  ORG-NL64-RIPE
org-name:      NetAssist LLC
org-type:       LIR
address:        NetAssist LLC
Max Tulyev
GEROEV STALINGRADA AVE  APP 57  BUILD 54
04213 Kiev
UKRAINE
phone:          +380 44 5855265
fax-no:         +380 44 2721514
e-mail:         info@netassist.kiev.ua
admin-c:      AT4266-RIPE
admin-c:      KS3536-RIPE
admin-c:      MT6561-RIPE
mnt-ref:       RIPE-NCC-HM-MNT
mnt-ref:       MEREZHA-MNT
mnt-by:       RIPE-NCC-HM-MNT
source:        RIPE # Filtered




person:         Max Tulyev
address:        off. 32, 12 Artema str.,
address:        Kiev, Ukraine
remarks:        Office phones
phone:          +380 44 2398999
phone:          +7 495 7256396
phone:          +1 347 3414023
phone:          +420 226020344
remarks:        GSM mobile phones, SMS supported
phone:          +7 916 6929474
phone:          +380 50 7775633
remarks:        Fax is in auto-answer mode
fax-no:         +380 44 2726209
remarks:        The phone below is for emergency only
remarks:        You can also send SMS to this phone
phone:          +88216 583 00392
remarks:
remarks:      Jabber ID mt6561@jabber.kiev.ua
remarks:      SIP 7002@195.214.211.129
e-mail:         maxtul@netassist.ua
e-mail:         president@ukraine.su
nic-hdl:        MT6561-RIPE
mnt-by:        MEREZHA-MNT
source:         RIPE # Filtered

person:         Alexander V Ivanov
address:        14-28 Lazoreviy pr
address:        Moscow, Russia
address:        129323
phone:          +7 095 7251401
fax-no:         +7 095 7251401
e-mail:         ivanov077@gmail.com
nic-hdl:        AVI27-RIPE
mnt-by:         MEREZHA-MNT
source:         RIPE # Filtered


person:         Alexey P Panyushev
address:        8-142, Panferova street
address:        Moscow, Russia
address:        117261
phone:          +7 903 6101520
fax-no:         +7 903 6101520
e-mail:         panyushev@gmail.com
nic-hdl:        APP18-RIPE
mnt-by:         MEREZHA-MNT
source:         RIPE # Filtered

Is NetAssist LLC, on purposely offering its services, for the purpose of orchestrating cybercrime-friendly campaigns, in a typical bulletproof cybercrime friendly fashion, or has it been abused, by an opportunistic cybercriminals, earning fraudulently obtained revenues in the process? Based on the analysis in this post, and the fact, that the company, continues offering IPv4 RIPE announcing services, I believe, that on the majority of occasions, the company has had its services abused, throughout 2010, leading to the rise of the Avalance bothet.

I expect to continue observing such type of abuse, however, in a cybercrime ecosystem, dominated, by the abuse of legitimate services, I believe that cybercriminals will continue efficiently bypassing defensive measures in place, through the abuse and compromise of legitimate infrastructure.

This post has been reproduced from Dancho Danchev's blog.

Thursday, August 27, 2015

Historical OSINT: OPSEC-Aware Sprott Asset Management Money Mule Recruiters Recruit, Serve Crimeware, And Malvertisements

Cybercriminals continue multitasking, on their way to take advantage of well proven fraudulent revenue sources, further, positioning themselves as opportunistic market participants, generating fraudulent revenues, standardizing and innovating within the context of OPSEC (Operational Security) while enjoying a decent market share within the cybercrime ecosystem.


In this post, I'll profile a money mule recruitment campaign, featuring a custom fake certificate, successfully blocking access to bobbear.co.uk as well as my personal blog, further exposing a malicious infrastructure, that I'll profile in this post.

Let's assess the campaign, and expose the malicious infrastructure behind it.

The fake Sprott Asset Management sites, entices end users into installing the, the fake, malicious certificate, as a prerequisite, to being working with them, with hosting courtesy of ALFAHOSTNET (AS50793), a well known cybercrime-friendly malicious hosting provider, known, to have been involved in a variety of malvertising campaigns, including related malicious campaigns, that I'll expose in this post.


Domain name reconnaissance for the malicious hosting provider:
alfa-host.net - (AS50793) - Email: alitalaghat@gmail.com; Name: Mohmmad Ali Talaghat (webalfa.net - 78.47.156.245 also registered with the same email)
Name Server: NS1.ALFA-HOST.NET
Name Server: NS2.ALFA-HOST.NET

Alfa-host LLP - (AS50793)
person: Romanov Artem Alekseevich
phone: +75.332211183
address: Kazakhstan, Karagandinskaya obl, Karaganda, ul. Erubaeva 57, 14

Upstream provider reconnaissance:
LLC TC "Interzvyazok"
Hvoiki 15/15
04080 Kiev
UKRAINE
phone: +380 44 238 6333
fax: +380 44 238 6333
e-mail: dz (at) intersv (dot) com

The same upstream provider (Interzvyazok; intersv.com) is also known to have offered services to yet another bulletproof hosting provider in 2011.


Domain name reconnaissance:
sprottcareers.com - 193.105.207.105; 88.212.221.46
sprottcorporate.com - 193.105.207.105; 88.212.221.46
sprottcorporate.com - 92.241.162.58
sprottweb.com - 193.105.207.105; 88.212.221.46



Domain name reconnaissance:
allianceassetonline.com - 92.241.162.58
allianceassetweb.com - 88.212.221.41
uptusconsulting.net - Email: terrizziboris@googlemail.com - 92.241.162.58

Known to have responded to the same IP (193.105.207.105) are also the following malicious domains:auditthere.ru
maccrack.ru
nissanmoto.ru
megatuz.ru
basicasco.ru
megatuz.ru
foreks999.ru
monitod.ru
peeeeee.ru
fra8888.ru
inkognittto.ru
lavandas.ru

Related MD5s known to have phoned back to the same IP (193.105.207.105):MD5: a9442b894c61d13acbac6c59adc67774
MD5:7fd31163fe7d29c61767437b2b1234cd
MD5:d90de03caa80506307fc05a0667246ef
MD5:09241426aac7a4aae12743788ce4cff4
MD5:cb74fb88f36b667e26f41671de8e1841
MD5:8efd31e0f3c251a3c7ef63b377edbf9c
MD5:a750359c72de3fc38d2af2670fd1a343
MD5:f0cbef01f5bd1c075274533f164bb06f
MD5:398b06590179be83306b59cea9da79e5

Related malicious domains known to have been active within (AS50793), ALFAHOSTNET:34real.ru
3pulenepro.net
3weselchak.net
analizes.ru
appppa1.ru
arbuz777.ru
arsenalik.ru
assolo.ru
astramani.ru
basicasco.ru
bits4ever.ru
bonokur.ru
boska7.ru
chudachok9.ru
cosavnos.ru
dermidom44.ru
drtyyyt.ru
dvestekkk.ru
ferdinandi.ru
ferzipersoviy.ru
foreks999.ru
fra8888.ru
globus-trio.ru
google-stats.ru
horonili.ru
inkognittto.ru
karlito777.ru
lavandas.ru
ma456.ru
medriop56.ru
megatuz.ru
mnobabla.ru
monitod.ru
offshoreglobal.ru
okrison.com
opitee.ru
otrijek.ru
peeeeee.ru
pohmaroz44.ru
postmetoday.ru
reklamen6.ru
reklamen7.ru
rrrekti.ru
sekretfive.ru
stolimonov.ru
sworo.ru
trio4.ru
update4ever.ru
victorry.ru
vivarino77.ru
vopret.ru
wifipoints.ru

Known to have responded to the same IP (88.212.221.46) in the past, are also the following malicious domains:
liramdelivery.com - Email: carlyle.jeffrey@gmail.com
ffgroupjobs.com - Email: FfGroupJobs@dnsname.info
secretconsumeril.com

Name servers:
ns2.uptusconsulting.net - 92.241.162.58
ns2.sprottcorporate.com92.241.162.58
ns2.sprottweb.com - 92.241.162.58

allianceassetweb.com - Email: martins.allianceam@gmail.com

Surprise, surprise. We've also got the following fraudulent domains, responding to the same name server's IP (92.241.162.58; ns1.oildns.net, ns2.oildns.net) back in 2009.

What's particularly interesting, is the fact, that in 2010, we've also got (92.241.162.58) hosting the following malicious MD5s:
MD5: 8ee5435004ad523f4cbe754b3ecdb86e
MD5: 38f5e6a59716d651915a895c0955e3e6

We've also got ns1.oildns.net responding to (93.174.92.220), with the actual name server, known to have hosted, the following malicious MD5s:
MD5: 5ae4b6235e7ad1bf1e3c173b907def17

Sample detection rate for the malicious certificate:
MD5: ec39239accb0edb5fb923c25ffc81818 - detected by 23 out of 42 antivirus scanners as Gen:Trojan.Heur.SFC.juZ@aC7UB8eib


Sample detection rate for the HOSTS file modifying sample:
MD5: 969001fcc1d8358415911db90135fa84 - detected by 14 out of 42 antivirus scanners as Trojan.Generic.4284920

Once executed, the sample successfully modifies, the HOSTS file on the affected hosts, to block access to:
127.0.0.1 google.com
127.0.0.1 google.co.uk
127.0.0.1 www.google.com
127.0.0.1 www.google.co.uk
127.0.0.1 suckerswanted.blogspot.com
127.0.0.1 ideceive.blogspot.com
127.0.0.1 www.bobbear.co.uk
127.0.0.1 bobbear.co.uk
127.0.0.1 reed.co.uk
127.0.0.1 seek.com.au
127.0.0.1 scam.com
127.0.0.1 scambusters.org
127.0.0.1 www.guardian.co.uk
127.0.0.1 ddanchev.blogspot.com
127.0.0.1 aic.gov.au
127.0.0.1 google.com.au
127.0.0.1 www.reed.co.uk
209.171.44.117 www.sprott.com
209.171.44.117 sprott.com






Sample confirmation email courtesy of Sprott Asset Management:
WORKING PROCESS
During all working process you will process incoming and outgoing transfers from our  clients. Main duties are: send payments, receive payments, making records of billing, making simple management duties, checking e-mail daily. You have to provide us your cell phone for urgent calls from your manager. If you don’t have a cell phone you will need to buy it. You must have basic computer skills to operate main process of job duties.

SALARY
During the trial period (1 month), you will be paid 4,600$ per month while working on average 3hours per day, Monday-Friday, plus 8% commission from every payment received and processed.  The salary will be sent in the form of wire transfer directly to your account or you may take it from received funds directly. After the trial period your base pay salary will go up to 6,950$ per month, plus 10% commission.

FEES & TRANSFERING PROCEDURE
All fees are covered by the company. The fees for transferring are simply deducted from the payments received. Customer will not contact you during initial stage of the trial period. After three weeks of the trial period you will begin to have contact with the customers via email in regards to collection of the payments. For the first three weeks you will simply receive all of the transferring details, and payments, along with step by step guidance from your supervisor. You will be forwarding the received payments through transferring agents such as Western Union, Money Gram, any P2P agents or by wire transferring.

WESTERN UNION & MONEYGRAM
1. As soon as  You receive  money transfers from our clients you are supposed to cash  it in your bank.
2. You will need to pick up the cash physically at the bank, as well as a  transfer to MoneyGram.
3. Please use MoneyGram, located not in your bank, because this providing of anonymosty of our clients.
4. The cashed amounts of money  should be transferred to our clients via MoneyGram/Western Union.
according to our transfer instructions except all the fees. The fees are taken from the amount cashed.
5. Not use online service, only physical presence in an office of bank and Western Union.
6. Just after you have transferred money to our clients, please contact your personal manager via e-mail (confirmation of the transfer)
and let him (her) know all the details of your Western Union transfer: SENDER'S NAME, CONTACT DETAILS, ADRESS, AND A REFERENCE NUMBER,
PLEASE BE VERY CAREFUL WHEN YOU RESEND FUNDS, THERE MUST BE NO MISTAKES, because our client will not be able to withdraw the funds.
7. All procedures have to take 1-2 hours, because we have to provide and verify the safety of our clients` money (we have to inform them about all our actions).

Your manager will support you in any step of application process, if you have any questions you may ask it anytime.


Go through related research regarding money mule recruitment: