Friday, December 23, 2016

Historical OSINT - Haiti-themed Blackhat SEO Campaign Serving Scareware Spotted in the Wild

In a cybercrime ecosystem dominated by fraudulent propositions, cybercriminals continue actively spreading malicious software, largely relying on a pre-defined set of compromised hosts to spread it further, expanding a specific botnet's infected population and earning fraudulent revenue by monetizing access to the infected hosts, largely through an affiliate-based monetization scheme.

In this post we'll profile a currently circulating malicious black hat SEO (search engine optimization) campaign, provide actionable intelligence on the infrastructure behind it, and discuss in depth the tactics, techniques and procedures of the cybercriminals behind it.

Sample portfolio of affected Web sites:
hxxp://austinluce.co.uk
hxxp://naukatanca.co.uk
hxxp://truenorthinnovation.co.uk
hxxp://robsonsofwolsingham.co.uk
hxxp://daviddewphotography.co.uk

Sample URL redirection chain:
hxxp://sciencefirst.com/?red=haiti-earthquake-donate
    - hxxp://otsosute.freehostia.com/c.html
        - hxxp://scan-now24.com/go.php?id=2022&key=4c69e59ac&d=1

Sample URL redirection chain:
hxxp://lipsticpi.ru/sm/r.php
    - hxxp://uscaau.com/back.php
        - hxxp://sekuritylistsite.com/hitin.php?land=20&affid=94801
            - hxxp://mypremiumantyspywarepill.com/hitin.php?land=20&affid=94801
                - hxxp://mypremiumantyspywarepill.com/index.php?affid=94801

Sample detection rate for a sample malicious executable:
MD5: ebc956abadefdac794ebcd1898ea07cf

Sample detection rate for a sample malicious executable:
MD5: d65a5d1ab98bd690dccd07cb6eebcba3

Once executed, a sample malware phones back to the following C&C server URLs:
hxxp://mypremiumantyspywarepill.com/in.php?affid=94801
hxxp://greatnorthwill.com/?mod=vv&i=1&id=11-18
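The two redirection chains and the C&C check-in above can be pivoted on their query parameters: the same affid value ties the traffic-distribution hop, the scareware landing page and the post-infection check-in together. The following script is an added example, not code from the original post; it refangs the defanged URLs listed above (embedded here as constructed input) and groups hosts by a chosen parameter.

```python
from urllib.parse import urlsplit, parse_qs
from collections import defaultdict

# Defanged URLs copied from the redirection chains and C&C check-ins above
# (constructed input for this example).
CHAIN_URLS = [
    "hxxp://sciencefirst.com/?red=haiti-earthquake-donate",
    "hxxp://otsosute.freehostia.com/c.html",
    "hxxp://scan-now24.com/go.php?id=2022&key=4c69e59ac&d=1",
    "hxxp://lipsticpi.ru/sm/r.php",
    "hxxp://uscaau.com/back.php",
    "hxxp://sekuritylistsite.com/hitin.php?land=20&affid=94801",
    "hxxp://mypremiumantyspywarepill.com/hitin.php?land=20&affid=94801",
    "hxxp://mypremiumantyspywarepill.com/index.php?affid=94801",
    "hxxp://mypremiumantyspywarepill.com/in.php?affid=94801",
    "hxxp://greatnorthwill.com/?mod=vv&i=1&id=11-18",
]


def refang(url):
    """Turn a defanged hxxp:// or hxxps:// URL back into a parseable one."""
    return url.replace("hxxp://", "http://", 1).replace("hxxps://", "https://", 1)


def parse_hop(url):
    """Return (host, path, params) for one hop; params maps name -> first value."""
    parts = urlsplit(refang(url))
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return parts.hostname, parts.path, params


def pivot_on_param(urls, name):
    """Group hosts by the value of one query parameter, e.g. the affiliate id."""
    groups = defaultdict(set)
    for url in urls:
        host, _path, params = parse_hop(url)
        if name in params:
            groups[params[name]].add(host)
    return {value: sorted(hosts) for value, hosts in groups.items()}


def affiliate_pivot(urls):
    """Hosts sharing an affid belong to the same scareware affiliate."""
    return pivot_on_param(urls, "affid")


if __name__ == "__main__":
    for affid, hosts in affiliate_pivot(CHAIN_URLS).items():
        print(f"affid={affid}: {', '.join(hosts)}")
```

The same pivot run on id or key separates the scan-now24.com traffic-distribution hop from the affiliate-tracked hosts.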

Related malicious domains, clustered on two hosting IPs, are also known to have participated in the campaign.

We'll continue monitoring the campaign and post updates as soon as new developments take place.