2013-02-20

Background

This is more than just a malware analysis blog post. It is closer to a threat report, an update on the activity of a cyber crime group that is continuing its malicious operation and distribution method, something we think everyone who uses the internet must be aware of.

The spam-driven credential/PWS stealer group we track, known for infecting victims with a credential-stealing trojan via the Blackhole Exploit Kit and responsible for the recent fake FedEx, fake Amazon ticket, fake BBB, fake American Express spam runs and so on, has recently started a brand new campaign through the "real" malware infector domains below:

The following are currently active for infecting (see the domains tagged NEW):


and so on..
(c)MalwareMustDie, the NPO - malicious domain monitoring scheme..

UPDATE: 2013, March 01
Latest domains used by this Bad Actor:

This group is continuing its criminal operation under the NAUNET (Russia) rogue registrar,
registering and activating malicious domains with rogue registration data (see the marked words below).

They keep updating the domains for their crime operation on a daily basis,
as per the evidence pasted here -->>[HERE] ←see the "Last updated" part (=today)
We mark NAUNET (RU) as a well-known malware-affiliated registrar.
They are starting a new infection campaign with the new M.O. detailed below:

Callback IPs..

Credentials are stolen and POSTed in the formats below (note: grabbed ftp/http/pop3/Internet Explorer/Firefox/Macromedia credentials are used):

Supporting evidence for the stealing method/commands:

Also supporting evidence for the file-sending method:

The stolen information is sent to the remote malicious servers/panels below:

IMPORTANT! The GeoIP scheme used to rotate requests matches the one described in:
http://ondailybasis.com/blog/?p=1483 by @it4sec

Research Materials
Samples Collected -->>[HERE]
We recorded a PCAP of up to 1700+ seconds of a recent infection -->>[HERE]

Just block this now: 84.23.66.74, 195.210.47.208, 210.71.250.131 < new IPs for: emmmhhh.ru | errriiiijjjj.ru | ejjiipprr.ru | eiiiioovvv.ru

— Malware Crusaders (@MalwareMustDie) February 20, 2013

Additional: Thu Feb 21 18:33:41 JST 2013
The PWS Stealer (Cridex drops Fareit) distributed via BHEK
VT: 6ba7598df3a3111c4304f2c565ecc8307ecef504e0413c230e87ff6d845076da
Landing page: h00p://faneroomk.ru:8080/forum/links/column.php
IP: 77.120.103.221, 84.23.66.74, 210.71.250.131
Landing page + PDF infector PoC: http://urlquery.net/report.php?id=1057467
Payload URL: h00p://faneroomk.ru:8080/forum/links/column.php?gf=30:1n:1i:1i:33&re=2v:1k:1m:32:33:1k:1k:31:1j
Payload PoC: http://urlquery.net/report.php?id=1057662
*) Thanks to @PhysicalDrive0 for the landing page urlquery info.
The crusaders below are supporting this investigation: @Hulk_Crusader, @it4sec, @RazorEQX, @unixfreaxjp, @PhysicalDrive0
#MalwareMustDie, the NPO, Feb 2013.
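The post asks readers to block the listed IPs and domains; a defender also wants to know which hosts already talked to them. The script below is an added example, not MalwareMustDie's own tooling: it takes the network IoCs quoted above (the callback/landing IPs, the four NAUNET-registered domains from the tweet, the faneroomk.ru BHEK landing host and its /forum/links/column.php path), refangs the post's h00p:// notation, and scans a small constructed proxy log for matches. The log format ("timestamp client method url status") and every log line are assumptions made up for the example.

```python
import re
from urllib.parse import urlsplit

# Network IoCs quoted from the post above (callback/landing IPs and domains).
BLOCK_IPS = {"84.23.66.74", "195.210.47.208", "210.71.250.131", "77.120.103.221"}
BLOCK_DOMAINS = {"emmmhhh.ru", "errriiiijjjj.ru", "ejjiipprr.ru",
                 "eiiiioovvv.ru", "faneroomk.ru"}
# URL path of the BHEK landing/payload page from the post (any query string).
BHEK_PATH = "/forum/links/column.php"

# Constructed proxy log for the example (assumed format:
# "timestamp client method url status"); these are not real captured lines.
SAMPLE_LOG = [
    "2013-02-21T09:31:02 10.0.0.17 GET http://faneroomk.ru:8080/forum/links/column.php 200",
    "2013-02-21T09:31:05 10.0.0.17 POST http://84.23.66.74/ 200",
    "2013-02-21T09:32:11 10.0.0.23 GET http://www.example.com/index.html 200",
    "2013-02-21T09:33:40 10.0.0.42 GET http://cdn.emmmhhh.ru/img.gif 404",
    "2013-02-21T09:34:01 10.0.0.42 GET http://other.ru/forum/links/column.php?gf=1 200",
    "garbage line that does not parse",
]

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)


def refang(url):
    """Turn the post's defanged h00p:// (and the common hxxp://) back into http://."""
    return re.sub(r"^h(?:00|xx)p(s?)://", r"http\1://", url, flags=re.IGNORECASE)


def match_ioc(url):
    """Return the reason a URL matches the post's IoCs, or None if it is clean."""
    parts = urlsplit(refang(url))
    host = (parts.hostname or "").lower()
    if not host:
        return None
    if host in BLOCK_IPS:
        return "callback-ip"
    # Match the domain itself and any subdomain of it.
    if any(host == d or host.endswith("." + d) for d in BLOCK_DOMAINS):
        return "malicious-domain"
    # The BHEK landing path is checked last: it is a weaker, path-only indicator.
    if parts.path == BHEK_PATH:
        return "bhek-landing-path"
    return None


def scan_proxy_log(lines):
    """Return (client, url, reason) for every parsable log line touching an IoC."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip unparsable lines instead of aborting the scan
        reason = match_ioc(m["url"])
        if reason:
            hits.append((m["src"], m["url"], reason))
    return hits


if __name__ == "__main__":
    for src, url, reason in scan_proxy_log(SAMPLE_LOG):
        print(f"{src} -> {url}  [{reason}]")
```

The path-only rule is kept separate and reported with its own reason because a generic path like /forum/links/column.php on an unlisted host is a lead to investigate, not on its own grounds to block; the IP and domain hits are the ones that map directly to the post's "block this now" list.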
