Low Quality Assurance (QA) iframe campaign linked to May’s Indian government Web site compromise spotted in the wild


We’ve intercepted a currently trending malicious iframe campaign, affecting hundreds of legitimate Web sites, that, interestingly, runs on the very same infrastructure we analyzed in May 2013 in connection with the compromise of an Indian government Web site. The good news? Not only have we got you proactively covered, but the iframe domain is currently redirecting to a client-side exploit serving URL that is offline. Let’s provide some actionable intelligence on the malicious activity known to have originated from the same iframe campaign over the past month, which indicates that the cybercriminal(s) behind it are actively multi-tasking on multiple fronts.

iframe URL: karenbrowntx.com – 98.124.198.1

Client-side exploits serving redirector: hxxp://ww2.taylorgram.com/main.php?page=3081100e9fdaf127 – known to have responded to 31.171.133.163 and most recently to 184.168.221.20

The same URL is also known to have dropped malware on affected PCs on 2012-06-12, in particular MD5: 923324a0282dd92c383f8043cec96d2d
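The injection chain described above (a hidden iframe pointing at the iframe domain, which in turn redirects to a `main.php?page=<16 hex chars>` URL) lends itself to a simple page-level check. The following is an added example, not Webroot’s own tooling: it scans HTML for iframes that reference the iframe domain quoted in this post or match the redirector URL shape, and notes whether the iframe is sized to be invisible. The sample HTML and the `redirector.example` host are constructed for the demonstration.

```python
import re
from html.parser import HTMLParser

# Indicators quoted in the post: the iframe domain and the redirector URL shape.
IFRAME_DOMAIN = "karenbrowntx.com"
# The redirector path observed in the post: /main.php?page=<16 hex characters>
REDIRECTOR_RE = re.compile(r"/main\.php\?page=[0-9a-f]{16}\b", re.IGNORECASE)


class IframeCollector(HTMLParser):
    """Collect the attribute dict of every <iframe> start tag in a page."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append(dict(attrs))


def find_campaign_iframes(html):
    """Return a finding per iframe whose src matches the campaign indicators."""
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        src = (attrs.get("src") or "").strip()
        host = re.sub(r"^\w+://", "", src).split("/")[0].lower()
        reasons = []
        if host == IFRAME_DOMAIN or host.endswith("." + IFRAME_DOMAIN):
            reasons.append("known iframe domain")
        if REDIRECTOR_RE.search(src):
            reasons.append("redirector URL pattern")
        # Injected iframes are typically 0x0 or 1x1; record that as supporting evidence.
        width = (attrs.get("width") or "").strip()
        height = (attrs.get("height") or "").strip()
        hidden = width in ("0", "1") and height in ("0", "1")
        if reasons:
            findings.append({"src": src, "reasons": reasons, "hidden": hidden})
    return findings


# Constructed sample page: one injected iframe, one redirector-shaped URL, one benign embed.
SAMPLE_HTML = """<html><body><p>Welcome</p>
<iframe src="http://karenbrowntx.com/" width="1" height="1" style="visibility:hidden"></iframe>
<iframe src="http://redirector.example/main.php?page=3081100e9fdaf127"></iframe>
<iframe src="https://www.youtube.com/embed/abc" width="560" height="315"></iframe>
</body></html>"""

if __name__ == "__main__":
    for finding in find_campaign_iframes(SAMPLE_HTML):
        print(finding)
```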

Known to have responded to the same IP (98.124.198.1) are also the following malicious domains:

We’re also aware of the following malicious MD5s that have used the same IP as C&C server during October, 2013:

Known to have responded to the same IP (184.168.221.20) are also the following malicious domains:

We’re also aware of the following malicious MD5s that have phoned back to the same IP:

Webroot SecureAnywhere users are proactively protected from these threats.