Cybercriminals continue diversifying their portfolios of standardized fraudulent services, in an attempt to efficiently monetize their malicious ‘know-how’, further contributing to the growth of the cybercrime ecosystem. In a series of blog posts highlighting the emergence of the boutique cybercrime-friendly E-shops, we’ve been emphasizing on the over-supply of compromised/stolen accounting data, efficiently aggregated through the TTPs (tactics, techniques and procedures) described in our “Cybercrime Trends – 2013” observations.
We’ve recently spotted a newly launched all-in-one cybercrime-friendly E-shop, offering a diversified portfolio of managed/DIY services/products, exposing a malicious infrastructure worth keeping an eye on. Let’s take a peek inside the E-shop’s inventory and expose the fraudulent infrastructure behind it.
Sample screenshots of the all-in-one cybercrime-friendly E-shop:
The E-shop’s inventory currently consists of a DIY Word exploit generating tool, a malicious form grabbing tool, an SSH brute-forcing tool, as well as a managed cybercrime-friendly bulletproof hosting service. Let’s take a peek inside the actual malicious infrastructure.
Malicious MD5s known to have phoned back to the same C&C server (18.104.22.168) as the original hosting location:
Once executed MD5: 941a48eaad0fc20444005bb2a5ffa81f phones back to the following C&C servers:
Known to have phoned back to the same C&C server (22.214.171.124) are also the following malicious MD5s:
Malicious MD5s known to have phoned back to the same C&C server (126.96.36.199):
Webroot SecureAnywhere users are proactively protected from these threats.