Cybercriminals continue adapting to the exponential penetration of mobile devices through the systematic release of DIY (do-it-yourself) mobile number harvesting tools, successfully setting up the foundations for commercial managed/on demand mobile phone number harvesting services, ultimately leading to an influx of mobile malware/spam campaigns. In addition to boutique based DIY operations, sophisticated, ‘innovation’ and market development-oriented cybercriminals are actively working on the development of commercially available Android-based botnet generating tools, further fueling growth into the market segment.
In a series of blog posts, we’ve been profiling multiple cybercrime-friendly services/malicious Android-based underground market releases, further highlighting the professionalization of the market segment in terms of sophistication and QA (Quality Assurance).
We’ve recently spotted a service offering 5M+ harvested and segmented Russian mobile phone numbers on a per business status/gender/driving license basis. What’s particularly interesting about this service is the fact that it exposes a long-run fraudulent Win32:SMSSend serving infrastructure (SEVAHOST-AS Seva-Host Ltd (AS49313), segmented harvested mobile phone numbers of Sochi citizens, a fake (paid) medical leave/absence service targeting Sochi citizens, and a portfolio of rogue mobile apps leading to the exposure of a mobile botnet, surprisingly relying on an identical hardware/bot ID.
Sample screenshot of the 5M+ harvested mobile phone numbers service:
The service’s main URL responds to 22.214.171.124.
Parked on the same IP (126.96.36.199) are also the following fraudulent/cybercrime-friendly domains:
Related rogue game MD5s known to have been (historically) hosted at the same IP (188.8.131.52):
The following malicious MD5s are also known to have phoned back to the same IP (184.108.40.206):
The existence of the secondary services (segmented mobile phone numbers belonging to Sochi citizens/paid medical leave services), parked on the same IP as the original 5M+ harvested mobile phone numbers offering service, is a decent example of market segmentation in the context of an event-based type of underground market offering targeting the Sochi Olympics. Not surprisingly, cybercriminals have already taken advantage of this segment, and in a true fraudulent/malicious nature, have launched social engineering driven Android-based malware serving SMS spam campaigns (MD5: 361e92c344294d8b4fce0c302f61716a).
Sample screenshot of the fraudulent Instagram site parked on the same IP (220.127.116.11):
Redirection chain for the rogue Instagram app site:
hxxp://instagramm-registration.ru/ -> hxxp://domainusers.biz/?page=lending&type=soft&size=1&ext=rar&link=http://tds-link-asg.biz/?tds=1275&page=search&parent=similar&key=Instagram_registration_(soft).zip&key=programma_instagram_register_PC ->
Redirectors domain name reconnaissance:
domainusers.biz – 18.104.22.168
tds-link-asg.biz – 22.214.171.124
Name server reconnaissance for the redirectors:
NS11.LIMONBUCKS.COM – 126.96.36.199 – Email: email@example.com – SEVAHOST-AS Seva-Host Ltd (AS49313)
NS12.LIMONBUCKS.COM – 188.8.131.52 – Email: firstname.lastname@example.org
Name servers resonnaissance of the rogue/fraudulent mobile apps serving rogue affiliate network operating the redirectors:
ns1.sevadns.com – 184.108.40.206 – hxxp://sevadns.com -> hxxp://seva-hosting.com (220.127.116.11)
ns1.sevadns.com – 18.104.22.168
A peek inside sample statistics from the rogue mobile apps serving affiliate network:
Known to have phoned back to (22.214.171.124; tds-link-asg.biz) is also the following malicious MD5: bf0074d6e2745925ec8ef3225a2052e1. Known C&C – hxxp://126.96.36.199/showthread.php?j6m=452416&nmhn=401c4ab9717ac07af8449176f3b07cfb&o=8,f4aacf34b635ccbe03dcc87bc52e7c49. Responding to the same IP, is also the Web site of the mobile traffic/rogue apps serving affiliate network.
Known C&C domain responding to the same IP: majdong.ru (188.8.131.52)
Related DNS requests performed by the sample (MD5: bf0074d6e2745925ec8ef3225a2052e1):
Name servers reconnaissance:
Name server: ns1.zippro.ru – 184.108.40.206
Name server: ns2.zippro.ru – 220.127.116.11
Known to have phoned back to the same C&C server majdong.ru (18.104.22.168) are also the following malicious MD5s:
Known to have been downloaded from the same IP (ns1.zippro.ru – 22.214.171.124) are also the following malicious MD5s:
Known to have phoned back to (ns1.zippro.ru – 126.96.36.199) are also the following malicious MD5s:
Known to have been downloaded from the same IP (ns2.zippro.ru – 188.8.131.52) are also the following malicious MD5s:
Known to have phoned back to (ns2.zippro.ru – 184.108.40.206) are also the following malicious MD5s:
Based on our analysis, we were able to successfully identify an identical pseudo-random hardware ID/bot ID, that we were also able to connect to related W32.SMSSend campaigns, further confirming that cybercriminals continue to actively multi-task in 2014.
Related W32.SMSSend hardware ID/bot ID campaigns using the same pseudo-random ID: 401c4ab9717ac07af8449176f3b07cfb
Sample fraudulent W32.SMSSend MD5s relying on the same pseudo-random ID known to have phoned back to 220.127.116.11/18.104.22.168:
Webroot SecureAnywhere users are proactively protected from these threats.