Cybercriminals continue diversifying their portfolios of standardized fraudulent services, in an attempt to efficiently monetize their malicious ‘know-how’, further contributing to the growth of the cybercrime ecosystem. In a series of blog posts highlighting the emergence of the boutique cybercrime-friendly E-shops, we’ve been emphasizing on the over-supply of compromised/stolen accounting data, efficiently aggregated through the TTPs (tactics, techniques and procedures) described in our “Cybercrime Trends – 2013” observations.

We’ve recently spotted a newly launched all-in-one cybercrime-friendly E-shop, offering a diversified portfolio of managed/DIY services/products, exposing a malicious infrastructure worth keeping an eye on. Let’s take a peek inside the E-shop’s inventory and expose the fraudulent infrastructure behind it.

More details:

Sample screenshots of the all-in-one cybercrime-friendly E-shop:

Cybercrime_Managed_Service_Boutique_EShop_DIY_Bulletproof_Botnet_Hosting

Cybercrime_Managed_Service_Boutique_EShop_DIY_Bulletproof_Botnet_Hosting_01

Cybercrime_Managed_Service_Boutique_EShop_DIY_Bulletproof_Botnet_Hosting_02

Cybercrime_Managed_Service_Boutique_EShop_DIY_Bulletproof_Botnet_Hosting_03

The E-shop’s inventory currently consists of a DIY Word exploit generating tool, a malicious form grabbing tool, an SSH brute-forcing tool, as well as a managed cybercrime-friendly bulletproof hosting service. Let’s take a peek inside the actual malicious infrastructure.

Malicious MD5s known to have phoned back to the same C&C server (108.162.198.142) as the original hosting location:
MD5: 941a48eaad0fc20444005bb2a5ffa81f
MD5: b4c5b5e5c5e00dcf78bb5027af03766f
MD5: 42d83b9a5bbb142a7dc5bc27ee4f9933
MD5: 455645aad075326e93091861a3a370f3
MD5: 33d59790d4d3544afd6451254ec798b1
MD5: 5b62cc102f082cf442e49f09025b4188

Once executed MD5: 941a48eaad0fc20444005bb2a5ffa81f phones back to the following C&C servers:
162.159.242.119
193.36.43.104
198.41.184.67
141.101.113.135
185.11.125.93
173.194.41.120
162.159.247.204
144.76.86.115
162.159.249.242
173.194.41.115

Known to have phoned back to the same C&C server (162.159.242.119) are also the following malicious MD5s:
MD5: 941a48eaad0fc20444005bb2a5ffa81f
MD5: 43108272d3d5385bdee35017faef3e66
MD5: a0fdd6c0f47a3e11c7ff6ef733899285
MD5: 5ff93e6c88bd04c83350b9ce8190bcea
MD5: 0ebe5ca385d08d4e62206a7a04332d1d
MD5: 9926b031c7e7dcd2a35786aa78534be8

Malicious MD5s known to have phoned back to the same C&C server (108.162.199.142):
MD5: 24bb74c9625f3ae55ae17b68a3dc7d66
MD5: 43108272d3d5385bdee35017faef3e66
MD5: a0fdd6c0f47a3e11c7ff6ef733899285
MD5: 5ff93e6c88bd04c83350b9ce8190bcea
MD5: 49da13654fe67013ad67d4ba07327347
MD5: b1e7b397e266b826233567b881ae7e88

Webroot SecureAnywhere users are proactively protected from these threats.

Blog Staff

About the Author

Blog Staff

The Webroot blog offers expert insights and analysis into the latest cybersecurity trends. Whether you’re a home or business user, we’re dedicated to giving you the awareness and knowledge needed to stay ahead of today’s cyber threats.

Share This