In a cybercrime ecosystem dominated by DIY (do-it-yourself) malware/botnet generating releases, populating multiple market segments on a systematic basis, cybercriminals continue seeking new ways to acquire and efficiently monetize fraudulently obtained accounting data, for the purpose of achieving a positive ROI (Return on Investment) on their fraudulent operations. In a series of blog posts, we’ve been detailing the existence of commercially available server-based malicious script/iframe injecting/embedding releases/platforms utilizing legitimate infrastructure for the purpose of hijacking legitimate traffic, ultimately infecting tens of thousands of legitimate users.

We’ve recently spotted a long-run Web-based managed malicious/iframe injecting/embedding service relying on compromised accounting data for legitimate traffic acquisition purposes. Let’s discuss the managed service, its features, and take a peek inside the (still running) malicious infrastructure behind it.

More details:

In terms of Q&A (Quality Assurance), the key differentiation features of the service include: automatic URL AV/blacklist detection through a third-party managed service, (compromised) legitimate Web site page rank checker, metrics based statistical system, IM notifications, as well as (compromised) login validation.

Affected CMS platforms:
Joomla.Site
WordPress
DataLife Engine
Drupal
cmsimple
BBpress
phpBB
postnuke
e107
PHP-NUKE
PunBB
Simple Machines Forum (SMF)
MODX Revolution
FluxBB
cmsmadesimple
nucleus
Contao Open Source CMS
slaed

The managed service is currently priced at $250 on a monthly basis, $1,500 for six months, and $2,500 for one year subscription. It’s capable of maintaining up to 500 simultaneous threads. Let’s take a peek inside the fraudulent infrastructure behind it.

Cybercrime_Managed_Service_Malware_Malicious_Software_Malicious_Script_iframe

Known to have responded to the same IP (209.99.40.222; 209.99.40.223) as the original hosting location are also the following fraudulent/typosquatted domains:
hxxp://11si0s8.t3.d.googleadservice.net
hxxp://11si0se.t3.d.googleadservice.net
hxxp://11si0u9.t3.d.googleadservice.net
hxxp://11si0vh.t3.d.googleadservice.net
hxxp://11si0vo.t3.d.googleadservice.net
hxxp://11si0vu.t3.d.googleadservice.net
hxxp://11sl2nr.t3.d.googleadservice.net
hxxp://11sl9jv.t3.d.googleadservice.net
hxxp://11sl9k0.t3.d.googleadservice.net

Known to have phoned back to the same IP (209.99.40.222) as also the following malicious MD5s:
MD5: 35908d4fb26949b2431849d3d8165740
MD5: 1e47a4a9744fff22b54077bfbb588aed
MD5: 4d9cc9ff385732f9f61ca926acb5ff1d
MD5: aa4057d07e1fcf258779be5d26ce99cb
MD5: 5f9b815eb20c49b57a7cc7fa8d144e00
MD5: 015208aa2fc88b176be1281fdaac6d24
MD5: 175c12348d05d8bfdeaae607db2cd0a9
MD5: cb0699ecf69598e822e8f8d68b13817d
MD5: b4c5b5e5c5e00dcf78bb5027af03766f

Once executed MD5: 35908d4fb26949b2431849d3d8165740 phones back to:
31.170.179.179
209.99.40.222
208.91.196.252
208.91.196.4
144.76.167.153
31.170.178.179
148.251.97.163
69.195.129.70
195.22.26.252
200.98.255.192

Related malicious MD5s known to have phoned back to the same C&C server (31.170.179.179):
MD5: 35908d4fb26949b2431849d3d8165740
MD5: c358eab15a24b50769f31130d82f81ad
MD5: 757661a1ebfec599bbbff8e7eb9ef36f
MD5: 64eadeaf41536d3db4abd65fb7efa4c0
MD5: ca1219813e7a190f310a3c599adb3031

Known to have phoned back to the same IP (209.99.40.223) as the original hosting location are also the following fraudulent domains:
MD5: 655cbf254d476fa1b5ac8e8b8f8d1300
MD5: 2c4d569539a3732a5e37b2f01305c87b
MD5: 6271df03b4074daf92a9ae75fd572c70
MD5: 559c4869c327726ff7d2566874569a46
MD5: 65f189242a45493c162b375bd4d1446f

Webroot SecureAnywhere users are proactively protected from these threats.

Blog Staff

About the Author

Blog Staff

The Webroot blog offers expert insights and analysis into the latest cybersecurity trends. Whether you’re a home or business user, we’re dedicated to giving you the awareness and knowledge needed to stay ahead of today’s cyber threats.

Share This