{"id":11169,"date":"2013-05-24T00:00:58","date_gmt":"2013-05-24T07:00:58","guid":{"rendered":"http:\/\/blog.webroot.com\/?p=11169"},"modified":"2018-10-05T12:41:32","modified_gmt":"2018-10-05T18:41:32","slug":"compromised-indian-government-web-site-leads-to-black-hole-exploit-kit","status":"publish","type":"post","link":"https://www.webroot.com/blog/2013\/05\/24\/compromised-indian-government-web-site-leads-to-black-hole-exploit-kit\/","title":{"rendered":"Compromised Indian government Web site leads to Black Hole Exploit Kit"},"content":{"rendered":"

By Dancho\u00a0Danchev<\/strong><\/p>\n

Our sensors recently picked up a Web site infection, affecting the Web site of the\u00a0Ministry of Micro And Medium Enterprises (MSME DI Jaipur). And although the Black Hole Exploit Kit<\/strong><\/a> serving URL is currently not accepting any connections, it’s known to have been used in previous client-side exploit serving campaigns.<\/p>\n

Let’s profile the campaign, list the malicious URLs, associate them with previously launched malicious campaigns, and provide actual MD5s\u00a0for historical OSINT preservation\/attribution purposes.<\/p>\n

More details: <\/p>\n

Sample screenshot of the affected Web site:<\/strong><\/p>\n

\"Indian_Government_Web_Site_Hacked_Compromised_Black_Hole_Exploit_Kit_01\"<\/a><\/p>\n

Sample screenshot of the malicious script detected on the Indian government Web site:<\/strong><\/p>\n

\"Indian_Government_Web_Site_Hacked_Compromised_Black_Hole_Exploit_Kit\"<\/a><\/p>\n

Sample compromised URLs:<\/strong>
\nhxxp:\/\/sisijaipur.gov.in\/cluster_developement.html<\/em>
\nhxxp:\/\/msmedijaipur.gov.in\/cluster_developement.html<\/em><\/p>\n

Detection rate for the malicious script: MD5: 44a8c0b8d281f17b7218a0fe09840ce9<\/strong><\/a> – detected by 24 out of 47 antivirus scanners as Trojan:JS\/BlacoleRef.W; Trojan-Downloader.JS.Iframe.czf.<\/p>\n

Malicious domain names\/redirectors reconnaissance:<\/strong>
\n888-move-stuff.com<\/em> – 50.63.202.21 – Email: van2move@yahoo.com
\n888movestuff.com<\/em> – 208.109.181.190 – Email: van2move@yahoo.com
\njobbelts.com (redirector\/C&C)<\/em> – 98.124.198.1 – Email: aanelli@yahoo.com<\/p>\n

More malicious domains are known to have been responding to the same IP in the past (98.124.198.1):<\/strong>
\nadventure-holiday-specials.com<\/em>
\nappraisingla.com<\/em>
\narc-res.com<\/em>
\na-to-z-of-barbados.com<\/em>
\nbookmarkingdemonx.com<\/em>
\nceointerns.com<\/em>
\ncharityairsupport.org<\/em>
\ncsepros.com<\/em>
\ndominateseowithwordpress.com<\/em>
\nenum365.com<\/em>
\njobbelts.com<\/em>
\nkarenbrowntx.com<\/em>
\nrankbuilder2.net<\/em>
\nseopressors.org<\/em>
\nstopchasingmoney.com<\/em>
\nthefamily4life.org<\/em>
\nventergy.com<\/em><\/p>\n

The following MD5s\u00a0are also known to have phoned back to the same (redirector\/C&C) IP (98.124.198.1) in the past:<\/strong>
\nMD5: f2d01514d0d2794ed78876d01e0e04db<\/em>
\nMD5: 799134d350b8842af52fe5d60de2912b<\/em>
\nMD5: 8b9f907c1e4e2554f53e31847873fd39<\/em>
\nMD5: f7217bb8839e81e912aa0f90da009381<\/em>
\nMD5: fc25c21aeb34b8044a50b705a7f3196c<\/em>
\nMD5: 4d7b516d5e9fcded471d3d90b8d81ee8<\/em>
\nMD5: d185e2e05a9fdea22273c34509f705cc<\/em>
\nMD5: 93d796d5a99c36a3e85d308198c1633e<\/em>
\nMD5: 25d77181324ccabe860a43178cbdabc9<\/em>
\nMD5: f3c1a408991d1677bf18b53ef8dc9694<\/em>
\nMD5: e5e893be23ac2e08fc2e7ac66f019b10<\/em>
\nMD5: 092382c436b32eba275c07777c40a9a0<\/em>
\nMD5: ca64138f14218b983bf26454855578f6<\/em>
\nMD5: 88ddb2d8b49bd83ecafe224f94f34fd6<\/em>
\nMD5: 858e08cf6941e51a095dcf353efc631c<\/em>
\nMD5: 48ea9ba54a567ec83980ed33f0a6f443<\/em>
\nMD5: af4ebdb68cfff1a740128d9267722842<\/em>
\nMD5: d4d2d0d4786862441437bad647cbbe33<\/em>
\nMD5: 5ac3fbf4117f20e6fe044e775fdf093d<\/em>
\nMD5: 5ac4ae6eaa0e0c2902493161bbcc19b2<\/em>
\nMD5: 42c6545a6d47ebe2e82d5de82acfd1e9<\/em>
\nMD5: 221c235bc70586ce4f4def9a147b8735<\/em>
\nMD5: 52bad082f4832c5ae5a55a1bcbcd9e85<\/em>
\nMD5: 2ceeadcad588907a6e15432919bc4034<\/em>
\nMD5: 4b3297a1160535a2c0daf12b18c98b24<\/em>
\nMD5: 8a2ae3d73915066ab17602d3030d5210<\/em>
\nMD5: 6721e76f1e3d2115bdc9f80b19ea2559<\/em>
\nMD5: d610ee9403d278fd5e1f73b4f84c09ef<\/em>
\nMD5: 3ab818111067dfa92f0127ffdcc35023<\/em>
\nMD5: 76134ec61934a3e6a902321ea3cf1f4e<\/em>
\nMD5: 6392e74b4089434e37a8057abd1c3412<\/em>
\nMD5: 1b0939a3c6949889beb8cb76b166cbbf<\/em>
\nMD5: b34fbe260547ec3b0b8fb459fcf30771<\/em>
\nMD5: cd0f1f5f7bebbfc789dac4d5557ff863<\/em>
\nMD5: d45390bac7ee591fef142dcd5c52b904<\/em>
\nMD5: ffd80b49d09f9c5eaa73cf8f4fa7c32b<\/em>
\nMD5: 35880e82794d19468089e80d906ec39a<\/em>
\nMD5: 91de2d4993680d0daa3e511b1641a175<\/em>
\nMD5: 4655088575b11b204a06acd39f7b5630<\/em>
\nMD5: e9e8c72208fcaabcec7562b6e1676af6<\/em>
\nMD5: 490c91d8c16c8d6c73734ce11c444593<\/em>
\nMD5: ff0a9c71518e2278cb8dad27881465b3<\/em>
\nMD5: a0a9617cdd0bf84dd5d07add2deabf40<\/em>
\nMD5: 4e6d21171b58826dfb0bd3476482c5ac<\/em>
\nMD5: e5c0574f3c9e48fe85f544bf9c39937a<\/em>
\nMD5: fb25f19c93fe035391f195a52ae07971<\/em>
\nMD5: 77bb37ad859d4c433bbb217e5d6a41f7<\/em>
\nMD5: 47810e1cbd0ca2bbeed4c02edeaa9b4c<\/em>
\nMD5: fd90feeed1cf8e7c0d65a544cb4a3e35<\/em>
\nMD5: f545e564afb8716a7666e094b14b0468<\/em>
\nMD5: e751dd91e840c107edf70f29ef691b0a<\/em>
\nMD5: 6f78620dbb70ffac24b9527f10e77902<\/em>
\nMD5: 17c9528ea10a6ccc8057cb2cd2dbbe29<\/em>
\nMD5: 59bae82ba7a09511b99e3675bc03a3f7<\/em>
\nMD5: e4a01de23165ea57cf48746eadba3673<\/em>
\nMD5: a3922f61be14c531afb12bfc11a0b44b<\/em>
\nMD5: b046b9bed7785956fa3e1558e0afd471<\/em>
\nMD5: 0140f83cff8d68440b08c1b32315c3a8<\/em>
\nMD5: 7d9f5b6361b0699a291d34bd2bbd1ef1<\/em>
\nMD5: 2035b5fb2e7ebbabc6d3d45c02a5deba<\/em>
\nMD5: 0a7dd5ff56918b12d75f3d8eabf564d6<\/em>
\nMD5: aef3b6defe975d62a8dd35a9cee86903<\/em>
\nMD5: ce2caa00f0a84dbeef6d14ba21f266b7<\/em>
\nMD5: 0e6024ad1bf070e50358a69db2591638<\/em>
\nMD5: 6fc253744ee4c906ea918f86fc1f48e3<\/em>
\nMD5: 1b38047c2ea9116cb0c1e6d2abce87ea<\/em>
\nMD5: 3072ca7490c113770a71b9061618e72c<\/em>
\nMD5: 6cbf399be3d49c7b8cc978f7438872fe<\/em>
\nMD5: 3e457718647cf0c710828c95ea28a25c<\/em>
\nMD5: 57c4e7d1710cba165c3e60f3fdea599e<\/em>
\nMD5: feabf100e09c7c7b66f7c372dad9cb8a<\/em>
\nMD5: f2cac6034a9083b40664e9214667c753<\/em>
\nMD5: 3b16066f9253cc108b0471e8b09503a7<\/em>
\nMD5: 34ced03f0c3526c40a7672c05a51dd7b<\/em>
\nMD5: be6eff934e37d870fabe2a0e032b35a0<\/em>
\nMD5: 76a3a098aeac3cd23c4658bd99b05b22<\/em>
\nMD5: 4fee26033634100542d341140211ae62<\/em>
\nMD5: a5e501121d9c77b1c5e3e8a3fdb90059<\/em>
\nMD5: 4bf55b2dfc381304e4a5072e5b6a40b6<\/em>
\nMD5: d8d3d43384ef8176c7b9be23c805fde9<\/em>
\nMD5: 3a76404ad87c2650b1a5637fea02d50e<\/em>
\nMD5: 3874e390bd8722988b4e531fc08f8e75<\/em>
\nMD5: 8669106885799a18b5cf0b7f363f9f80<\/em>
\nMD5: 3aafd629a67984b68fde3ee1933e905b<\/em>
\nMD5: d27d37c01df70f2f045503ebfc6414a0<\/em>
\nMD5: a4bb145882cda7dd6239394ece66f484<\/em>
\nMD5: 36d9c2510d0181c52012c0f74f3a83be<\/em>
\nMD5: e90fd0e9a481611c9f2c5441d724c77f<\/em>
\nMD5: 1b1da73836cb7a92dc859e3c8a9dc9a9<\/em>
\nMD5: 412d768b9a8825b59e0e156e12d97178<\/em>
\nMD5: d038be577445db7a903c7ab5c6b30940<\/em>
\nMD5: 2b91cfd5c51d0fa3ef87a15fa1b9df82<\/em>
\nMD5: 3156619047726ed0aa1847382f533c61<\/em><\/p>\n

The Black Hole Exploit Kit redirecting URL that’s currently embedded at the Indian government Web site is currently not accepting any connections. However, we know that on\u00a02012-07-03 08:04:36, it was responding, and was indeed served malicious content.<\/p>\n

Sample redirection chain:<\/strong>
\nhxxp:\/\/wwww.888-move-stuff.com\/main.php?page=3081100e9fdaf127<\/em> -> hxxp:\/\/wwww.888movestuff.com\/data\/ap2.php<\/em> -> hxxp:\/\/wwww.888movestuff.com\/w.php?f=97d19&e=1<\/em><\/p>\n

Upon successful client-side exploitation back then, it dropped\u00a0MD5: 770cc2e2a184eaad0d79716f0baf9e48<\/strong> <\/a>– detected by 40 out of 46 antivirus scanners as Trojan-Ransom.Win32.Birele.vjr; PWS:Win32\/Fareit.gen!C.<\/p>\n

Once executed, the sample created the following Registry Key on the affected hosts:<\/strong>
\nHKEY_CURRENT_USERSoftwareWinRAR<\/em><\/p>\n

As well as the following Registry Value:<\/strong>
\n[HKEY_CURRENT_USERSoftwareWinRAR] -> HWID\u00a0= 7B\u00a042 37 36 33 44 31 31 31 2D 41 45 45 37 2D 34 30 46 36 2D 41 38 41 31 2D 35 36 33 44 46 41 32 37 41 32 34 37 7D<\/em><\/p>\n

It then downloaded additional malware from:<\/strong>
\nhxxp:\/\/euxtoncorinthiansfc.co.uk\/pd.exe<\/em>
\nhxxp:\/\/euxtoncorinthiansfc.co.uk\/1689.exe<\/em><\/p>\n

MD5: 34AC3D1AB72E67DF7D60B3BD11604B02<\/strong><\/a>
\nMD5: 76B2A3832CE39F81887FC3375AF60FC5<\/strong><\/a><\/p>\n

With the samples back then, phoning back to vnclimitedrun.in:443 (199.59.166.86).<\/strong>\u00a0In 2012,\u00a0<\/strong>the same IP was also seen in a malvertising campaign<\/a>.<\/strong><\/p>\n

Webroot\u00a0SecureAnywhere<\/a><\/strong>\u00a0users are proactively protected from these threats.<\/p>\n

You can find more about Dancho\u00a0Danchev at his\u00a0LinkedIn Profile<\/strong><\/a>. You can also\u00a0follow him on Twitter<\/strong><\/a>.<\/em><\/p>\n","protected":false},"excerpt":{"rendered":"

By Dancho\u00a0Danchev Our sensors recently picked up a Web site infection, affecting the Web site of the\u00a0Ministry of Micro And Medium Enterprises (MSME DI Jaipur). And although the Black Hole Exploit Kit serving URL is currently not accepting any connections, it’s known to have been used in previous client-side exploit serving campaigns. Let’s profile the […]<\/p>\n","protected":false},"author":65,"featured_media":17048,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[3005],"tags":[],"yst_prominent_words":[14609,14607,14599,3871,11341,6187,6177,5735,14605,4911,14603,14597,11343,6189,14601,14595,14593,5961,5605,4621],"acf":[],"_links":{"self":[{"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/posts\/11169"}],"collection":[{"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/users\/65"}],"replies":[{"embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/comments?post=11169"}],"version-history":[{"count":2,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/posts\/11169\/revisions"}],"predecessor-version":[{"id":25681,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/posts\/11169\/revisions\/25681"}],"wp:featuredmedia":[{"embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/media\/17048"}],"wp:attachment":[{"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/media?parent=11169"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/categories?post=11169"},{"taxonomy":"post_tag","embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/tags?post=11169"},{"taxonomy":"yst_prominent_words","embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/yst_prominent_words?post=11169"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}