{"id":15024,"date":"2013-11-08T00:00:22","date_gmt":"2013-11-08T07:00:22","guid":{"rendered":"https://www.webroot.com/blog/?p=15024"},"modified":"2018-10-05T13:02:31","modified_gmt":"2018-10-05T19:02:31","slug":"low-quality-assurance-qa-iframe-campaign-linked-mays-india-government-web-site-compromise-spotted-wild","status":"publish","type":"post","link":"https://www.webroot.com/blog/2013\/11\/08\/low-quality-assurance-qa-iframe-campaign-linked-mays-india-government-web-site-compromise-spotted-wild\/","title":{"rendered":"Low Quality Assurance (QA) iframe campaign linked to May&#8217;s Indian government Web site compromise spotted in the wild"},"content":{"rendered":"<p>We&#8217;ve intercepted a currently trending malicious iframe campaign, affecting hundreds of legitimate Web sites, that&#8217;s interestingly part of the very same infrastructure from\u00a0<strong><a href=\"https://www.webroot.com/blog/2013\/05\/24\/compromised-indian-government-web-site-leads-to-black-hole-exploit-kit\/\">May, 2013&#8217;s analysis of the compromise of an Indian government Web site<\/a><\/strong>. The good news? Not only have we got you proactively covered, but also, the iframe domain is currently redirecting to a client-side exploit serving URL that&#8217;s offline. 
Let&#8217;s provide some actionable intelligence on the malicious activity that is known to have originated from the same iframe campaign in the past month, indicating that the cybercriminal(s) behind it are actively multi-tasking on multiple fronts.<\/p>\n<p><!--more--><\/p>\n<p><strong>iframe URL:<\/strong> karenbrowntx.com &#8211; 98.124.198.1<\/p>\n<p><strong>Client-side exploits serving redirector:<\/strong> hxxp:\/\/ww2.taylorgram.com\/main.php?page=3081100e9fdaf127 &#8211; known to have responded to 31.171.133.163 and most recently to 184.168.221.20<\/p>\n<p>The same URL is also known to have been dropping malicious software on the hosts of affected PCs on 2012-06-12, in particular <a href=\"https:\/\/www.virustotal.com\/en\/file\/c09afd6672e29e6788a63f405395fd8c143884b57d6a3e2b6b7a06d8508e59bd\/analysis\/\"><strong>MD5: 923324a0282dd92c383f8043cec96d2d<\/strong><\/a><\/p>\n<p><strong>Known to have responded to the same IP (98.124.198.1) are also the following malicious domains:<\/strong><br \/>\n00ridgeroad.com<br \/>\n0703fdsf.info<br \/>\n09woman.com<br \/>\n100chaparralbv.com<br \/>\n100chaparralbvmartensville.com<br \/>\n10269ruefrederick-olmsted.com<br \/>\n1066sunrisedrive.com<br \/>\n1069colquittavenue.com<br \/>\n110010thavregina.com<br \/>\n1127alexandria.com<br \/>\n1143gladstone.com<br \/>\n114rmerganser.com<br \/>\n1176andrade.com<br \/>\n1180englishtownrd.com<br \/>\n11910route28.com<br \/>\n120-waterstone.com<br \/>\n120riverbank.com<br \/>\n121stationstreet.com<br \/>\n1266mainst.com<br \/>\n1397goyeau4sale.com<\/p>\n<p><strong>We&#8217;re also aware of the following malicious MD5s that have used the same IP as C&amp;C server during October, 2013:<\/strong><br \/>\nMD5: b26c30b512471590cfd2481bceea1b86<br \/>\nMD5: 6e4d7c9e1d935b18340064cabe60ee59<br \/>\nMD5: d0a76dd2bb62c54791a90453884aaeb4<br \/>\nMD5: 5c4b38b7e7bba69eafca7508dea8a940<br \/>\nMD5: 5b057c5838794fe7314ead6cb8ab7a08<br \/>\nMD5: b17279f38e0c2ab76ed6ef929385bd6b<br \/>\nMD5: 
d5bd9375e2693f5d6f48653c5d98960c<br \/>\nMD5: d181371ce3456363c0ae9628e0366569<br \/>\nMD5: 1e5eca486655233da67081d495e599d2<br \/>\nMD5: dfe79429195841e8819e845535220ac7<br \/>\nMD5: ad48514853d7a07f61b21a7729f2256d<\/p>\n<p><strong>Known to have responded to the same IP (184.168.221.20) are also the following malicious domains:<\/strong><br \/>\n100crowns.net<br \/>\n12inchskinz.com<br \/>\n17tidalshore.com<br \/>\n1800truckad.com<br \/>\n1pel.com<br \/>\n2000golfcart.com<br \/>\n2013snipefd.com<br \/>\n2174saturn.com<br \/>\n24498pescadero.com<br \/>\n2951central306.info<br \/>\n2getloan.net<br \/>\n30minutesaweek.us<br \/>\n365ing.com<br \/>\n3psillc.com<br \/>\n400kmmm.com<br \/>\n40hourmonth.com<br \/>\n4159alameda.info<br \/>\n4kpublisher.com<br \/>\n4kx2k.org<br \/>\n6005nkimball402.info<\/p>\n<p><strong>We&#8217;re also aware of the following malicious MD5s that have phoned back to the same IP:<\/strong><br \/>\nMD5: 1776790a93de6cdb273c4d43e751ea60<br \/>\nMD5: f7a6f099db2e38ddfefd33700e413477<br \/>\nMD5: f4a56cc617de5a502c89ad616d90239c<br \/>\nMD5: f0ea6bacdc21c909ae253dc028ac3b81<br \/>\nMD5: ef35106c249da0b44b11e514b7279c0a<br \/>\nMD5: e8dad0602a29670397c4d12ee14c11d0<br \/>\nMD5: e6cfa22910624ed26e1269a88cfa21ea<br \/>\nMD5: e6b79746a444b1ad3d6c006f812c756e<br \/>\nMD5: e4fbe5f7471acdba51f8e78c66e62f06<br \/>\nMD5: e2995b8ce1ec3ac62c72dd5a6a76e992<br \/>\nMD5: dc292733ea7a3e22edd86091a1f25a90<br \/>\nMD5: d3b802d899fe7a6be78f90e1526590a4<br \/>\nMD5: d3c02d615e3996def378956b24363e51<br \/>\nMD5: d2f98464214fca25e0e2892192642171<br \/>\nMD5: d282ef4d97993dae7c131fe654ca5466<\/p>\n<p><strong><a href=\"https:\/\/www.webroot.com\/us\/en\/home\/products\/complete\">Webroot\u00a0SecureAnywhere<\/a><\/strong>\u00a0users are proactively protected from these threats.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>We&#8217;ve intercepted a currently trending malicious iframe campaign, affecting hundreds of legitimate Web sites, that&#8217;s 
interestingly part of the very same infrastructure from\u00a0May, 2013&#8217;s analysis of the compromise of an Indian government Web site. The good news? Not only have we got you proactively covered, but also, the iframe domain is currently redirecting to a [&hellip;]<\/p>\n","protected":false},"author":65,"featured_media":17048,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[3005],"tags":[],"yst_prominent_words":[3881,14603,14597,7397,16409,14601,14595,14593,4043,4047,4065,5727,15475,4019,4029,5265,3471,4161,4313,4621],"acf":[],"_links":{"self":[{"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/posts\/15024"}],"collection":[{"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/users\/65"}],"replies":[{"embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/comments?post=15024"}],"version-history":[{"count":10,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/posts\/15024\/revisions"}],"predecessor-version":[{"id":25751,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/posts\/15024\/revisions\/25751"}],"wp:featuredmedia":[{"embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/media\/17048"}],"wp:attachment":[{"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/media?parent=15024"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/categories?post=15024"},{"taxonomy":"post_tag","embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/tags?post=15024"},{"taxonomy":"yst_prominent_words","embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/yst_prominent_words?post=15024"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}