
Historical OSINT - Spamvertised Client-Side Exploits Serving Adult Content Themed Campaign

There's no such thing as free porn, unless client-side exploits are being served alongside it.

We've recently intercepted a currently circulating malicious spam campaign enticing end users into clicking on embedded content that serves malware through client-side exploits, with the aim of compromising the socially engineered user's host and then further monetizing that access through a rogue affiliate-network based scheme.

In this post we'll profile the campaign, provide actionable intelligence on the infrastructure behind it, and discuss in depth the tactics, techniques and procedures of the cybercriminals behind it.

Sample malicious URL known to have participated in the campaign:
hxxp://jfkweb.chez.com/HytucztXRs.html? -> hxxp://aboutg.dothome.co.kr/bbs/theme_1_1_1.php -> hxxp://aboutg.dothome.co.kr/bbs/theme_1_1_1.php?s=hvqCgoLEI&id=6 -> hxxp://aboutg.dothome.co.kr/bbs/theme_1_1_1.php?s=hvqCgoLEI&id=14 -> hxxp://meganxoxo.com - 74.222.13.2 - associated name servers: ns1.tube310.info; ns2.tube310.info - 74.222.13.24

Parked there (74.222.13.2) are also:
hxxp://e-leaderz.com - Email: seoproinc@gmail.com
hxxp://babes4you.info - 74.222.13.25
hxxp://tubexxxx.info
hxxp://my-daddy.info - 74.222.13.25

Related malicious URLs known to have participated in the campaign:
hxxp://eroticahaeven.info
hxxp://freehotbabes.info
hxxp://freepornportal.info
hxxp://hot-babez.info
hxxp://sex-sexo.info
hxxp://tube310.info
hxxp://tube323.info

The exploitation structure is as follows:
hxxp://meganxoxo.com/xox/go.php?sid=6 -> hxxp://kibristkd.org.tr/hasan-ikizer/index01.php -> hxxp://fd1a234sa.com/js - 79.135.152.26 -> hxxp://asf356ydc.com/qual/index.php - CVE-2008-2992; CVE-2009-0927; CVE-2010-0886 -> hxxp://asf356ydc.com/qual/52472f502b9688d3326a32ed5ddd5d2c.js ->  hxxp://asf356ydc.com/qual/abe9c321312b206bffa798ef9d5b6a9b.php?uid=206369 -> hxxp://188.243.231.39/public/qual.jar ->  hxxp://asf356ydc.com/qual/load.php/0a3584217553d6fccbd74cfb73e954b6?forum=thread_id -> hxxp://asf356ydc.com/download/stat.php -> hxxp://asf356ydc.com/download/load/load.exe
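
As an added example (not code from the original post), the following Python script parses the arrow-separated chain notation above into structured hops, pulling out the hosting IP and CVE annotations per hop so the infrastructure and the exploited vulnerabilities can be fed into a blocklist or a hunt query. The CHAIN string is a shortened excerpt of the chain above; the per-hop classification by file extension is a triage assumption of this example, not something the post states.

```python
"""Added example (not code from the original post): parse the "A -> B -> C"
exploitation-chain notation used above into structured hops, so each host,
IP and CVE can be pulled out for blocking or hunting.  CHAIN is a constructed
excerpt of the chain given in the post."""
import os
import re
from urllib.parse import urlsplit

CHAIN = (
    "hxxp://meganxoxo.com/xox/go.php?sid=6 -> "
    "hxxp://kibristkd.org.tr/hasan-ikizer/index01.php -> "
    "hxxp://fd1a234sa.com/js - 79.135.152.26 -> "
    "hxxp://asf356ydc.com/qual/index.php - CVE-2008-2992; CVE-2009-0927; CVE-2010-0886 -> "
    "hxxp://188.243.231.39/public/qual.jar -> "
    "hxxp://asf356ydc.com/download/load/load.exe"
)

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Rough role of a hop, judged from the file extension alone.  This is a triage
# assumption, not a verdict: a .php hop may equally be the kit's landing page.
KIND_BY_EXT = {".exe": "payload", ".jar": "java exploit", ".js": "script",
               ".php": "server-side", ".html": "landing"}


def refang(url):
    """Turn the defanged hxxp:// back into http:// so urlsplit can parse it."""
    return re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE)


def classify(path):
    return KIND_BY_EXT.get(os.path.splitext(path)[1].lower(), "redirect")


def parse_chain(chain):
    """Split on '->' and return one dict per hop, in redirect order."""
    hops = []
    for raw in chain.split("->"):
        raw = raw.strip()
        if not raw:
            continue
        # Text after ' - ' is an annotation: a hosting IP and/or a CVE list.
        url, _, annot = raw.partition(" - ")
        parts = urlsplit(refang(url))
        host = parts.hostname or ""
        ips = IP_RE.findall(annot)
        hops.append({
            "url": url,
            "host": host,
            # Prefer the annotated IP; fall back to the host when it is itself an IP.
            "ip": ips[0] if ips else (host if IP_RE.fullmatch(host) else None),
            "cves": CVE_RE.findall(annot),
            "kind": classify(parts.path),
        })
    return hops


def indicators(hops):
    """Deduplicated hostnames and IPs across the chain, ready for a blocklist."""
    hosts = sorted({h["host"] for h in hops if h["host"] and not IP_RE.fullmatch(h["host"])})
    ips = sorted({h["ip"] for h in hops if h["ip"]})
    return hosts, ips


def exploited_cves(hops):
    return sorted({c for h in hops for c in h["cves"]})


if __name__ == "__main__":
    chain = parse_chain(CHAIN)
    for i, h in enumerate(chain, 1):
        print(f"{i}. [{h['kind']}] {h['host']} ip={h['ip']} cves={h['cves']}")
    hosts, ips = indicators(chain)
    print("hosts:", hosts)
    print("ips:  ", ips)
    print("CVEs: ", exploited_cves(chain))
```

The annotation parsing keys on the literal " - " separator the post uses; hyphens inside paths (hasan-ikizer) are untouched because they are not surrounded by spaces.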

Related malicious URLs known to have participated in the campaign:
hxxp://jfkweb.chez.com/frank4.html - CVE-2010-0886
    - hxxp://jfkweb.chez.com/bud2.html
        - hxxp://jfkweb.chez.com/4.html
            - hxxp://wemhkr3t4z.com/qual/load/myexebr.exe
                - hxxp://asf356ydc.com/download/index.php
                    - hxxp://89.248.111.71/qual/load.php?forum=jxp&ql
                        - hxxp://asf356ydc.com/qual/index.php

Related malicious URLs known to have participated in the campaign:
hxxp://qual/10964108e3afab081ed1986cde437202.js
hxxp://qual/768a83ea36dbd09f995a97c99780d63e.php?spn=2&uid=213393&
hxxp://qual/index.php?browser_version=6.0&uid=213393&browser=MSIE&spn=2

Related malicious URLs known to have participated in the campaign:
hxxp://download/banner.php?spl=javat
hxxp://download/j1_ke.jar
hxxp://download/j2_93.jar

Parked on 89.248.111.71, AS45001, Interdominios_ono Grupo Interdominios S.A.:
wemhkr3t4z.com - Email: fole@fox.net - MD5: 3b375fc53207e1f54504d4b038d9fe6b

Related malicious URL, and associated IPs, known to have participated in the campaign:
hxxp://alhatester.com/cp/file.exe - 204.11.56.48; 204.11.56.45; 8.5.1.46; 208.73.211.230; 208.73.211.247; 208.73.211.249; 208.73.211.246; 208.73.211.233; 208.73.211.238; 208.73.211.208

Known to have phoned back to the same malicious C&C server IPs are also the following malicious MD5s:
MD5: 89fb419120d1443e86d37190c8f42ae8
MD5: 3194e6282b2e51ed4ef186ce6125ed73
MD5: 7f42da8b0f8542a55e5560e86c4df407
MD5: f8bdc841214ae680a755b2654995895e
MD5: ed8062e152ccbe14541d50210f035299

Once executed, a sample malware (MD5: 89fb419120d1443e86d37190c8f42ae8) phones back to the following C&C servers:
hxxp://gremser.eu
hxxp://bibliotecacenamec.org.ve
hxxp://fbpeintures.com
hxxp://postgil.com
hxxp://verum1.home.pl
hxxp://przedwislocze.internetdsl.pl
hxxp://iskurders.webkursu.net
hxxp://pennthaicafe.com.au
hxxp://motherengineering.com
hxxp://krupoonsak.com

Once executed, a sample malware (MD5: 3194e6282b2e51ed4ef186ce6125ed73) phones back to the following malicious C&C servers:
hxxp://get.enomenalco.club
hxxp://promos-back.peerdlgo.info
hxxp://get.cdzhugashvili.bid
hxxp://doap.ctagonallygran.bid
hxxp://get.gunnightmar.club
hxxp://huh.adowableunco.bid
hxxp://slibby.ineddramatiseo.bid

Once executed, a sample malware (MD5: 7f42da8b0f8542a55e5560e86c4df407) phones back to the following malicious C&C servers:
hxxp://acemoglusucuklari.com.tr
hxxp://a-bring.com
hxxp://tn69abi.com
hxxp://gim8.pl
hxxp://sso.anbtr.com

Once executed, a sample malware (MD5: f8bdc841214ae680a755b2654995895e) phones back to the following malicious C&C servers:
hxxp://dtrack.secdls.com
hxxp://api.v2.secdls.com
hxxp://api.v2.sslsecure1.com
hxxp://api.v2.sslsecure2.com
hxxp://api.v2.sslsecure3.com
hxxp://api.v2.sslsecure4.com
hxxp://api.v2.sslsecure5.com
hxxp://api.v2.sslsecure6.com
hxxp://api.v2.sslsecure7.com
hxxp://api.v2.sslsecure8.com

Once executed, a sample malware phones back to the following malicious C&C URL, with the associated IPs:
hxxp://v00d00.org/nod32/grabber.exe - 67.215.238.77; 67.215.255.139; 184.168.221.87

Related malicious MD5s known to have phoned back to the same C&C server IP (67.215.238.77):
MD5: 1233c86d3ab0081b69977dbc92f238d0

Known to have responded to the same malicious IPs are also the following malicious domains:
hxxp://blog.symantecservice37.com
hxxp://agoogle.in
hxxp://adv.antivirup.com
hxxp://cdind.antivirup.com

Once executed, a sample malware phones back to the following C&C URL:
hxxp://v00d00.org/nod32/update.php

Known to have responded to the same malicious IP (67.215.255.139) are also the following malicious domains:
hxxp://lenovoserve.trickip.net
hxxp://proxy.wikaba.com
hxxp://think.jkub.com
hxxp://upgrate.freeddns.com
hxxp://webproxy.sendsmtp.com
hxxp://yote.dellyou.com
hxxp://lostself.dyndns.info
hxxp://dellyou.com
hxxp://mtftp.freetcp.com
hxxp://ftp.adobe.acmetoy.com
hxxp://timeout.myvnc.com
hxxp://fashion.servehalflife.com

Related malicious MD5s known to have phoned back to the same malicious C&C server IP (67.215.255.139):
MD5: e76aa56b5ba3474dda78bf31ebf1e6c0
MD5: 4de5540e450e3e18a057f95d20e3d6f6
MD5: 346a605c60557e22bf3f29a61df7cd21
MD5: ae9fefda2c6d39bc1cec36cdf6c1e6c4
MD5: da84f1d6c021b55b25ead22aae79f599

Known to have responded to the same malicious C&C server IP (184.168.221.87) are also the following malicious domains:
hxxp://teltrucking.com
hxxp://capecoraldining.org
hxxp://carsforsaletoronto.com
hxxp://joeyboca.com
hxxp://meeraamacids.com
hxxp://orangepotus.com
hxxp://palmerhardware.com
hxxp://railroadtohell.com

Related malicious MD5s known to have phoned back to the same malicious C&C server IP (184.168.221.87):
MD5: 037f8120323f2ddff3c806185512538c
MD5: 44f0e8fe53a3b489cb5204701fa1773d
MD5: 8a053e8d3e2eafc27be9738674d4d5b0
MD5: 9efc79cd75d23070735da219c331fe4d
MD5: ed81b9f1b72e31df1040ccaf9ed4393f

Once executed, a sample malware (MD5: 037f8120323f2ddff3c806185512538c) phones back to the following C&C URL:
hxxp://porno-kuba.net/emo/ld.php?v=1&rs=1819847107&n=1&uid=1

Once executed, a sample malware (MD5: 44f0e8fe53a3b489cb5204701fa1773d) phones back to the following C&C servers:
hxxp://mhc.ir
hxxp://naphooclub.com
hxxp://mdesigner.ir
hxxp://nazarcafe.com
hxxp://meandlove.com
hxxp://nakhonsawangames.com
hxxp://mevlanacicek.com
hxxp://meeraprabhu.com
hxxp://micr.ae
hxxp://myhyderabadads.com
hxxp://cup-muangsuang.net

Sample malicious URLs known to have participated in the campaign:
hxxp://portinilwo.com/nhjq/n09230945.asp
    - hxxp://portinilwo.com/botpanel/sell2.jpg
        - hxxp://portinilwo.com/boty.dat
            - hxxp://91.188.60.161/botpanel/sell2.jpg
                - hxxp://91.188.60.161/botpanel/ip.php

Once executed, a sample malware phones back to the following C&C server:
asf356ydc.com - MD5: 3b375fc53207e1f54504d4b038d9fe6b

Related malicious domains known to have participated in the campaign:
asf356ydc.co
kaljv63s.com
sadkajt357.com
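
Putting the indicator lists above to use: the following Python script (an added example, not code from the original post) extracts hosts, IPs and MD5s from lines written in this post's notation and then matches squid-style proxy log lines against them, including subdomains of a listed parent domain. IOC_TEXT is a constructed excerpt of the indicators above, and LOG_LINES are constructed log entries rather than real traffic; example.org, innocent.example and their addresses are placeholders.

```python
"""Added example (not code from the original post): extract hosts, IPs and
MD5s from indicator lines in this post's notation, then run squid-style proxy
log lines against them.  IOC_TEXT is a constructed excerpt of the lists above;
LOG_LINES are constructed, not real traffic."""
import re
from urllib.parse import urlsplit

IOC_TEXT = """
hxxp://meganxoxo.com - 74.222.13.2 - associated name servers: ns1.tube310.info; ns2.tube310.info - 74.222.13.24
hxxp://fd1a234sa.com/js - 79.135.152.26
hxxp://alhatester.com/cp/file.exe - 204.11.56.48; 204.11.56.45; 8.5.1.46
hxxp://v00d00.org/nod32/grabber.exe - 67.215.238.77; 67.215.255.139; 184.168.221.87
MD5: 89fb419120d1443e86d37190c8f42ae8
asf356ydc.com - MD5: 3b375fc53207e1f54504d4b038d9fe6b
"""

# Squid native access.log layout (constructed entries):
# time elapsed client action/code size method URL ident hierarchy/peer type
LOG_LINES = [
    "1290000001.001 120 10.0.0.7 TCP_MISS/200 5120 GET http://example.org/index.html - DIRECT/93.184.216.34 text/html",
    "1290000002.002 300 10.0.0.7 TCP_MISS/302 410 GET http://meganxoxo.com/xox/go.php?sid=6 - DIRECT/74.222.13.2 text/html",
    "1290000003.003 800 10.0.0.7 TCP_MISS/200 18341 GET http://asf356ydc.com/qual/index.php - DIRECT/79.135.152.26 text/html",
    "1290000004.004 50 10.0.0.9 TCP_MISS/200 220 GET http://innocent.example/ping - DIRECT/67.215.238.77 text/plain",
]

URL_RE = re.compile(r"h(?:xx|tt)ps?://\S+", re.IGNORECASE)
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
MD5_RE = re.compile(r"\bMD5:\s*([0-9a-fA-F]{32})\b")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)


def extract_iocs(text):
    """Return {'hosts', 'ips', 'md5s'} sets pulled from the indicator text."""
    hosts, ips, md5s = set(), set(), set()
    for url in URL_RE.findall(text):
        host = urlsplit(re.sub(r"^hxxp", "http", url, flags=re.I)).hostname
        if host:
            (ips if IP_RE.fullmatch(host) else hosts).add(host)
    # Strip the URLs first so path components like "file.exe" are not taken for domains.
    rest = URL_RE.sub(" ", text)
    ips.update(IP_RE.findall(rest))
    md5s.update(h.lower() for h in MD5_RE.findall(rest))
    hosts.update(d.lower() for d in DOMAIN_RE.findall(rest))
    return {"hosts": hosts, "ips": ips, "md5s": md5s}


def host_hit(host, hosts):
    """Return the indicator covering host (exact or a parent domain), else None."""
    parts = host.lower().split(".")
    for i in range(len(parts) - 1):
        cand = ".".join(parts[i:])
        if cand in hosts:
            return cand
    return None


def match_log(lines, iocs):
    """(line number, reason) for every log line touching an indicator."""
    hits = []
    for n, line in enumerate(lines, 1):
        f = line.split()
        if len(f) < 9:
            continue
        host = urlsplit(f[6]).hostname or ""
        dst = f[8].split("/", 1)[-1]        # "DIRECT/74.222.13.2" -> "74.222.13.2"
        reasons = []
        h = host_hit(host, iocs["hosts"])
        if h:
            reasons.append(f"host {h}")
        if dst in iocs["ips"]:
            reasons.append(f"dst {dst}")
        if reasons:
            hits.append((n, ", ".join(reasons)))
    return hits


def hash_hit(md5, iocs):
    return md5.lower() in iocs["md5s"]


if __name__ == "__main__":
    iocs = extract_iocs(IOC_TEXT)
    for n, why in match_log(LOG_LINES, iocs):
        print(f"line {n}: {why}")
```

Matching on the destination IP as well as the hostname is what catches the fourth line, where the request goes to an unlisted name that happens to resolve to one of the listed C&C addresses.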

We'll continue monitoring the fraudulent infrastructure and post updates as soon as new developments take place.
