This report documents a fast and successful suspension process, the result of good coordination between the members who spotted, analyzed and reported the threat, our PICs in the Tango Team (thanks to @S and @CL for the hard work), and the related registrars, whose great cooperation gave us a swift follow-up and a blacklist of the registrant's credentials that bans any further registration. The suspension pace was much better this time (under 18 hours), even right before a weekend, which is a good lead-time reference for future cases.
The report details follow. Note that this post does not aim at analysis details (we already have many analyses of similar cases in this blog); it is written for cybercrime-evidence purposes, and all of the material posted here is to be used in the subsequent legal process.
Verdict of Crime
We detected the landing page of a very dangerous exploit kit, which infects visitors with malware by exploiting browser vulnerabilities, hosted on the IP/network below:
"80.78.247.114 / AS43146 Agava Ltd. (Russian Federation)"
It was initially caught in the act serving the Blackhole Exploit Kit (the "/closest/" version) under the URLs below:
"h00p://toagreements.net/closest/i9jfuhioejskveohnuojfir.php
h00p://terminalspervasive.biz/closest/i9jfuhioejskveohnuojfir.php
h00p://detectedflights.org/closest/i9jfuhioejskveohnuojfir.php
h00p://samenamedpremium.biz/closest/i9jfuhioejskveohnuojfir.php
h00p://recentlyusedclings.com/closest/i9jfuhioejskveohnuojfir.php
h00p://explanationanonymized.in/closest/i9jfuhioejskveohnuojfir.php"
Furthermore, the activity was also recorded in the VirusTotal passive DNS report:
URL: https://www.virustotal.com/en/ip-address/80.78.247.114/information/
"2013-06-28 18:30:12 h00p://datapadsinspecifically.net/closest/i9jfuhioejskveohnuojfir.php
2013-06-28 18:26:43 h00p://detectedflights.org/closest/
2013-06-27 21:33:13 h00p://terminalspervasive.biz/
2013-06-27 19:52:24 h00p://datapadsinspecifically.net/closest/i9jfuhioejskveohnuojfir.php?jnlp=0c443e4262
2013-06-27 19:08:09 h00p://terminalspervasive.biz/closest/i9jfuhioejskveohnuojfir.php
2013-06-27 16:37:32 h00p://detectedflights.org/closest/i9jfuhioejskveohnuojfir.php
2013-06-27 15:38:34 h00p://recentlyusedclings.com/closest/i9jfuhioejskveohnuojfir.php
2013-06-27 15:33:21 h00p://samenamedpremium.biz/closest/i9jfuhioejskveohnuojfir.php
2013-06-26 19:28:27 h00p://toagreements.net/closest/i9jfuhioejskveohnuojfir.php
2013-06-26 00:16:13 h00p://explanationanonymized.in/closest/i9jfuhioejskveohnuojfir.php
2013-06-25 22:15:47 h00p://platformvillains.in/closest/hospital-worker.php
2013-06-25 21:40:54 h00p://platformvillains.in/
2013-06-25 21:40:35 h00p://platformvillains.in/closest/i9jfuhioejskveohnuojfir.php"
It was also monitored in URLQuery:
URL: http://urlquery.net/search.php?q=80.78.247.114&type=string&start=2013-05-01&end=2013-06-29&max=400
"2013-06-28 21:20:51 1 / 0 h00p://datapadsinspecifically.net/closest/i9jfuhioejskveohnuojfir.php [Russian Federation] 80.78.247.114
2013-06-28 16:05:21 0 / 0 h00p://detectedflights.org/closest/ [Russian Federation] 80.78.247.114
2013-06-28 11:20:30 1 / 0 h00p://detectedflights.org/closest/i9jfuhioejskveohnuojfir.php [Russian Federation] 80.78.247.114
2013-06-28 11:19:03 1 / 0 h00p://recentlyusedclings.com/closest/i9jfuhioejskveohnuojfir.php [Russian Federation] 80.78.247.114
2013-06-27 23:33:26 0 / 2 h00p://datapadsinspecifically.net/closest/i9jfuhioejskveohnuojfir.php?jnlp=0c443e4262 [Russian Federation] 80.78.247.114
2013-06-27 23:15:52 1 / 0 h00p://terminalspervasive.biz/closest/i9jfuhioejskveohnuojfir.php [Russian Federation] 80.78.247.114
2013-06-27 21:49:41 0 / 2 h00p://datapadsinspecifically.net/closest/i9jfuhioejskveohnuojfir.php?jnlp=0c443e4262 [Russian Federation] 80.78.247.114
2013-06-27 20:40:27 2 / 13 h00p://detectedflights.org/closest/i9jfuhioejskveohnuojfir.php [Russian Federation] 80.78.247.114
2013-06-27 19:43:31 2 / 6 h00p://recentlyusedclings.com/closest/i9jfuhioejskveohnuojfir.php [Russian Federation] 80.78.247.114
2013-06-27 19:39:28 2 / 21 h00p://samenamedpremium.biz/closest/i9jfuhioejskveohnuojfir.php [Russian Federation] 80.78.247.114
2013-06-27 19:26:24 2 / 15 h00p://terminalspervasive.biz/closest/i9jfuhioejskveohnuojfir.php [Russian Federation] 80.78.247.114
2013-06-27 18:49:18 2 / 14 h00p://datapadsinspecifically.net/closest/i9jfuhioejskveohnuojfir.php [Russian Federation] 80.78.247.114
2013-06-27 15:10:13 2 / 11 h00p://detectedflights.org/closest/i9jfuhioejskveohnuojfir.php [Russian Federation] 80.78.247.114
2013-06-27 15:01:50 2 / 9 h00p://terminalspervasive.biz/closest/i9jfuhioejskveohnuojfir.php [Russian Federation] 80.78.247.114
2013-06-27 14:53:14 2 / 14 h00p://samenamedpremium.biz/closest/i9jfuhioejskveohnuojfir.php [Russian Federation] 80.78.247.114
2013-06-27 14:11:13 2 / 49 h00p://samenamedpremium.biz/closest/i9jfuhioejskveohnuojfir.php [Russian Federation] 80.78.247.114
2013-06-27 14:05:27 2 / 54 h00p://samenamedpremium.biz/closest/i9jfuhioejskveohnuojfir.php [Russian Federation] 80.78.247.114
2013-06-27 13:08:19 2 / 26 h00p://recentlyusedclings.com/closest/i9jfuhioejskveohnuojfir.php [Russian Federation] 80.78.247.114
2013-06-27 10:35:34 2 / 7 h00p://terminalspervasive.biz/closest/i9jfuhioejskveohnuojfir.php [Russian Federation] 80.78.247.114
2013-06-27 09:50:03 2 / 7 h00p://terminalspervasive.biz/closest/i9jfuhioejskveohnuojfir.php [Russian Federation] 80.78.247.114
2013-06-27 07:08:47 2 / 47 h00p://recentlyusedclings.com/closest/i9jfuhioejskveohnuojfir.php [Russian Federation] 80.78.247.114
2013-06-27 01:58:39 2 / 26 h00p://toagreements.net/closest/i9jfuhioejskveohnuojfir.php [Russian Federation] 80.78.247.114
2013-06-26 22:00:39 0 / 0 h00p://samenamedpremium.biz [Russian Federation] 80.78.247.114
2013-06-26 21:28:24 2 / 24 h00p://toagreements.net/closest/i9jfuhioejskveohnuojfir.php [Russian Federation] 80.78.247.114
2013-06-26 20:50:53 0 / 2 h00p://samenamedpremium.biz/closest/i9jfuhioejskveohnuojfir.php?jnlp=0c443e4262 [Russian Federation] 80.78.247.114
2013-06-26 13:57:32 0 / 0 h00p://samenamedpremium.biz [Russian Federation] 80.78.247.114
2013-06-26 13:56:00 0 / 0 h00p://80.78.247.114 [Russian Federation] 80.78.247.114
2013-06-26 04:38:23 0 / 0 h00p://80.78.247.114 [Russian Federation] 80.78.247.114
2013-06-26 04:00:06 2 / 50 h00p://explanationanonymized.in/closest/i9jfuhioejskveohnuojfir.php [Russian Federation] 80.78.247.114
2013-06-26 03:08:24 2 / 24 h00p://explanationanonymized.in/closest/i9jfuhioejskveohnuojfir.php [Russian Federation] 80.78.247.114
2013-06-26 00:21:59 2 / 10 h00p://platformvillains.in/closest/hospital-worker.php [Russian Federation] 80.78.247.114
2013-06-25 23:52:36 2 / 14 h00p://platformvillains.in/closest/i9jfuhioejskveohnuojfir.php [Russian Federation] 80.78.247.114
2013-06-25 23:44:57 2 / 23 h00p://platformvillains.in/closest/hospital-worker.php [Russian Federation] 80.78.247.114
2013-06-25 23:28:58 2 / 25 h00p://platformvillains.in/closest/hospital-worker.php [Russian Federation] 80.78.247.114
2013-06-25 22:00:33 2 / 7 h00p://platformvillains.in/closest/i9jfuhioejskveohnuojfir.php [Russian Federation] 80.78.247.114
2013-06-25 21:29:13 2 / 9 h00p://platformvillains.in/closest/i9jfuhioejskveohnuojfir.php [Russian Federation] 80.78.247.114
2013-06-25 21:27:52 1 / 0 h00p://platformvillains.in/closest/i9jfuhioejskveohnuojfir.php [Russian Federation] 80.78.247.114
2013-06-25 18:14:20 2 / 11 h00p://appsandfundamentals.in/closest/i9jfuhioejskveohnuojfir.php [Russian Federation] 80.78.247.114
2013-06-25 18:02:07 1 / 0 h00p://appsandfundamentals.in/closest/i9jfuhioejskveohnuojfir.php [Russian Federation] 80.78.247.114"
Exploit Attack Evidence
Some snapshots of the exploit infector used:
These snapshots are evidence, as recorded in the URLQuery reports below:
"http://urlquery.net/report.php?id=3356618
http://urlquery.net/report.php?id=3356579
http://urlquery.net/report.php?id=3355901
http://urlquery.net/report.php?id=3352167
http://urlquery.net/report.php?id=3332078"
Tango Information
Dismantling detail: although we spotted 150+ domains registered under various conditions by the same bad actor behind this scheme, we narrowed them down to the 61 unique domains listed below, which are enough to take the related infection off the internet. The sorting was done by eliminating duplicate records, sub-domains, and domains not clearly related to this verdict. These domains were confirmed down by June 28th, 2013, 23:59 GMT+9. The registrant's individual ID/credentials have been marked and spread to all registrars as a blacklist to block further threats, and have also been passed to the regional authority for the further legal process.
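The sorting step described above, as an added example that is not part of the MalwareMustDie report: a small Python script that parses urlquery-style records like those quoted in the Verdict section, refangs the h00p:// URLs, drops the hosting IP literal (which goes to the AS, not a registrar), collapses sub-domains to their registrable domain, and emits the unique domain list with first-seen/last-seen times and record counts. The sample records are constructed from lines quoted above plus one invented www. sub-domain to show the collapsing; the "last two labels" suffix rule is an assumption that holds for the TLDs seen here (.biz, .net, .org, .in, .asia, .com) but not for multi-label suffixes such as co.uk, where the Public Suffix List should be used instead.

```python
"""Added example (not MalwareMustDie code): reduce observed exploit-kit URLs
to the unique registrable domains a takedown request needs."""
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample input modelled on the urlquery records quoted in the
# report. The 'www.' record is invented here to show sub-domain collapsing.
SAMPLE_RECORDS = """\
2013-06-28 21:20:51 1 / 0 h00p://datapadsinspecifically.net/closest/i9jfuhioejskveohnuojfir.php [Russian Federation] 80.78.247.114
2013-06-27 23:33:26 0 / 2 h00p://datapadsinspecifically.net/closest/i9jfuhioejskveohnuojfir.php?jnlp=0c443e4262 [Russian Federation] 80.78.247.114
2013-06-26 13:56:00 0 / 0 h00p://80.78.247.114 [Russian Federation] 80.78.247.114
2013-06-26 00:21:59 2 / 10 h00p://platformvillains.in/closest/hospital-worker.php [Russian Federation] 80.78.247.114
2013-06-25 18:14:20 2 / 11 h00p://www.appsandfundamentals.in/closest/i9jfuhioejskveohnuojfir.php [Russian Federation] 80.78.247.114
2013-06-26 22:00:39 0 / 0 h00p://samenamedpremium.biz [Russian Federation] 80.78.247.114
"""

# One record: timestamp, two alert counters, defanged URL, [country], IP.
RECORD_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s+"
    r"(?P<a>\d+)\s*/\s*(?P<b>\d+)\s+"
    r"(?P<url>\S+)\s+\[(?P<country>[^\]]+)\]\s+(?P<ip>\S+)$"
)

DEFANG = {"h00p://": "http://", "hxxp://": "http://", "hxxps://": "https://"}


def refang(url):
    """Undo the h00p/hxxp defanging used in published IOC lists."""
    for bad, good in DEFANG.items():
        if url.lower().startswith(bad):
            return good + url[len(bad):]
    return url


def parse_records(text):
    """Yield one dict per well-formed record; malformed lines are skipped."""
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if m:
            yield m.groupdict()


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def registrable_domain(host):
    """Collapse a hostname to its registrable domain.

    Assumption: every TLD in this data set is a single label, so the last
    two labels are the registrable domain. Use the Public Suffix List for
    multi-label suffixes such as co.uk.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_closest_landing(url):
    """True for the '/closest/' Blackhole landing-page path named in the report."""
    return urlsplit(refang(url)).path.startswith("/closest/")


def unique_domains(text, hosting_ip=None):
    """Return {domain: {"first_seen", "last_seen", "hits"}} for records whose
    resolved IP equals hosting_ip (all records when hosting_ip is None)."""
    out = {}
    for rec in parse_records(text):
        if hosting_ip and rec["ip"] != hosting_ip:
            continue
        host = urlsplit(refang(rec["url"])).hostname
        if not host or is_ip_literal(host):
            continue  # the hosting IP itself is reported to the AS, not a registrar
        dom = registrable_domain(host)
        entry = out.setdefault(dom, {"first_seen": rec["ts"], "last_seen": rec["ts"], "hits": 0})
        # ISO timestamps compare correctly as strings
        entry["first_seen"] = min(entry["first_seen"], rec["ts"])
        entry["last_seen"] = max(entry["last_seen"], rec["ts"])
        entry["hits"] += 1
    return out


if __name__ == "__main__":
    for dom, info in sorted(unique_domains(SAMPLE_RECORDS, "80.78.247.114").items()):
        print(f"{dom:32} first={info['first_seen']} last={info['last_seen']} hits={info['hits']}")
```

Run it against the full urlquery export and the output is the candidate list to send to registrars; a record that fails the regex is silently skipped, so diff the line count against the input when the export format changes.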
The list of suspended malware-related domains is as below:
"anotherfactory.biz
artificialwind.asia
automatedpersonal.biz
balloonmansards.biz
blissfullyshare.biz
builtinscrupulous.net
campgroundstexts.biz
challengingprobably.biz
cokelendino.biz
conceptuallynetra.biz
coveringtelex.org
crypticallyhits.biz
delacruse.biz
directorybasedvibration.biz
discontiguousnds.asia
enterprisespumpkin.biz
eulaschalk.biz
examplefeatures.biz
expressionssentrybay.biz
extensivemymagicjackcom.org
fingertipsync.biz
flagsreimagining.biz
forgotperson.biz
fourthdvst.org
garbleddesigns.net
hoodselectable.biz
hourswebdav.biz
humorannouncement.biz
illustrateredeemed.net
joliclouddestructive.net
klockspell.biz
laptophandextremely.biz
lookyouthful.biz
massacrehighesttiered.biz
mediumsizedacdsees.biz
metadataconverse.net
muckinghighres.net
normov.biz
ntjobs.biz
nutsprerelease.biz
obamanizererouting.biz
perdevicecategoryyoursphere.net
pkielements.biz
prohibitedhill.biz
ridspayback.asia
scriptedbecome.biz
smugmugextras.biz
snapfishletnarrator.biz
sparesaddressmanually.biz
specialtyinterpreted.biz
squirrelspremade.biz
staffsenjoyment.biz
subsystemgandhi.biz
subtractionipvcertified.biz
summarysomeplace.biz
technologiesblipping.biz
votingkasperskyequipped.biz
vsmounting.org
webcastingtyping.biz
webworkzoneibm.biz
withinstyrofoam.biz"
Public announcement by #MalwareMustDie, NPO. All rights reserved.
Anti CyberCrime Research Group - malwaremustdie.org