Blackhole NOW served Cridex combo with Ransomware rotated with GeoIP - Changes in credential crime scheme (powered by NAUNET.RU)

Background


This is more than just a malware analysis blog post. Morelike a threat report or updates of a cyber crime group activity that continuing their malicious operation and distribution method, that we think people who use internet must aware about.

The spam driven credentials/PWS stealer group we track, that is known for infecting trojan to steal credential via Blackhole Exploit Exploit Kit, that is responsible to the infection of recent fake FedEx, fake Amazon ticket, fake BBB, fake American Express spams and so on, is recently making a brand new new campaign through the below "real" malware infector domains:

fuigadosi.ru (NEW)
faneroomk.ru (NEW)
fzukungda.ru (NEW)
famagatra.ru (NEW)
fulinaohps.ru (NEW)
finalions.ru (NEW)
emmmhhh.ru (NEW)
errriiiijjjj.ru (NEW)
ejjiipprr.ru (NEW)
eiiiioovvv.ru (NEW)

"previous infector used historically:"
emaianem.ru
enakinukia.ru
exibonapa.ru
esigbsoahd.ru
egihurinak.ru
exiansik.ru
emaianem.ru
estipaindo.ru
epilarikko.ru
eminakotpr.ru
ewinhdutik.ru
efjjdopkam.ru
eipuonam.ru
epionkalom.ru
ejiposhhgio.ru
emalenoko.ru
eminakotpr.ru
:
Currently (see the NEW tagged domains) are active for infecting:
Tracing to fzukungda.ru[a] via a.root-servers.net., maximum of 1 retries
a.root-servers.net. (198.41.0.4)
|\___ e.dns.ripn.net [ru] (2001:0678:0015:0000:0193:0232:0142:0017) Not queried
|\___ e.dns.ripn.net [ru] (193.232.142.17)
| |\___ ns2.fzukungda.ru [fzukungda.ru] (110.164.58.250) Got authoritative answer
| |\___ ns4.fzukungda.ru [fzukungda.ru] (203.171.234.53) Got authoritative answer
| |\___ ns3.fzukungda.ru [fzukungda.ru] (210.71.250.131) Got authoritative answer
| |\___ ns5.fzukungda.ru [fzukungda.ru] (184.106.195.200) *
| \___ ns1.fzukungda.ru [fzukungda.ru] (41.168.5.140) Got authoritative answer
|\___ a.dns.ripn.net [ru] (2001:0678:0017:0000:0193:0232:0128:0006) Not queried
|\___ a.dns.ripn.net [ru] (193.232.128.6)
| |\___ ns1.fzukungda.ru [fzukungda.ru] (41.168.5.140) (cached)
| |\___ ns3.fzukungda.ru [fzukungda.ru] (210.71.250.131) (cached)
| |\___ ns4.fzukungda.ru [fzukungda.ru] (203.171.234.53) (cached)
| |\___ ns2.fzukungda.ru [fzukungda.ru] (110.164.58.250) (cached)
| \___ ns5.fzukungda.ru [fzukungda.ru] (184.106.195.200) *
: :
Tracing to famagatra.ru[a] via a.root-servers.net., maximum of 1 retries
a.root-servers.net. (198.41.0.4)
|\___ b.dns.ripn.net [ru] (2001:0678:0016:0000:0194:0085:0252:0062) Not queried
|\___ b.dns.ripn.net [ru] (194.85.252.62)
| |\___ ns4.famagatra.ru [famagatra.ru] (203.171.234.53) Got authoritative answer
| |\___ ns1.famagatra.ru [famagatra.ru] (41.168.5.140) Got authoritative answer
| |\___ ns5.famagatra.ru [famagatra.ru] (184.106.195.200) *
| |\___ ns2.famagatra.ru [famagatra.ru] (110.164.58.250) Got authoritative answer
| \___ ns3.famagatra.ru [famagatra.ru] (210.71.250.131) Got authoritative answer
|\___ f.dns.ripn.net [ru] (2001:0678:0014:0000:0193:0232:0156:0017) Not queried
|\___ f.dns.ripn.net [ru] (193.232.156.17)
| |\___ ns2.famagatra.ru [famagatra.ru] (110.164.58.250) (cached)
| |\___ ns5.famagatra.ru [famagatra.ru] (184.106.195.200) *
| |\___ ns1.famagatra.ru [famagatra.ru] (41.168.5.140) (cached)
| |\___ ns4.famagatra.ru [famagatra.ru] (203.171.234.53) (cached)
| \___ ns3.famagatra.ru [famagatra.ru] (210.71.250.131) (cached)
: :
Tracing to fulinaohps.ru[a] via a.root-servers.net., maximum of 1 retries
a.root-servers.net. (198.41.0.4)
|\___ f.dns.ripn.net [ru] (2001:0678:0014:0000:0193:0232:0156:0017) Not queried
|\___ f.dns.ripn.net [ru] (193.232.156.17)
| |\___ ns3.fulinaohps.ru [fulinaohps.ru] (210.71.250.131) Got authoritative answer
| |\___ ns5.fulinaohps.ru [fulinaohps.ru] (184.106.195.200) *
| |\___ ns2.fulinaohps.ru [fulinaohps.ru] (110.164.58.250) Got authoritative answer
| |\___ ns1.fulinaohps.ru [fulinaohps.ru] (41.168.5.140) Got authoritative answer
| \___ ns4.fulinaohps.ru [fulinaohps.ru] (203.171.234.53) Got authoritative answer
|\___ b.dns.ripn.net [ru] (2001:0678:0016:0000:0194:0085:0252:0062) Not queried
|\___ b.dns.ripn.net [ru] (194.85.252.62)
| |\___ ns3.fulinaohps.ru [fulinaohps.ru] (210.71.250.131) (cached)
| |\___ ns5.fulinaohps.ru [fulinaohps.ru] (184.106.195.200) *
| |\___ ns2.fulinaohps.ru [fulinaohps.ru] (110.164.58.250) (cached)
| |\___ ns1.fulinaohps.ru [fulinaohps.ru] (41.168.5.140) (cached)
| \___ ns4.fulinaohps.ru [fulinaohps.ru] (203.171.234.53) (cached)
: :
Tracing to emmmhhh.ru[a] via a.root-servers.net., maximum of 1 retries
a.root-servers.net. (198.41.0.4)
|\___ a.dns.ripn.net [ru] (2001:0678:0017:0000:0193:0232:0128:0006) Not queried
|\___ a.dns.ripn.net [ru] (193.232.128.6)
| |\___ ns5.emmmhhh.ru [emmmhhh.ru] (184.106.195.200) *
| |\___ ns2.emmmhhh.ru [emmmhhh.ru] (110.164.58.250) Got authoritative answer
| |\___ ns1.emmmhhh.ru [emmmhhh.ru] (41.168.5.140) Got authoritative answer
| |\___ ns4.emmmhhh.ru [emmmhhh.ru] (203.171.234.53) Got authoritative answer
| \___ ns3.emmmhhh.ru [emmmhhh.ru] (210.71.250.131) Got authoritative answer
|\___ f.dns.ripn.net [ru] (2001:0678:0014:0000:0193:0232:0156:0017) Not queried
|\___ f.dns.ripn.net [ru] (193.232.156.17)
| |\___ ns4.emmmhhh.ru [emmmhhh.ru] (203.171.234.53) (cached)
| |\___ ns2.emmmhhh.ru [emmmhhh.ru] (110.164.58.250) (cached)
| |\___ ns5.emmmhhh.ru [emmmhhh.ru] (184.106.195.200) *
| |\___ ns1.emmmhhh.ru [emmmhhh.ru] (41.168.5.140) (cached)
| \___ ns3.emmmhhh.ru [emmmhhh.ru] (210.71.250.131) (cached)
: :
Tracing to errriiiijjjj.ru[a] via a.root-servers.net., maximum of 1 retries
a.root-servers.net. (198.41.0.4)
|\___ b.dns.ripn.net [ru] (2001:0678:0016:0000:0194:0085:0252:0062) Not queried
|\___ b.dns.ripn.net [ru] (194.85.252.62)
| |\___ ns4.errriiiijjjj.ru [errriiiijjjj.ru] (203.171.234.53) Got authoritative answer
| |\___ ns2.errriiiijjjj.ru [errriiiijjjj.ru] (110.164.58.250) Got authoritative answer
| |\___ ns3.errriiiijjjj.ru [errriiiijjjj.ru] (210.71.250.131) Got authoritative answer
| |\___ ns5.errriiiijjjj.ru [errriiiijjjj.ru] (184.106.195.200) *
| \___ ns1.errriiiijjjj.ru [errriiiijjjj.ru] (41.168.5.140) Got authoritative answer
|\___ e.dns.ripn.net [ru] (2001:0678:0015:0000:0193:0232:0142:0017) Not queried
|\___ e.dns.ripn.net [ru] (193.232.142.17)
| |\___ ns2.errriiiijjjj.ru [errriiiijjjj.ru] (110.164.58.250) (cached)
| |\___ ns4.errriiiijjjj.ru [errriiiijjjj.ru] (203.171.234.53) (cached)
| |\___ ns5.errriiiijjjj.ru [errriiiijjjj.ru] (184.106.195.200) *
| |\___ ns1.errriiiijjjj.ru [errriiiijjjj.ru] (41.168.5.140) (cached)
| \___ ns3.errriiiijjjj.ru [errriiiijjjj.ru] (210.71.250.131) (cached)
: :
Tracing to ejjiipprr.ru[a] via a.root-servers.net., maximum of 1 retries
a.root-servers.net. (198.41.0.4)
|\___ d.dns.ripn.net [ru] (2001:0678:0018:0000:0194:0190:0124:0017) Not queried
|\___ d.dns.ripn.net [ru] (194.190.124.17)
| |\___ ns3.ejjiipprr.ru [ejjiipprr.ru] (210.71.250.131) Got authoritative answer
| |\___ ns1.ejjiipprr.ru [ejjiipprr.ru] (41.168.5.140) Got authoritative answer
| |\___ ns2.ejjiipprr.ru [ejjiipprr.ru] (110.164.58.250) Got authoritative answer
| \___ ns4.ejjiipprr.ru [ejjiipprr.ru] (203.171.234.53) Got authoritative answer
|\___ f.dns.ripn.net [ru] (2001:0678:0014:0000:0193:0232:0156:0017) Not queried
|\___ f.dns.ripn.net [ru] (193.232.156.17)
| |\___ ns3.ejjiipprr.ru [ejjiipprr.ru] (210.71.250.131) (cached)
| |\___ ns4.ejjiipprr.ru [ejjiipprr.ru] (203.171.234.53) (cached)
| |\___ ns1.ejjiipprr.ru [ejjiipprr.ru] (41.168.5.140) (cached)
| \___ ns2.ejjiipprr.ru [ejjiipprr.ru] (110.164.58.250) (cached)
: :
Tracing to eiiiioovvv.ru[a] via a.root-servers.net., maximum of 1 retries
a.root-servers.net. (198.41.0.4)
|\___ e.dns.ripn.net [ru] (2001:0678:0015:0000:0193:0232:0142:0017) Not queried
|\___ e.dns.ripn.net [ru] (193.232.142.17)
| |\___ ns2.eiiiioovvv.ru [eiiiioovvv.ru] (110.164.58.250) Got authoritative answer
| |\___ ns3.eiiiioovvv.ru [eiiiioovvv.ru] (210.71.250.131) Got authoritative answer
| |\___ ns4.eiiiioovvv.ru [eiiiioovvv.ru] (203.171.234.53) Got authoritative answer
| \___ ns1.eiiiioovvv.ru [eiiiioovvv.ru] (41.168.5.140) Got authoritative answer
|\___ f.dns.ripn.net [ru] (2001:0678:0014:0000:0193:0232:0156:0017) Not queried
|\___ f.dns.ripn.net [ru] (193.232.156.17)
| |\___ ns4.eiiiioovvv.ru [eiiiioovvv.ru] (203.171.234.53) (cached)
| |\___ ns1.eiiiioovvv.ru [eiiiioovvv.ru] (41.168.5.140) (cached)
| |\___ ns2.eiiiioovvv.ru [eiiiioovvv.ru] (110.164.58.250) (cached)
| \___ ns3.eiiiioovvv.ru [eiiiioovvv.ru] (210.71.250.131) (cached)
: :
Tracing to finalions.ru[a] via a.root-servers.net., maximum of 1 retries
a.root-servers.net. (198.41.0.4)
|\___ d.dns.ripn.net [ru] (2001:0678:0018:0000:0194:0190:0124:0017) Not queried
|\___ d.dns.ripn.net [ru] (194.190.124.17)
| |\___ ns4.finalions.ru [finalions.ru] (203.171.234.53) Got authoritative answer
| |\___ ns2.finalions.ru [finalions.ru] (110.164.58.250) Got authoritative answer
| |\___ ns1.finalions.ru [finalions.ru] (41.168.5.140) Got authoritative answer
| |\___ ns3.finalions.ru [finalions.ru] (210.71.250.131) Got authoritative answer
| \___ ns5.finalions.ru [finalions.ru] (184.106.195.200) *
|\___ e.dns.ripn.net [ru] (2001:0678:0015:0000:0193:0232:0142:0017) Not queried
|\___ e.dns.ripn.net [ru] (193.232.142.17)
| |\___ ns2.finalions.ru [finalions.ru] (110.164.58.250) (cached)
| |\___ ns1.finalions.ru [finalions.ru] (41.168.5.140) (cached)
| |\___ ns3.finalions.ru [finalions.ru] (210.71.250.131) (cached)
| |\___ ns5.finalions.ru [finalions.ru] (184.106.195.200) *
| \___ ns4.finalions.ru [finalions.ru] (203.171.234.53) (cached)
: :

and so on..
(c)MalwareMustDie, the NPO - malicious domain monitoring scheme..

UPDATE: 2013, March 01
Latest domains used by this Bad Actor:

This group is continuing their criminal operation under NAUNET(Russia) rogue registrar,
registering & activated malicious domains with rogue registration (see marked words below)

registrar:     NAUNET-REG-RIPN
state: "REGISTERED, DELEGATED, UNVERIFIED"
person: "Private Person"
They are keep on updating domains for their crime operation in daily basis,
as per pasted evidence here -->>[HERE] ←see the "Last updated" part (=today)
We marked NAUNET(RU) as a wellknown malware affiliate registrar.
They are starting new infection campaign with the new M.O. as per below details:

Details


New infection methods implemented:
1. Using the (suspected Geo-base)IP rotator base response to infection
2. Starting the infection of the Ransomware for the certain GeoIP.
3. The usage of fake/stolen CA certification is spotted. (thank's to @it4sec)


We monitored this activities for last 4days and exposed 2 reports of this case in
the our beloved Pastebin with the links below:
1. http://pastebin.com/raw.php?i=YkvnFNKx
2. http://pastebin.com/raw.php?i=W40RNxnG

With the PluginDetect exposed as per below:
1. http://pastebin.com/CpRXS5m3
2. http://pastebin.com/MkYVRz4R
3. http://pastebin.com/mCJy7GEn
4. http://pastebin.com/LSUCnvN6

And the "latest" Payloads as per below:

Cridex:
1. 6cd8ae852bd023982b292a714d3e1582537606cc655a74c1fef152742c215e00
2. 5050a5bdf164767ba6a8432a273942983737b3553c2f0d8fdbab42bbdaab3f6e
3. a54c2b298c3fc8162458889f290d2e6713a6ba45c8c697e17a333409c037bff4
4. 6ba7598df3a3111c4304f2c565ecc8307ecef504e0413c230e87ff6d845076da

Ransomer:
1. 3cb0a852b902c1beffa70e6405825dfe71ad28141f8bcc369880af9f7e692b84
2. bea956049c02eefa07495dda55a1624ba3fe4020ed268094f7b63ec53439d48d

You'll see the LATEST popped up snapshot of download binary here:
1. http://urlquery.net/report.php?id=1039316
2. http://urlquery.net/report.php?id=1039314

This criminal group is aiming the:
1. Internet service login credentials (ftp/pop3/imap/http)
2. Online cash/transaction information
3. Phishing & fraudulence of online banking


Proof of Concept


First PoC is as per pasted stealer config file here -->>[HERE]

For the security purpose we can not report the Ransomer parts yet,
but Credential Stealer Trojan used(Cridex+Fareit) are using callbacks with
the below details:

The below communication HTTP headers..(info for filtration purpose)

Method : HTTP/1.1 POST
user-agent : Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)
contents-type: application/x-www-form-urlencoded
Callback IPs..
h00p://203.171.234.53:8080   // the url will be plus /XXX(random)/XXX(random)/XXX(random)
h00p://221.143.48.6:8080
h00p://64.85.53.168:8080
h00p://180.235.150.72:8080
h00p://213.214.74.5:8080
h00p://210.56.23.100:8080
h00p://173.201.177.77:8080
h00p://184.106.195.200:8080
h00p://199.167.29.136:8080
h00p://62.28.244.251:8080
h00p://85.94.66.2:8080
h00p://72.251.206.90:8080
h00p://188.132.213.178:8080
h00p://78.28.120.32:8080
h00p://88.119.156.20:8080
h00p://188.117.44.241:8080
h00p://217.65.100.41:8080
h00p://37.122.209.102:8080
h00p://195.191.22.90:8080
h00p://195.191.22.40:8080
h00p://195.191.22.97:8080
h00p://195.191.22.37:8080
h00p://82.100.228.130:8080
Credential stealed with below POSTED formats: (note: grabbed ftp/http/pop3/internet explorer/firefox/macromedia used)
<http time="%%%uu">
<url><![CDATA[%%.%us]]></url>
<useragent><![CDATA[%%.%us]]></useragent>
<data><![CDATA[]]></data>
</http>

<httpshot time="%%%uu">
<url><![CDATA[%%.%us]]></url>
<data><![CDATA[]]></data>
</httpshot>

<ftp time="%%%uu">
<server><![CDATA[%%u.%%u.%%u.%%u:%%u]]></server>
<user><![CDATA[%%.%us]]></user>
<pass><![CDATA[]]></pass>
</ftp>

<pop3 time="%%%uu">
<server><![CDATA[%%u.%%u.%%u.%%u:%%u]]></server>
<user><![CDATA[%%.%us]]></user>
<pass><![CDATA[]]></pass></pop3>

<cmd id="%u">%u</cmd>

<cert time="%u">
<pass><![CDATA[]]></pass>
<data><![CDATA[]]></data>
</cert>

<ie time="%u"><data><![CDATA[]]></data></ie> // Internet Explorer....
<ff time="%u"><data><![CDATA[]]></data></ff> // firefox...
<mm time="%u"><data><![CDATA[]]></data></mm> // Macromedia....
<message set_hash="%%.%us" req_set="%%%%u" req_upd="%%%%u">
<header><unique>%%.%us</unique><version>%%u</version><system>%%u</system><network>%%u</network></header>
<data>
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDa1gmnqfz0x8rbd5d78HJCgdSgkQy7k8IISlrVm8zezmXmqtbnNt7Mtk0BZxCq0xnjc+WGc1Zd8XHAkC5smrgFLgZYMhClUOEAfDLQhsnrWyjT5spwnkEgIVOv6oifW7rPPOCGbCYi1vnDiHJdy5AQqLfl4ynb5Pk259NwsjX0wQIDAQAB
</data>
</message>
Supporting the stealing method/commands:
hash
httpshots
formgrabber
httpinjects
Also supporting the file-sending method:
HTTP/1.1 200 OK
Connection: close
Content-Type: text/html



Content-Disposition: attachment; filename=%S
With sending information to the remote malicious servers/panels below:
h00p://37.139.47.124:80
h00p://85.143.166.72:443
h00p://62.76.177.123:80/if_Career/(admin.php)
IMPORTANT! The GeoIP scheme used to rotate request is matched with the below :
http://ondailybasis.com/blog/?p=1483 by @it4sec

Research Materials

Samples Collected -->>[HERE]We recorded PCAP up to 1700+ sec of a last infection-->>[HERE]
Additional: Thu Feb 21 18:33:41 JST 2013 The PWS Stealer (Cridex drops Fareit) distributed via BHEK, VT: 6ba7598df3a3111c4304f2c565ecc8307ecef504e0413c230e87ff6d845076daLanding page: h00p://faneroomk.ru:8080/forum/links/column.php IP: 77.120.103.221, 84.23.66.74, 210.71.250.131 Landing page + PDF infector PoC http://urlquery.net/report.php?id=1057467Payload Url: h00p://faneroomk.ru:8080/forum/links/column.php?gf=30:1n:1i:1i:33&re=2v:1k:1m:32:33:1k:1k:31:1j Payload PoC: http://urlquery.net/report.php?id=1057662*) thanks to @PhysicalDrive0 for landing page urlquery info.
The below crusaders is supporting this investigation: @Hulk_Crusader. @it4sec, @RazorEQX, @unixfreaxjp, @PhysicalDrive0
#MalwareMustDie, the NPO, Feb 2013.