We've been seeing a fair number of compromised WordPress sites with various JavaScript plugins that are redirecting visitors to assorted malicious domains.
Sucuri discussed this in an excellent post: "Massive Admedia/Advertising iFrame Injection"
Since then, we've seen the URI construct of the redirection change from "/admedia/?" to "/megaadvertize/?keyword="
Currently the most popular redirect URLs appear to be:
http://vrot.stervapoimeniliana[.]info/megaadvertize/?keyword=<>
http://pon.krasnayadama[.]info/megaadvertize/?keyword=<>
All the redirect domains we've seen use the following as nameservers:
- gotl549293.mars.orderbox-dns[.]com
- gotl549293.earth.orderbox-dns[.]com
- gotl549293.venus.orderbox-dns[.]com
- gotl549293.mercury.orderbox-dns[.]com
So to get an idea of what other domains might be used for this campaign, we looked at two things:
* Which domains are using these nameservers?
* Which domains have the email address "valera.valera-146.yandex.ru" (the SOA RNAME form of valera.valera-146@yandex.ru, with the "@" written as a dot) in their DNS SOA records?
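The two pivots above, written as a small filter over passive-DNS style records (an added example, not the post's own tooling); the records it runs on are constructed, and only the nameservers and the SOA mailbox come from the post:

```python
"""Pivot DNS records on the infrastructure the post identifies (added example).
The records below are constructed, not real lookups; feed rows from your
own passive-DNS export instead.
"""
from dataclasses import dataclass

# Nameservers the post reports for every redirect domain seen so far.
CAMPAIGN_NS = {
    "gotl549293.mars.orderbox-dns.com",
    "gotl549293.earth.orderbox-dns.com",
    "gotl549293.venus.orderbox-dns.com",
    "gotl549293.mercury.orderbox-dns.com",
}
# SOA RNAME writes the mailbox with "@" as ".", so this is
# valera.valera-146@yandex.ru; the local part itself contains a dot and is
# rarely escaped in the wild, so compare the literal RNAME string.
CAMPAIGN_RNAME = "valera.valera-146.yandex.ru"

@dataclass
class DnsRecord:
    domain: str
    ns: list         # NS hostnames, maybe with trailing dot or mixed case
    soa_rname: str   # RNAME field of the zone's SOA record

def norm(name: str) -> str:
    """Lower-case a DNS name and drop its trailing dot."""
    return name.rstrip(".").lower()

def classify(rec: DnsRecord) -> set:
    """Return the criteria a record meets: a subset of {"ns", "soa"}."""
    hits = set()
    if any(norm(n) in CAMPAIGN_NS for n in rec.ns):
        hits.add("ns")
    if norm(rec.soa_rname) == CAMPAIGN_RNAME:
        hits.add("soa")
    return hits

def pivot(records) -> dict:
    """Map each matching domain to its criteria. An NS-only hit is weaker:
    hosted nameservers like these can also serve zones outside the campaign."""
    return {norm(r.domain): classify(r) for r in records if classify(r)}

# Constructed sample (hypothetical names except the campaign domain).
SAMPLE = [
    DnsRecord("krasnayadama.info", ["gotl549293.mars.orderbox-dns.com."],
              "valera.valera-146.yandex.ru."),
    DnsRecord("example.net", ["ns1.example-dns.invalid."], "hostmaster.example.net."),
    DnsRecord("OTHER-TENANT.example", ["GOTL549293.VENUS.ORDERBOX-DNS.COM."],
              "dns.other.invalid."),
]
```

Domains that meet both criteria are the strongest candidates for the list; NS-only hits deserve a look at WHOIS before they are treated as campaign infrastructure.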
Below is a list of the domains meeting these criteria:
Nearly all domain names are transliterated Russian word combinations.
Some of the domains registered by valera.valera-146@yandex.ru, such as barabolka[.]com, bear the Registrant Name "Valeriy Babosuch" (http://www.whoismind.com/whois/barabolka.com.html).
This name is associated with other domains listed below and with the registrant email address mindupper@gmail.com.
Domains registered by mindupper@gmail.com were made of mostly English language word combinations.
Some of the domains associated with Nuclear EK and Pony/Fareit post-infection traffic were hosted on 162.247.12.207. See more at:
http://malwaredb.malekal.com/url.php?netname=WFC
http://malwarefor.me/2015-04-26-nuclear-ek-dropping-ponyfareit/
162.247.12.207 (https://www.virustotal.com/en/ip-address/162.247.12.207/information/): Country CA, AS6939 (Hurricane Electric, Inc.)
Phishing (such as https://whois.domaintools.com/blondescript.net) was seen on 91.200.85.137.
Passive DNS results for these two IP addresses reveal the domains. VirusTotal results show:
Registrant Name: Valeriy Babosuch
Registrant Organization:
Registrant Street: Truhanovskaya 45
Registrant City: Moscow
Registrant State/Province: N/A
Registrant Postal Code: 121497
Registrant Country: RU
Registrant Phone: +7 . 9453466645
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: mindupper@gmail.com
Compromises of CMS platforms, including WordPress, Joomla!, and Drupal, remain a significant threat. Detecting the malicious redirect by its URI construct is useful; however, the attacker often changes that construct quickly. To improve awareness and detection, we wanted to provide this list of domains that may be related to this active WordPress compromise.
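One way to operationalise the URI constructs and redirect domains above against proxy logs, as an added example that is not part of the original post; the log format, the victim and CDN hostnames and the parser are assumptions, while the URI constructs and redirect domains come from the post:

```python
"""Flag this campaign's redirect in proxy logs and name the referring site (added example).
Lines are constructed in a simple "timestamp client url referer" format;
adapt scan() to your proxy's real format.
"""
import re
from urllib.parse import urlsplit
# Redirect domains named in the post, defanged; subdomains such as
# vrot.stervapoimeniliana.info match by suffix.
WATCHLIST = {"stervapoimeniliana[.]info", "krasnayadama[.]info"}
WATCH = {d.replace("[.]", ".").lower() for d in WATCHLIST}

# URI constructs seen so far; the attacker rotates these, so keep a list.
URI_PATTERNS = [re.compile(r"^/admedia/\?"),
                re.compile(r"^/megaadvertize/\?keyword=")]

def host_on_watchlist(host: str) -> bool:
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in WATCH)

def inspect_url(url: str):
    """Return why a URL matches ("watchlist-domain" or "redirect-uri"), else None."""
    parts = urlsplit(url)
    if host_on_watchlist(parts.hostname or ""):
        return "watchlist-domain"
    # Keep the raw path+query: urlsplit drops the bare "?" of "/admedia/?".
    slash = url.find("/", len(parts.scheme) + 3)
    rest = url[slash:] if slash != -1 else "/"
    if any(p.match(rest) for p in URI_PATTERNS):
        return "redirect-uri"
    return None

def scan(lines):
    """Yield (reason, referring host, url); the referrer is the site to triage."""
    for line in lines:
        fields = line.split()
        if len(fields) < 4:
            continue
        url, referer = fields[2], fields[3]
        reason = inspect_url(url)
        if reason:
            yield reason, urlsplit(referer).hostname or "-", url

# Constructed log lines; victim and CDN hosts are hypothetical.
LOG = """\
2016-02-01T10:00:01Z 10.0.0.5 http://blog.victim.test/2016/02/post/ -
2016-02-01T10:00:02Z 10.0.0.5 http://pon.krasnayadama.info/megaadvertize/?keyword=x http://blog.victim.test/2016/02/post/
2016-02-01T10:00:03Z 10.0.0.7 http://cdn.example.test/jquery.min.js http://shop.example.test/
2016-02-01T10:00:04Z 10.0.0.9 http://newhost.example/admedia/? http://forum.victim2.test/
""".splitlines()
```

The referring host on each hit is the site whose pages carry the injected redirect, which is where the cleanup has to happen; a hit on the URI pattern alone also catches a new redirect domain before it reaches the watchlist.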