We saw over 100 of our customers attempting to access a large number of websites, hosted on a handful of IPs, with domains matching the pattern:
[3-6 random letters][2 digits][3-6 random letters].rr.nu
Given the very, very large number of domains used, the campaign must be using some automated domain generation/registration algorithm.
The pages accessed in the campaign include:
/n.php?h=1&s=mm
/mm.php?d=x1
/nl.php?p=d
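As an added example (not part of the original write-up), here is how the host pattern and redirector paths above can be turned into a detection run over proxy logs. The log format ("client referrer url") and the log lines are constructed for illustration; the tiered reasons are my own choice.

```python
import re
from urllib.parse import urlsplit

# Domain pattern described in the write-up:
# [3-6 random letters][2 digits][3-6 random letters].rr.nu
RR_NU_HOST = re.compile(r"^[a-z]{3,6}[0-9]{2}[a-z]{3,6}\.rr\.nu$", re.IGNORECASE)

# Redirector pages seen in the campaign (from the write-up).
CAMPAIGN_PATHS = {"/n.php", "/mm.php", "/nl.php"}

# Constructed proxy log lines: "client referrer url" ("-" = no referrer).
SAMPLE_LOG = """\
10.0.0.12 http://www.psoftsearch.com/peoplebooks/ http://tank95ersfl.rr.nu/mm.php?d=x1
10.0.0.12 http://tank95ersfl.rr.nu/mm.php?d=x1 http://tank95ersfl.rr.nu/n.php?h=1&s=mm
10.0.0.12 http://tank95ersfl.rr.nu/n.php?h=1&s=mm http://protectcustodianmonitor.info/39f678a0d39279b6/3/
10.0.0.33 - http://www.example.org/index.php
10.0.0.44 - http://legit12site.rr.nu/about.html
10.0.0.55 - http://abc99defg.rr.nu/nl.php?p=d
"""


def classify(url):
    """Return (host_hit, path_hit): does the host match the rr.nu pattern,
    and is the path one of the campaign's redirector pages?"""
    parts = urlsplit(url)
    host_hit = bool(RR_NU_HOST.match(parts.hostname or ""))
    path_hit = parts.path in CAMPAIGN_PATHS
    return host_hit, path_hit


def scan_log(text):
    """Return a list of (client, url, reason) for lines worth alerting on.
    Referrer is checked too, so the hop from the rr.nu redirector to the
    FakeAV landing page is caught even though that host has no pattern."""
    hits = []
    for line in text.splitlines():
        client, referrer, url = line.split()
        host_hit, path_hit = classify(url)
        if host_hit and path_hit:
            hits.append((client, url, "rr.nu DGA host + redirector path"))
        elif host_hit:
            hits.append((client, url, "rr.nu DGA host pattern only"))
        elif RR_NU_HOST.match(urlsplit(referrer).hostname or ""):
            hits.append((client, url, "referred from rr.nu DGA host"))
    return hits
```

The "host pattern only" tier exists because rr.nu also carried unrelated subdomains; pair it with the path check or referrer chain before blocking outright.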
Tracing referrer strings in our logs, here is one live example:
www.psoftsearch.com/peoplebooks/ (infected PeopleSoft search site)
-->
tank95ersfl.rr.nu/mm.php?d=x1
-->
tank95ersfl.rr.nu/n.php?h=1&s=mm
-->
protectcustodianmonitor.info/39f678a0d39279b6/3/
-->
protectcustodianmonitor.info/39f678a0d39279b6/3/setup.exe
FakeAV page that dropped setup.exe:
MD5: 153ae4d1813c6d29a7809a62ff23f84c
VirusTotal reports that only 2/42 A/V vendors detect it (very, very poor detection).
I re-downloaded the malware sample a few seconds later and the MD5 was immediately different.
Also a few seconds later, I re-visited the above site and the embedded link had already changed:
I refreshed the page, and sure enough the embedded link changed again. Aside from the hosting IPs, this appears to be a dynamic FakeAV campaign.
protectcustodianmonitor.info resolves to 64.120.207.106 (HostNOC)
Based on the other domains on this IP, it is one you will want to blacklist: numerous other FakeAV sites are hosted here (see list below).
It looks like the primary hosting IP of the ".rr.nu" redirect changes each day, for example:
194.28.114.103 and 194.28.114.102 were used in an earlier Sucuri post on this.
March 27 it was: 195.88.181.112
March 30 (today) it is: 91.230.147.204
A number of pages on sites have been compromised to drive this campaign. For example:
www.psoftsearch.com
www.sql-plus.com
www.frozencodebase.com
www.megafuentes.com
www.sdamned.com
genaud.net
www.pumpkinpatchdaycare.in
indianmuslims.in
Infected websites have "eval(base64_decode(...));" statements injected into their wp-config.php and other WordPress .php files. That code calls back to a command and control server to retrieve the list of ".rr.nu" sites to include in the pages served.
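As an added example (not from the original write-up), a small scanner for the injection just described: it flags eval(base64_decode('...')) statements in .php files and decodes the payload so a responder can see what was planted. The sample wp-config.php and its payload are constructed here; the placeholder is inert text, not the campaign's real code.

```python
import base64
import re
from pathlib import Path

# Signature for the injection described above: a base64 string passed
# straight to eval(). The capture group is the encoded payload.
EVAL_B64 = re.compile(
    r"eval\s*\(\s*base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)\s*\)\s*;?"
)

# Constructed sample: normal wp-config.php lines with one injected statement.
SAMPLE_PAYLOAD = base64.b64encode(b"/* placeholder: fetch include list from C2 */").decode()
SAMPLE_WP_CONFIG = (
    "<?php\n"
    "define('DB_NAME', 'wordpress');\n"
    f"eval(base64_decode('{SAMPLE_PAYLOAD}'));\n"
    "require_once(ABSPATH . 'wp-settings.php');\n"
)


def find_injections(source):
    """Return [(line_number, decoded_prefix)] for every eval(base64_decode(...))
    hit; the decoded text is truncated to 60 chars for a triage listing."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for m in EVAL_B64.finditer(line):
            try:
                decoded = base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace")
            except ValueError:  # binascii.Error is a ValueError subclass
                decoded = "<undecodable>"
            findings.append((lineno, decoded[:60]))
    return findings


def scan_tree(root):
    """Walk a WordPress install and return {path: findings} for files with hits."""
    report = {}
    for path in Path(root).rglob("*.php"):
        hits = find_injections(path.read_text(errors="replace"))
        if hits:
            report[str(path)] = hits
    return report
```

Clean WordPress core files never contain eval(base64_decode(...)), so any hit in wp-config.php is worth restoring from a known-good copy and rotating the database credentials it holds.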
---
195.88.181.112 hosting information:
inetnum: 195.88.181.0 - 195.88.181.255
netname: INET4YOU
descr: PE Bogaturev Sergey Anatolievich
country: RU
person: Bogaturev Sergey
address: RU, Gornuy Shit, Komsomolskiy str.
phone: +7(495) 324-35-69
route: 195.88.181.0/24
descr: Subnet for servers and VPS
origin: AS57621
mnt-by: INET4YOURU-MNT
route: 195.88.181.0/24
descr: Client_TC_WIFI
origin: AS57189
mnt-by: COMCORNET-MNT
---
91.230.147.204 hosting information:
inetnum: 91.230.147.0 - 91.230.147.255
netname: zuzu-net
descr: OOO "Aldevir Invest"
country: RU
person: Krutko Evgeni Yurevich
address: 192012, St.-Petersburg, Chernova ul., 25, office 12
phone: +7812850202
e-mail: aldevirinvest@lenta.ru
route: 91.230.147.0/24
descr: Route for DC
origin: AS5508
mnt-by: zuzu-mnt
protectcustodianmonitor.info domain information:
Registrant Name:Leah Carandini
Registrant Street1:54 Ridge Road
Registrant City:Cordalba
Registrant State/Province:QLD
Registrant Postal Code:4660
Registrant Country:AU
Registrant Phone:+61.733106403
Registrant Email: gapes@cutemail.org
---
Other related FakeAV sites that resolve / resolved to 64.120.207.106: