Disclaimer: This post is hosted here as a courtesy to the author who prefers to remain anonymous. MDNC was not involved in any way with this study.

Introduction

EITest is one of the longest malicious delivery campaigns that has continued to evolve. In the spring of 2017, it started redirecting Internet Explorer users to tech support scams in addition to the existing redirections with the fake Chrome fonts.

We believe the tech support scam campaign we are describing in this post is one of the most widespread and well organized because it relies on several schemes in addition to EITest, such as traffic redirection using a distributed system infrastructure.

Actors behind this campaign are generating hundreds of domains per day.The only purpose of those domains names is to redirect users to tech support scams or malicious websites.

Highlights

• We were able to redirect a considerable amount of traffic destined to Tech Support Scam websites to a controlled infrastructure for a period of 8 hours. After they fixed the flaw that allowed us to do that, we were able to bypass the new protection in place to take control again of the traffic for another 6 hours.

• We discovered a network of bots controlled by a fraudulent Traffic Monetization company

• We’ve collected a list of 1562+1294 compromised websites responsible for the redirections of users to scams

• The actors are generating over 100 new domains each day to serve TSS via Freenom

The scam

The landing page sometimes changes, but always has the same goal: trying to take control of the browser so the user cannot close it, in hopes that they will panic and call the phone number for assistance.

Tech support scammer (TSS) are sometimes changing the landing page to better abuse the browser. Anyhow, this is what the current landing page looks like.

People that call those numbers will be told how to install a remote control software so the interlocutor can show Windows log events and services to the user, pretending that those are signs of an infected machine. The crooks will then offer a remote reparation service varying from $100 to $600.

Look at different redirection mechanisms

While analyzing the different ways for a user to be redirected to those scam support pages that try to hijack the browsers, we quickly documented multiple different redirection schemes using many different infrastructure. For this reason, we believe that many differents actors are responsible for sending traffic to the redirection network. Let’s begin by describing the most prolific methods of redirections.

EITest Redirection

EITest infected websites have the capability of injecting javascript in page upon loading. We can observe redirections to tech support scam (TSS) websites since 2017. The injection that occurs when the victim’s user-agent is IE, Edge or Firefox, is the following:

This script will, after verifying that it is running in a real browser, set a cookie named “popundr” and redirect the user at a decoy URL, hxxp://checkalldir.bid/index/?MGjJPm in this case. Decoy domains injected resolve to IP 204.155.28.5, in a range belonging to KING-SERVERS (AS 14576). Since 2018-02-26, injected domains were resolving to IP 54.36.180.110 at OVH instead (AS16276). It later changed back to 162.244.35.33, where TSS domains are now pointing.

This EITest campaign is generating ~1 new domain per day (usually with the TLD .bid). Those are easily recognizable by their patterns “/?{6 characters}” in the URL, but the pattern is changing about 4 times per day. The reason they are using a decoy URL and a specific pattern is so they can be routed through their Keitaro TDS (traffic distribution system). In fact, we can browse to the panel of this TDS by accessing it with the IP address at URN /admin:

Routing requests to their TDS before landing on the final destination allows them to have better control of the traffic and manage multiple campaigns. They are also doing more filtering on who will be redirected through this URL. We know that they are verifying at least the user-agent of the requester before allowing any redirection. Here is what will happen when the victims get redirected to one of those domains:

In this case, querying the decoy EITest URL with an user-agent set to “MSIE” was enough for the TDS to send a 302 redirection to the landing page: hxxp://coloured-canvas.tk/?number=800-803-1741

Crypper Redirection

This campaign generates about 165 redirections / hour. Website luyengame.com was responsible for 904 redirections (68%).

For this redirection, we were able to get our hands on the malicious PHP file that is responsible for the generation of the script that redirects users:

The PHP code will start by hiding any errors from the output and get the user-agent and referer of the visitor. Prior to the creation of the javascript that will redirect the user, the code checks that the visitor is not a bot (crawler) and that the visitor is not on a mobile device. If those checks pass, it will fetch the current Tech Support Scam (TSS) domain hxxp://roi777.com/domain.php and append the path “/index/?2661511868997” to it.

Finally, the function “redirectdd” is called with the created URL and the script will output with the latest domain that roi777.com provided:

The script then sets a cookie “1561065164894_CRYPPER” and redirects the user with window.location. Although simple, this script is efficient enough to redirect many visitors.

Biz Redirection

This campaign generates about 1888 redirections / hour. Website myilifestyle.com was responsible for 1199 redirections (8%) and www.fertilitychef.com for 1091 (7%) of the redirections.

This redirection is distinguishable with the added path to the TSS domain: “/index/?2171506271081”.

The script will fetch another script from hxxp://5.45.67.97/1/jquery.js.php and run it, leading to a redirection:

Plugin Redirection

This campaign generates about 184 redirections / hour. Website Archive-s54.info was responsible for 119 redirections (8%).

This campaign has malicious Javascript slightly obfuscated by using the “reverse string” function:

There are a few variants of this script containing different URLs. By applying the reverse string function again on the string containing the malicious URL, we were able to identified all of them:

• hxxp://kodmax.com/wp-content/plugins/twitter-widget-pro/lib/
• hxxp://www.katiatenti.com/wp-content/plugins/sydney-toolbox/inc/
• hxxp://emarketing-immobilier.com/wp-content/plugins/gotmls/safe-load/
• hxxp://stefanialeto.it/wp-content/plugins/flexible-lightbox/css/

Once visited, those PHP files will set a cookie and redirect the user to the TSS landing page with the parameter “/index/?2101505838590” without further verification:

Clearly, those four (4) website redirecting users have been hacked. One of them has the directory listing enabled, allowing us to see that the malicious file has been put there on 2017-11-17. It is probably at this date that this campaign started. Also, as another malware researcher did, we can search for some of the unique constants in the javascript file on Google and find more than 8000 indexed websites that are apparently infected with this script:

Sometimes, the script gets injected multiple times within a page or in a way that it doesn’t work. For example, this website got defaced with the badly injected javascript:

We went one step further when we realized that those malicious PHP files redirecting the users were logging every queries received in a .txt file accessible on the same server. For each redirected user, we had the timestamp of the query, their IP address, referrer and their user-agent. We then downloaded the logs for each of those 4 websites to index them in a database. To consider a request unique, we looked at the hash of: The timestamp of the request + the victim IP + the referer domain name.

This allowed us to determine that more than 7400 unique redirections happened since february 20.

Country of redirected users for the ‘Plugin’ redirection

The campaign is still going on so the numbers are constantly increasing. We also looked at unique domains in the referer field. We spotted ~1294 different domains redirected those users. The ones that redirected the most users are:

• Revista.academiamaestre.es (5678 redirections)
• admission.covenantuniversity.edu.ng (1947 redirections)
• blog.apartmentfinder.com (1844 redirections)
• rockthedirt.com (1566 redirections)

Location For Expert Redirection

Some website are redirecting users to TSS domains with the following path: “/index/?1641501770611”. It is the result of running this malicious javascript:

After deobfuscation, the code becomes readable and we can see the redirection:

The client will query the URL at hxxp://ads.locationforexpert.com/b.php (the filename often changes). The remote script then returns the URL where the user will be redirected.

ContainerRU Redirection

This campaign generates about 335 redirections / hour. Website www.cursosortografia.com was responsible for 158 redirections (6%) and cursosaprende.com for 142 redirections (5%).

This Javascript found was obfuscated by hiding the content of the code in a fake image encoded in base64:

After deobfuscation, we can analyse the code:

The script will verify If the navigator of the user is either Chrome or Firefox. In this scenario, the user is redirected to an URL serving a payload. If the browser is Internet Explorer, the user will be redirected to the following URL: hxxp://div-class-container.ru/index5.php, which will in turn redirect the user with an HTTP 301 to the TSS page with the parameter “/index/?801492446045”:

In all cases, if the domain name of the actual infected website contains “edu”, “gov” or “mil”, the script will not redirect the user. The IP address where this redirecting script is hosted (193.201.227.193) has been linked to unwanted redirects in late 2017.

Doorways redirections

What is a Doorway?

A doorway script is usually an obfuscated PHP script that can trick search engines crawler to perform black hat SEO by modifying the content of a website to specific combination of keywords. However, the one used in this campaign is pretty advanced and allows the owner to basically do whatever he wants with the infected websites, such as injecting content. We discovered that he will often ‘upgrade’ those doorway scripts to PHP backdoors.

We also saw other prolific campaigns for which we don’t have the redirections scripts. For instance, the one generating the largest amount of traffic (URLs are recognizable with “/index/?1051496225880”) has been responsible for 43503 redirections over the 8 hours period (5437 redirections per hour) and represents 40% of the overwall traffic seen:

The websites who redirected users for this largest campaign is mostly archive-s54.info with 18331 redirects, followed by:

• sharesix.com (947 redirections)
• www.gowatchfreemovies.to (919 redirections)
• myilifestyle.com (871 redirections)
• www.primewire.ag (862 redirections)
• Sharerepo.com (856 redirections)
• www.fertilitychef.com (820 redirections)
• Filenuke.com (800 redirections)

We believe that those website have the doorways backdoor installed. Most of them are configured to get to latest TSS URL to : hxxp://fped8.org/doorways/settings_v2.php?clientid=<ID>&ineednewurltoredirect=yes

This website will return the appropriate domain to redirect the user:

Other redirections

By monitoring the backend servers, we discovered that the same infrastructure also serves for other malicious activities.

Chrome plugin

We’ve also observed some redirections chains from malvertising leading to fake chrome extensions. For example, one customer of PopAds, whose account is now banned, was redirecting clients to a TDS system at this URL: hxxp://162.244.35.210/newantikas/?cP65FB. After multiple redirections, the users landed on the website livelifeo.top, which resolved to IPs belonging to the back-end server we were monitoring:

After more digging into domains associated to the same scam, we also found another version of the landing page that tried to trick users to those malicious Chrome extensions:

The back-end server, owned by Roi777 was also responsible for the traffic generated by those malicious Chrome extensions.

We also found a control panel that allowed them to categorize the status of those applications. Fortunately for us, the developer had no idea how to properly protect this panel. The password verification function was implemented in client-side Javascript.

We later found those Chrome extension in the Chrome Store infected and heavily obfuscated. The purpose of them was to randomly redirect the user while browsing. The page where users get redirected can vary from nuisance advertisement to fake software installation page and TSS.

Anyhow, those addons are no longer being pushed and the page is no longer being updated. The actors probably moved to something else.

Pinterest

We also found some links to TSS on Pinterest: jeanclementcom.us has been registered with the email address [email protected], like many other domains name hosted on Roi777 infrastructure.

Android applications

Malicious APKs are also found to be served when browsing to a domain hosted on his infrastructure : fped8.org/mob/antivirus/1/en/index.php

The payload is then downloaded from: fped8.org/mob/antivirus/1/en/downloader.php. Once installed, the application will contact another domain hosted on the same server (hxxp://alija.xyz/panel/).

This APK has the ability to redirect users to fraudulent ads and potentially TSS.

Analysis of the backend traffic

By monitoring differents TDS and back-end server serving those TSS campaigns, we saw a lot of different traffic type linked to differents malicious activities.Not only is this actor involved in the selling of fake software and redirecting to scams, but also in severals webshells and doorways backdoors, allowing him to control a vast network of compromised websites. This section take a look at those differents access methods and how they are leveraged.

Uses of scams domains

We observed TSS domains usually having the TLD .TK changing more than 100 times per day for this campaign. In the last 30 days only, we were able to log 2912 of those domains. Here is the most common IPs where they are pointing:

• 999 of them (35%) are resolving to 204.155.28.5 (King Servers)
• 878 of them (30%) are resolving to 185.159.83.47 (King Servers)
• 162 of them (5%) are resolving to 54.36.151.52 (OVH)

PHP Backdoor

We discovered that many “bots” were reporting to the back-end server belonging to Roi777. In fact we account for a total of 1562 infected websites reporting to his server. There are two types of backdoors that report to the infrastructure we monitored.

The first one being Doorways.We counted 386 differents website constantly asking the server for content to inject.

For the other type of backdoor, we observed 1176 differents domains infected reporting to the server, also asking for content to inject. Here is some stats about the CMS they used:

• WordPress : 211
• OpenCart: 41
• Joomla: 19
• Magento: 1
• Unknown: 904

This backdoor is described in the next section.

Doorways to PHP backdoor

The Doorways have the capability to fetch for instruction and code to execute. We noticed that many of them were querying fped8.org/doorways/settings_v2.php. This URL, when queried with the good parameters, returns code to execute. This allowed us to saw how they can deploy PHP shell through their Doorways:

The content returned contains the backdoor encoded in base64, rot13 and base64 again. After de-obfuscation, we got this code:

The first part of this malicious PHP script will query hxxp://kost8med.org/get.php with the user-agent of the current visitor requesting the page and it’s IP address. If a content is returned, it will be outputted in the content of the page. That said, the owner of the backdoor can inject any code they want into the page. Again, kost8med.org is resolving to 162.244.35.30 which is an IP address belonging to Roi777.

The second part of the script contains a backdoor function executing every request received in the “c” field of the POST parameter of the request if the parameter “p” is also set with the correct password.

The password validation is done in a strange way. The received parameter “p” will be hashed twice before being compared to the hardcoded MD5 hash. However both the idea and the implementation is deficient here, because hashing twice is not more secure in this situation and the comparison is done with “==” instead of “===” (strict comparison), plus the fact that MD5 is no longer considered secure.

It took less than 30 mins to crack the actual password allowing the control of those backdoors. We must say that the speciality of those guys is clearly not security, but rather the opposite.

On a Wordpress installation, this backdoor is usually found in those files:

• wp-config.php
• index.php
• wp-blog-header.php
• Footer.php

We also found what looks like the administrator panel on the same server that they are reporting to:

Other backdoors

Many of the websites that were infected by the original backdoor we were investigating on were also infected with other PHP malicious scripts. However, we don’t think those other scripts were linked to this campaign.

Infection vector (plugin that is hacked, infected path)

It is hard to know for sure how those CMS has been infected. One thing we did notice on lot of them is that the malicious code was in the file footer.php of a WordPress plugins named Genesis. It turns out that this plugin was known to be vulnerable against Arbitrary File Upload in late 2016. However a lot of them have been exploited by other means, such as with other vulnerable plugins and passwords stealings / brute forcing.

Redirecting the traffic flow (or dethroning the king)

By looking at requests sent to the back-end servers, we noticed curious GET requests among a the traffic. The GET requests in question were formatted like the following : hxxps://wowbelieves.us/tech_supportv2.php?update_domain=<Tech support Scam domain>

The update_domain parameter immediately drew our attention, so we tried to do a query to the same PHP file with a domain under our control as the value of this parameter. Immediately, our server started receiving traffic.

So apparently, calls to this PHP file change to current domain published for TSS that the backdoors are relying on to redirect the users. In fact, we were able to change the domain returned by roi777.com/domain.php, where multiple backdoors are fetching the current TSS domain. As said before, those domains are changing more than 100 times a day, and we observed that they have a script calling /tech_supportv2.php frequently so users can be redirected to the latest domain. That said, when we changed the TSS domain to point to a domain under our control, it took only few minutes before their script updated it with the real TSS, overwriting ours at the same time. To keep the traffic going to our server, we then had to query multiple time per minute this webpage, and it sure worked.

After the initial 8 hours in which we had control of most of the traffic, they updated tech_supportv2.php and their script calling it so that the parameters expect were now the domain name to update, plus a key: hxxps://wowbelieves.us/tech_supportv2.php?update_domain=<Tech support Scam domain>&key=<Hash MD5>

To fix the aberrant lack of security in their mechanism to update the current TSS domains, they added this key to the parameters so our previous requests weren’t working anymore.

What is this ‘key’ parameter ?

The key parameter was 32 characters long, so we immediately thought of an MD5 hash. We tried to hash the current domain to see if it was matching, but no luck. We also noticed that the ‘key’ value (or hash) was different for each TSS domain they were updating and we were able replay them without problem. Given this information, it looked like it they were probably using some sort of salting with the domain name before hashing it.

Knowing a part of the hashed value (the domain name), and giving their expertise in cryptography, we started a mask attack locally with hashcat. It took us less than 10 seconds to reveal the salt used. The MD5 hash was the result of the domain name concatenated to the string: “ropl”. This allowed us to take the control back (on and off) of the traffic for another 7 hours. However, the stats used above for webshells and redirections are only based on the first 8 hours of collection.

Note that we didn’t take advantage of the redirected traffic, we instead logged every request made and temporarily neutralized the campaigns by avoiding any redirections to malicious websites.

The first time we redirected the traffic, we collected more than 108700 requests (8 hours period). The second attempt to redirect the traffic allowed us to log more than 55000 requests (6 hours).

By combining both data sets, we did some statistics:

Every request made by IP 89.108.105.13 (Russia) was excluded from the graph because it generated by itself 48256 requests to /index/api.php and we believe that this traffic is generated by one of their server that control doorways on their infrastructure.

Here are the top 15 most seen websites in the referer field (probably infected websites):

Here are the most seen user-agents in those requests:

It’s interesting to note that a lot of requests were coming from Kodi (Open Source Home Theater Software), followed by Internet Explorer browser.

Link to Roi777

Considering the variety of coding styles, providers, IPs used and infected websites, we believe that many actors are involved in the traffic redirection. However, it is clear that the one known as roi777 has a central role in this whole scheme. As advertised on his website, he’s buying any type of traffic after all.

How does all of that links to Roi777 ?

Redirections chains explained above will not always redirect users to TSS. In fact, they are often filtering clients base on GeoIP and user-agent. When the traffic is unwanted for TSS, the redirection chain will often lead to : hxxp://balans.shahterworld.org.

The parameters passed to those requests is another indication that this campaign is lead by roi777:
hxxp://balans.shahterworld.org/?utm_medium=4c23b9fecf7dfd895dfe0da99e857f3bee8e9d42&utm_campaign=roi777_cloack

Also, almost all of the redirections scripts are either pointing directly to roi777.com/domain.php to fetch the latest domain or they are reporting to this same backend server, waiting for instruction.

We found an interesting discussion that happened on 06-01-2018 on this Russian forum[^1] involving the owner of the company Roi777 (using the nickname bagussusu) and another actor (azuluk) providing him backdoors, doorways and other elements mean to increase the number of redirected users. You can read the translated conversation here. In summary, we can learn that :

• They were involved in the traffic generated by some Chrome Extension
• They are using Quiwi / WebMoney financial services to transfer money.
• Their main offer is currently Tech Support Scam.
• Bagussusu is accepting a minimum trade of 1000 webshells and can convert them to Doorways
• Azuluk had 30GB of mail accounts+passwords ready to sell. 5 millions of those were corporate accounts
• Bagussusu is also using SPAM to increase the traffic.
• Bagussusu have some employees working for him (developers).
• The return on investment is apparently better in France (people get scammed easier).
• Azuluk is using JakoDorgen to create Doorways.

• Bagussusu recommands to fetch the latest TSS domain to his website with this PHP code:

  $domain = file_get_contents('http://roi777.com/domain.php');

• They also provide other interesting details such as the IP of the TDS

Who is this “Roi777” ?

Being a young adult living in Russia, you can also find him using the following identities:

• https://t.me/roi777Eng
• Tipatop
• ICQ #: 660-349-155
• ICQ #: 380-046-929
• Skype: live: compiknews
• Jabber: [email protected]
• Telegram: @roi777Ru
• [email protected]
• SocMaster

This non-exhaustive list is some of the most common pseudonyms he uses online. He operates a company that does “Traffic Monetization”. We now know how this traffic is brought back to his network (by illegals means) and what it is for (fraud).

Roi777 Website

His official website advertises some Success stories !

Success stories include traffic generated by Doorways

And there’s also a Keitaro TDS installed directly on /tds/:

IOCs:

Most of the domains for domains used for scams are being resolved by ns1.rakamakao.org and ns2.rakamakao.org (195.245.113.186 & 195.245.113.187). The PowerAdmin administration tool they are using is accessible on the same servers:

Also, AS14576 Bullet proof hoster: King Servers doesn’t seems to host any legitimate services except of cyber-crime on their infrastructure.

Conclusion

By distributing fake applications, using underground malware distribution campaigns, and leveraging malvertisements, the actors behind the company Roi777 are trying to get as much traffic as they can, by any means possible. They are well active and always willing to get more traffic redirected to their scams so they can increase their income.

The EITest campaign, in part responsible for the TSS redirections, is still active even if it is one of the oldest campaign running and the backend servers IP have previous been revealed.

[^1]https[://forum.exploit[.in/index.php?act=ST&f=75&t=134802&st=0)

The CVE-2018-4878 is a bug that allows remote code execution in Flash Player up to 28.0.0.137, spotted in the wild as a 0day, announced by the South-Korean CERT on the 31st of January. Patched on February 6, 2018 with ASPB18-03. Seen in malspam campaign two weeks after, it’s now beeing integrated in Exploit Kits.

This is, as far as i know, the first new working RCE integrated in non targeted Exploit Kit¹ since CVE-2016-0189 in july 2016 (!).

GreenFlash Sundown:

Spotted on the 2018-03-09 (but probably there since several days)

GreenFlash is a private heavily modified version of Sundown EK spotted in october 2016 by Trendmicro. It’s beeing exclusively used by the “WordsJS” (aka “ShadowGate”) group. This group is getting traffic from crompromised OpenRevive/OpenX advertising server since at least may 2015.

Some references about the activities of this group:

Files: Fiddler on VT - Pcap on VT (note: some https proxies were used)
IOCs: MISP Json

If you saw this kind of traffic in your perimeter/telemetry, i’d be happy to get more referer

Edits:

• 2018-03-10 - 15:40 GMT - Removed mention of steganography. @smogoreli: “simple offset in the dat file”
  

Acknowledgement:

• Thanks to Genwei Jiang (FireEye) for the CVE identification.
• Thanks to Joseph Chen for inputs allowing the capture of a fresh pass of GreenFlash Sundown.
• Thanks to @GelosSnake & @baberpervez2 for the ping on suspicious activity that could be associated to “WordsJS” (aka “ShadowGate”) and triggered those checks.
  

Magnitude:

Spotted on the 2018-04-01

Magnitude is using the WSH injection described by Matt Nelson in August 2017.

Payload is the Magniber Ransomware, first spotted in the wild in october 2017, in a context documented by Trendmicro.

Select OSINT about this infection chain:

Files: Fiddler on VT - Pcap on VT (note: some https proxies were used)
IOCs: MISP Json (note: all those are changing almost hourly)

RIG:

Spotted on the 2018-04-09

Replying to a customer complaining yesterday (2018-04-08) about the lack of CVE-2018-4878, “TakeThat” wrote early this morning (2018-04-09):

Чистки выполняются вовремя
Конечно мы добавили флеш CVE-2018-4878 он доступен на подписке от недели

Translated by google as:

Cleaning is done on time
Of course, we added the flash CVE-2018-4878 it is available on subscription from the week

And indeed today as spotted by @nao_sec:

Fallout:

Spotted on 2018-06-28, most probably there since 2018-06-16

Despite seeing code pointing to it, we did not saw it properly called in traffic.

Edits:

• 2018-04-10 - 10:05 GMT - Modified to reflect payload id: Urausy. Not seen since 2015-06-09
  

Acknowledgement:

• Thanks to Kimberly for the payload identification.

The CVE-2018-8174 is a bug that allows remote code execution in the VBScript Engine. Found exploited in the wild as a 0day via Word documents, announced by Qihoo360 on April 20, 2018, patched by Microsoft on May 8, 2018 and explained in details by Kaspersky the day after.

A Proof of Concept for Internet Explorer 11 on Windows 7 has been shared publicly 3 days ago, it’s now beeing integrated in Browser Exploit Kits.

This will replace CVE-2016-0189 from july 2016 and might shake the Drive-By landscape for the coming months.

RIG:

Spotted on the 2018-05-25

“TakeThat” wrote yesterday (2018-05-24) that he has integrated it and that infection rate has increased:

Добавлен CVE-2018-8174
Add CVE-2018-8174
Пробив/rate +
[redacted]@exploit.im
[redacted]@xmpp.jp

And indeed today:

Files: PCAP on VT

Acknowledgement:

• Thanks to William Metcalf and Frank Ruiz (FoxIT InTELL) for their help.

Magnitude:

Spotted on the 2018-06-02

After a week without buying traffic, Magnitude is active again, now with CVE-2018-8174:

Note: Magniber is back (after 1 month and half of GandCrab) in this infection chain and is now (as GandCrab) also accepting Dash cryptocurrency as payment

Files: Fiddler on VT (note: some proxy were used)

GrandSoft:

Spotted by Joseph Chen on 2018-06-14

Files: Fiddler on VT - Pcap on VT

Acknowledgement:

• Thanks to Joseph Chen who spotted the new exploit and allowed the capture of this traffic.

Edits:

• 2018-06-19 - Added the name for the Loader
  

Fallout:

Spotted on 2018-06-30, most probably there since 2018-06-16

Files: Fiddler on VT - Pcap on VT

Acknowledgement:

• Thanks to Nao_Sec for the initial referer. Thanks to Joseph Chen for additionnal inputs

Kaixin EK:

Spotted by JayK on 2018-07-12

Files: Fiddler on VT - Pcap on VT

Hunter EK:

Files: Fiddler on VT

Acknowledgement:

• Thanks to Frank Ruiz (FoxIT InTELL) for allowing this capture.

Greenflash Sundown:

Spotted by Chaoying Liu on 2018-09-05

Acknowledgement:

• Thanks to Chaoying Liu for the CVE identification.

Read More:
The King is dead. Long live the King! - 2018-05-09 - SecureList
Analysis of CVE-2018-8174 VBScript 0day - 2018-05-09 - Qihoo360

Post publication reading:
Rig Exploit Kit Now Using CVE-2018-8174 to Deliver Monero Miner - 2018-05-31 - Trend Micro
Delving deep into VBScript - Analysis of CVE-2018-8174 exploitation - 2018-07-03 - SecureList
Hello “Fallout Exploit Kit” - 2018-09-01 - Nao_Sec

The CVE-2018-15982 is a bug that allows remote code execution in Flash Player up to 31.0.0.153, spotted in the wild as a 0day. Patched on December 05, 2018 with APSB18-42.

Underminer:

Underminer exploit kit improves in its latest iteration - 2018-12-21 - Malwarebytes

Fallout:

2019-01-16

Files: Fiddler on VT - Pcap on VT

Associated Advert underground:

Итак! Тяжкие работы по восстановлению всей инфраструктуры связки закончены, были проведены тесты и в данный момент связка работает в полном объеме. Также были произведены множество правок и изменений.

Изменения:

1. Увеличена производительность
2. Полностью переработан механизм обфускации кода и генерации лэндинга.
3. Убран CVE-2018-8373 на переработку. В данный момент сплоит ведет себя не стабильно.
4. Добавлен новый флеш сплоит CVE-2018-15982.
5. Для запуска повершелл в шеллкод добавлен код отключения AMSI
6. Кучка мелких правок

ИЗМЕНЕНА ЦЕНОВАЯ ПОЛИТИКА Неделя 400$ Месяц 1300$

В данный момент при проверке отстука софта со связки было выявлено:

1. Отстук EXE на уровне 80-90%
2. Отстук PowerShell на уровне 95-100%

Translated by google as:

So! The hard work on the restoration of the entire infrastructure of the bundle was completed, tests were carried out and at the moment the bundle is working in full. There have also been many edits and changes.

Changes:

1. Increased performance
2. The code obfuscation and landing generation mechanism has been completely redesigned.
3. Removed CVE-2018-8373 for recycling. At the moment, the flow rate is not stable.
4. Added new flash sploit CVE-2018-15982.
5. To launch Powershell, the disable code AMSI is added to the shellcode
6. A bunch of minor edits

CHANGED PRICE POLICY Week 400 $ Month $ 1300

At the moment, when checking the otstuk software from the bundle, it was revealed:

1. Otstuk EXE level 80-90%
2. Otstuk PowerShell at the level of 95-100%

Spelevo:

2019-03-06 Appears to be a new Exploit Kit which has some similarities with “SPL EK”. (CVE-2018-8174 has been spotted there as well)

Acknowledgement:

Thanks to Chaoying Liu for CVE confirmation.

Files: Fiddler on VT - Pcap on VT (note: Some proxy were used)

GreenFlash Sundown:

19.03.26 #Malvertising -> #GreenFlashSundown EK-> #SeonRansomware ver 0.2 & #pony & #miner using CVE-2018-15982 - 2019-04-05 - @vigilantbeluga

Shadowgate Returns to Worldwide Operations With Evolved Greenflash Sundown Exploit Kit - 2019-06-27 - Trendmicro

Read More:

Adobe Flash Zero-Day Exploited In the Wild - 2018-12-05 - Gigamon

Underminer exploit kit improves in its latest iteration - 2018-12-21 - Malwarebytes

This is the last post/activity you’ll see on MDNC.

I have now chosen to bring the MDNC (Blog/Kafeine/MISP) project to an end.
Thanks to those who helped me during this incredible 8 years journey.

The blog and twitter account will stay up (but inactive) for the records.
The MDNC MISP instance will be shut down in several weeks.

‘Choose again.’ said Aenea. ‘Dan Simmons, The Rise of Endymion‘

That’s all Folks!