By: ThreatLabz

On-Going Dynamic FakeAV Campaign

Malware

Looking back on traffic from this week, I noticed a large spike in the number of companies accessing free TLD / Dynamic DNS related sites.  Digging deeper it appears that a malware campaign tied to massive WordPress compromises was the culprit.  This is a very widespread malware campaign that remains live / on-going and is currently redirecting to FakeAV websites.  The campaign is making use of auto-domain generation and auto-updating of infected sites to change the embedded link with every visit.  Some major infected sites that remain live include: psoftsearch.com and sql-plus.com (careful if you visit these sites as they are currently infected).  We are in the process of reaching out to victim sites and assisting with handling the incident.  Here are the initial details:

There were over 100 of our customers attempting to access a large number of websites on a handful of IPs with domains matching the pattern:
[3-6 random letters][2 digits][3-6 random letters].rr.nu
Given the very, very large number of domains used, this has to be some auto-domain generation/registration algorithm used in this campaign.

The pages accessed in the campaign includes:
/n.php?h=1&s=mm
/mm.php?d=x1
/nl.php?p=d

Tracing referrer strings in our logs, here is one live example:
www.psoftsearch.com/peoplebooks/  (infected PeopleSoft search site)
-->
tank95ersfl.rr.nu/mm.php?d=x1
-->
tank95ersfl.rr.nu/n.php?h=1&s=mm
-->
protectcustodianmonitor.info/39f678a0d39279b6/3/
-->
protectcustodianmonitor.info/39f678a0d39279b6/3/setup.exe

FakeAV page that dropped setup.exe:
MD5: 153ae4d1813c6d29a7809a62ff23f84c
VirusTotal reports 2/42 A/V vendors detect (very, very poor detection)

I re-downloaded the malware sample a few seconds later and the MD5 was immediately different.
Also a few seconds later, I re-visited the above site and the embedded link had already changed:
I refreshed the page, and sure enough the embedded link changed again.  Aside from the hosting IPs, this appears to be a dynamic FakeAV campaign.

protectcustodianmonitor.info resolves to 64.120.207.106 (HostNOC)
Based on other domains on this IP, this will be an IP that you'll want to blacklist - there are numerous other FakeAV sites hosted here (see list below).

It looks like the primary hosting IP of the ".rr.nu" redirect changes each day, for example:
194.28.114.103 and 194.28.114.102 used in an earlier Sucuri post on this.
March 27 it was: 195.88.181.112
March 30 (today) it is: 91.230.147.204

A number of pages on sites have been compromised to drive this campaign.  For example:
www.psoftsearch.com
www.sql-plus.com
www.frozencodebase.com
www.megafuentes.com
www.sdamned.com
genaud.net
www.pumpkinpatchdaycare.in
indianmuslims.in

Infected websites have injected "eval(base64_decode(...));" statements in their wp-config.php and other WordPress .php files to communicate back to a command and control to retrieve a list of websites to inject these ".rr.nu" site inclusions into pages.

---

195.88.181.112 hosting information:

inetnum:  195.88.181.0 - 195.88.181.255
netname:  INET4YOU
descr:       PE Bogaturev Sergey Anatolievich
country:    RU

person:          Bogaturev Sergey
address:         RU, Gornuy Shit, Komsomolskiy str.
phone:           +7(495) 324-35-69

route:           195.88.181.0/24
descr:           Subnet for servers and VPS
origin:          AS57621
mnt-by:          INET4YOURU-MNT

route:           195.88.181.0/24
descr:           Client_TC_WIFI
origin:          AS57189
mnt-by:          COMCORNET-MNT

---

91.230.147.204 hosting information:

inetnum:         91.230.147.0 - 91.230.147.255
netname:         zuzu-net
descr:           OOO "Aldevir Invest"
country:         RU

person:          Krutko Evgeni Yurevich
address:         192012, St.-Petersburg, Chernova ul., 25, office 12
phone:           +7812850202
e-mail:          aldevirinvest@lenta.ru

route:           91.230.147.0/24
descr:           Route for DC
origin:          AS5508
mnt-by:          zuzu-mnt

---

protectcustodianmonitor.info domain information:

Registrant Name:Leah  Carandini
Registrant Street1:54 Ridge Road
Registrant City:Cordalba
Registrant State/Province:QLD
Registrant Postal Code:4660
Registrant Country:AU
Registrant Phone:+61.733106403
Registrant Phone: gapes@cutemail.org

---

Other related FakeAV sites that resolve / resolved to 64.120.207.106:

agentcleanerrescue.info
agentkeeprisks.info
agentonlineinspector.info
areon-linescan.info
avdefendqueerprocess.info
cleanavcenter.info
cleanerspywaresecurity.info
cleanprotectionspyware.info
computerinformationthreat.info
controlpcon-line.info
controlsafetystability.info
datasaverprotect.info
debuggerrisksfirewall.info
debugscannerhazard.info
debugvulnerabilityfirewall.info
defenderoptimizermonitor.info
defendtasksspyware.info
delivererdangerkeep.info
delivereron-linepc.info
delivererpreventionthreat.info
delivererworms.info
detectdeliverertrojans.info
detectionprotection.info
efficiencyprotectordefender.info
guarantorthreatcenter.info
guarantorwarderdata.info
highcleantasks.info
inspectionprotectprotection.info
keepcenteron-line.info
keeperdetectormonitor.info
lowhighworry.info
lowwormstesting.info
microsoftdatacenter.info
optimizerscanningpc.info
perilsthreatworry.info
preventiondebuggercenter.info
protectcustodianmonitor.info
protectionvulnerabilityantivirus.info
protectorsolutionav.info
protectsecurityanalysis.info
protectwarderav.info
queerprocesscentersolution.info
queerprocessdetectionon-line.info
queerprocesshazardmonitor.info
reliabilitydefenderon-line.info
remedyscannerprevention.info
risksbrittlenesssafety.info
scannerfirewallrescue.info
scansupervisionprotection.info
securityavdebugger.info
solverqueerprocessinformation.info
solverremedylow.info
spywareantivirusworry.info
stabilitydatadetection.info
systemminimizeranalysis.info
taskssafetyremedy.info
testersolutionperils.info
warderdetectionkeeper.info
warderinspectionantivirus.info
warderrescuescan.info
windowsservantdefend.info
windowssolutionprotect.info
wormsdefenderagent.info
wormsminimizerdanger.info
wreckminimizerprotection.info

Learn more about Zscaler.