Looking back on traffic from this week, I noticed a large spike in the number of companies accessing free TLD / Dynamic DNS related sites. Digging deeper it appears that a malware campaign tied to massive WordPress compromises
was the culprit. This is a very widespread malware campaign that remains live / on-going and is currently redirecting to FakeAV websites. The campaign is making use of auto-domain generation and auto-updating of infected sites to change the embedded link with every visit. Some major infected sites that remain live include: psoftsearch.com and sql-plus.com (careful if you visit these sites as they are currently infected). We are in the process of reaching out to victim sites and assisting with handling the incident. Here are the initial details:
There were over 100 of our customers attempting to access a large number of websites on a handful of IPs with domains matching the pattern:
[3-6 random letters][2 digits][3-6 random letters].rr.nu
Given the very, very large number of domains used, this has to be some auto-domain generation/registration algorithm used in this campaign.
The pages accessed in the campaign includes:
Tracing referrer strings in our logs, here is one live example:
www.psoftsearch.com/peoplebooks/ (infected PeopleSoft search site)
FakeAV page that dropped setup.exe:
2/42 A/V vendors detect (very, very poor detection)
I re-downloaded the malware sample a few seconds later and the MD5 was immediately different.
Also a few seconds later, I re-visited the above site and the embedded link had already changed:
I refreshed the page, and sure enough the embedded link changed again. Aside from the hosting IPs, this appears to be a dynamic FakeAV campaign.
protectcustodianmonitor.info resolves to 18.104.22.168 (HostNOC)
Based on other domains on this IP, this will be an IP that you'll want to blacklist - there are numerous other FakeAV sites hosted here (see list below).
It looks like the primary hosting IP of the ".rr.nu" redirect changes each day, for example:
22.214.171.124 and 126.96.36.199 used in an earlier Sucuri post
March 27 it was: 188.8.131.52
March 30 (today) it is: 184.108.40.206
A number of pages on sites have been compromised to drive this campaign. For example:
Infected websites have injected "eval(base64_decode(...));" statements in their wp-config.php and other WordPress .php files to communicate back to a command and control to retrieve a list of websites to inject these ".rr.nu" site inclusions into pages.
220.127.116.11 hosting information:
inetnum: 18.104.22.168 - 22.214.171.124
descr: PE Bogaturev Sergey Anatolievich
person: Bogaturev Sergey
address: RU, Gornuy Shit, Komsomolskiy str.
phone: +7(495) 324-35-69
descr: Subnet for servers and VPS
126.96.36.199 hosting information:
inetnum: 188.8.131.52 - 184.108.40.206
descr: OOO "Aldevir Invest"
person: Krutko Evgeni Yurevich
address: 192012, St.-Petersburg, Chernova ul., 25, office 12
descr: Route for DC
protectcustodianmonitor.info domain information:
Registrant Name:Leah Carandini
Registrant Street1:54 Ridge Road
Registrant Postal Code:4660
Registrant Phone: email@example.com
Other related FakeAV sites that resolve / resolved to 220.127.116.11: