Zscaler Data Protection Recognized as a 2023 Product of the Year by CRN

Zscaler Blog

Get the latest Zscaler blog updates in your inbox

Security Research

Analysis Of Recent "Trojan Tacorti" Malware Run

August 04, 2010 - 3 min read

The past few weeks I noticed a handful of "free access" / "open for free access" malware binary executables. There was some information in the open source about this, but not much piecing the entire picture together - in fact, it appears that there could be a linkage to the Koobface gang for this. Read on for more details...

Of late the binaries have mostly been named "Open.Me.For.free.Access1.1.exe"
For example, (all live at the moment, not blocked through Google SafeBrowsing)

  • fu0ckpisingebonun.com/Open.Me.For.free.Access1.1.exe
  • g1rlyuoung.com/Open.Me.For.free.Access1.1.exe
  • 1000sweeties.com/Open.Me.For.free.Access1.1.exe
  • www.baabbeesss.com/Open.Me.For.free.Access1.1.exe
  • 69poses4u.com/Open.Me.For.free.Access1.1.exe

ImageThere have been a number of other domains registered for this campaign. All sites lure the victims through porn, and are advertised via web and email spam. Clicking on any of the links in the page entices the user to download the binary. Fortunately, the binary remains static in each run. In this particular example the binary has ok A/V detection, V/T results 27/42, MD5: 76553a8e67d22c40fabd52cb57d30ea4

The malware uses a browser helper object (BHO) to automatically access and inject content into the victims browser. The malware accesses and injects content into the victim's browser from adult site affiliates, for example, streamray.com and cams.com.

In a previous blog post, I mention the Partnerka (Russian slang for the affiliate networks). These affiliate programs provide a revenue stream for spammers, SEOers, and malware authors alike based on pay-per-etc.,etc. (traffic volumes, clicks, purchases, installs, credential / sign-up). In other words, the malware from this post is being used to monetize adult site affiliate programs such as the Cams / Streamray affiliate.

Variants of the malware from this post have been classified as "Trojan Tacorti" by some vendors. Here is an example of a ThreatExpert report from a previous Tacorti run -- the possible country of origin from the artifact is identified as Russia.

The resolving IP for the above Tacorti domains is: with nameservers on the same IP block:
Name Server : NS1.CUM4ME.TV (
Name Server : NS2.CUM4ME.TV (

All of the Tacorti domains were registered through:
With private whois info, contact to unmask:
[email protected]

The nameserver domain was registered through:
With private whois info through Domain Discreet
(I sent notification to the appropriate parties for the nameserver domain)

IP Info: 86400 IN PTR bzq-219-250-70.static.bezeqint.net. 86400 IN PTR bzq-219-250-67.static.bezeqint.net.

inetnum: -

person: Zehavit Vigder
address: bezeq-international
address: 40 hashacham
address: petach tikva 49170 Israel
phone: +972 1 800800110
fax-no: +972 3 9203033
e-mail: [email protected]

origin: AS8551

AS8551 is shown to be a fairly "dirty" AS, with a history of hosting Koobface malware, see malwareurl.com report. There is no conclusive evidence at present to link the Trojan Tacorti runs to the Koobface gang, but the modus operandi (MO) is similar to this gang (monetizing affiliate networks through malware infections ... and they have a history of porn / web cam / video as the social engineering lure for victims).


form submtited
Thank you for reading

Was this post useful?

Explore more Zscaler blogs

A cyber criminal shopping for malware
Agniane Stealer: Dark Web’s Crypto Threat
Read Post
Business people walking through a city
The Impact of the SEC’s New Cybersecurity Policies
Read Post
Digital cloud illuminated in blue
Security Advisory: Remote Code Execution Vulnerability (CVE-2023-3519)
Read Post
The TOITOIN Trojan: Analyzing a New Multi-Stage Attack Targeting LATAM Region
Read Post
01 / 02
dots pattern

Get the latest Zscaler blog updates in your inbox

By submitting the form, you are agreeing to our privacy policy.