
ATECH-SAGADE Badness - Malicious .IN Campaign

July 15, 2010 - 3 min read

I'm working on generating our Q2 2010 Stats and Trends report, and I noticed a large amount of blocked exploit kit activity from domains registered under the .IN TLD. These were not hacked sites but domains registered for the explicit purpose of supporting a criminal enterprise. This activity is ongoing. As this post will show, the campaign leverages exploit kits to exploit known vulnerabilities in client applications and installs various payloads, including various wares installed to monetize pay-per-installs.

A large number of the malicious domains have been hosted on: -

These IPs belong to the owned by ATECH-SAGADE:
Other ATECH-SAGADE netblocks have been described as "evil" in blog posts from earlier this month:

"Evil network: Sagade Ltd / ATECH-SAGADE" -- Dynamoo

"Basically, – is completely evil and has no legitimate use as far as I can see." -- ComputerSecurityArticles

"Exploits, Malware, and Scareware Courtesy of AS6851, BKCNET, Sagade Ltd." -- ComputerSecurityArticles

There have also been a number of recent malicious sites related to this .IN campaign seen on the ATECH-SAGADE netblock, for example:
which currently resolve to, .15, and .16.

Here is a snippet of what we've seen and blocked related to this ongoing .IN campaign:

Other open-source research shows several of these sites still live on this /24, for example:

Here is an example of the WHOIS for one of the malicious .IN domains:
The registrant information is Russian-based, and the domain is self-resolving: the name servers currently resolve to and respectively, on the same ATECH-SAGADE netblock.
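As an added illustration that is not part of the original post, the following Python triage heuristic flags domains showing the pattern described above: a .IN domain whose A record and name servers all sit in a watched netblock, with name servers that are subdomains of the zone they serve. All IPs, netblocks and domain names below are constructed placeholders (RFC 5737 documentation ranges); the post's actual indicators are not reproduced.

```python
import ipaddress
from dataclasses import dataclass

# Constructed watch list: stands in for the ATECH-SAGADE /24s the post describes.
WATCHED_NETBLOCKS = [ipaddress.ip_network("192.0.2.0/24"),
                     ipaddress.ip_network("198.51.100.0/24")]


@dataclass
class DomainRecord:
    name: str          # registered domain, e.g. from a WHOIS record
    a_records: list    # resolved A records for the domain (assumed lookup result)
    ns_hosts: dict     # name server hostname -> its resolved IP (assumed lookup result)


def in_watched_block(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in WATCHED_NETBLOCKS)


def is_self_resolving(rec: DomainRecord) -> bool:
    """Name servers are subdomains of the zone they serve (the 'self-resolving'
    pattern noted in the .IN WHOIS)."""
    zone = "." + rec.name.lower().rstrip(".")
    return any(ns.lower().rstrip(".").endswith(zone) for ns in rec.ns_hosts)


def same_slash24(rec: DomainRecord) -> bool:
    """True when the domain's A records and all name server IPs share one /24."""
    ips = list(rec.a_records) + list(rec.ns_hosts.values())
    nets = {ipaddress.ip_network(f"{ip}/24", strict=False) for ip in ips}
    return len(nets) == 1


def triage(rec: DomainRecord) -> list:
    """Return the list of heuristic hits for one domain record (empty = clean)."""
    reasons = []
    if rec.name.lower().rstrip(".").endswith(".in"):
        reasons.append("in-tld")
    if any(in_watched_block(ip) for ip in rec.a_records):
        reasons.append("hosted-in-watched-block")
    if any(in_watched_block(ip) for ip in rec.ns_hosts.values()):
        reasons.append("ns-in-watched-block")
    if is_self_resolving(rec):
        reasons.append("self-resolving-ns")
        if same_slash24(rec):
            reasons.append("ns-same-slash24-as-host")
    return reasons


# Constructed sample records: one mimicking the campaign pattern, one benign.
SAMPLES = [
    DomainRecord("example-bad.in", ["192.0.2.14"],
                 {"ns1.example-bad.in": "192.0.2.15", "ns2.example-bad.in": "192.0.2.16"}),
    DomainRecord("example.org", ["203.0.113.7"],
                 {"ns1.example-dns.net": "203.0.113.53", "ns2.example-dns.net": "203.0.113.54"}),
]
```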

Here is a small snippet from the exploit kit hosted on the .IN domains:
I believe this is from the SUTRA exploit pack. In any case, here is an example of an earlier Wepawet report from analyzing one of these .IN sites:
The exploits detected in the report are CVE-2009-0927 and CVE-2007-5659.
And the ActiveX controls:

While many of the payloads include Trojan Downloaders and FakeAV, there have been some other wares installed via this campaign. VirusTotal has shown that some of the payloads dropped by the kit are undetectable via anti-virus:

The sigcheck on the artifact shows it as System Explorer by the Mister Group:
Secunia has a brief advisory posted on the Mister Group and their System Explorer here.

The Mister Group has a few pages set up for their System Explorer:

From the above, it seems that this campaign is largely driven by pay-per-install profit.
