Looking back on traffic from this week, I noticed a large spike in the number of companies accessing free TLD / Dynamic DNS related sites. Digging deeper, it appears that a malware campaign tied to massive WordPress compromises was the culprit. This is a very widespread malware campaign that remains live / on-going and is currently redirecting to FakeAV websites. The campaign is making use of auto-domain generation and auto-updating of infected sites to change the embedded link with every visit. Some major infected sites that remain live include: psoftsearch.com and sql-plus.com (careful if you visit these sites as they are currently infected). We are in the process of reaching out to victim sites and assisting with handling the incident. Here are the initial details:
There were over 100 of our customers attempting to access a large number of websites on a handful of IPs with domains matching the pattern:
[3-6 random letters][2 digits][3-6 random letters].rr.nu
Given the very, very large number of domains used, this has to be some auto-domain generation/registration algorithm used in this campaign.
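One way to hunt for this pattern in proxy logs and group the hits by referrer to surface the referring sites. This is an added example, not code from the original post; the four-field log format, the sample lines (all constructed) and the `min_domains` threshold are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Pattern from the post: [3-6 letters][2 digits][3-6 letters].rr.nu
RR_NU = re.compile(r"[a-z]{3,6}[0-9]{2}[a-z]{3,6}\.rr\.nu")

# Constructed sample lines. Assumed format: time client url referrer
SAMPLE_LOG = """\
2012-03-30T10:01:02 10.0.0.5 http://qwer12asdf.rr.nu/ http://blog.example.org/post/1
2012-03-30T10:01:09 10.0.0.9 http://zxcvbn47plm.rr.nu/ http://blog.example.org/about
2012-03-30T10:02:11 10.0.0.5 http://www.example.com/index.html -
2012-03-30T10:03:40 10.0.0.7 http://ab12cd.rr.nu/ http://shop.example.net/
2012-03-30T10:04:00 10.0.0.7 http://HJKL09UIOPQR.RR.NU:80/x http://shop.example.net/
2012-03-30T10:05:00 10.0.0.8 http://abc12defg.rr.nu.example.com/ http://news.example.org/
"""


def is_rr_nu_host(host):
    """True if the whole hostname matches the campaign pattern."""
    return bool(host) and RR_NU.fullmatch(host.lower().rstrip(".")) is not None


def scan(log_text):
    """Return (hits, by_referrer) for requests to pattern-matching hosts."""
    hits, by_referrer = [], defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines
        _ts, client, url, referrer = parts
        host = urlsplit(url).hostname  # lower-cased, port stripped
        if not is_rr_nu_host(host):
            continue
        ref_host = urlsplit(referrer).hostname or "-"
        hits.append((client, host, ref_host))
        by_referrer[ref_host].add(host)
    return hits, dict(by_referrer)


def suspect_referrers(by_referrer, min_domains=2):
    """Referring sites that led to several distinct generated domains
    (min_domains is an assumed threshold)."""
    return sorted(r for r, hosts in by_referrer.items()
                  if r != "-" and len(hosts) >= min_domains)


if __name__ == "__main__":
    hits, by_ref = scan(SAMPLE_LOG)
    for client, host, ref in hits:
        print(f"{client} -> {host} (referrer: {ref})")
    print("referrers to review:", suspect_referrers(by_ref))
```

The match is anchored on the full hostname, so look-alikes such as `abc12defg.rr.nu.example.com` and labels outside the 3-6 letter range are not flagged.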
The pages accessed in the campaign include:
Tracing referrer strings in our logs, here is one live example:
www.psoftsearch.com/peoplebooks/ (infected PeopleSoft search site)
FakeAV page that dropped setup.exe:
VirusTotal reports that 2/42 A/V vendors detect it (very, very poor detection)
I re-downloaded the malware sample a few seconds later and the MD5 was immediately different.
Also a few seconds later, I re-visited the above site and the embedded link had already changed:
I refreshed the page, and sure enough the embedded link changed again. Aside from the hosting IPs, this appears to be a dynamic FakeAV campaign.
protectcustodianmonitor.info resolves to 126.96.36.199 (HostNOC)
Based on other domains on this IP, this will be an IP that you'll want to blacklist - there are numerous other FakeAV sites hosted here (see list below).
It looks like the primary hosting IP of the ".rr.nu" redirect changes each day, for example:
188.8.131.52 and 184.108.40.206 used in an earlier Sucuri post on this.
March 27 it was: 220.127.116.11
March 30 (today) it is: 18.104.22.168
A number of pages on sites have been compromised to drive this campaign. For example:
Infected websites have injected "eval(base64_decode(...));" statements in their wp-config.php and other WordPress .php files to communicate back to a command and control to retrieve a list of websites to inject these ".rr.nu" site inclusions into pages.
22.214.171.124 hosting information:
inetnum: 126.96.36.199 - 188.8.131.52
descr: PE Bogaturev Sergey Anatolievich
person: Bogaturev Sergey
address: RU, Gornuy Shit, Komsomolskiy str.
phone: +7(495) 324-35-69
descr: Subnet for servers and VPS
184.108.40.206 hosting information:
inetnum: 220.127.116.11 - 18.104.22.168
descr: OOO "Aldevir Invest"
protectcustodianmonitor.info domain information:
Registrant Name:Leah Carandini
Registrant Street1:54 Ridge Road
Registrant Postal Code:4660
Registrant Phone: [email protected]
Other related FakeAV sites that resolve / resolved to 22.214.171.124: