Historical OSINT - Massive Black Hat SEO Campaign Spotted in the Wild

Cybercriminals continue actively launching fraudulent and malicious blackhat SEO campaigns further acquiring legitimate traffic for the purpose of converting it into malware-infected hosts further spreading malicious software potentially compromising the confidentiality availability and integrity of the targeted host to a multi-tude of malicious software.

We've recently intercepted a currently active malicious blackhat SEO campaign serving scareware to socially engineered users with the cybercriminals behind it earning fraudulent revenue largely relying on the utilization of an affiliate-network based revenue-sharing scheme.

In this post we'll profile the campaign, provide actionable intelligence on the infrastructure behind it, and discuss in-depth the tactics techniques and procedures of the cybercriminals behind it.

Known malicious domains known to have participated in the campaign:
hxxp://doremisan7.net?uid=213&pid=3&ttl=319455a3f86 - 67.215.238.189

Known malicious redirector known to have participated in the campaign:
hxxp://marketcoms.cn/?pid=123&sid=8ec7ca&uid=213&isRedirected=1 - 91.205.40.5 - Email: JeremyLRademacher@live.com

Related malicious domains known to have been parked within the same malicious IP (91.205.40.5):
hxxp://browsersafeon.com
hxxp://online-income2.cn
hxxp://applestore2.cn
hxxp://media-news2.cn
hxxp://clint-eastwood.cn
hxxp://stone-sour.cn
hxxp://marketcoms.cn
hxxp://fashion-news.cn

Known malicious domains known to have participated in the campaign:
hxxp://guard-syszone.net/?p=WKmimHVmaWyHjsbIo22EeXZe0KCfZlbVoKDb2YmHWJjOxaCbkX1%2Bal6orKWeYJWfZW
VilWWenGOIo6THodjXoGJdpqmikpVuaGVvZG1kbV%2FEkKE%3D - 206.53.61.73

hxxp://yourspywarescan15.com/scan1/?pid=123&engine=pXT3wjTuNjYzLjE3Ny4xNTMmdGltZT0xMjUxMYkNPAFO - 85.12.24.12

Sample detection rate for sample malware:
MD5: 3d448b584d52c6a6a45ff369d839eb06
MD5: 54f671bb9283bf4dfdf3c891fd9cd700

We'll continue monitoring the campaign and post updates as soon as new developments take place.
Share on Google Plus

About Dancho Danchev

Threat Intelligence Analysis (OSINT/Cyber Counter Threat Intelligence/). Approach me ddanchev@confidantmail.org 1790eb593d891cec2e0cd07ee044b283cce9c011 SilentCircle ID: ddanchev +507 833-8931
    Blogger Comment
    Facebook Comment