2012-09-14 - Landscape

1940 IPs for a BHEK/ULocker server - Nexcess-Net

We all remember the hack of Cryptome.org back in February 13th 2012, redirecting 2900 visitors to a "/Home/" Blackhole Exploit kit. (No ? Read cryptome.org thread about that).

Cryptome.org's post keeping readers aware of the situation in real time


I was already following that blackhole (and its ips ) since I started to dive in this field, so since December.

I decided to make a deeper search and found that the BH EK was hidding behind 2428 ips (Pastebin) on AS36444 almost all on NEXCESS-NET networks.

At that time I ensured this information reached Law Enforcement and decided to stop following that BH EK (too many IP rotation, too much work for one rotating payload).

Yesterday Jindrich Kubec (Avast) and Razor both remind me about that "/Home/ BH EK " that i was also seeing from time to time on URLQuery and MalwareDomainList.

I made a scan once again on AS36444 and there is right now 1915 ips (Pastebin) positive to that BH EK.

Winmerge of both files giving a rough idea of differences


I decided to take a look at what was being served :


Session of /Home/ Blackhole (1.2.5) Infection - Highligted : Payload

149.47.134.189 /Home/index.php

149.47.134.189 /Home/Gam.jar
149.47.134.189 /Home/w.php?f=16&e=2  cac5aeefd47e4e537f8f28430f2a3661 (vt link)
149.47.134.189 /Home/data/ap1.php?f=16
149.47.134.189 /Home/data/field.swf


The payload is ULocker (link to @Botnets_fr related page). Another occurence exposed by Xylitol two weeks ago



Screenshot of ULocker I made for Botnets.fr
ULocker initial advert by xfrzx
ULocker update announced by xfrzx


It could be over if that page was not hosted on, guess what ?, the "/Home/ BH EK" server.

Fiddler Trace of the call home from the ULocker ransomware bot.


cdnexits.com/Home /web2/gate.php
cdnexits.com/Home /web2/l/FR.php <-- depending of what gate.php reply.

List of Targeted Countries
I have highlighted the RO (Romania) cause in facts it's in English and it's a glitch that come from previous version of ULocker which is the only known ransomware targeting that country.

cdnexits.com -- 91.204.208.36
52148 | 91.204.208.0/22 | RACKSRV | UK | G-RAFF.COM | RACKSRV COMMUNICATIONS LIMITED


Scanning this range you can find 4 more IPs for the "/Home/ BH EK".


91.204.209.207
91.204.209.208
91.204.209.209
91.204.209.205

Scanning more widely "known" bad ranges you also find :

109.236.81.41 <- Could be the mother Ship.
129.121.35.109
129.121.35.166
129.121.35.173
129.121.35.183
129.121.35.253
129.121.35.36
129.121.35.37
129.121.35.38
129.121.35.39
129.121.35.40
193.33.186.241
193.33.186.242
193.33.186.243
193.33.186.244
193.33.186.245
213.5.176.130
213.5.176.131
213.5.176.132
213.5.176.133
213.5.176.134

Yes you can take any of these IP or from this pastebin and add "/Home/web2/l/DE.php" you'll get the German Landing for ULocker Ransomware.

1940 ips. The lack of IPv4 seems be a joke for some bad guys...(yes am thinking at the AS37599 at 75% occupied by a BH EK deploying Reveton two weeks ago)