2013-10-08 - Affiliate

Flimrans Affiliate : Borracho



In the middle of May 2013 a new ransomware appeared (or at least was spotted), pushed by a new exploit kit, named Flimkit by Chris Wakelin.

Flimkit pushing Flimrans
Encoded Payload in the Jar
404 callback for stats

The kit and the ransomware were tightly tied to each other, as Kore and Urausy were, or in a less obvious way Cool EK and Reveton.

The ransomware came to be referred to as Flimrans.

Nothing really new in the clothes: the same designs as those used by Urausy back in September 2012.
Flimrans Design 2013-05
(match Urausy 2012-09)
In the middle of June the group seems to have switched to Styx.

Styx Pushing Flimrans
2013-06-12
(the same infection chain we previously saw in Flimkit)


Then, as early as mid-July, they seem to have moved to an affiliate mode (or simply went public with it?).

Advert posted on 2013-07-10
for a locker in affiliate mode
-----------Text of the advert (translated from Russian) -----------
Locker
- Stable check-in and conversion rates
- Many countries
- Any cooperation model based on the vouchers (NOT FOR SALE, partnership only!)
- The necessary toolset is available
- and more...

PM only

-----------English version-----------------------
- Stable installs rate and conversions
- A lot of countries
- Choose your business model for partnership
- We have all needed for work
- and more...

PM only
----------------------------------------------
A few days later, some numbers:

Update to the initial advert (translated from Russian)
------------------------------------------------------------------------------------------------
I'll post a few lines on conversion rates from different traffic sources and verticals.

Column legend as given in the post: Installs | Checks (MP/Ukash/PSC) | Valid (MP/Ukash/PSC) | Valid % | Pending/Bad | Installs per check / installs per valid check | Money

Adult traffic from traffic exchanges

Traffic            | Installs | Checks (MP/Ukash/PSC) | Valid (MP/Ukash/PSC) | Valid % | Pending/Bad | Installs:checks / installs:valid | Money
US/EU mix 40/60%   | 27339    | 955 (334/114/507)     | 694 (194/93/407)     | 72.67 % | 0/261       | 1:28 / 1:39                      | $39799
Pure US            | 19599    | 584 (580/1/3)         | 340 (337/1/2)        | 58.22 % | 0/244       | 1:33 / 1:57                      | $33920
US/EU mix 50/50%   | 12955    | 328 (207/37/84)       | 223 (136/25/62)      | 67.99 % | 0/105       | 1:39 / 1:58                      | $17345

Non-adult traffic from traffic exchanges

Traffic            | Installs | Checks (MP/Ukash/PSC) | Valid (MP/Ukash/PSC) | Valid % | Pending/Bad | Installs:checks / installs:valid | Money
US/EU mix 50/50%   | 22337    | 239 (103/39/97)       | 150 (55/31/64)       | 62.76 % | 0/89        | 1:93 / 1:148                     | $9592
Pure US            | 8787     | 139 (136/2/1)         | 74 (71/2/1)          | 53.24 % | 0/65        | 1:63 / 1:118                     | $7352
--------------------------------------------------------------------------------------------------

Note: Adult/Non-adult is a distinction made on the source of the traffic (porn sites or not). The "checks" are the payment vouchers victims enter; MP and PSC presumably stand for MoneyPak and Paysafecard (the post does not expand them). In each row Valid plus Bad equals Checks, and the ratios are installs per check and installs per valid check, so roughly one voucher was entered per 30 to 90 infections.

Strangely, it is only in the last three weeks that we have been seeing more and more of it.
It is mainly pushed by Sweet Orange,

Flimrans pushed by Sweet Orange
2013-10-03 (Fiddler capture available at the end of the post)


but also by the new HiMan exploit kit.

Flimrans pushed in HiMan EK
2013-10-02
What's behind the curtain?

Borracho.biz - Flimrans Affiliate Entrance
borracho.biz
109.235.49.64
47869 | 109.235.48.0/21 | NETROUTING | NL | EXNW.COM | NETROUTING TELECOM

Borracho - News

New filters! 2013-09-14 | 20:15
Those who send traffic to our exploit: on top of blocking every country except those in the list below, filters by browser and OS have been added.
Accepted OS:
Seven, XP, 98, 95, Vista, Eight

Likewise, for now only the IE browser is let through.
Countries blocked | Exploit Countries Blocked. 2013-08-03 | 16:04
Those who send traffic to our exploit: it now accepts only these countries:
AR CA DA FR IT NO SE AT CH DE GB LU NZ SI AU CR ES GR LV PL SK BE CY EC HU MX PT TR BO CZ FI IE NL RO US
All other countries are blocked and not counted!

Note: I think "our exploit" was Flimrans, and they are now giving Sweet Orange threads.
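The gate rules in the two notices above (a country allow-list, "IE only", and six accepted Windows versions) are easy to reconstruct, and doing so matters when you try to replay the chain from a sandbox: a visit from an exit IP outside the list, or with a non-IE User-Agent, is simply dropped and never counted, so a "dead" landing page may just be the filter. The following is an added example written for this post, not Borracho's code. It applies the posted rules to visitor records; that the country comes from a GeoIP lookup returning ISO alpha-2 codes and that the OS is read from the User-Agent platform token are assumptions. Two caveats: "DA" in the posted list is not an ISO country code (Denmark is DK), and IE 11, which dropped the "MSIE" token, is not handled because nothing here says whether the gate accepted it.

```python
"""Reconstruction of the Borracho traffic gate from the rules published in
its news posts: a country allow-list, an accepted-OS list and "IE only".
Added example for this post, not Borracho's code. How the gate really
read the country (GeoIP) and the OS (User-Agent string) is assumed; the
rules themselves are copied from the posts."""
import re

# Country list exactly as posted. Note that "DA" is not an ISO 3166-1
# alpha-2 code (Denmark is "DK"), so a gate comparing GeoIP codes against
# this list as written would have dropped Danish visitors.
ALLOWED_COUNTRIES = frozenset(
    "AR CA DA FR IT NO SE AT CH DE GB LU NZ SI AU CR ES GR LV PL SK "
    "BE CY EC HU MX PT TR BO CZ FI IE NL RO US".split()
)

# Posted OS names ("Seven, XP, 98, 95, Vista, Eight") keyed by the platform
# token Internet Explorer puts in its User-Agent (assumed mapping).
OS_BY_UA_TOKEN = {
    "Windows NT 6.2": "Eight",
    "Windows NT 6.1": "Seven",
    "Windows NT 6.0": "Vista",
    "Windows NT 5.1": "XP",
    "Windows 98": "98",
    "Windows 95": "95",
}

# IE 2 through IE 10 identify themselves with "MSIE <major>." in the UA.
_MSIE_RE = re.compile(r"\bMSIE (\d+)\.")


def windows_version(user_agent):
    """Return the posted OS name for the UA's platform token, or None."""
    for token, name in OS_BY_UA_TOKEN.items():
        if token in user_agent:
            return name
    return None


def ie_major(user_agent):
    """Return the IE major version from the UA, or None if it is not IE."""
    m = _MSIE_RE.search(user_agent)
    return int(m.group(1)) if m else None


def passes_gate(country_code, user_agent):
    """Judge one visitor the way the posted rules say the gate does.

    Returns (accepted, reason). Rules run in the order the notices
    announced them: country first, then browser, then OS.
    """
    code = country_code.strip().upper()
    if code not in ALLOWED_COUNTRIES:
        return False, "country %s blocked (not counted)" % code
    version = ie_major(user_agent)
    if version is None:
        return False, "browser is not IE"
    os_name = windows_version(user_agent)
    if os_name is None:
        return False, "OS not in accepted list"
    return True, "accepted: IE %d on Windows %s" % (version, os_name)


# Constructed visitor records (not from any capture) to show the outcomes.
SAMPLE_VISITORS = [
    ("US", "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"),
    ("DE", "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)"),
    ("RU", "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"),
    ("FR", "Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Firefox/24.0"),
    ("DK", "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; Trident/6.0)"),
]


def triage(visitors):
    """Return {"accepted": n, "blocked": m} for a list of (country, UA)."""
    counts = {"accepted": 0, "blocked": 0}
    for country, ua in visitors:
        ok, _ = passes_gate(country, ua)
        counts["accepted" if ok else "blocked"] += 1
    return counts


if __name__ == "__main__":
    for country, ua in SAMPLE_VISITORS:
        print(country, passes_gate(country, ua))
    print(triage(SAMPLE_VISITORS))
```

The practical use is the reverse of the gate's: before declaring a landing page dead, run your sandbox's exit country and User-Agent through `passes_gate` and fix whichever rule rejects it.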

Sweet Orange stats tied to a thread pushing Flimrans
Beginning of October 2013

Borracho - Money Stats

Borracho - Referral
It seems you can get "help" with the distribution (see "Files" below) and get stats from this "sub-affiliate".
This is only an assumption; I didn't see it live.

Borracho - Config
Note that the delay before the "lock" function fires can be set independently by each affiliate member and changed at any time. The delay makes the connection between the infection source and the lock less obvious to victims, and can also help evade sandboxes and other analysis environments that only observe a sample for a short time.

Borracho - Checks
Vouchers are received by the affiliate operator and checked; a percentage is then shared with the members.
Yes...people are still falling for Ransomware...

Borracho - Files
Each time you download, you get a fresh file. The file is tied to the account ID, but the parameter in the GET request seems to let you create a "sub-affiliate" and see how successful its distribution is in "Referral" and "Money Stats".

Borracho - Profile
Borracho - Payments
I did a time-consuming design-grabbing session. The only new things at that time were:

Default design (shown if the country is not targeted; it is also one of the multiple Reveton US designs)

Flimrans "Failover" Design

US design (also one of the Reveton US designs)

Flimrans US Design - 2013-10
ES Design (this is something new to me)

Flimrans ES Design - 2013-10

C&C (the C&C has moved since the HiMan EK post):
192.133.139.249
50245 | 192.133.136.0/21 | SERVEREL | US | SERVEREL.COM | SERVEREL

GET /xfczMgBpgmeyU1Xf3MxFA0jxz3aVLa4= HTTP/1.1
Host: opobokuku.de
Cache-Control: no-cache


<edit1 2013-10-09>
Borracho moved or went down just after publication of this post.

Flimrans C&Cs:
85.25.84.201  (see for instance sample af3750a4623d25c67b911562b99a9ee3)
8972 | 85.25.0.0/16 | PLUSSERVER | LI | INTERGENIA.DE | INTERGENIA AG

GET /tyjCGcRuh2eyU1Xf3MxFA0jxz3aVLa4= HTTP/1.1
Host: opobokuku.de
Cache-Control: no-cache
--
Host: ydomolyne.de (2013-10-14)
--

198.27.109.127
16276 | 198.27.64.0/18 | OVH | CA | OVH.COM | OVH HOSTING INC.

</edit1>
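The check-in above is structurally distinctive: a GET to a bare base64-looking path with no directory, extension or query string (both captured URIs are 32 characters long and, incidentally, end with the same 22 characters "eyU1Xf3MxFA0jxz3aVLa4="), and, at least as captured here, no User-Agent, only Host and Cache-Control: no-cache. The following is an added example written for this post, not the author's tooling and not anything from the malware: it parses raw HTTP requests and scores them against those traits. The two observed requests are copied from this post, the benign requests are constructed, and the path-length tolerance and the two-trait threshold are assumptions. A shared tail across only two samples is an observation, not a signature; check it against the samples linked at the end of the post before relying on it.

```python
"""Structural detector for the Flimrans C&C check-in shown in this post.
Added example for this post, not the author's tooling: it scans raw HTTP
requests and flags those shaped like the observed check-in. The two
observed requests are copied from the post; the other sample requests are
constructed. The path-length tolerance and the scoring threshold are
assumptions, not something the malware is known to enforce."""
import re

# C&C hostnames listed in the post (indicators seen so far, not a full list).
KNOWN_CNC_HOSTS = frozenset({"opobokuku.de", "ydomolyne.de"})

# A path that is one bare base64 blob: no directory, extension or query.
# Both observed tokens are 32 characters; 24-64 is an assumed tolerance.
_B64_PATH_RE = re.compile(r"^/([A-Za-z0-9+/]{24,64}={0,2})$")

# The two requests captured in the post, as raw HTTP.
OBSERVED_REQUESTS = [
    "GET /xfczMgBpgmeyU1Xf3MxFA0jxz3aVLa4= HTTP/1.1\r\n"
    "Host: opobokuku.de\r\n"
    "Cache-Control: no-cache\r\n\r\n",
    "GET /tyjCGcRuh2eyU1Xf3MxFA0jxz3aVLa4= HTTP/1.1\r\n"
    "Host: opobokuku.de\r\n"
    "Cache-Control: no-cache\r\n\r\n",
]

# Constructed benign traffic for comparison (not from any capture).
BENIGN_REQUESTS = [
    "GET /index.html HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "Accept: */*\r\n\r\n",
    # A CDN asset named by a base64-looking hash: path matches, rest does not.
    "GET /AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA HTTP/1.1\r\n"
    "Host: cdn.example.net\r\n"
    "User-Agent: curl/7.30.0\r\n\r\n",
]


def parse_request(raw):
    """Split one raw HTTP request into (method, path, {header: value})."""
    lines = raw.strip().splitlines()
    method, path, _version = lines[0].split()
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers


def checkin_reasons(raw):
    """Return the traits the request shares with the observed check-in."""
    method, path, headers = parse_request(raw)
    reasons = []
    m = _B64_PATH_RE.match(path)
    if method == "GET" and m and len(m.group(1)) % 4 == 0:
        reasons.append("path is a single bare base64 token")
    if headers.get("host", "") in KNOWN_CNC_HOSTS:
        reasons.append("Host is a listed Flimrans C&C domain")
    if "user-agent" not in headers:
        reasons.append("no User-Agent header")
    if (headers.get("cache-control") == "no-cache"
            and set(headers) == {"host", "cache-control"}):
        reasons.append("only Host and Cache-Control: no-cache headers")
    return reasons


def is_checkin(raw, min_reasons=2):
    """A listed host alone, or two structural traits together, is enough."""
    reasons = checkin_reasons(raw)
    return any("listed" in r for r in reasons) or len(reasons) >= min_reasons


def common_suffix(tokens):
    """Longest suffix shared by every token; the two observed URIs share one."""
    if not tokens:
        return ""
    suffix = tokens[0]
    for token in tokens[1:]:
        while not token.endswith(suffix):
            suffix = suffix[1:]
    return suffix


def observed_tokens():
    """The URI tokens of the observed requests, without the leading slash."""
    return [parse_request(r)[1][1:] for r in OBSERVED_REQUESTS]


if __name__ == "__main__":
    for raw in OBSERVED_REQUESTS + BENIGN_REQUESTS:
        print(parse_request(raw)[1], is_checkin(raw), checkin_reasons(raw))
    print("shared tail:", common_suffix(observed_tokens()))
```

The listed hosts are the weakest trait, since the C&C domains rotate (ydomolyne.de appeared within a week of opobokuku.de); the bare-token path with no User-Agent is what survives a domain change, which is why the structural traits carry the decision when the host is unknown.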

Files :
Here (Owncloud)
(2 Sweet Orange Fiddler captures, 2 Anubis cloud analyses, 4 samples)