|Cryptome.org's post keeping readers aware of the situation in real time|
I had already been following that Blackhole (and its IPs) since I started to dive into this field, that is, since December.
I decided to do a deeper search and found that the BH EK was hiding behind 2428 IPs (Pastebin) on AS36444, almost all on NEXCESS-NET networks.
At that time I ensured this information reached Law Enforcement and decided to stop following that BH EK (too much IP rotation, too much work for one rotating payload).
Yesterday Jindrich Kubec (Avast) and Razor both reminded me about that "/Home/ BH EK" that I was also seeing from time to time on URLQuery and MalwareDomainList.
I scanned AS36444 once again and there are right now 1915 IPs (Pastebin) positive for that BH EK.
|WinMerge of both files giving a rough idea of the differences|
I decided to take a look at what was being served:
|Session of /Home/ Blackhole (1.2.5) infection - highlighted: payload|
220.127.116.11 /Home/w.php?f=16&e=2 cac5aeefd47e4e537f8f28430f2a3661 (VT link)
The payload is ULocker (link to @Botnets_fr related page). Another occurrence was exposed by Xylitol two weeks ago.
|Screenshot of ULocker I made for Botnets.fr|
|ULocker initial advert by xfrzx|
|ULocker update announced by xfrzx|
That could have been the end of it, had that page not been hosted on, guess what, the "/Home/ BH EK" server.
|Fiddler trace of the call home from the ULocker ransomware bot|
cdnexits.com/Home/web2/l/FR.php <-- depending on what gate.php replies.
|List of Targeted Countries|
cdnexits.com -- 18.104.22.168
52148 | 22.214.171.124/22 | RACKSRV | UK | G-RAFF.COM | RACKSRV COMMUNICATIONS LIMITED
Scanning this range, you can find 4 more IPs for the "/Home/ BH EK".
Scanning more widely across "known" bad ranges, you also find:
126.96.36.199 <- Could be the mother ship.
Yes, you can take any of these IPs, or one from this pastebin, and append "/Home/web2/l/DE.php": you'll get the German landing page for the ULocker ransomware.
1940 IPs. The lack of IPv4 seems to be a joke for some bad guys... (yes, I am thinking of AS37599, 75% occupied by a BH EK deploying Reveton two weeks ago).
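For anyone who wants to hunt for the same traffic in their own proxy or IDS logs, here is an added example (my own detection code, not anything from the post or from the actors it describes). It turns the three URL shapes seen above into fingerprints: the Blackhole payload fetch (/Home/w.php?f=<n>&e=<n>), the ULocker per-country landing page (/Home/web2/l/<CC>.php) and the gate.php call-home, whose exact location is not given in the post, so the path /Home/web2/l/gate.php is an assumption. The log lines and the 10.0.0.x client addresses are constructed; the hosts and paths are the ones quoted above. A client is only reported as likely infected when it fetched the Blackhole payload and then reached the ULocker gate or a landing page, which separates real victims from, say, a researcher browsing to DE.php by hand.

```python
"""Detection logic for the "/Home/" Blackhole + ULocker traffic described above.

Added example: flags matching requests in a simple proxy log and correlates
them per client. Not code from the original post.
"""
import re
from collections import defaultdict

# URL-path fingerprints. The payload and landing paths are quoted in the post;
# the gate.php location is an ASSUMPTION (placed next to the landing pages).
PATTERNS = [
    ("bh_payload",      re.compile(r"^/Home/w\.php\?f=\d+&e=\d+$")),
    ("ulocker_gate",    re.compile(r"^/Home/web2/l/gate\.php$")),      # assumed path
    ("ulocker_landing", re.compile(r"^/Home/web2/l/(?P<cc>[A-Z]{2})\.php$")),
]

# Constructed sample log (format: client method host path status).
SAMPLE_LOG = """\
10.0.0.5 GET 220.127.116.11 /Home/w.php?f=16&e=2 200
10.0.0.5 POST cdnexits.com /Home/web2/l/gate.php 200
10.0.0.5 GET cdnexits.com /Home/web2/l/FR.php 200
10.0.0.7 GET www.example.com /index.html 200
10.0.0.9 GET 126.96.36.199 /Home/web2/l/DE.php 200
10.0.0.9 GET cdn.example.net /Home/about.html 200
"""

LOG_RE = re.compile(
    r"^(?P<client>\S+) (?P<method>[A-Z]+) (?P<host>\S+) (?P<path>\S+) (?P<status>\d{3})$"
)


def classify_path(path):
    """Return (tag, country_code) for a fingerprinted path, else (None, None)."""
    for tag, rx in PATTERNS:
        m = rx.match(path)
        if m:
            # Only the landing regex has a named group; groupdict() is {} otherwise.
            return tag, m.groupdict().get("cc")
    return None, None


def parse_line(line):
    """Split one log line into its fields, or return None if it is malformed."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def scan_log(text):
    """Return one dict per request whose path matches a fingerprint."""
    hits = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        tag, cc = classify_path(rec["path"])
        if tag:
            hits.append({"client": rec["client"], "host": rec["host"],
                         "path": rec["path"], "tag": tag, "country": cc})
    return hits


def likely_infected(hits):
    """Clients that fetched the BH payload AND then talked to ULocker (gate or landing)."""
    tags_by_client = defaultdict(set)
    for h in hits:
        tags_by_client[h["client"]].add(h["tag"])
    return sorted(
        c for c, tags in tags_by_client.items()
        if "bh_payload" in tags and tags & {"ulocker_gate", "ulocker_landing"}
    )


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for h in found:
        print(f"{h['client']} -> {h['host']}{h['path']}  [{h['tag']}"
              f"{' ' + h['country'] if h['country'] else ''}]")
    print("likely infected:", likely_infected(found))
```

On the constructed sample this reports four suspicious requests but only 10.0.0.5 as likely infected: 10.0.0.9 touched the German landing page without ever fetching the payload, so it is worth a look but is not a confirmed victim. Matching on the full path shape rather than the bare /Home/ prefix is what keeps /Home/about.html out of the results.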