2013-10-23 - Landscape

Big Andromeda Campaign back on track. From Sweet Orange to Neutrino



This is not the usual kind of post I write, but I decided to go ahead as the campaign is quite big (enough to change the perception of EK market share) and I have some compromised domains to share for remediation (see the end of the post).

A big campaign was active from at least 2013-09-27 to 2013-10-14.
A huge number of compromised websites were conditionally redirecting to a Sweet Orange pushing Andromeda (post by Sucuri about this campaign):

Sweet Orange 82 2013-09-27
Payload : Andromeda
One of the payloads: 82735517dd73de39a17c01a74c4fa232, nicely named by Microsoft (as often)

The campaign was really widespread and was, imo, responsible for the feeling some had that Sweet Orange was prevailing after Paunch's arrest (so maybe in "tilt number", but I think most actors are on Neutrino, Magnitude and Nuclear Pack).

The campaign suddenly stopped redirecting to Sweet Orange on 2013-10-14, redirecting instead to google.com, and the day after to [rotating].sytes.net/atb/counter.php, then to Google.

(Note: at the same time, 4-5 other Sweet Orange threads I was following also disappeared, which made me tweet a few days later

Note: I have been pointed to at least 2 SWO threads that are still active.)

That campaign has a huge place
by Sucuri


That campaign was still "on hold" yesterday (BadwareBusters thread)

On Hold Campaign. Redirecting to Google
2013-10-22


The infection process is on again but redirecting now to Neutrino.
(It's enough to assume that the actors can speak Russian or are better than most of us at using Google Translate.)

Neutrino thread pushing Andromeda

Having no access to a compromised server, and based on the way the redirection is handled, I thought it was driven by a rogue Apache module (Darkleech or CDorked installed on the compromised server via cPanel/Parallels Plesk server vulns), but it seems it's more likely compromised Joomla/WordPress.

Payload I got (it's obviously rotating):
1074b843c0b6e783ee1314c9759067a2 (sample - VT - Malwr)
I am not 100% sure it's Andromeda, but the chances are really high...





-----
46.22.211.60
34702 | 46.22.208.0/20 | WAVECOM | EE | WAVECOM.EE | AKTSIASELTS WAVECOM
POST /rukomorsdx/forum.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Connection: close
User-Agent: Mozilla/4.0
Host: base.thecreatureteacher.com
Analysis by Joe Sandbox Cloud
-----

At least >8000 domains were redirecting to the rotator (but I think it's far more than that).
http://pastebin.com/raw.php?i=1vFNKdSW (Please use for remediation - some CERTs (CA/CH/CZ/FR/FI/PL) should have already been informed)
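For anyone triaging proxy logs against the two network patterns described above (the [rotating].sytes.net/atb/counter.php hop and the forum.php POST with the bare Mozilla/4.0 agent), here is an added example that is not part of the original post. The log format, the sample lines and the function names are assumptions made for illustration; only the patterns themselves come from the post.

```python
import re
from urllib.parse import urlsplit

# Constructed proxy log lines (not real telemetry), assumed in time order.
# Assumed format: timestamp client method url "user-agent"
SAMPLE_LOG = """\
2013-10-15T09:01:02 10.0.0.5 GET http://a1b2.sytes.net/atb/counter.php "Mozilla/5.0 (Windows NT 6.1)"
2013-10-15T09:01:40 10.0.0.5 POST http://base.thecreatureteacher.com/rukomorsdx/forum.php "Mozilla/4.0"
2013-10-15T09:03:10 10.0.0.7 GET http://x9.sytes.net/atb/counter.php "Mozilla/5.0 (Windows NT 6.1)"
2013-10-15T09:05:00 10.0.0.9 POST http://example.org/community/forum.php "Mozilla/5.0 (X11; Linux)"
2013-10-15T09:06:00 10.0.0.9 GET http://example.org/atb/counter.php "Mozilla/5.0 (X11; Linux)"
"""

LINE = re.compile(r'^(\S+) (\S+) (GET|POST) (\S+) "([^"]*)"$')

def is_rotator(method, url):
    """GET to [rotating].sytes.net/atb/counter.php, the intermediate hop in the post."""
    u = urlsplit(url)
    host = (u.hostname or "").lower()
    return method == "GET" and host.endswith(".sytes.net") and u.path == "/atb/counter.php"

def is_checkin(method, url, ua):
    """POST to .../forum.php with the bare 'Mozilla/4.0' agent, as in the capture."""
    return method == "POST" and urlsplit(url).path.endswith("/forum.php") and ua == "Mozilla/4.0"

def triage(log_text):
    """Map each client to a verdict based on which of the two patterns it produced."""
    first_redirect, last_checkin = {}, {}
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # ignore lines that do not fit the assumed format
        ts, client, method, url, ua = m.groups()
        if is_rotator(method, url):
            first_redirect.setdefault(client, ts)  # keep the earliest rotator hit
        elif is_checkin(method, url, ua):
            last_checkin[client] = ts  # keep the latest check-in
    verdicts = {}
    for client in sorted(set(first_redirect) | set(last_checkin)):
        r, c = first_redirect.get(client), last_checkin.get(client)
        if r and c and r <= c:  # ISO timestamps compare correctly as strings
            verdicts[client] = "redirected-then-checkin"  # look at this host first
        elif c:
            verdicts[client] = "checkin-only"  # no rotator hit seen before it
        else:
            verdicts[client] = "redirected-only"  # exposed, no check-in observed
    return verdicts

if __name__ == "__main__":
    for client, verdict in triage(SAMPLE_LOG).items():
        print(client, verdict)
```

The check-in rule is a heuristic built from the single capture shown above; the C&C host and path rotate, so treat a match as a lead for host-level investigation rather than a confirmed infection.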

<edit1 : 2013-11-01>
After a few days out (after that post), they are back again, using an intermediate redirector in: [rotating].dezit/counter.php

Counter-Andro gang back on Neutrino
Payload : 3b75c1b705ce8f0e4e3a09d137a842c1
</edit1>

Read More:
Neutrino: Caught in the Act - Karmina Aquino & Daavid Hentunen - 2013-10-23 - F-Secure
Malware iFrame Campaign from Sytes(.)net - Daniel Cid - 2013-10-03 - Sucuri.net
Hello Neutrino ! (just one more Exploit Kit) - 2013-03-17 - last update 2013-10-03
Inside Andromeda Bot v2.06 Webpanel / AKA Gamarue - Botnet Control Panel - 2012-07-02