2013-10-10 - Panel

Late Disclosure - Darkleech Actors /Home/ - some numbers



To illustrate a forthcoming post on the Blackhole transition, here are some numbers for the /home/ (aka q.php) Blackhole instance, fuelled by Darkleech.

Note : the Darkleech module filters on User-Agent. Infection is attempted only on IE (so Opera/Mozilla and other browsers appearing in the stats are researchers, honeyclients, etc.). Blackhole then also filters on IE (so 0 infections for other browsers).


Note : columns are Thread Name and Number of Loads.
Browser filter on the Blackhole side too.
Last number I was able to see : > 2 800 000 infections.

File : q.php = Pony - Thread mod1
Lock : a.php = Nymaim.a - Thread adult (inactive since December)

They were pushing Pony, which was then (depending on your country) pushing Urausy or Nymaim.b (which itself was loading Zaccess or the Nymaim.a ransomware). Sébastien Duquette from Eset wrote a nice post about that.


Nymaim.A - Urausy Variant
with B&W Zoo/CP images
(Careful : this design has also been used by Bomba Locker)

Nymaim.A - US Design


2013-04-09 - 20:17 (RU Time) - 31081 infections in 20 hours

q.php Blackhole - 2013-04-09 - 20:17 RU Time
Note the thread name : mod1

2013-04-09 - 21:07
(numbers since Monday, i.e. the day before : 45 hours)



2013-04-11 - 22:22 - 29398 infections in around 22 hours

q.php Blackhole - 2013-04-11 - 22:22 RU Time


2013-04-12 - 20:29 - 26319 infections in 20.5 hours
q.php Blackhole - 2013-04-12 - 20:29 RU Time

Note : the Reveton group were doing as well as this (at least in Oct/Nov 2012) with Cool EK.

Read more :
There are a huge number of posts about this group, so I made a selection.
Dissecting FireEye's Career Web Site Compromise - 2013-09-18 - Dancho Danchev
The Home Campaign: overstaying its welcome - 2013-07-02 - Sébastien Duquette - Eset
The Evil Came Back: Darkleech's Apache Malware Module - 2013-03-24 - Hendrik Adrian - MalwareMustDie
1940 IPs for a BHEK/ULocker server - Nexcess-Net - 2012-09-14

Post Publication Reading :
Nymaim: Browsing for trouble - 2013-10-23 - Jean-Ian Boutin - Eset