Forskolin Spam Emails

I found these GET requests in our customer's traffic, likely originating from spam emails:

hxxp://gallipolicountryandsea[.]it/therfgds1.php
hxxp://www.gallipolicountryandsea[.]it/therfgds1.php
hxxp://dutbbc[.]com/?a=374762&c=wl_con&s=nw-404-1che

What drew my attention to it at first was the .IT TLD, as well as the fact that this traffic seemed out of place in the context of this person's web browsing patterns. Furthermore, the two requests to gallipolicountryandsea[.]it were resolving to different IPs. I decided to toss the first request into VirusTotal, which showed a detection ratio of 6/66.

That is a relatively high detection rate for a URL, which piqued my interest even more. I then took the URL and plugged it into URLQuery to see if I could find specific HTTP transactions. This is what I found:

The first and second requests go to the same domain but to different IP addresses, just as they did in our customer's traffic. Then we get a 302 that redirects to a different domain, zoxxv[.]com (our customer's traffic showed dutbbc[.]com). Apart from the domains being different, the URIs are identical. The final redirect of interest is to help-save-wildlife[.]org, a domain that was registered only days prior and is located in Switzerland. Suspicious.

I then looked at the HTML of the redirect domains (zoxxv[.]com, dutbbc[.]com, etc.), which contained obfuscated JavaScript. Furthermore, when making the request I received the ET alert "Double-Encoded Reverse Base64/Dean Edwards Packed JavaScript Observed in Unknown EK Feb 16 2015 b64 1 M2" via my Security Onion NSM. Here are the alert and the obfuscated JavaScript:

I then reversed the base64-encoded data and decoded it, which gave me this:

I took the decoded script and deobfuscated it until I ended up with the following (thanks to my coworker Julian for helping me find a good tool for deobfuscation):

The snippet of code using the function above is executed when users load the page. This JavaScript checks whether the user's cookies are enabled and returns a boolean value. If that value is true, the script sends the host to the spam page at one of many sub-domains:

hxxp://138-health.ibign[.]net
hxxp://390-diet.pgbbv[.]net
hxxp://438-diet.gjbgnr[.]com/uszlct/d3/pure-natural-forskolin/
hxxp://469-health.kfisg[.]com
hxxp://576-diet.zoxxv[.]com/ustqoe/d4/pure-natural-forskolin/
hxxp://663-healthandbeauty.gjbgnr[.]com/usujuc/d4/pure-natural-forskolin/
hxxp://716-beauty.bjskiu[.]com
hxxp://798-fitness.gjbgnr[.]com/uslrql/m5/pure-natural-forskolin/
hxxp://835-weightloss.obfbx[.]net
hxxp://884-health.zoxxv[.]com/uswcpg/d3/pure-natural-forskolin/

This is only a small list. There are at least 1,907 of these spam sub-domains, with numeric prefixes ranging from 100 all the way to 999. The end of this report contains all the IPs, domains, and sub-domains.
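The decoding chain walked through above (reverse the base64, decode it, unpack the Dean Edwards p,a,c,k,e,d payload, then read off the two redirect destinations), as an added Python example that is not code from this post. The cloaking script, its packed form and the encoding layers are constructed for the example: the post does not say how many base64 layers the real payload used, so the sample assumes two rounds of base64-then-reverse, and the hosts spam.example and charity.example are placeholders rather than indicators from the post.

```python
import base64
import re

# Constructed stand-in for the cloaking script the post describes: a cookie
# check, then a redirect to either a spam sub-domain or a charity look-alike.
# Both URLs are placeholders, not indicators from the post.
CLOAK_SCRIPT = (
    'if(navigator.cookieEnabled){window.location="http://spam.example/d3/pure-natural-forskolin/"}'
    'else{window.location="http://charity.example/"}'
)

# The same script packed by hand in Dean Edwards p,a,c,k,e,d form (constructed;
# the standard unpacker boilerplate is kept verbatim so the sample is real JS).
PACKED_SAMPLE = (
    "eval(function(p,a,c,k,e,d){e=function(c){return c.toString(36)};"
    "if(!''.replace(/^/,String)){while(c--){d[c.toString(a)]=k[c]||c.toString(a)}"
    "k=[function(e){return d[e]}];e=function(){return'\\\\w+'};c=1};"
    "while(c--){if(k[c]){p=p.replace(new RegExp('\\\\b'+e(c)+'\\\\b','g'),k[c])}}"
    "return p}('0(1.2){3.4=\"5://6.7/8/9-a-b/\"}c{3.4=\"5://d.7/\"}',36,14,"
    "'if|navigator|cookieEnabled|window|location|http|spam|example|d3|pure|natural|forskolin|else|charity'"
    ".split('|'),0,{}))"
)


def wrap_reverse_base64(text: str, layers: int = 2) -> str:
    """Build the obfuscated blob the way the alert name suggests: base64, then reverse, repeated."""
    for _ in range(layers):
        text = base64.b64encode(text.encode()).decode()[::-1]
    return text


# Assumed two layers; the real sample's depth is not given in the post.
OBFUSCATED_SAMPLE = wrap_reverse_base64(PACKED_SAMPLE, layers=2)

PACKER_MARKER = "function(p,a,c,k,e,d)"


def unwrap_reverse_base64(blob: str, max_layers: int = 5) -> str:
    """Peel reverse+base64 layers until the packer boilerplate shows up."""
    text = blob
    for _ in range(max_layers):
        if PACKER_MARKER in text:
            return text
        try:
            text = base64.b64decode(text[::-1], validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError) as exc:
            raise ValueError("layer is not reversed base64 text") from exc
    raise ValueError("no p,a,c,k,e,d payload found within the layer limit")


# Matches the argument list of the packer call: ('payload', base, count, 'w|o|r|d|s'.split('|')
PACKER_ARGS_RE = re.compile(
    r"\}\s*\(\s*'(?P<p>(?:\\.|[^'\\])*)'\s*,\s*(?P<a>\d+)\s*,\s*(?P<c>\d+)\s*,"
    r"\s*'(?P<k>(?:\\.|[^'\\])*)'\s*\.split\('\|'\)",
    re.S,
)


def _token(n: int, a: int) -> str:
    """Reproduce the packer's e(c): base-a digits drawn from 0-9, a-z, A-Z."""
    head = "" if n < a else _token(n // a, a)
    n %= a
    tail = chr(n + 29) if n > 35 else "0123456789abcdefghijklmnopqrstuvwxyz"[n]
    return head + tail


def unpack_dean_edwards(packed: str) -> str:
    """Undo p,a,c,k,e,d by substituting dictionary words back for their tokens."""
    m = PACKER_ARGS_RE.search(packed)
    if not m:
        raise ValueError("no p,a,c,k,e,d argument list found")
    payload = re.sub(r"\\(.)", r"\1", m.group("p"))  # undo the packer's \' and \\ escaping
    base, count = int(m.group("a")), int(m.group("c"))
    words = m.group("k").split("|")
    out = payload
    for i in range(count - 1, -1, -1):  # same descending order the packer's loop uses
        if i < len(words) and words[i]:
            out = re.sub(r"\b" + re.escape(_token(i, base)) + r"\b",
                         lambda _m, w=words[i]: w, out)
    return out


REDIRECT_RE = re.compile(r'location\s*=\s*"([^"]+)"')


def redirect_targets(script: str) -> list:
    """Pull the destination URLs (true branch first) out of the unpacked cloaking script."""
    return REDIRECT_RE.findall(script)


def analyse(blob: str) -> dict:
    """Full chain: unwrap -> unpack -> list where the cookie check sends the browser."""
    packed = unwrap_reverse_base64(blob)
    script = unpack_dean_edwards(packed)
    return {"packed": packed, "script": script, "targets": redirect_targets(script)}


if __name__ == "__main__":
    result = analyse(OBFUSCATED_SAMPLE)
    print(result["script"])
    for url in result["targets"]:
        print("redirects to:", url)
```

The unpacker only understands the stock p,a,c,k,e,d argument layout; if a real sample reshuffles the boilerplate so the regex misses, the safer route is to run the packed code in a sandboxed JavaScript engine with eval replaced by a function that captures its argument.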

Continuing my investigation… If the value is false, it sends the host to various domains, many of which are hosted at 141.8.224.93 and 178.77.81.92:

savethechildren[.]org
save-the-wild-animals[.]org
save-the-wild-animals[.]net
save-the-wild-animals[.]com
help-save-wildlife[.]com
help-save-wildlife[.]org
help-save-wildlife[.]net
save-wildlife[.]net
save-wildlife[.]org
save-wildlife[.]com
save-wildlife[.]de
survival-african-wild-dog[.]org
survival-african-wild-dog[.]com
african-childrens-haven[.]com
zeropalmoel[.]de
stop-herakles[.]org
save-european-wildlife[.]org

Trying to reach many of those domains returns this template:

Or they resolve to what appears to be the SAVE Wildlife Conservation Fund:

There is also evidence that this campaign was at one time sending people to unicef.org.
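A detection pass over proxy logs for the two host families above (the numbered spam sub-domains and the charity look-alike decoys), as an added Python example that is not code from this post. The log lines are constructed; the host and path regexes generalise the specific sub-domains and URIs listed earlier (three-digit prefix, hyphen, category word; six-letter directory, d/m plus digit, product slug), and the decoy set is only a subset of the domain list above, so tune both before relying on them.

```python
import re
from urllib.parse import urlsplit

# Host shape of the spam sub-domains listed in the post: a 100-999 numeric
# prefix, a hyphen, a category word, then a throwaway registered domain.
SPAM_HOST_RE = re.compile(r"^[1-9]\d{2}-[a-z]+\.[a-z0-9-]+\.[a-z]{2,}$")

# URI shape seen in the post: six lowercase letters, a d/m-plus-digit
# segment, then the product slug.
SPAM_PATH_RE = re.compile(r"^/[a-z]{6}/[dm]\d/pure-natural-forskolin/")

# Charity look-alike domains the post lists as the cookies-disabled
# destination (subset; extend from the full list above).
DECOY_DOMAINS = {
    "help-save-wildlife.org", "help-save-wildlife.com", "help-save-wildlife.net",
    "save-the-wild-animals.org", "save-wildlife.org", "save-wildlife.net",
}


def classify_url(url: str) -> list:
    """Return the reasons a URL matches the campaign (empty list means no match)."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    reasons = []
    if SPAM_HOST_RE.match(host):
        reasons.append("host-pattern")
    if SPAM_PATH_RE.match(parts.path):
        reasons.append("path-pattern")
    if host in DECOY_DOMAINS:
        reasons.append("decoy-domain")
    return reasons


# Constructed proxy log in "epoch client method url" form. The numbered hosts
# are the post's own indicators; the example.com/.net lines are benign filler.
SAMPLE_LOG = """\
1424102400.123 10.0.0.15 GET http://www.example.com/index.html
1424102401.456 10.0.0.15 GET http://884-health.zoxxv.com/uswcpg/d3/pure-natural-forskolin/
1424102402.789 10.0.0.22 GET http://438-diet.gjbgnr.com/uszlct/d3/pure-natural-forskolin/go.php
1424102403.001 10.0.0.22 GET http://716-beauty.bjskiu.com/
1424102404.222 10.0.0.31 GET http://help-save-wildlife.org/
1424102405.333 10.0.0.31 GET http://cdn.example.net/abcdef/d3/pure-natural-forskolin/
"""


def scan_log(text: str) -> list:
    """Return (client, host, reasons) for every log line that matches the campaign."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # blank or truncated line
        client, url = fields[1], fields[3]
        reasons = classify_url(url)
        if reasons:
            hits.append((client, urlsplit(url).hostname, reasons))
    return hits


if __name__ == "__main__":
    for client, host, reasons in scan_log(SAMPLE_LOG):
        print(f"{client} -> {host}: {', '.join(reasons)}")
```

The path regex catches the campaign even when it moves to a fresh domain, as it did between dutbbc[.]com and zoxxv[.]com; the host regex catches the spam pages even when the URI is just "/".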

To see what would happen, I took the URL from the true branch of the deobfuscated JS and pasted it into the browser:

No luck. I then tried it with the referer URL from my research (zoxxv[.]com) and got this spam page:

The spam page is fake: every link points to "go.php" (884-health.zoxxv[.]com/uswcpg/d3/pure-natural-forskolin/go[.]php). Running that URI through Hybrid Analysis shows it as "no specific threat".

There were, however, some malicious artifacts seen on the spam page in the context of contacted hosts:

This is unrelated to my investigation, but these sub-domains at googlecode[.]com are dropping a lot of bad stuff… Google Code is Google's official open-source site, meant for developers to host their programs' source code and related files. However, threat actors are using the Google Code repository to host Trojans, backdoors and password-stealing keyloggers.

Moving on… Clicking any of the links on the spam page redirects you to one of a couple of different domains hosting the product page. This time I landed on hxxps://mysecura-gateway[.]com/forskolin/:


Once you have given your name, address, and phone number, you click "Rush My Order" and are taken to the "Final Step" page, where you are instructed to select a package and then enter credit card information.

Hybrid Analysis didn't find any malicious files being dropped by either the spam page or the product pages. Instead, both pages advertise Forskolin, a chemical found in the roots of certain plants, as a means of weight loss.

Doing a quick Google search for "Forskolin scams" returns results for these spam pages. According to Barracuda Labs, users pay for the pills by credit card but never receive their product. I haven't tested this theory out for myself.

It would seem that this company is violating numerous anti-spam acts.

Hosting IP addresses (the domain list that followed each address block has not been reproduced here):

46.161.3.168

62.4.23.4
62.4.23.6

62.149.128.72
62.149.128.74
62.149.128.166
62.149.128.160
62.149.128.157
62.149.128.154
62.149.128.151
62.149.128.163

94.156.77.41
94.156.77.57

85.143.217.7
85.143.217.214

185.31.208.233
185.31.208.236

In total, there were 3,351 unique domains and sub-domains found to be resolving to the IP addresses listed above.
