Finding A ‘Good Man’

On January 20th, 2017, I discovered a Keitaro TDS at anyfucks[.]biz being used in infection chains for Sundown and RIG exploit kit. It was at this point that I began to track the TDS and its registrant.

Keitaro TDS login panel

Image of TDS login panel

My first infection that I found using anyfucks[.]biz also showed the domain in the infection chain. Anyfucks[.]biz was a Keitaro TDS and appeared to be acting as a gate to numerous exploit kits (Sundown and RIG). Unfortunately, I didn’t have access to packet data so I was unable to locate the initial referer (compromised website) for the infection chain. However, the domains anyfucks[.]biz and proved to be a valuable pivot point for my investigation.

Looking through the Whois information, I located my best pivot point, the registrant email address Pivoting from this point led me to 17 domains using Below is a list of those domains:

Domain Registered Expires
perfectgirlss[.]org 2/22/2017 2/22/2018
jokertube[.]org 1/20/2017 1/20/2018
datsonsdaughter[.]com 1/17/2017 1/17/2018
hurtmehard[.]net 12/2/2016 12/2/2017 11/12/2016 11/12/2017
anyfucks[.]biz 11/11/2016 11/11/2017 11/8/2016 11/8/2017 8/15/2016 8/15/2017 4/10/2016 4/10/2017 4/3/2016 4/3/2017
pornstarl33t[.]org 3/28/2016 3/28/2017 3/1/2016 3/1/2017 3/1/2016 3/1/2017
cpro[.]pw 7/1/2015 7/1/2017 5/31/2015 5/31/2016 7/29/2014 7/29/2015 6/23/2014 6/23/2015

Some domains in this list will immediately standout to you if you’re following EK researchers. For instance, the domain hurtmehard[.]net has recently been documented by numerous researchers like Brad at @malware_traffic. This domain is being used as a gate for various exploit kits. While researching this domain I even found instances of redirecting users to hurtmehard[.]net. This means there was likely malvertising that led users to this gate.

Additionally, my Twitter friend @nao_sec found multiple compromised websites on 03/09/17 that contained similar scripts pointing to another gate registered to “good man,” datsonsdaughter[.]com. These compromised websites were:

  • teacherprintables[.]net
  • myprioritydate[.]com
  • bearcat1[.]com

You can view the injected script by following this link and looking at the entries that say “N/A.”

Users visit these compromised sites and are redirected to a gate like hurtmehard[.]net. The gate would then redirect the host to an exploit kit, etc. For example, here is the script that I found on 03/03/17 when visiting hurtmehard[.]net:

hurtmehard iframe

And here is a script that I found on 03/07/17 when visiting the gate datsonsdaughter[.]com:

datsonsdaughter dot com original source

You can see that in this instance the second iframe was cutoff and didn’t contain and URL. This same thing can be seen in one of Brad’s most recent postings, which can be found here: .

I decided to call this campaign and gates “Good Man” since the compromised sites all have similar injected script, and because the gates that are being used are registered to “good man.”

History Behind The Domains:

The first domain that I could find using was This name used during registration was “jnnnnn man.” The namservers were and The registrant country was Malaysia. I can’t find any malicious history associated with this domain and it is no longer resolving. The name of the domain makes it look like it could have been used for phishing, possibly for PayPal users.

The next domain on the list is Again, this domain is no longer resolving and I can’t find any malicious history associated with it. Also, the registrant name was “jnnnnn man” and the registrant country was Malaysia. The nameservers used were and Keep the name “sixer” in mind as it will come up later on in my investigation.

The next domain is The Whois information for this domain is much different than the first two. For example, the registrant name was “Ali Hassan” and the reigstrant country was Pakistan. The nameservers being used were and

An important thing to point out is that I couldn’t find any malicious history associated with,, and However, that doesn’t mean they were on the up-and-up.

Moving on to cpro[.]pw. This domain is actually an underground carding forum. Carding is a cyber term meaning the trafficking of stolen credit cards, bank accounts and other personal information online. This was also the first domain to use the registrant name “good man.” Moreover, I found a post on the forum from a vendor called “sixer” who is soliciting other user for compromised cPanel’s:

image of vendor post

This user is also selling dumps of stolen credit card numbers. Why is this important? Well, for starters, the gates that are registered to “good man” are using cPanel’s:

Domain cPanel

Also, do you remember the domain called This could just be my conspiratorial mind but what if the user sixer and the domain are related? What if sixer is actually “jnnnnn man,” “Ali Hassan,” and “good man”?

tinfoil hats

Of course I can’t prove any of this but it seems like more than a coincidence. Doing some light Googling I was able to find only a couple references online from usernames matching “jnnnnn man” and “GoodMan DiLaltain,” however, there wasn’t anything conclusive. Moving on…

The nameservers being used by cpro[.]pw are,,, and The registrant country for cpro[.]pw is Pakistan.

The next domain on the list is, with .cc being the ccTLD for Cocos (Keeling) Islands, an Australian territory. The registrant name for this domain is “jnnnnn man,” the registrant country is Malaysia, and the nameservers are and (these were also the nameservers for is the next domain on the list. The registrant name was “good man” and the nameservers it used was,,, and Additionally, I captured malware traffic from this domain on January 20th, 2017, as it was being used a distribution site for Dreambot:


As you can see I went to which contained an iframe pointing to the Keitaro TDS at anyfucks[.]biz/1: contains iframe for and references to rarshare dot com

Along with the iframe pointing to anyfucks[.]biz/1 are a lot of references to It almost looks as if the page was mirrored from there (more on that in a bit).

The response from anyfucks[.]biz/1 was a “302 Moved Temporarily” to[].in/land_flash/index.html: 302 to Request-Response

This is what I found on that page:

index.html redirects to executable

The first thing that you see is that the page is mirrored from (sounds like a phishing site). Then, at the very bottom you see a location.href pointing to the relative path /download/FlashPlayer.exe. This prompts my host to download the file FlashPlayer.exe:

FlashPlayer.exe Anythingtds dot com

Notice that this page looks like a mirror of yet the URL is still

I accept the download:

malware payload

The malware was dropped in a newly created folder in %Temp%:


Post-infection traffic shows that it is likely Dreambot. Click the link below to get the IOCs and to read more about the infections from January, 2017:

The next domain is pornstarl33t[.]org. The registrant name is “good man,” the registrant country is Pakistan, and the nameservers are,,, and This domain stoodout to me as it was being used for multiple purposes. For example, examining the source code on 01/27/17 showed the following iframes:


Why is this significant? Well, is a well-known booter and IP stressor. A booter is “a service offered by cyber criminals that provides paying customers with distributed denial of service (DDoS) attack capabilities on demand.”

Fast forward to 03/09/17 and this domain is being blacklisted by ZueS Tracker:

ZeuS C&C:
Malware: VMZeuS
IP address:
Host status: online
Uptime: 59:01:50
SBL: Not listed
AS number: 44901
Country: - Bulgaria (BG)
Level: 4 (Unknown / not categorized)
Sponsoring registrar: Namesilo, LLC
Nameserver(s): | | |
Date added: 2017-03-09
Last checked: 2017-03-11
Last updated: never
BL status: This host is being published on the ZeuS Blocklist!

ZeuS ConfigURLs on this C&C:

Date added ZeuS ConfigURL Status V Builder Filesize MD5 hash HTTP Status File
2017-03-09 pornstarl33t[.]org/zz/config.jpg offline 2 n/a 101’065 5e3cdecf082535809d1aca6ba06d9b5d 501 - download

ZeuS DropURLs (Dropzones) on this C&C

Date added DropURL Status HTTP Status
2017-03-09 pornstarl33t[.]org/zz/gate.php offline 501

ZueS login panel at pornstarl33t[.]org:

panel for goodman campaign

Obviously this domain is being used from criminal activities. is the next domain on the list. The domain was registered by “good man,” the registrant country is Pakistan, and it used the following nameservers:,,,,,,, and I was unable to locate evidence of a malicious activities associated with this domain. is the next domain. It was registered by “by Ali Mana.” The registrant country is Pakistan and the nameservers were and I was unable to locate evidence of a malicious activities associated with this domain.

The next domain is, which was acting as a gate for exploit kits. I have documented numerous cases of this since January, 2017. One such case has been documented in great detail here:

Below is some history with It shows how hosts ended up at (parent), what sites hosts were redirected to after landing on (child), as well as sites that were seen communicating with it.

Hostname First Seen Last Seen Direction Cause 2/9/2017 2:34 2/9/2017 11:06 child redirect
anyfucks[.]biz 12/15/2016 17:35 2/9/2017 11:06 parent redirect 2/9/2017 2:34 2/9/2017 2:34 child unknown 2/9/2017 2:34 2/9/2017 2:34 child iframe.src 2/9/2017 1:47 2/9/2017 1:47 child unknown 2/9/2017 1:47 2/9/2017 1:47 child iframe.src 2/8/2017 20:52 2/8/2017 20:52 child unknown 2/8/2017 20:52 2/8/2017 20:52 child iframe.src 2/8/2017 6:48 2/8/2017 6:48 child unknown 2/8/2017 6:48 2/8/2017 6:48 child iframe.src 2/8/2017 3:41 2/8/2017 3:41 child unknown 2/8/2017 3:41 2/8/2017 3:41 child iframe.src 1/20/2017 0:36 1/20/2017 3:41 child img.src 1/20/2017 0:36 1/20/2017 3:41 child link.href 1/20/2017 0:36 1/20/2017 3:41 child unknown 1/20/2017 0:36 1/20/2017 3:41 child script.src 1/7/2017 10:54 1/7/2017 10:54 child unknown 1/7/2017 10:54 1/7/2017 10:54 child iframe.src 1/7/2017 3:35 1/7/2017 3:35 child unknown 1/7/2017 3:35 1/7/2017 3:35 child iframe.src 1/2/2017 6:37 1/2/2017 6:37 child iframe.src
anyfucks[.]biz 1/2/2017 6:37 1/2/2017 6:37 parent location.refresh
dadadeo[.]com 8/21/2016 10:17 8/21/2016 10:23 child location.refresh 8/21/2016 10:17 8/21/2016 10:23 parent iframe.src

Everything in red was a subdomain hosting the exploit kit landing pages. Everything in green shows a benign site that the host was redirected to. Everything in blue is a compromised website. The site dadadeo[.]com appears to be associated with IOCs from RIG exploit kit campaigns back in July of 16. Read about that here

Lastly, the registrant name for is “good man,” the registrant country is Pakistan, and the nameservers are,,, and is the next domain on the list. The domain was registered by “good man” and it used the following nameservers:,,, (just like The domain shows up in a article by for being associated with Flokibot. Read more about that here

The next domain that was using the registrant email was anyfucks[.]biz. Obviously, we know this is a malicious Keitaro TDS used in different malware campaigns. The registrant name is “good man,” the registrant country is Pakistan, and it’s using the same nameservers as the other domains.

Here is some history involving this TDS:

Hostname First Seen Last Seen Direction Cause
hurtmehard[.]net 2/19/2017 13:34 2/19/2017 13:34 child redirect
dinarmultikarya[.]id 12/3/2016 21:27 2/19/2017 13:34 parent iframe.src 12/15/2016 17:35 2/9/2017 11:06 child redirect
sunnysideconcierge[.]com 12/9/2016 22:24 2/9/2017 11:06 parent unknown
cpro[.]pw 11/28/2016 6:58 2/7/2017 9:53 child redirect
horsepowersalesflorida[.]com 2/4/2017 22:32 2/4/2017 22:32 parent iframe.src
iqgreat[.]com 1/2/2017 6:37 2/1/2017 8:10 parent iframe.src
error in token or ident 1/23/2017 22:12 1/25/2017 0:23 child redirect 1/21/2017 23:47 1/22/2017 0:36 child redirect 1/21/2017 7:31 1/21/2017 7:31 child redirect 1/15/2017 13:26 1/21/2017 5:19 child redirect
rugbyusss[.]com 1/19/2017 7:22 1/19/2017 7:22 parent iframe.src 1/18/2017 15:43 1/18/2017 15:43 child redirect
your subscription has expired please contact support 12/29/2016 20:20 1/18/2017 8:53 child redirect
horsepowersalesflorida[.]com 1/13/2017 13:35 1/13/2017 13:35 parent iframe.src 1/9/2017 8:38 1/10/2017 19:24 child location.refresh 1/9/2017 17:28 1/9/2017 17:28 child redirect
out of date 1/7/2017 22:21 1/9/2017 15:26 child redirect 1/7/2017 22:21 1/9/2017 8:40 parent iframe.src 1/6/2017 11:43 1/6/2017 11:43 child redirect
cercaroma[.]net 1/6/2017 7:07 1/6/2017 7:07 parent iframe.src 1/4/2017 11:18 1/5/2017 16:31 child redirect 1/3/2017 20:49 1/3/2017 20:49 child redirect 1/2/2017 6:37 1/2/2017 6:37 child location.refresh 1/1/2017 2:41 1/1/2017 15:38 child location.refresh
palmistry-astrology[.]com 12/30/2016 7:22 12/30/2016 7:22 parent iframe.src 12/29/2016 2:50 12/29/2016 2:50 child redirect 12/29/2016 1:33 12/29/2016 1:33 child redirect 12/28/2016 21:04 12/28/2016 21:04 child redirect 12/28/2016 10:23 12/28/2016 10:23 child redirect 12/28/2016 4:29 12/28/2016 4:29 child redirect 12/27/2016 23:41 12/27/2016 23:41 child redirect 12/27/2016 10:31 12/27/2016 10:31 child redirect
dessign[.]net 12/25/2016 23:31 12/27/2016 10:31 parent iframe.src 12/27/2016 9:48 12/27/2016 9:48 child redirect 12/27/2016 6:17 12/27/2016 6:17 child redirect 12/12/2016 13:03 12/12/2016 13:03 child redirect 12/12/2016 12:32 12/12/2016 12:32 child redirect
rolandmartinreports[.]com 12/3/2016 14:27 12/12/2016 12:32 parent iframe.src 12/12/2016 11:05 12/12/2016 11:05 child redirect 12/12/2016 10:20 12/12/2016 10:20 child redirect 12/12/2016 7:55 12/12/2016 7:55 child redirect
jndglobalsecurity[.]com 12/8/2016 7:55 12/12/2016 7:55 parent iframe.src 12/12/2016 4:33 12/12/2016 4:33 child redirect 12/10/2016 13:02 12/10/2016 13:02 child redirect 12/10/2016 13:01 12/10/2016 13:01 child redirect 12/10/2016 13:00 12/10/2016 13:00 child redirect 12/10/2016 10:55 12/10/2016 10:55 child redirect 12/10/2016 6:51 12/10/2016 6:51 child redirect 12/10/2016 6:50 12/10/2016 6:51 child redirect 12/10/2016 6:49 12/10/2016 6:49 child redirect 12/10/2016 6:48 12/10/2016 6:49 child redirect 12/10/2016 6:05 12/10/2016 6:05 child redirect 12/10/2016 5:37 12/10/2016 5:37 child redirect 12/10/2016 1:19 12/10/2016 1:19 child redirect 12/7/2016 17:18 12/7/2016 17:18 child redirect 12/7/2016 9:32 12/7/2016 9:32 child redirect
zoboutique[.]com 12/6/2016 3:35 12/7/2016 9:31 parent iframe.src 12/6/2016 10:30 12/6/2016 10:30 child redirect 12/6/2016 7:04 12/6/2016 7:04 child redirect 12/6/2016 7:02 12/6/2016 7:03 child redirect 12/6/2016 3:52 12/6/2016 3:52 child redirect 12/6/2016 3:35 12/6/2016 3:35 child redirect 12/5/2016 12:59 12/5/2016 12:59 child redirect 12/4/2016 9:37 12/4/2016 9:37 child redirect 12/3/2016 21:27 12/3/2016 21:27 child redirect 12/3/2016 19:05 12/3/2016 19:07 child redirect 12/3/2016 19:03 12/3/2016 19:03 child redirect

Everything in pink is associated with “good man” and Everything in red is a subdomain or domain used by RIG or Sundown exploit kits. One of those domains,, was actually involved in a infection chain that dropped Spora ransomware. Read about that here

Also, dinarmultikarya[.]id is a compromised website (and it’s currently defaced) that is redirecting to the Keitaro TDS. It resulted in an infection of Dreambot. Read about that here

You can also see that there were times when “good man” forgot to pay their subscription to the TDS vendor. Everything in blue was compromised and redirected the hosts to the malicious TDS.

The next domain on the list is The registrant for this domain was “good man” and it was using the same nameservers that I’ve discussed before. This domain, like, has a malicious history that is associated with a bot network. For example, VirusTotal is showing the following submitted URLs:

5/68 – 2016-12-06 15:57:33: hxxp://[.]in/folder/bot.exe
7/69 – 2016-11-18 10:08:40: hxxp://[.]in/folder/gate.php
2/68 – 2016-11-15 04:05:34: hxxp://[.]in/folder/config.jpg

This shows the detection ratio, the date submitted to VT, and the URL that was analyzed. Clearly this domain has a history of doing bad stuff.

The next domain on the list is one we are already familiar with, hurtmehard[.]net. This is an active gate being used by exploit kits. Here is some history associated with this domain:

Hostname First Seen Last Seen Direction Cause 3/5/2017 4:53 3/5/2017 6:22 child iframe.src 3/4/2017 20:03 3/4/2017 20:03 child iframe.src 3/4/2017 7:41 3/4/2017 7:41 child iframe.src 3/4/2017 5:13 3/4/2017 5:14 child iframe.src 2/28/2017 20:36 2/28/2017 20:38 child iframe.src 2/10/2017 18:21 2/28/2017 20:38 parent location.refresh 2/28/2017 5:18 2/28/2017 5:18 child iframe.src 2/28/2017 5:18 2/28/2017 5:18 parent redirect
anyfucks[.]biz 2/19/2017 13:34 2/19/2017 13:34 parent redirect

You can see the exploit kit subdomains in red and the TDS in purple. The ones left black are possible malvertising incidents. There are a ton of different infection chains right now involving hurtmehard[.]net and they are well documented by EK researchers. This domain is registered to “good man” and is using the same nameservers.

The next domain is datsonsdaughter[.]com. Similar to hurtmehard[.]net, this site is acting as a gate for exploit kits. I won’t go into much more detail about it because it has already been covered. The Whois information is the same as others, with “good man” being the registrant name.

The last website that was registered to “good man” was perfectgirlss[.]org. This domain is still active and could be the next gate used by this campaign. The Whois information is the same as the others.

I hope this information was helpful. I apologize if I made any mistakes and if I did please let me know via Twitter! Thank you for your ongoing support and I will see you next time!

  1. […] by other security researchers, such as @dynamicanalysis who covers TDS referral traffic used by GoodMan and some malvertising leading to RIG […]



  2. Que es esto?



Leave a Comment

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: