On January 20th, 2017, I discovered a Keitaro TDS at anyfucks[.]biz being used in infection chains for Sundown and RIG exploit kit. It was at this point that I began to track the TDS and its registrant.
My first infection that I found using anyfucks[.]biz also showed the domain anythingtds.com in the infection chain. Anyfucks[.]biz was a Keitaro TDS and anythingtds.com appeared to be acting as a gate to numerous exploit kits (Sundown and RIG). Unfortunately, I didn’t have access to packet data so I was unable to locate the initial referer (compromised website) for the infection chain. However, the domains anyfucks[.]biz and anythingtds.com proved to be a valuable pivot point for my investigation.
Looking through the Whois information, I located my best pivot point, the registrant email address firstname.lastname@example.org. Pivoting from this point led me to 17 domains using email@example.com. Below is a list of those domains:
Some domains in this list will immediately standout to you if you’re following EK researchers. For instance, the domain hurtmehard[.]net has recently been documented by numerous researchers like Brad at @malware_traffic. This domain is being used as a gate for various exploit kits. While researching this domain I even found instances of onclkds.com redirecting users to hurtmehard[.]net. This means there was likely malvertising that led users to this gate.
Additionally, my Twitter friend @nao_sec found multiple compromised websites on 03/09/17 that contained similar scripts pointing to another gate registered to “good man,” datsonsdaughter[.]com. These compromised websites were:
You can view the injected script by following this link https://gist.github.com/anonymous/a2a4a5deb8fa50c0687f44b84a3d2ec0 and looking at the entries that say “N/A.”
Users visit these compromised sites and are redirected to a gate like hurtmehard[.]net. The gate would then redirect the host to an exploit kit, etc. For example, here is the script that I found on 03/03/17 when visiting hurtmehard[.]net:
And here is a script that I found on 03/07/17 when visiting the gate datsonsdaughter[.]com:
You can see that in this instance the second iframe was cutoff and didn’t contain and URL. This same thing can be seen in one of Brad’s most recent postings, which can be found here: http://www.malware-traffic-analysis.net/2017/03/09/index.html .
I decided to call this campaign and gates “Good Man” since the compromised sites all have similar injected script, and because the gates that are being used are registered to “good man.”
History Behind The Domains:
The first domain that I could find using firstname.lastname@example.org was verifiedppservice.net. This name used during registration was “jnnnnn man.” The namservers were ns1.carbon2u.com and ns1.carbon2u.com. The registrant country was Malaysia. I can’t find any malicious history associated with this domain and it is no longer resolving. The name of the domain makes it look like it could have been used for phishing, possibly for PayPal users.
The next domain on the list is sixer.info. Again, this domain is no longer resolving and I can’t find any malicious history associated with it. Also, the registrant name was “jnnnnn man” and the registrant country was Malaysia. The nameservers used were ns1.zolaris.net and ns2.zolaris.net. Keep the name “sixer” in mind as it will come up later on in my investigation.
The next domain is develporinline.info. The Whois information for this domain is much different than the first two. For example, the registrant name was “Ali Hassan” and the reigstrant country was Pakistan. The nameservers being used were ns07.domaincontrol.com and ns08.domaincontrol.com.
An important thing to point out is that I couldn’t find any malicious history associated with verifiedppservice.net, sixer.info, and develporinline.info. However, that doesn’t mean they were on the up-and-up.
Moving on to cpro[.]pw. This domain is actually an underground carding forum. Carding is a cyber term meaning the trafficking of stolen credit cards, bank accounts and other personal information online. This was also the first domain to use the registrant name “good man.” Moreover, I found a post on the forum from a vendor called “sixer” who is soliciting other user for compromised cPanel’s:
This user is also selling dumps of stolen credit card numbers. Why is this important? Well, for starters, the gates that are registered to “good man” are using cPanel’s:
Also, do you remember the domain called sixer.info? This could just be my conspiratorial mind but what if the user sixer and the domain sixer.info are related? What if sixer is actually “jnnnnn man,” “Ali Hassan,” and “good man”?
Of course I can’t prove any of this but it seems like more than a coincidence. Doing some light Googling I was able to find only a couple references online from usernames matching “jnnnnn man” and “GoodMan DiLaltain,” however, there wasn’t anything conclusive. Moving on…
The nameservers being used by cpro[.]pw are ns1.qhoster.net, ns2.qhoster.net, ns3.qhoster.net, and ns4.qhoster.net. The registrant country for cpro[.]pw is Pakistan.
The next domain on the list is goodmandilaltain.cc, with .cc being the ccTLD for Cocos (Keeling) Islands, an Australian territory. The registrant name for this domain is “jnnnnn man,” the registrant country is Malaysia, and the nameservers are ns1.carbon2u.com and ns2.carbon2u.com (these were also the nameservers for verifiedppservice.net).
Badboys.net.in is the next domain on the list. The registrant name was “good man” and the nameservers it used was ns1.qhoster.net, ns2.qhoster.net, ns3.qhoster.net, and ns4.qhoster.net. Additionally, I captured malware traffic from this domain on January 20th, 2017, as it was being used a distribution site for Dreambot:
As you can see I went to anythingtds.com which contained an iframe pointing to the Keitaro TDS at anyfucks[.]biz/1:
Along with the iframe pointing to anyfucks[.]biz/1 are a lot of references to rarshare.com. It almost looks as if the page was mirrored from there (more on that in a bit).
The response from anyfucks[.]biz/1 was a “302 Moved Temporarily” to badboys.net.in/land_flash/index.html:
This is what I found on that page:
The first thing that you see is that the page is mirrored from update-flash-player.com (sounds like a phishing site). Then, at the very bottom you see a location.href pointing to the relative path /download/FlashPlayer.exe. This prompts my host to download the file FlashPlayer.exe:
I accept the download:
The malware was dropped in a newly created folder in %Temp%:
Post-infection traffic shows that it is likely Dreambot. Click the link below to get the IOCs and to read more about the infections from January, 2017:
The next domain is pornstarl33t[.]org. The registrant name is “good man,” the registrant country is Pakistan, and the nameservers are ns1.qhoster.net, ns2.qhoster.net, ns3.qhoster.net, and ns4.qhoster.net. This domain stoodout to me as it was being used for multiple purposes. For example, examining the source code on 01/27/17 showed the following iframes:
Why is this significant? Well, instabooter.com is a well-known booter and IP stressor. A booter is “a service offered by cyber criminals that provides paying customers with distributed denial of service (DDoS) attack capabilities on demand.”
Fast forward to 03/09/17 and this domain is being blacklisted by ZueS Tracker:
|AS name:||BELCLOUD , BG|
|Level:||4 (Unknown / not categorized)|
|Sponsoring registrar:||Namesilo, LLC|
|Nameserver(s):||ns1.qhoster.net | ns2.qhoster.net | ns3.qhoster.net | ns4.qhoster.net|
|BL status:||This host is being published on the ZeuS Blocklist!|
ZeuS ConfigURLs on this C&C:
|Date added||ZeuS ConfigURL||Status||V||Builder||Filesize||MD5 hash||HTTP Status||File|
ZeuS DropURLs (Dropzones) on this C&C
|Date added||DropURL||Status||HTTP Status|
ZueS login panel at pornstarl33t[.]org:
Obviously this domain is being used from criminal activities.
Poranoxxx.com is the next domain on the list. The domain was registered by “good man,” the registrant country is Pakistan, and it used the following nameservers: dns1.securefastserver.com, dns2.securefastserver.com, dns3.securefastserver.com, dns4.securefastserver.com, ns1.qhoster.net, ns2.qhoster.net, ns3.qhoster.net, and ns4.qhoster.net. I was unable to locate evidence of a malicious activities associated with this domain.
Wetpusy.org is the next domain. It was registered by “by Ali Mana.” The registrant country is Pakistan and the nameservers were ns1.qhost.org and ns2.qhost.org. I was unable to locate evidence of a malicious activities associated with this domain.
The next domain is anythingtds.com, which was acting as a gate for exploit kits. I have documented numerous cases of this since January, 2017. One such case has been documented in great detail here:
Below is some history with anythingtds.com. It shows how hosts ended up at anythingtds.com (parent), what sites hosts were redirected to after landing on anythingtds.com (child), as well as sites that were seen communicating with it.
|Hostname||First Seen||Last Seen||Direction||Cause|
|google.com||2/9/2017 2:34||2/9/2017 11:06||child||redirect|
|anyfucks[.]biz||12/15/2016 17:35||2/9/2017 11:06||parent||redirect|
|vdv.southpadremarketing.com||2/9/2017 2:34||2/9/2017 2:34||child||unknown|
|vdv.southpadremarketing.com||2/9/2017 2:34||2/9/2017 2:34||child||iframe.src|
|bev.southpadrejetskis.com||2/9/2017 1:47||2/9/2017 1:47||child||unknown|
|bev.southpadrejetskis.com||2/9/2017 1:47||2/9/2017 1:47||child||iframe.src|
|retro.southpadreislandnorth.com||2/8/2017 20:52||2/8/2017 20:52||child||unknown|
|retro.southpadreislandnorth.com||2/8/2017 20:52||2/8/2017 20:52||child||iframe.src|
|more.walkforwomen.com||2/8/2017 6:48||2/8/2017 6:48||child||unknown|
|more.walkforwomen.com||2/8/2017 6:48||2/8/2017 6:48||child||iframe.src|
|self.super8spi.com||2/8/2017 3:41||2/8/2017 3:41||child||unknown|
|self.super8spi.com||2/8/2017 3:41||2/8/2017 3:41||child||iframe.src|
|rarshare.com||1/20/2017 0:36||1/20/2017 3:41||child||img.src|
|rarshare.com||1/20/2017 0:36||1/20/2017 3:41||child||link.href|
|bing.com||1/20/2017 0:36||1/20/2017 3:41||child||unknown|
|rarshare.com||1/20/2017 0:36||1/20/2017 3:41||child||script.src|
|new.collectionhomesgroup.com||1/7/2017 10:54||1/7/2017 10:54||child||unknown|
|new.collectionhomesgroup.com||1/7/2017 10:54||1/7/2017 10:54||child||iframe.src|
|art.viralauthors.com||1/7/2017 3:35||1/7/2017 3:35||child||unknown|
|art.viralauthors.com||1/7/2017 3:35||1/7/2017 3:35||child||iframe.src|
|wer.tufirearms.com||1/2/2017 6:37||1/2/2017 6:37||child||iframe.src|
|anyfucks[.]biz||1/2/2017 6:37||1/2/2017 6:37||parent||location.refresh|
|dadadeo[.]com||8/21/2016 10:17||8/21/2016 10:23||child||location.refresh|
|vetschooldiary.com||8/21/2016 10:17||8/21/2016 10:23||parent||iframe.src|
Everything in red was a subdomain hosting the exploit kit landing pages. Everything in green shows a benign site that the host was redirected to. Everything in blue is a compromised website. The site dadadeo[.]com appears to be associated with IOCs from RIG exploit kit campaigns back in July of 16. Read about that here https://blog.malwarebytes.com/threat-analysis/exploits-threat-analysis/2016/07/a-look-into-some-rig-exploit-kit-campaigns/.
Lastly, the registrant name for anythingtds.com is “good man,” the registrant country is Pakistan, and the nameservers are ns1.qhoster.net, ns2.qhoster.net, ns3.qhoster.net, and ns4.qhoster.net.
Kachapaka.net.in is the next domain on the list. The domain was registered by “good man” and it used the following nameservers: dns1.securefastserver.com, dns2.securefastserver.com, dns3.securefastserver.com, dns4.securefastserver.com (just like Poranoxxx.com). The domain shows up in a article by arbornetworks.com for being associated with Flokibot. Read more about that here https://www.arbornetworks.com/blog/asert/flokibot-invades-pos-trouble-brazil/.
The next domain that was using the registrant email email@example.com was anyfucks[.]biz. Obviously, we know this is a malicious Keitaro TDS used in different malware campaigns. The registrant name is “good man,” the registrant country is Pakistan, and it’s using the same qhoster.net nameservers as the other domains.
Here is some history involving this TDS:
|Hostname||First Seen||Last Seen||Direction||Cause|
|hurtmehard[.]net||2/19/2017 13:34||2/19/2017 13:34||child||redirect|
|dinarmultikarya[.]id||12/3/2016 21:27||2/19/2017 13:34||parent||iframe.src|
|anythingtds.com||12/15/2016 17:35||2/9/2017 11:06||child||redirect|
|sunnysideconcierge[.]com||12/9/2016 22:24||2/9/2017 11:06||parent||unknown|
|cpro[.]pw||11/28/2016 6:58||2/7/2017 9:53||child||redirect|
|horsepowersalesflorida[.]com||2/4/2017 22:32||2/4/2017 22:32||parent||iframe.src|
|iqgreat[.]com||1/2/2017 6:37||2/1/2017 8:10||parent||iframe.src|
|error in token or ident||1/23/2017 22:12||1/25/2017 0:23||child||redirect|
|fredomasearchdsd.top||1/21/2017 23:47||1/22/2017 0:36||child||redirect|
|psg.jai.mobi||1/21/2017 7:31||1/21/2017 7:31||child||redirect|
|badboys.net.in||1/15/2017 13:26||1/21/2017 5:19||child||redirect|
|rugbyusss[.]com||1/19/2017 7:22||1/19/2017 7:22||parent||iframe.src|
|rarshare.com||1/18/2017 15:43||1/18/2017 15:43||child||redirect|
|your subscription has expired please contact support||12/29/2016 20:20||1/18/2017 8:53||child||redirect|
|horsepowersalesflorida[.]com||1/13/2017 13:35||1/13/2017 13:35||parent||iframe.src|
|we.karenmelbourne.com||1/9/2017 8:38||1/10/2017 19:24||child||location.refresh|
|see.colocation.news||1/9/2017 17:28||1/9/2017 17:28||child||redirect|
|out of date||1/7/2017 22:21||1/9/2017 15:26||child||redirect|
|rarshare.com||1/7/2017 22:21||1/9/2017 8:40||parent||iframe.src|
|eya.3074.mobi||1/6/2017 11:43||1/6/2017 11:43||child||redirect|
|cercaroma[.]net||1/6/2017 7:07||1/6/2017 7:07||parent||iframe.src|
|portlandmidwife.com||1/4/2017 11:18||1/5/2017 16:31||child||redirect|
|cwo.2504.mobi||1/3/2017 20:49||1/3/2017 20:49||child||redirect|
|anythingtds.com||1/2/2017 6:37||1/2/2017 6:37||child||location.refresh|
|18.104.22.168||1/1/2017 2:41||1/1/2017 15:38||child||location.refresh|
|palmistry-astrology[.]com||12/30/2016 7:22||12/30/2016 7:22||parent||iframe.src|
|ho.0474.mobi||12/29/2016 2:50||12/29/2016 2:50||child||redirect|
|fhe.0498.mobi||12/29/2016 1:33||12/29/2016 1:33||child||redirect|
|ebc.0648.mobi||12/28/2016 21:04||12/28/2016 21:04||child||redirect|
|kvd.0346.mobi||12/28/2016 10:23||12/28/2016 10:23||child||redirect|
|zi.0487.mobi||12/28/2016 4:29||12/28/2016 4:29||child||redirect|
|cfm.0384.mobi||12/27/2016 23:41||12/27/2016 23:41||child||redirect|
|try.tanews.net||12/27/2016 10:31||12/27/2016 10:31||child||redirect|
|dessign[.]net||12/25/2016 23:31||12/27/2016 10:31||parent||iframe.src|
|top.talink.co||12/27/2016 9:48||12/27/2016 9:48||child||redirect|
|sun.icta.io||12/27/2016 6:17||12/27/2016 6:17||child||redirect|
|kcd.g47.biz||12/12/2016 13:03||12/12/2016 13:03||child||redirect|
|mv.g42.biz||12/12/2016 12:32||12/12/2016 12:32||child||redirect|
|rolandmartinreports[.]com||12/3/2016 14:27||12/12/2016 12:32||parent||iframe.src|
|ae.g14.biz||12/12/2016 11:05||12/12/2016 11:05||child||redirect|
|pu.g45.biz||12/12/2016 10:20||12/12/2016 10:20||child||redirect|
|go.g14.biz||12/12/2016 7:55||12/12/2016 7:55||child||redirect|
|jndglobalsecurity[.]com||12/8/2016 7:55||12/12/2016 7:55||parent||iframe.src|
|db.g30.biz||12/12/2016 4:33||12/12/2016 4:33||child||redirect|
|cs.f34.biz||12/10/2016 13:02||12/10/2016 13:02||child||redirect|
|biw.f34.biz||12/10/2016 13:01||12/10/2016 13:01||child||redirect|
|hi.f34.biz||12/10/2016 13:00||12/10/2016 13:00||child||redirect|
|don.16a.biz||12/10/2016 10:55||12/10/2016 10:55||child||redirect|
|fn.e43.biz||12/10/2016 6:51||12/10/2016 6:51||child||redirect|
|dc.e43.biz||12/10/2016 6:50||12/10/2016 6:51||child||redirect|
|ekp.e43.biz||12/10/2016 6:49||12/10/2016 6:49||child||redirect|
|ahm.e43.biz||12/10/2016 6:48||12/10/2016 6:49||child||redirect|
|eys.e44.biz||12/10/2016 6:05||12/10/2016 6:05||child||redirect|
|gz.e43.biz||12/10/2016 5:37||12/10/2016 5:37||child||redirect|
|ao.e42.biz||12/10/2016 1:19||12/10/2016 1:19||child||redirect|
|esm.09r.biz||12/7/2016 17:18||12/7/2016 17:18||child||redirect|
|afm.p54.biz||12/7/2016 9:32||12/7/2016 9:32||child||redirect|
|zoboutique[.]com||12/6/2016 3:35||12/7/2016 9:31||parent||iframe.src|
|hk.06q.biz||12/6/2016 10:30||12/6/2016 10:30||child||redirect|
|kc.06k.biz||12/6/2016 7:04||12/6/2016 7:04||child||redirect|
|aup.06r.biz||12/6/2016 7:02||12/6/2016 7:03||child||redirect|
|bo.05a.biz||12/6/2016 3:52||12/6/2016 3:52||child||redirect|
|on.07a.biz||12/6/2016 3:35||12/6/2016 3:35||child||redirect|
|cga.06c.biz||12/5/2016 12:59||12/5/2016 12:59||child||redirect|
|dh.san-mateo.info||12/4/2016 9:37||12/4/2016 9:37||child||redirect|
|fay.san-bernardino.info||12/3/2016 21:27||12/3/2016 21:27||child||redirect|
|ay.o17.biz||12/3/2016 19:05||12/3/2016 19:07||child||redirect|
|evb.o17.biz||12/3/2016 19:03||12/3/2016 19:03||child||redirect|
Everything in pink is associated with “good man” and firstname.lastname@example.org. Everything in red is a subdomain or domain used by RIG or Sundown exploit kits. One of those domains, fredomasearchdsd.top, was actually involved in a infection chain that dropped Spora ransomware. Read about that here https://malwarebreakdown.com/2017/01/21/iframe-points-to-rig-v-ek-at-93-158-215-169-ek-drops-spora-ransomware/.
Also, dinarmultikarya[.]id is a compromised website (and it’s currently defaced) that is redirecting to the Keitaro TDS. It resulted in an infection of Dreambot. Read about that here https://malwarebreakdown.com/2017/03/06/tds-redirecting-users-to-rig-exploit-kit-and-other-stuff/.
You can also see that there were times when “good man” forgot to pay their subscription to the TDS vendor. Everything in blue was compromised and redirected the hosts to the malicious TDS.
The next domain on the list is lifuntersnum1.net.in. The registrant for this domain was “good man” and it was using the same qhoster.net nameservers that I’ve discussed before. This domain, like kachapaka.net.in, has a malicious history that is associated with a bot network. For example, VirusTotal is showing the following submitted URLs:
|5/68 – 2016-12-06 15:57:33: hxxp://lifuntersnum1.net[.]in/folder/bot.exe|
|7/69 – 2016-11-18 10:08:40: hxxp://lifuntersnum1.net[.]in/folder/gate.php|
|2/68 – 2016-11-15 04:05:34: hxxp://lifuntersnum1.net[.]in/folder/config.jpg|
This shows the detection ratio, the date submitted to VT, and the URL that was analyzed. Clearly this domain has a history of doing bad stuff.
The next domain on the list is one we are already familiar with, hurtmehard[.]net. This is an active gate being used by exploit kits. Here is some history associated with this domain:
|Hostname||First Seen||Last Seen||Direction||Cause|
|add.kidsonthestreet.com||3/5/2017 4:53||3/5/2017 6:22||child||iframe.src|
|1fds.eastcoastpallets.com||3/4/2017 20:03||3/4/2017 20:03||child||iframe.src|
|1qwe.yanaimark.com||3/4/2017 7:41||3/4/2017 7:41||child||iframe.src|
|1qwe.yanaimark.com||3/4/2017 5:13||3/4/2017 5:14||child||iframe.src|
|qwe.youniquebyvera77.com||2/28/2017 20:36||2/28/2017 20:38||child||iframe.src|
|onclkds.com||2/10/2017 18:21||2/28/2017 20:38||parent||location.refresh|
|2ewq.lmbtechservices.us||2/28/2017 5:18||2/28/2017 5:18||child||iframe.src|
|go.deliverymodo.com||2/28/2017 5:18||2/28/2017 5:18||parent||redirect|
|anyfucks[.]biz||2/19/2017 13:34||2/19/2017 13:34||parent||redirect|
You can see the exploit kit subdomains in red and the TDS in purple. The ones left black are possible malvertising incidents. There are a ton of different infection chains right now involving hurtmehard[.]net and they are well documented by EK researchers. This domain is registered to “good man” and is using the same qhoster.net nameservers.
The next domain is datsonsdaughter[.]com. Similar to hurtmehard[.]net, this site is acting as a gate for exploit kits. I won’t go into much more detail about it because it has already been covered. The Whois information is the same as others, with “good man” being the registrant name.
The last website that was registered to “good man” was perfectgirlss[.]org. This domain is still active and could be the next gate used by this campaign. The Whois information is the same as the others.
I hope this information was helpful. I apologize if I made any mistakes and if I did please let me know via Twitter! Thank you for your ongoing support and I will see you next time!
[…] by other security researchers, such as @dynamicanalysis who covers TDS referral traffic used by GoodMan and some malvertising leading to RIG […]
Que es esto?