Read Finding a Good Man (Part 1):
https://malwarebreakdown.com/2017/03/10/finding-a-good-man/
Read the last update on Good Man:
https://malwarebreakdown.com/2017/04/26/update-on-goodman/
It has been over 5 months since I found and started tracking the actor(s) behind what I dubbed the “Good Man” campaign. I called it the Good Man campaign because the registrant email used for many of the malicious domains was goodmandilaltain@gmail.com. Furthermore, one of the registrant names used during this operation was “good man”.
Goodmandilaltain, possibly written as “good man di laltain” (I’m really not sure), was a fable (mainly from North-West India or East Pakistan) during British rule, known as the “good man’s lantern”. The fable was about a blind man who carried a lantern (“laltain” or “laaltain” in Hindi) as he walked through the forest. “People looked at him bemused as he’d walk by every night, realizing he couldn’t benefit from the light he was carrying. When approached and asked why, the blind man responded: ‘The lantern is for others to see in darkness. It is for those who otherwise, would be lost”.
The first domain ever to be registered to goodmandilaltain@gmail.com was verifiedppservice.net. This domain was registered back on January 28th, 2014, and it is no longer active. I am not sure what it was used for, but “verifiedppservice.net” almost sounds like some sort of PayPal phishing site. The registrant name of that domain was “jnnnnn man”, not “good man”. I couldn’t locate any cached images for verifiedppservice.net.
The second domain registered to goodmandilaltain@gmail.com was sixer.info. It was registered on January 30th, 2014, two days after they registered verifiedppservice.net. It too was registered under the name “jnnnnn man”. Archived pages from sixer.info were inconclusive.
The third domain registered to goodmandilaltain@gmail.com was develporinline.info (registered on February 3rd, 2016). It was during this domain registration that one of the actors behind the Good Man campaign used their real information (OPSEC fail). Here is the public Whois information for develporinline.info:
| Attribute | Value |
| Registrar | GoDaddy.com, LLC (R171-LRMS) |
| goodmandilaltain@gmail.com | |
| Name | Ali Hassan |
| Street | Okara|07714435691 |
| City | Okara |
| State | Punjab |
| Postal | 54000 |
| Country | Pakistan |
| Phone | 927714435691 |
| NameServers | NS07.DOMAINCONTROL.COM |
| NS08.DOMAINCONTROL.COM |
We can see from the public Whois information that a “Ali Hassan” from Pakistan is the registrant. We also have a phone number from Pakistan; 92 + 7714435691. Develporinline.info was the only domain found to be using that phone number. I couldn’t find any archived pages for this domain either.
The fourth domain registered to goodmandilaltain@gmail.com was an illegal carding forum called cpro.pw (no longer resolving). Below is the Whois information for cpro.pw:
| Attribute | Value |
| WHOIS Server | whois.PublicDomainRegistry.com |
| Registrar | PDR Ltd. d/b/a PublicDomainRegistry.com |
| goodmandilaltain@gmail.com | |
| Name | good man |
| Organization | non |
| Street | 343 Sharwood Drive,,Naples,FL |
| City | Naples |
| State | FL |
| Postal | 34110 |
| Country | PAKISTAN |
| Phone | 92923467486896 |
| NameServers | ns4.qhoster.net |
| ns3.qhoster.net | |
| ns2.qhoster.net | |
| ns1.qhoster.net |
We can see from this Whois information that the name being used is “good man” and the email is goodmandilaltain@gmail.com. The phone number used for this registration was 92 + 923467486896.
Looking at archived images for this site shows that there was a moderator called “sixer”:
Image taken from cpro.pw on October 24th, 2016, showing Sixer and RajuRockett selling dumps of stolen data, including credit card information.
Below is an image of Sixer actively looking to buy “shells cpanel’s with high traffic”.
This isn’t just a coincidence. The user Sixer (on cpro.pw) is more than likely the owner of goodmandilaltain@gmail.com and the registrant behind the Good Man domains, including the aptly named sixer.info. It could be Ali Hassan or it could be one of his partners.
Also, the author of Terror EK (AKA Neptune EK and Blaze EK) has informed me that sixer@exploit.im might have been the person who purchased his EK:
Terror EK was then rebranded by the new owner as Eris EK.
Checking Facebook for any accounts tied to goodmandilaltain@gmail.com returns an account called “Sixer SA”:
This establishes a clear link between Sixer on cpro.pw, the domain sixer.info and the email address goodmandilaltain@gmail.com.
Something else to consider… Sixer is the name of a popular cricket team in Sydney Australia. Maybe “Sixer SA” stands for Sixer Sydney Australia? I do know that cricket is a very popular sport in Pakistan and India. Also, I have reason to believe that one of his friends on Facebook is from Pakistan and is currently going to college in Australia.
Additionally, one of the Good Man domains is called goodmandilaltain.cc (registered on 10/10/16). For those of you that don’t know, .CC is the TLD for Cocos (Keeling) Islands, an Australian territory.
Further examination of Sixer SA’s Facebook profile shows that they are Pakistani and friends with a “Ali Hassan Maneka” (Remember that “Ali Hassan” is the name used to register some of the Good Man domains):
Sixer SA’s Facebook profile from May 1st, 2017.
Sixer SA only had one photo on their Facebook account. That photo is of a family member with the last name “Maneka”.
Ali Hassan Maneka’s Facebook profile from May 1st, 2017. He lives in Lahore, Pakistan, and went to DPS College Okara
Ali briefly deactivated his Facebook account during the weeks when all the Good Man domains were taken offline. He has since reactivated his Facebook account, which you can find HERE.
Sixer SA’s Facebook profile also shows that he is following a couple of people:
Checking other popular social media sites, I was also able to locate his Twitter account at @AliHasanManeka:
Ali Hassan Maneka’s Twitter profile from May 1st, 2017.
His Twitter account is using the email address goodmandilaltain@gmail.com and a phone number ending in “96”:
The phone number registered to many of the Good Man domains also ends with a “96” (92923467486896).
Domains registered to that phone number include:
| Domains | Registered | |
| t00lz.biz | goodmandilaltain@gmail.com | 4/18/2017 |
| vicals.pw | goodmandilaltain@gmail.com | 4/3/2017 |
| vicals.net.in | goodmandilaltain@gmail.com | 4/3/2017 |
| vicals.ind.in | goodmandilaltain@gmail.com | 4/3/2017 |
| vicals.gen.in | goodmandilaltain@gmail.com | 4/3/2017 |
| vicals.co.in | goodmandilaltain@gmail.com | 4/3/2017 |
| vicals.in | goodmandilaltain@gmail.com | 4/3/2017 |
| n1shop.net.in | goodmandilaltain@gmail.com | 3/31/2017 |
| adobeflashpayer.net.in | goodmandilaltain@gmail.com | 3/29/2017 |
| sipasalar.net.in | goodmandilaltain@gmail.com | 3/24/2017 |
| perfectgirlss.org | goodmandilaltain@gmail.com | 2/22/2017 |
| jokertube.org | goodmandilaltain@gmail.com | 1/20/2017 |
| datsonsdaughter.com | goodmandilaltain@gmail.com | 1/17/2017 |
| hurtmehard.net | goodmandilaltain@gmail.com | 12/2/2016 |
| lifuntersnum1.net.in | goodmandilaltain@gmail.com | 11/12/2016 |
| anyfucks.biz | goodmandilaltain@gmail.com | 11/11/2016 |
| kachapaka.net.in | goodmandilaltain@gmail.com | 11/8/2016 |
| anythingtds.com | goodmandilaltain@gmail.com | 8/15/2016 |
| poranoxxx.com | goodmandilaltain@gmail.com | 4/3/2016 |
| pornstarl33t.org | goodmandilaltain@gmail.com | 3/28/2016 |
| cpro.pw | goodmandilaltain@gmail.com | 7/1/2015 |
His first tweet was on October 30th, 2016:
Below are some more images taken from his Twitter account:
Doing some digging into his Twitter acquaintances shows an interesting account called @BanjoDon3.
Looking at @BanjoDon3’s Twitter feed we can see they have posted a total of 19 times, all on November 28th, 2016, and all about anyfucks[.]biz/1:
Anyfucks.biz is registered to goodmandilaltain@gmail.com and the registrant name is “good man”. It was also being used to host their Keitaro TDS server (among other things) and was responsible for redirecting victims to exploit kits. Another important thing to note is that both Ali’s and @BanjoDon3’s Twitter accounts were created in November, 2016.
Further research shows a user “GoodMan DiLaltain” on a very old social network called orkut.com. The group that “GoodMan DiLaltain” belonged to on orkut.google.com was called “Scorpion-Dagger”. The group description is as follows:
You can see many names given in the group description :
- “Me” (AKA GoodMan DiLaltain)
- Shehraam Bhai (AKA Shehraam Nawaz)
- Mansoor (AKA Mansoor Khagga and Mansoor Sahab)
- Muneeb Hasan (AKA Waisay Muneeb Bhai and Muneeb Bhai)
This group of friends and classmates called themselves “Pantagon”. They liked to think of themselves as “real gangsters”. Also, looking through the various posts on their forum, I could identify a couple more names:
- Salahuddin Khagga
- “Haider”
Searching through the forum shows that the user GoodMan DiLaltain is the person who wrote part of the description for this group:
It looks like they’ve since deleted this group page, however, you can view the archived pages HERE. Names on these forums can be used to further correlate the link between GoodMan DiLaltain and Ali Hassan Maneka.
I want to mention that I don’t believe Ali Hassan Maneka is acting alone. He just happened to be the one with horrible OPSEC. It is likely that there were multiple individuals involved in the Good Man campaign.
Below is a list of verified Good Man domains:
| adobeflashpayer.net.in |
| anyfucks.biz |
| anythingtds.com |
| badboys.net.in |
| cpro.pw |
| datsonsdaughter.com |
| goodmandilaltain.cc |
| hurtmehard.net |
| jokertube.org |
| kachapaka.net.in |
| lifuntersnum1.net.in |
| londaybaz.pro |
| n1shop.net.in |
| perfectgirlss.org |
| pinktube.pro |
| poranoxxx.com |
| pornstarl33t.org |
| sipasalar.net.in |
| sixer.info |
| t00lz.biz |
| traffic-one.us |
| verifiedppservice.net |
| vicals.co.in |
| vicals.gen.in |
| vicals.in |
| vicals.ind.in |
| vicals.net.in |
| vicals.pw |
Here are some additional domains that I believe were under the control of the Good Man actors:
| Domain | First Seen | Last Seen |
| pinktube.org | 6/7/2017 5:01 | 6/7/2017 5:01 |
| neutrino-waves.biz | 4/2/2017 0:00 | 4/9/2017 2:35 |
| ddobnajanu.club | 4/5/2017 21:30 | 4/8/2017 9:59 |
The only difference with these domains are that they protected their Whois information. Something to note, ddobnajanu.club was being used as a CnC server for ZeuSVM:
https://zeustracker.abuse.ch/monitor.php?search=ddobnajanu.club
Also, the domain “neutrino-waves.biz” is a direct reference to a blog post written by Kafeine called “RIG evolves, Neutrino waves goodbye, Empire Pack appears”:
http://malware.dontneedcoffee.com/2016/10/rig-evolves-neutrino-waves-goodbye.html
That is all I have for now. Thanks for reading!
Documented Good Man cases:
- https://malwarebreakdown.com/2017/01/23/keitaro-tds-used-to-redirect-hosts-to-sundown-ek-and-rig-v-ek/
- https://malwarebreakdown.com/2017/02/08/keitaro-tds-leads-to-rig-v-ek-at-188-225-36-231/
- https://malwarebreakdown.com/2017/03/06/tds-redirecting-users-to-rig-exploit-kit-and-other-stuff/
- https://malwarebreakdown.com/2017/03/16/sage-2-2-ransomware-from-good-man-gate/
- https://malwarebreakdown.com/2017/04/03/good-man-gate-leads-to-rig-ek-drops-zuesvm-kins/
- http://malware-traffic-analysis.net/2017/03/02/index.html
- http://www.malware-traffic-analysis.net/2017/03/09/index.html
- http://www.malware-traffic-analysis.net/2017/03/13/index3.html
- https://zerophagemalware.com/2017/04/14/terror-ek-via-malvertising-drops-smoke-loader/
- https://zerophagemalware.com/2017/04/02/terror-ek-delivers-zeusvmk-i-n-s/
- https://zerophagemalware.com/2017/03/08/rig-ek-delivers-august-stealer/
Malware breakdown 