In the following intelligence brief, I will analyze the cybercriminal operations of a group of individuals that operated successfully through 2009/2010, recruiting money mules, hosting ZeuS crimeware, and participating in a malvertising campaign.
Compared to a previous analysis, where I profiled the offensive client-side exploitation campaigns launched by money mule recruiters, in this analysis I’ll focus on yet another OPSEC-aware (operational security-aware) gang of cybercriminals, this time one that blocked access to Google and to anti-money-laundering Web sites and research on the mules’ PCs, in an attempt to trick the newly recruited mules into believing they were working for a legitimate company by preventing them from obtaining information on their new “employer”.
Key summary points:
- The group originally launched its operations in 2009, primarily focusing on highly targeted money mule recruitment campaigns
- Only two of the malicious domains involved in the 2009/2010 campaigns are still active, the first serving adult content and the second offering name server services to pharmaceutical scams, indicating that the group hasn’t quite left the cybercrime ecosystem just yet
- The cybercriminals behind the campaign impersonated the legitimate Sprott Asset Management company, and blocked access to its official site on the PCs of mules who executed the malicious “SSL Certificate” executable supplied to them as a requirement for joining the fake company
- Upon execution, the bogus SSL Certificate executable modified the HOSTS file on the affected machines, blocking access to ddanchev.blogspot.com and bobbear.co.uk to prevent potential money mules from reaching my “Keeping Money Mule Recruiters on a Short Leash” series and bobbear.co.uk’s vast archive of collected intelligence on money mule recruitment campaigns
- The group hosted multiple ZeuS crimeware variants using the same infrastructure as the money mule recruitment campaigns, and also participated in a malvertising campaign
- Although their initial 2009 operations were launched from AS39134, they later migrated to a Kazakhstan-based bulletproof hosting provider (AS50793) that is no longer in operation, although there’s a high probability that the Kazakhstan hosting service was part of a franchise and is currently operating in another part of the world. The Web site of the bulletproof hosting provider was itself hosted in Ukraine (AS6714), an AS also known to have participated in numerous crimeware campaigns
- No malicious activity besides their own operation was found for AS39134, indicating that they were probably kicked out of that hosting provider for their attempts to recruit money mules
- The domain name of the Kazakhstan-based bulletproof hosting provider (AS50793) was registered using a GMail account in 2010
- The Kazakhstan-based bulletproof ISP’s domain name is currently registered to an Iranian citizen, two years after the malicious activities took place, with no signs of malicious activity currently taking place there
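The HOSTS-file tampering described above (mapping Google, anti-money-laundering sites and this blog to the loopback address so the mule cannot reach them) is easy to spot on a suspect machine once you know what a stock HOSTS file should contain: nothing but localhost mappings. The following Python script is an added example, not code from the original post or from the group’s own tooling. It parses a HOSTS file, ignores the legitimate localhost entries, and reports every public hostname that has been pinned to an address, classifying it as “sinkholed” (pointed at loopback or 0.0.0.0, i.e. blocked) or “redirected” (pointed anywhere else, which is the more dangerous case). The embedded sample file is constructed for illustration; the `203.0.113.10 www.example.com` line is a hypothetical redirect using documentation-reserved values, and the WATCHLIST is just the domains the post names.

```python
import ipaddress
import sys
from typing import Dict, List, Tuple

# Constructed sample: a Windows HOSTS file as it might look after a dropper of
# the kind described in the post has appended its blocking entries. This is an
# illustration, not a capture from the actual malware.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
::1             localhost

# --- appended by the dropper (constructed illustration) ---
127.0.0.1 www.google.com
127.0.0.1 google.com
127.0.0.1 ddanchev.blogspot.com
127.0.0.1 bobbear.co.uk
127.0.0.1 www.bobbear.co.uk
203.0.113.10 www.example.com   # hypothetical redirect to an attacker-controlled address
"""

# Domains the post says were blocked; extend with your own AML/bank/vendor sites.
WATCHLIST = {"google.com", "ddanchev.blogspot.com", "bobbear.co.uk"}

# Names that legitimately appear in a stock HOSTS file and are never findings.
BENIGN_NAMES = {
    "localhost", "localhost.localdomain", "broadcasthost",
    "ip6-localhost", "ip6-loopback", "ip6-allnodes", "ip6-allrouters",
}

# Default location on Windows, which is where the post's sample modified it.
WINDOWS_HOSTS_PATH = r"C:\Windows\System32\drivers\etc\hosts"


def parse_hosts(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, ip, hostname) for every mapping, ignoring comments."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # strip trailing/inline comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        ip, names = parts[0], parts[1:]
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue  # not a valid address, so not a resolvable mapping
        for name in names:
            entries.append((lineno, ip, name.lower()))
    return entries


def is_sinkhole(ip: str) -> bool:
    """True if the address simply makes the name unreachable (127/8, ::1, 0.0.0.0)."""
    addr = ipaddress.ip_address(ip)
    return addr.is_loopback or addr.is_unspecified


def on_watchlist(name: str) -> bool:
    """Exact match or subdomain of a watched domain."""
    return any(name == d or name.endswith("." + d) for d in WATCHLIST)


def audit_hosts(text: str) -> List[Dict[str, object]]:
    """Report every public hostname pinned in the HOSTS file and how it is affected."""
    findings = []
    for lineno, ip, name in parse_hosts(text):
        if name in BENIGN_NAMES:
            continue
        # Intranet shortnames and .local/.localdomain names are admin territory;
        # anything with a public-looking suffix should never be in a HOSTS file.
        if "." not in name or name.endswith((".local", ".localdomain")):
            continue
        findings.append({
            "line": lineno,
            "host": name,
            "ip": ip,
            "kind": "sinkholed" if is_sinkhole(ip) else "redirected",
            "watchlist": on_watchlist(name),
        })
    return findings


if __name__ == "__main__":
    # Pass a path to audit a real file; with no argument the constructed sample is used.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            content = fh.read()
    else:
        content = SAMPLE_HOSTS
    for f in audit_hosts(content):
        flag = " [WATCHLIST]" if f["watchlist"] else ""
        print(f"line {f['line']}: {f['host']} -> {f['ip']} ({f['kind']}){flag}")
```

On a live Windows host run it as `python hosts_audit.py "C:\Windows\System32\drivers\etc\hosts"`. Treat any “redirected” finding as higher priority than a “sinkholed” one: a sinkholed entry only denies the mule information, whereas a redirect can silently deliver a phishing page or a replacement binary under a trusted name.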
This post has been reproduced from Dancho Danchev’s blog. Follow him on Twitter.