Monday, January 16, 2017

"Microsoft notification" leads to Pharma Redirector on Steroids

Today while investigating spam in the PhishMe spam collection, I started looking at a spam campaign that used two distinct subject lines:

Subject: Microsoft notification
Subject: Windows notification

The body of the email looked like this:

NOT Your Friend!

In true botnet style, every single email had a different "friend name."  The three links at the bottom all go to "real" Microsoft locations, but the "View invitation" button is the one we need to be concerned about today.  While this delivery mechanism certainly COULD be used to deliver malware, right now all we knew was that it was certainly not from Microsoft and was potentially dangerous.  With at least 310 different sending IP addresses sending us the spam, it seemed a deeper investigation was called for.

Since the spam did not have an attachment, the normal way to determine whether the URL may be malicious is to fetch it, but first we ran some statistics.  In this case, of the 410 "Microsoft" and the 377 "Windows" versions of the spam, there were 773 different redirection destinations, each a hacked website where the criminals had placed a small .php program.

Here are just a few examples of the many hundred redirection URLs:
  • lsa48.ru / populace.php
  • longevidadeativa1.hospedagemdesites.ws / valences.php
  • regionp.primor.biz / trowels.php
  • vesinhxanh.net / wp-content / gillian.php
  • nord-okna.pl / timeout.php
  • serax.es / bustles.php
  • nethraprophoto.com / i/wp-content/plugins / contour.php
  • hassanstudio.com / muttons.php
Each PHP file is a program that causes the visitor to be automagically redirected to an additional website! To determine what redirections will occur, and what we might encounter at the ultimate "landing site", we visit the redirection pages to see where they send our web browser.
Here's a sample redirection script from pro-kisti.ru / irving.php, which caused us to visit an illicit pharmaceutical sales website:


<meta name="keywords" content="crowds, nothing, mountains, fulfilld">
<title>ice32044 Pain. Era - ran earth heaven. Nigh spotted relief, found.</title>

// Obfuscated redirector: every array value is a character code with the "shifter" (61) added to it.
function palee() { palea=61; paleb=[180,166,171,161,172,180,107,177,172,173,107,169,172,160,158,177,166,172,171,107,165,
175,162,163,122,100,165,177,177,173,119,108,108,173,175,166,179,158,177,162,173,166,
169,169,179,158,169,178,162,107,175,178,100,120]; palec="";
  // subtract the shifter from each value and rebuild the hidden string one character at a time
  for(paled=0; paled < paleb.length; paled++) { palec += String.fromCharCode(paleb[paled]-palea); }
  return palec; }

++++++++++++++++++
This code will subtract the number 61 from each value in the row of integers that begins with 180,166, and will then concatenate each character to the previous and convert it to a string.  Then it will wait 1.295 seconds, and forward the visitor to the website by using the document property "window.top.location.href".

We'll decode a bit of this one by hand:
180 - 61 = 119 which is 77 hex which is an ASCII "w"
166 - 61 = 105 which is 69 hex which is an ASCII "i"
171 - 61 = 110 which is 6E hex which is an ASCII "n"

Rather than do this by hand, I told Excel to separate values by the "," into columns and made a simple spreadsheet.  Update the "Shifter" value (in this case the "palea=61") and then paste the comma separated list into the "Values" portion of the spreadsheet.

the "pro-kisti.ru" redirector

Row one is the original values
Row two contains the same values, decremented by "Shifter"
Row three contains the same values, displayed in hex
Row four contains the decoded ASCII characters, in this case reading:

"window.top.location.href = http : // privatepillvalue dot ru" (altered for safety)

The next URL we tried, zacpower dot com slash destined.php, had used "unripea=78" for the Shifter value.  We pasted the comma-separated values in and saw that it redirects to "healingdrugdeal dot ru".

the "zacpower.com" redirector

The question, though, was how many different sites did these 770 redirectors send us to?  Were they all illicit pharmaceutical websites, or was it possible that some would redirect us to malware?  The only solution seemed to be to fetch and decode all of them!

A simple wget script took care of the fetching, and we soon had 559 unique .txt files, each containing the redirection program from one of the "still live" redirection sites. (As soon as a webmaster finds such a program, they hopefully delete it!  We were glad to see more than 100 of the websites, mostly ones from over the weekend, were not available any longer!)

Now for a small shell script to yank out the Shifter value and the comma separated integers for each.  There are certainly better shell scripters than me, but here was my quick-and-dirty script:

while read -r a; do
  printf '\n%s Shifter:  ' "$a"                        # new line, then the filename (domain.tld.txt)
  grep -o '=[0-9][0-9]' "$a" | tr -d '\n'              # two-digit integer after an "=" is the Shifter
  printf ' values: '
  grep -o '[0-9]*,[ ]*[1-9][0-9]*' "$a" | tr -d '\n'   # comma-delimited integers, joined back onto one line
done < filelist

After asking for a new line, I print the filename, which in this case was "domain.tld.txt", then I looked for a two-digit integer preceded by an equal sign, and declared it to be the "Shifter".  Then I searched for a list of comma delimited integers, and listed only the matches using "grep -o".  Because "grep -o" puts each hit on a new line, I piped the tr -d '\n' to remove the new line character and put them all back on one line as a long comma separated list.  Here are a few example results:

gameguideaz.com.txt Shifter:77 values: 196,182,187,177,188,196,123,193,188,189,
123,185,188,176,174,193,182,188,187,123,181,191,178,179,138,116,181,193,193,189,
135,124,124,185,194,176,184,198,175,178,192,193,192,178,191,195,182,176,178,123,
191,194,116,136

gavez.info.txt Shifter: 49 values: 168,154,159,149,160,168,95,165,160,161,95,157,
160,148,146,165,154,160,159,95,153,163,150,151,110,88,153,165,165,161,107,96,96,153,
150,146,157,154,159,152,149,163,166,152,149,150,146,157,95,163,166,88,108

gelecekdiyarbakirsigorta.com.txt Shifter: 22 values:
141,127,132,122,133,141,68,138,133,134,68,130,133,121,119,138,127,133,132,68,126,
136,123,124,83,61,126,138,138,134,80,69,69,130,139,121,129,143,120,123,137,138,
137,123,136,140,127,121,123,68,136,139,61,81

genelev.net.txt Shifter: 23 values:
142,128,133,123,134,142,69,139,134,135,69,131,134,
122,120,139,128,134,133,69,127,137,124,125,84,62,127,139,139,135,81,70,70,131,140,122,
130,144,121,124,138,139,138,124,137,141,128,122,124,69,137,140,62,82

geniusetech.com.txt Shifter: 15 values:
134,120,125,115,126,134,61,131,126,127,61,123,126,114,112,131,120,126,125,61,119,129,
116,117,76,54,119,131,131,127,73,62,62,127,129,120,133,112,131,116,127,120,123,123,
133,112,123,132,116,61,129,132,54,74


Now that each file's key values are separated out, it was simple to automate the decoding to learn which URL was recommended by each of the websites that were found in the "View Invitation" links within our spam messages.
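To show how that decoding, and the tally of destinations in the next section, can be automated, here is an added example (not the script used in the original investigation) that parses a fetched redirector page, recovers the shifter and the integer array, decodes the target URL and counts destination hosts across many pages.  The two sample pages are constructed from the integer arrays shown above; the variable prefix "unripe" in the second one is a placeholder name.

```python
import re
from collections import Counter

# Constructed sample: the pro-kisti.ru redirector shown above, with the
# integer array copied from the page and the loop syntax restored.
PRO_KISTI = """
function palee() { palea=61; paleb=[180,166,171,161,172,180,107,177,172,173,107,169,172,160,158,177,166,172,171,107,165,
175,162,163,122,100,165,177,177,173,119,108,108,173,175,166,179,158,177,162,173,166,
169,169,179,158,169,178,162,107,175,178,100,120]; palec=""; for(paled=0;paled<paleb.length; paled++) {palec+=String.fromCharCode(paleb[paled]-palea);} return palec; }
"""

# Constructed sample in the same shape, using the gameguideaz.com integers
# listed above; the variable prefix "unripe" is a placeholder.
GAMEGUIDEAZ = """
function unripee() { unripea=77; unripeb=[196,182,187,177,188,196,123,193,188,189,
123,185,188,176,174,193,182,188,187,123,181,191,178,179,138,116,181,193,193,189,
135,124,124,185,194,176,184,198,175,178,192,193,192,178,191,195,182,176,178,123,
191,194,116,136]; unripec=""; return unripec; }
"""

SHIFTER_RE = re.compile(r"=\s*(\d{1,3})\s*;")   # first "name=NN;" is the shifter
ARRAY_RE = re.compile(r"=\s*\[([\d,\s]+)\]")    # the "name=[...]" integer array
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")

def decode_redirector(page_text):
    """Return the decoded JavaScript string, or None when the page has no
    shifter/array pair (e.g. the webmaster already removed the script)."""
    shifter = SHIFTER_RE.search(page_text)
    array = ARRAY_RE.search(page_text)
    if not shifter or not array:
        return None
    shift = int(shifter.group(1))
    values = [int(v) for v in array.group(1).split(",") if v.strip()]
    return "".join(chr(v - shift) for v in values)

def destination_host(page_text):
    """Hostname the decoded script would send the browser to, or None."""
    decoded = decode_redirector(page_text)
    match = URL_RE.search(decoded) if decoded else None
    return match.group(1) if match else None

def tally_destinations(pages):
    """Count destination hosts across many fetched redirector pages."""
    return Counter(h for h in map(destination_host, pages) if h)

if __name__ == "__main__":
    for host, n in tally_destinations([PRO_KISTI, GAMEGUIDEAZ]).items():
        print(n, host)
```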

So How Many Redirectors were there?  

It APPEARS that there are four redirection destinations for this spam campaign.
By processing the results from all of the redirectors we visited, we found:

131 redirectors went to "privatepillvalue dot ru"
138 redirectors went to "luckybestservice dot ru"
165 redirectors went to "healingdrugdeal dot ru"
125 redirectors went to "bestgenericstore dot ru"

bestgenericstore dot ru

Caution with Redirectors!!
The problem with redirection sites such as were used in this spam campaign is that we can't be certain that others who visit the same pages would be redirected in the same way.  Because we did not OBTAIN the server-side .php redirection script, but merely observed the HTML it returned when our automated script visited the page, we can't say at this time whether other visitors would be redirected in the same way.

For example, the script may have said "If you seem to be using automation, redirect to a pharma website, but if you seem to be on a regular PC on a regular browser, redirect to an Exploit Kit!" or the script may have said "Send every 50th visitor to be infected with Malware at this exploit kit, but send everyone else to a pharma website."  It is also possible for the script to say "If your IP address is from one of THESE countries, send to a pharma website, but if your IP address is from one of the OTHER countries, infect with malware!"  Until we get a copy of the script from one of the websites, it will be hard to say whether such a trap was present here.
