Posted by maintex
We have been investigating several domains registered using the email address drake.lampado777@gmail[.]com. IBM Security X-Force spotted the information-stealing malware named Corebot.

Corebot's author included the ability to add plugins to the malware in order to incorporate more features. A feature is usually a specific function the malware performs or a role the bot is turned into, such as acting as a socks proxy, spreading via USB drives, grabbing certificates, or even performing DDoS. The sample analyzed by IBM Security X-Force communicates with two domains registered to drake.lampado777@gmail[.]com that are down at this time:

Domain name              IP address
arijoputane[.]com        62.76.41.51
vincenzo-sorelli[.]com   62.76.41.51

We found a 64-bit version of Corebot, but the sample seems buggy and doesn't work properly, which suggests that it might still be under development. You can find the same strings in the 64-bit code as in the 32-bit one:

core.dga
core.dga.key_fingerprint
core.dga.zones
core.dga.group
core.dga.domains_count
core.server_key
C:\work\itco\core\bin\x64\Release\core.pdb
c:\work\itco\fabric\config1.dat
c:\work\itco\fabric\config1.dat.plain

Hosted on the same IP address, 62.76.41.51, we found more interesting domains. One was used as a Carberp C&C and the two others host a TVSPY C&C:

Domain name              Description
namorushinoshi[.]com     Carberp C&C
mastersway2[.]com        TVSPY C&C
bekmambek-ushlu[.]in     TVSPY C&C

We recently released a blog discussing TVSPY in greater detail. TVSPY is a remote access tool (RAT) leveraging TeamViewer software to gain access to remote computers. With this tool, the attackers could gather private information from their victims as well as take control and install further malware at will.

What else has drake.lampado777@gmail[.]com registered?

Out of the 30+ domains registered using that email address, one domain stood out: btcshop[.]cc. This is a fairly new domain, created July 30th 2015. The domain name may mislead people: this is not an online shop to buy bitcoin, but an online shop to buy lists of Socket Secure (socks) proxies and personally identifiable information.

The lists of proxies are usually infected machines turned into socks proxies to be used for further malicious activity. Several malware families have the capability to turn an infected machine into a socks proxy. However, this shop has a few peculiarities that are interesting.

The registration process is very simple. You just have to click on the Register button and you are redirected to a new screen notifying you that the registration has been successful. It gives you a hash as a way to log in. The hash is 41 alphanumeric characters long, similar to a SHA-1 hash.

[screenshot: corebot001]

Once you get the hash you just have to click on Login and copy/paste the hash to get in:

[screenshot: corebot003]

Once you are logged in, there are two tabs available, Accounts and Socks. The Accounts tab lists several countries you can choose from to check whether there are any accounts available. There is no specification of what type of accounts, but we can assume they contain personally identifiable information (PII). It also shows a bitcoin wallet assigned to you automatically. To purchase, you'll have to add bitcoin to that specific wallet. Every hash has a new Bitcoin wallet address assigned.

[screenshot: corebot005]

As of writing, the base contains 9597 "rows", where "rows" are individual accounts:

[screenshot: corebot007]

The Socks tab only seems to contain 4 socks proxies, located in the United States.

[screenshot: corebot009]

BTCSHOP Threat Actor:

Once the information about the malicious domains linked to the email drake.lampado777@gmail[.]com was collected, we looked into what we could find about btcshop on forums. We found someone using the handle btcshop who wrote a few posts on forums. In one post, btcshop asks for advice on how much he could sell socks proxy bots for. The Jabber account used is the same account advertised on btcshop[.]cc, btcshop@exploit[.]im.

[screenshot: corebot011]

In another interesting post, btcshop is apparently selling bot source code on behalf of the author.

[screenshot: corebot013]

The email address is linked to a Google+ account: https://plus.google.com/118423272977624417312/posts

Conclusion:

The link between Corebot, the TVSPY C&C and the online shop is the email address used to register all the domains. We were able to link the online shop to a person on a forum using the handle btcshop and the Jabber account btcshop@exploit[.]im. This person may or may not be running Corebot and TVSPY as a way to collect personally identifiable information for sale in his online shop. However, it would be convenient for the same person or a small group of people to be running malicious domains registered under the email drake.lampado777@gmail[.]com and also running btcshop to sell their collected wares. More evidence is needed to definitively say that drake.lampado777@gmail[.]com and btcshop@exploit[.]im are the same person.

Damballa detects this threat as ThreePaperConvicts.

— Loucif Kharouni, Senior Threat Researcher, Damballa

Appendix

64-bit Corebot version: b536172bdf3a0c638fd68068b7e8077ac8864e03

Domains hosted on the IP 62.76.41.51:

IP address     Domain name              First seen   Last seen
62.76.41.51    arijoputane[.]com        20150508     20150816
62.76.41.51    mastersway2[.]com        20150902     20150902
62.76.41.51    wascodogamel[.]com       20150601     20150730
62.76.41.51    namorushinoshi[.]com     20150411     20150626
62.76.41.51    chugumshimusona[.]com    20150718     20150718
62.76.41.51    marcello-bascioni[.]com  20150626     20150626

Full list of domains registered using the email address drake.lampado777@gmail[.]com:

arijoputane[.]com
ass-p***y-f*****g.net
baltazar-btc[.]com
bekmambek-ushlu[.]in
brazilian-love[.]org
btcshop[.]cc
cameron-archibald[.]com
casas-curckos[.]com
castello-casta[.]com
casting-cortell[.]com
chugumshimusona[.]com
critical-damage333[.]org
dragonn-force[.]com
gooip-kumar[.]com
ihave5kbtc[.]biz
ihave5kbtc[.]org
levetas-marin[.]com
marcello-bascioni[.]com
mastersway2[.]com
my-amateur-gals[.]com
namorushinoshi[.]com
narko-cartel[.]com
narko-dispanser[.]com
pasteronixca[.]com
pasteronixus[.]com
ppc-club[.]org
road-to-dominikana[.]biz
road-to-dominikana[.]in
vincenzo-bardelli[.]com
vincenzo-sorelli[.]com
wascodogamel[.]com
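The post's method is an infrastructure pivot: registrant email to domains, domains to hosting IP, IP to co-hosted domains, then checking which of those co-hosted domains were active at the same time. The script below is an added example, not code from the post or from Damballa; it reproduces that pivot offline over the indicators in the appendix (the WHOIS and passive-DNS style tables are constructed inline from the post's own lists, one censored domain omitted, and the first/last-seen dates are taken from the appendix table; vincenzo-sorelli[.]com is carried with no dates because the body gives none). The defanged `[.]` notation is normalised on the way in and restored on the way out.

```python
"""Registrant-email -> domain -> IP -> co-hosted-domain pivot over the indicators
in the post above. All data is embedded inline (constructed from the appendix), so
this runs with no network access and no third-party libraries."""
from datetime import datetime
from itertools import combinations


def refang(ioc: str) -> str:
    """'example[.]com' -> 'example.com' so values match other data sources."""
    return ioc.replace("[.]", ".")


def defang(ioc: str) -> str:
    """'example.com' -> 'example[.]com' for safe display in a report."""
    return ioc.replace(".", "[.]")


SEED_EMAIL = refang("drake.lampado777@gmail[.]com")

# WHOIS-style registrant index, built from the appendix list (constructed data).
WHOIS = {
    SEED_EMAIL: {refang(d) for d in [
        "arijoputane[.]com", "baltazar-btc[.]com", "bekmambek-ushlu[.]in",
        "brazilian-love[.]org", "btcshop[.]cc", "cameron-archibald[.]com",
        "casas-curckos[.]com", "castello-casta[.]com", "casting-cortell[.]com",
        "chugumshimusona[.]com", "critical-damage333[.]org", "dragonn-force[.]com",
        "gooip-kumar[.]com", "ihave5kbtc[.]biz", "ihave5kbtc[.]org",
        "levetas-marin[.]com", "marcello-bascioni[.]com", "mastersway2[.]com",
        "my-amateur-gals[.]com", "namorushinoshi[.]com", "narko-cartel[.]com",
        "narko-dispanser[.]com", "pasteronixca[.]com", "pasteronixus[.]com",
        "ppc-club[.]org", "road-to-dominikana[.]biz", "road-to-dominikana[.]in",
        "vincenzo-bardelli[.]com", "vincenzo-sorelli[.]com", "wascodogamel[.]com",
    ]},
}

# Passive-DNS-style rows (ip, domain, first_seen, last_seen) from the appendix
# table; vincenzo-sorelli.com is on the same IP per the body but has no dates.
PDNS = [
    ("62.76.41.51", "arijoputane.com", "20150508", "20150816"),
    ("62.76.41.51", "mastersway2.com", "20150902", "20150902"),
    ("62.76.41.51", "wascodogamel.com", "20150601", "20150730"),
    ("62.76.41.51", "namorushinoshi.com", "20150411", "20150626"),
    ("62.76.41.51", "chugumshimusona.com", "20150718", "20150718"),
    ("62.76.41.51", "marcello-bascioni.com", "20150626", "20150626"),
    ("62.76.41.51", "vincenzo-sorelli.com", None, None),
]

# Roles the post assigns to specific domains.
ROLES = {
    "arijoputane.com": "Corebot C&C", "vincenzo-sorelli.com": "Corebot C&C",
    "namorushinoshi.com": "Carberp C&C", "mastersway2.com": "TVSPY C&C",
    "bekmambek-ushlu.in": "TVSPY C&C", "btcshop.cc": "socks/PII shop",
}


def _day(s: str):
    return datetime.strptime(s, "%Y%m%d").date()


def domains_for_email(email: str, whois=WHOIS) -> set:
    return set(whois.get(email, ()))


def ips_for_domains(domains: set, pdns=PDNS) -> set:
    return {ip for ip, dom, *_ in pdns if dom in domains}


def cohosted(ip: str, pdns=PDNS) -> set:
    return {dom for rip, dom, *_ in pdns if rip == ip}


def active_overlaps(ip: str, pdns=PDNS) -> set:
    """Unordered pairs of domains on `ip` whose first/last-seen windows overlap;
    rows without dates are skipped rather than guessed."""
    rows = [(dom, _day(f), _day(l)) for rip, dom, f, l in pdns if rip == ip and f and l]
    return {tuple(sorted((a, b)))
            for (a, fa, la), (b, fb, lb) in combinations(rows, 2)
            if fa <= lb and fb <= la}


def pivot(email: str) -> dict:
    seed_domains = domains_for_email(email)
    ips = ips_for_domains(seed_domains)
    co = set().union(*(cohosted(ip) for ip in ips)) if ips else set()
    return {
        "seed_domains": seed_domains,
        "ips": ips,
        "cohosted": co,
        # Co-hosted domains the email pivot did NOT already cover would need a
        # second pivot (registrar, name server, SSL cert) to tie to the actor.
        "cohosted_not_in_whois": co - seed_domains,
        "roles": {d: ROLES[d] for d in seed_domains | co if d in ROLES},
        "overlaps": {ip: active_overlaps(ip) for ip in ips},
    }


if __name__ == "__main__":
    r = pivot(SEED_EMAIL)
    for ip in sorted(r["ips"]):
        print(f"{ip}: {len(cohosted(ip))} co-hosted domains, "
              f"{len(r['overlaps'][ip])} overlapping activity windows")
    for d, role in sorted(r["roles"].items()):
        print(f"  {defang(d):26} {role}")
    print("co-hosted but not in registrant set:",
          sorted(map(defang, r["cohosted_not_in_whois"])) or "none")
```

Running it shows that every domain resolving to 62.76.41.51 in the appendix is also in the registrant list, which is what makes the single-IP overlap a corroborating link rather than a coincidence of shared hosting; the overlap check also separates the Corebot and Carberp C&Cs, which were live at the same time, from mastersway2[.]com, whose only sighting is after the others went quiet.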
Tags: bitcoin, carded